Backup and Disaster Recovery often “travel together” in discussions of IT security and Data Protection. But beware: they are two sides of the same coin, yet still two distinct sides, each with its own technological peculiarities that respond to different needs, models and areas of application.
So let’s analyze what Backup and Disaster Recovery are, how they differ and why they are essential for data protection and for the business and operational continuity of companies, including SMEs. It should be emphasized, however, that a Business Continuity strategy is something much more “extended” and complex than Backup and Disaster Recovery and, even in this case, should not be mistakenly taken as their synonym.
Backup: What It Is And What It Is For
When we say “backup,” we mean, in practice, making a copy of data, files, and folders to keep everything safe: that is, having one or more copies of your computer system (or of a device, from the computer to the smartphone up to any other machine that contains data) to be used for recovery if the “original” data and files are lost, damaged or destroyed due to malware, an accident or human error (which happens much more often than you might believe).
The Backup is mainly used to create “versioning” points of data, files and folders, allowing companies to return to a “previous situation” of normality after events or accidents that have compromised or damaged the data. With the Backup, it is possible to recover from and overcome emergencies (including those related to unsuccessful operations, and therefore not only severe attacks or theft/loss of data), bringing the systems back to their state before the emergency.
In other words, the Backup is a repository where the copy or copies of the company’s information assets are brought together, allowing it to operate with greater serenity and security.
However, today Backup alone is not enough to protect a company from more “serious” accidents such as possible “downtime,” i.e., the unavailability of the systems and devices necessary for operating and carrying out the company’s activities. In this case, it becomes essential to have a Disaster Recovery strategy and plan.
What Is Disaster Recovery, And Why Is It Important
To give a somewhat “classic” definition of Disaster Recovery, we can say that it is the set of technological and logistical/organizational measures necessary to restore the systems, data and infrastructures that are used for the provision of business services (access and availability of data, use of applications, access and use of digital services, access to files and folders, etc.).
From a practical point of view, Disaster Recovery is obtained (greatly simplifying the concept) by providing the company with a “second site” on which to host a “replica” of its entire IT infrastructure, so that the company can continue to work in case of interruptions, stops, malfunctions or accidents at the primary site.
Disaster Recovery, therefore, means, in the strictest sense, the emergency recovery following a disaster, which is generally “guided” by the so-called Disaster Recovery Plan (DRP), i.e., the document that explains all the measures (technological and procedural) aimed at restoring operational normality and which is usually included within a broader Business Continuity Plan (BCP).
The “computer literature” today allows us to classify the disasters that can put IT systems at risk into two broad categories:
- Natural Disasters: floods, hurricanes, tornadoes or earthquakes. However, the fact that these disasters are impossible to predict with precision does not exclude the possibility (and increasingly the burden) for companies of using risk management tools (such as a Disaster Recovery strategy and a DRP – Disaster Recovery Plan).
- Disasters Generated By Human Beings: in this case, we mean events ranging from accidents, infrastructural failures, computer bugs and negligence in the management and maintenance of corporate assets to terrorism and cybercrime. In cases like these, strategy, planning, governance, monitoring and surveillance, and risk mitigation are fundamental aspects of Disaster Recovery that can help companies effectively recover their activities without serious repercussions.
In addition to the different possible levels of disaster, an effective strategy and Disaster Recovery plan that allows a company to respond adequately to an emergency must also take into consideration the criticality of IT systems and applications (not all systems are “critical” and not all could be included in the Disaster Recovery Plan).
By way of example, systems are usually classified according to the following (or similar) definitions:
- Critical Systems are those whose functions cannot be performed without being replaced by tools (means) of identical characteristics. Critical applications cannot be replaced with manual methods. The tolerance in the event of an interruption is very low. Therefore the cost of an interruption is very high.
- Vital Systems are essential for the organization but capable of being “replaced” by manual operations, though only for a short period. There is a greater tolerance to outages than that expected for critical systems. Consequently, the cost of an outage is lower, provided such downtime is limited in time (for example, for maintenance or for an incident that does not require overly long recovery times).
- “Delicate” Systems can withstand, at acceptable costs, a certain amount of downtime because manual operations can replace them. However, it should be noted that they are classified as “delicate” because, although these functions can be performed manually, doing so is complex and requires more dedicated resources than those needed in normal conditions.
- Non-Critical Systems are those whose functions can remain interrupted for an extended period, with a modest cost to the business.
Today, technology allows companies to choose between many Disaster Recovery solutions, up to the de facto guarantee of a continuous supply of IT services necessary for systems defined as mission critical.
The more stringent the levels of continuity (defined by two critical parameters, RTO and RPO), the more it will be necessary to have adequate systems and plans that ensure “exact” replication of the primary site and recovery times that do not stop the activity or cause harm.
RTO And RPO: The Two Most Important Acronyms Of Disaster Recovery
RTO, an acronym for Recovery Time Objective, and RPO, an abbreviation for Recovery Point Objective, are two critical parameters for Disaster Recovery (which, however, also involve Backup).
The service level defined by the RTO determines the speed with which a company manages to restore its information systems, because it is the parameter that indicates the time required for the full recovery of the operation of a system or organizational process. In practice, this is the maximum duration, expected or tolerated, of the downtime; the closer it is to zero, the less damage and repercussions for the company.
A useful measure for reducing RTO is to have data backups fully available on secondary sites; that’s why Backup and Disaster Recovery often travel “hand in hand.”
In the case of RPO, on the other hand, what is measured is the fault tolerance of an information system, i.e., the permissible loss of data or the “acceptable” damage resulting from an accident or disaster. It represents the maximum time that must elapse between data production and its securing (for example, through the Backup) and, consequently, provides the measure of the total amount of data the system can lose due to sudden failure.
Therefore, the RPO is the percentage of data the company is willing to lose in the event of a disaster (the parameter thus measures the amount of unsynchronized and, therefore, unavailable data compared to the last Backup). The RTO, in turn, is the time it takes for the organization to restore systems, processes and operations and return to functioning, and defines how long a company can remain “off” without suffering severe damage.
There are no standard indices; each company will have to find its point of equilibrium by understanding how it can face any downtime and costs, with what impacts and to what extent they are tolerable.
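The following Python example, added here and not part of the original article, checks a backup catalog and a restore-drill record against per-tier RPO and RTO targets, using the criticality classes described earlier. The target values, system names and timestamps are constructed assumptions, since each company sets its own.

```python
from datetime import datetime, timedelta

# Assumed targets per criticality tier (illustrative, not standard values).
OBJECTIVES = {
    "critical":     {"rpo": timedelta(minutes=15), "rto": timedelta(hours=1)},
    "vital":        {"rpo": timedelta(hours=4),    "rto": timedelta(hours=8)},
    "delicate":     {"rpo": timedelta(hours=24),   "rto": timedelta(days=2)},
    "non-critical": {"rpo": timedelta(days=7),     "rto": timedelta(days=14)},
}

def worst_case_loss(backups, window_end):
    """Largest gap between successive backups, up to window_end."""
    points = sorted(backups) + [window_end]
    return max(b - a for a, b in zip(points, points[1:]))

def assess(system):
    """Return findings against the tier's RPO/RTO (empty list = compliant)."""
    goal = OBJECTIVES[system["tier"]]
    if not system["backups"]:
        return ["no successful backup: RPO cannot be met"]
    findings = []
    loss = worst_case_loss(system["backups"], system["window_end"])
    if loss > goal["rpo"]:
        findings.append(f"RPO exceeded: worst gap {loss} > {goal['rpo']}")
    drill = system.get("restore_drill")  # measured duration of a test restore
    if drill is None:
        findings.append("RTO unverified: no restore drill recorded")
    elif drill > goal["rto"]:
        findings.append(f"RTO exceeded: restore took {drill} > {goal['rto']}")
    return findings

# Constructed inventory: billing-db missed one of its 15-minute backups.
T0 = datetime(2024, 3, 1, 0, 0)
INVENTORY = [
    {"name": "billing-db", "tier": "critical",
     "backups": [T0 + timedelta(minutes=15 * i) for i in range(8) if i != 5],
     "window_end": T0 + timedelta(hours=2),
     "restore_drill": timedelta(minutes=40)},
    {"name": "file-share", "tier": "vital",
     "backups": [T0, T0 + timedelta(hours=4)],
     "window_end": T0 + timedelta(hours=6),
     "restore_drill": timedelta(hours=11)},
    {"name": "intranet-wiki", "tier": "non-critical",
     "backups": [T0], "window_end": T0 + timedelta(days=3)},
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s["name"], assess(s) or "meets RPO and RTO")
```

A single skipped backup is enough to break the RPO of a critical system, and a backup that has never been restored in a drill says nothing about the RTO.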
The Difference Between Backup And Disaster Recovery
From the first definitions of Backup and Disaster Recovery and the more detailed analysis of their intrinsic meaning, it is evident that they are not at all to be considered synonyms; they are two very different approaches (methodological and technological) that respond to different needs.
Backup allows you to protect IT systems’ data and information and works granularly on single files, folders, and data. From a technical point of view, backups acquire and synchronize data by making a so-called point-in-time snapshot (PIT), i.e., a photograph/image of the condition of the information system at a given moment that can be used to bring the system back to that specific point following an accident. The system allows you to recover the data, files and folders of that specific PIT (it is evident that everything that happened after the PIT, in the absence of another subsequent Backup, is lost).
Disaster Recovery, on the other hand, is not designed to save data in such a granular way but to protect and safeguard the entire IT system (and any devices connected to it that use IT resources), so that blockages, downtime, malfunctions, accidents or disasters do not stop the operations of the company and cause irreparable damage.
It is therefore evident that, even if they are sides of the same coin, they must not be confused and, precisely because they are part of the same coin, the ideal is to have both a Backup system and a Disaster Recovery system in place.