Choosing a provider
So why choose an outside DR provider? IT departments turn to third-party service providers because they seek to express DR as a manageable or fixed cost. For example, off-site data replication involves acquiring a second physical location (along with the costs of utilities and physical security), equipping the location with storage and other infrastructure, maintaining or upgrading the second facility, and supporting added management or any troubleshooting overhead. All of those costs must be sustained for a facility that a company (ideally) never wants to use.
By renting the services of an outside provider, a business only pays for the services it needs, and never has to deal with problems like maintenance or technical obsolescence -- that's left to the service provider. Thus the many expenses and logistical challenges involved with remote sites are reduced to a fixed monthly bill which can easily be budgeted.
Speed is another important consideration. If you're just transporting tapes to an off-site vault, "speed" is largely a matter of tape retrieval. For example, it might take 24 hours to retrieve the latest set of backups from Iron Mountain, and once the tapes are in-hand, it may take another six hours or more to actually restore the bandwidth. A company needs enough WAN bandwidth to transfer the necessary volume of daily information to the off-site location, and the service provider must support at least that level of connectivity. For example, a typical broadband Internet connection offers about 600 Kbps (75 KBps). T1 and T3 connections are used for higher bandwidth connectivity.
Compatibility (interoperability) is generally not a serious concern when dealing with remote backups. For example, copying data to a hosted Iron Mountain backup location using software like LiveVault typically doesn't raise compatibility problems. However, true "remote replication" tasks that mirror data between locations can be very sensitive to differences in servers and storage platforms. Storage virtualization can often be employed to ease any differences between hardware. Don't forget about software compatibility. For example, if it's necessary to backup an open database, make sure that the provider can backup the open file without sequestering the database. Discuss your critical applications with the provider to determine compatibility.
Finally, a service provider should support security. Tape vaults should demonstrate strong physical security, preventing anyone other than a few authorized individuals from accessing tapes and other media (such as CDs or DVDs). For an added measure of security, tape data should be encrypted through backup software before releasing the media for vaulting. Remote backup users should consider encryption for data in transit and remote storage.
Evaluate external controls
So what happens when disaster strikes your service provider? Remember that your data is retained by a third-party, so any risk to their facilities is also a risk to your data. When evaluating an independent service provider to meet your disaster plans, it's important to assess the provider's disaster plans as well.
An unlocked warehouse with no air conditioning and water sprinklers is probably not an ideal environment for your long-term tape storage, so understand how the provider's facilities are protected against fire and theft. Restricted access, environmental controls, and media-friendly fire suppression systems are some key attributes to look for.
Remote backup and replication services are a bit more complicated. As you backup mission-critical data to the service provider, the provider must also plan for the unexpected. Providers will typically use remote replication technologies to protect themselves against disaster, but look for providers operating their own replication hot site(s) -- if their main site fails, a secondary site should be online to handle any restoration requests. A provider should never replicate or backup their customer's data to a location outside of their direct control.
Consider the legal implications of any outside service relationship. Identify the provider's obligations to you as a customer, establish a fallback plan if your data is inaccessible for any period of time, and understand any avenues of recourse for yourself and your customers if valuable data is lost or stolen.
The rebuild process
An IT staff should know how to retrieve tapes or restore remote data as a standard business operation, so testing is a crucial part of any independent service relationship -- it not only keeps the provider on their toes, but it also maintains your own disaster preparedness. The provider will generally provide all of the instructions (and training) needed to utilize their services.
The actual rebuild process can vary significantly between service providers, but the typical process starts by logging into the provider's service (or inserting the first backup tape), selecting the file, folder, server, volume, or backup name to restore, choosing the desired restoration target, and then initiating the restoration process. If the backup contains more than one version of a file, you can select the specific file date to restore. The actual restoration may take from several minutes to many hours depending on the amount of data loss being restored and the bandwidth available. Network-based restorations should proceed automatically, but large tape restorations may require multiple tape swaps to complete the process.