I promised to provide a blog with a methodology or series of steps that will help you establish a workable, testable and cost-effective data protection plan. This is that blog. The methodology I am about to outline is fairly general and will need to be customized for your organization.
Step 1: Preparation
Take time to understand the business prioritization and valuation of each application and its data. Determine the required recovery point objective (RPO) and recovery time objective (RTO) for each application. A good way to figure out an acceptable RPO and RTO is to calculate the cost of downtime. The formula for calculating this is:
Cost per application outage = (RPO + RTO) x (HR + LR) x Length of outage in hours:
- RPO = The amount of data that can be lost.
- RTO = The time it takes to be back in operation.
- HR = Lost worker productivity per hour of downtime or the cost/hr/non-productive worker.
- LR = Lost revenue per hour of downtime.
Adjust the RTO and RPO values to match the acceptable cost per application outage. This is that application's RPO and RTO.
Next, evaluate the regulatory and legal requirements for protecting the different types of organizational data. This may require consultation with the corporate legal council. These requirements may force you to adjust the RPO and RTO values by application. Calculate the amount of data (scalability) that will require data protection and project a range (high, low and most likely) of growth rates based on past trends. Once the RPO, RTO and growth values are determined for each application, planning can take place.
Step 2: Planning
Evaluate the different technologies and vendors that can meet the breadth of RPO, RTO and growth (scalability) values for three to five years. Include your current technology as well. Understand that there is no panacea. There is a high likelihood you will have to have some combination of technologies to meet all your needs.
Compare the total cost of ownership for each solution. Make sure to include the hardware implications of the software (e.g., if the software provides de-duplication, it will most likely require much less hardware than software that does not.) Also include maintenance, subscription, training and personnel costs.
Narrow down your choices as much as possible and bring the products in for evaluation. Make sure you have an objective weighted criteria matrix and test plan for the evaluation (see previous my blog on over-hyped storage terms.) Get performance, savings, pricing and all other promised costs from the vendors in writing. Make sure all promised savings are quantifiable. Try to test with a copy of production data.
Based on your weighted criteria matrix, make your selections.
Step 3: Execution
It may be cliché, however, it's still true. Plan your work and work your plan. Schedule how your data protection will be implemented with each application in order of priority. Test at every stage of implementation. Make sure everyone involved is aware of (in writing) his or her specific responsibilities and timetables. Once completely installed, move to step 4, test.
Step 4: Test
Testing is never fun and is usually quite time consuming; however, it is an absolute must. You must test a minimum of twice a year to make sure your data protection plan is working as you planned and is meeting your data protection objectives. What good is protecting the data if you can't recover it?
Step 5: Constant analysis and review
Evaluating how well the implemented data protection plan is meeting the current organizational needs allows you to modify the plan ongoing. This insures you are staying within organizational and regulatory compliance.
The end result should lead you to a cost-effective data protection plan. Remember that these steps are designed to be general guidelines and not the specific plan itself.
Comments? Let me know.
About the author: Marc Staimer is president and founder of Dragon Slayer Consulting in Beaverton, Oregon. He is widely known as one of the leading storage market analysts in the network storage and storage management industries. His consulting practice of six plus years provides consulting to the end-user and vendor communities.