DR Planning - The Importance of Recovery Time and Point Objectives

Disaster Recovery (DR) planning provides an actionable plan to use in order to recover from a disaster and cyber incident. It enables data owners and data processors to know beforehand exactly what to do and minimize the threat as quickly as possible.

In order to create an effective backup and DR plan, you need to consider a number of factors ranging from your IT staff expertise, the hardware and software performance capabilities of your IT infrastructure, the resources your business is willing to dedicate to cyber-security, and lastly but most importantly Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

It goes without saying that DR plans vary depending on business model, priorities, and compliance regulations. To help you with DR planning, I’ll be briefly explaining what RTOs and RPOs (or RTPOs) are, and how to calculate them– ending the blog with some recommendations for DR planning best practices.

What are Recovery Point Objectives (RPOs)?

Recovery Point Objectives (RPOs) are a measure of the volume of data your business is willing to lose in the event of a disaster. RPOs are determined by your backup frequency.

For example, if you’re backing up your critical systems every hour, then your RPO is an hour. If a disaster strikes, then you can restore operations using the backup copy the system generated an hour ago. As a result, there’s a chance you will lose an hour’s worth of work and the resulting costs will reflect that. Be it financial costs, loss of reputation, or loss of customers. Alternatively, if the backup frequency is shorter, the RPOs are shorter, and the resulting data lost is reduced.

Cyber-threats have evolved. Ransomware and data breaches are the top concerns of data owners and data processors worldwide. This threat landscape forces organizations to set up shorter RPOs. However, that tends to be costly.

The shorter the RPOs, the more performance and storage resources it requires. If you’re looking to set up near-zero RPOs, you’ll need to create backups in real-time which means that your production will be processing twice the workloads – at all times.

What are Recovery Time Objectives (RTOs)?

Recovery Time Objectives (RTOs) is the time it takes to restore your critical systems. In other words, the time it takes to restore operations from a complete halt (downtime). It needs to be mentioned here that RTOs do not refer to the complete recovery of data – only the essentials or mission-critical workloads. ?

RTOs, as opposed to RPOs, are determined by a number of factors including:

1. Performance capabilities of your infrastructure.
2. Available network speed and bandwidth - if you’re using cloud backup and replication.
3. Backup frequency – when was the last backup/snapshot created.
4. Target platform to restore operations – similar or dissimilar hardware and/or the cloud. ?

Similar to RPOs, the shorter the RTOs, the more resources it requires – the costlier it gets. Depending on your needs, this can be desirable at times. For example, for healthcare service providers, downtime can mean death which makes bearing the cost the only viable option.

How to calculate your RTPOs

In order to effectively calculate your RTPO, you need to find out the cost of downtime for your organization. Can your business tolerate the cost of an hourlong downtime? Is a daylong downtime still acceptable? Or do you need your critical systems to be back up and running within minutes? By answering these questions, you will be able to tailor a DR plan that works for your organization.

Here’s a general formula* to calculate your downtime cost:

Cost of downtime = Avg. hourly salary of the impacted employees x Est. Productivity Factor (%) x No. of Employees

Where productivity factor is determined by the nature of the employee’s responsibilities and their role for the organization. For example, senior management would get 30-40% productivity factor depending on their role.

* source: cio.com

DR Planning: Best Practices

The more detailed your disaster recovery plan, the more effective it will be. In order to devise a plan that works for your entire IT infrastructure, you’ll need to have a better understanding of your data lifecycle.

Before embarking on the project of coming up with a backup and DR plan, here’s what you should do:

• Analyze your data lifecycle and understand the creation, processing, and retention environment(s).
• Monitor usage to allocate hot-tier, cold-tier, and archive tier workloads.
• Audit current IT system(s) to ensure longevity and future-proof usage.
• Create a map for different endpoints, required access credentials, and the IT staff with admin authorization.
• Assess data governance at different stages of the data lifecycle. If data is leaving your on-prem data center, then what are the policies of the service provider (if any).

Once you have a clear idea of how data moves through your infrastructure, you can begin assigning RTPOs to the different type of workloads.

The assigned RTPOs will also determine the infrastructure and environment(s) you’ll use to ensure backup and recovery. For example, it’s good practice to leverage high performance NVMe SSD-based storage for hot-tier workloads so that you can recover them quickly. Alternatively, cloud-based or tape storage is good for cold-tier or archive-tier assets, respectively.

An effective backup and DR plan must include:

• Employee response training in the event of a disaster. Train IT staff to counteract different disasters and train the entire staff about cyber security practices.
• Cyber-security practices and backup strategies such as 3-2-1, 3-2-1-1-0, or 4-3-2.
• Reliable data security and ransomware protection measures such as air-gapping, immutability, and anti-ransomware with threat scan for dormant malware.
• Backup and DR testing with mock disaster scenarios.
• Regular checks to ensure backup integrity and recoverability.
• Scheduled audits to ensure endpoint security.
• Multi-factor authentication and periodic password changes to protect from brute force attacks.

Conclusion

RTPOs should always be included in a discussion about data recovery and disaster recovery planning because these metrics determine downtime and business continuity. The lower the RTOs and RPOs, the lower the downtime and consequently the lower the costs.

Depending on your business model, your RTPOs may vary from others in the same industry which makes it important to carefully analyze your data lifecycle and come up with a DR plan that works for you.

And always remember: a DR plan is only a piece of paper until it’s tested, improved, and tested again.