From backup to business continuity: How to stay prepared

Stratégie de sauvegarde 3-2-1

From backup to business continuity: How to stay prepared

According to Gartner, an incident involving a service interruption costs an average of 4,595 euros per minute. When we look more closely at company sizes, the average cost of this type of incident is 45,130 euros for a small business and 74,670 euros for an SME*. In addition to the financial impact, a computer failure or disaster can temporarily or permanently harm your customers’ data. Such losses would be dramatic for your company's reputation.

 

    Context and market situation

    Preparedness - Response - Recovery - Mitigation

    Over the past 12 years, the use of replication technologies, multi-site datacentre architecture, public cloud storage and DRP implementation has increased significantly. However, only a portion of those surveyed (38%) by Forrester in 2019 say they are fully prepared for an incident**. And for the most part, large companies are better organised than small to medium-sized companies.

    There are several reasons why professionals plan to implement an DRP. The main reason is that 54% of respondents want to stay online 24 hours a day. This is a huge challenge, especially for e-commerce companies.

    It is important for organisations to improve the availability of their critical applications (for both themselves and their customers). Furthermore, the financial impact of downtime for services is also an important factor to keep in mind.

     

    To meet these needs, organisations should:

    • Perform regular and recoverable backups of their data.
    • Establish a realistic and effective DRP strategy for their business.

    Sauvegardes et réplication

    Il s’agit de la base de la protection de votre entreprise. Les sauvegardes vous permettent d’éviter la perte de vos données et de celles de vos clients. Elles constituent un socle solide pour relancer votre activité et sont utiles dans plusieurs situations. Parmi elles, une détérioration du disque dur, un piratage, une catastrophe naturelle ou même une erreur humaine.

    Qu’est-ce qu’une bonne sauvegarde ?
    Une sauvegarde efficace est une copie de vos données récupérable rapidement et facilement en cas d’incident.
    La restauration de ces backups est l’élément le plus important.

    Selon Veeam, notre partenaire, la stratégie de sauvegarde optimale est le principe du « 3, 2, 1 ».

    Cela signifie :

    • posséder trois copies de vos données ;
    • sur deux supports différents, pour éviter la perte, la corruption ou le piratage ;
    • dont l’une de ces copies est stockée sur un autre site (en cas de sinistre au siège de votre entreprise).

    Cette stratégie vous permet de vous prémunir contre une grande partie des pertes de données. Celles-ci peuvent en effet survenir dans plusieurs cas.

    Afin de mieux vous figurer cette stratégie de sauvegarde, prenons l’exemple de l’entreprise X. Il s’agit d’une PME qui vend en ligne un kit pour créer ses propres capsules de café. Elle produit donc des informations critiques qu’elle doit protéger, comme les données personnelles de ses clients. Pour cela, elle a choisi d’effectuer :

    • une sauvegarde de ses données à Paris, sur un serveur et un disque dur externe ;
    • une autre sauvegarde sur un serveur distant, situé à Lille.

    En cas d’incident sur le site de Paris, les informations pourront être retrouvées sur le serveur à Lille. Si, fait rare, les deux serveurs sont détruits, le disque dur externe permettra de restaurer les données sur un nouveau serveur. Cette solution limite ainsi les risques de perte des données centralisées sur un même site et sur un même support.

    Si vous disposez d’une architecture cloud, notre client YetiForce a mis en place un système de sauvegarde complet. Il permet une reprise rapide de votre activité en cas d’incident, en effectuant différentes copies de vos données sur des serveurs dédiés à cet usage. Ceux-ci sont situés dans un datacenter distant. Le système y effectue des sauvegardes hebdomadaires, quotidiennes et toutes les 30 minutes, en fonction du type de données à protéger.

     
    ForePaaS - réplication des données

    Un autre mécanisme de sauvegarde efficace est la réplication des données. Elle peut être effectuée en temps réel et permet de créer des copies dans différents datacenters. Ainsi, en cas d’incident dans un centre de données, les informations sont toujours actives dans les autres.

    Prenons l’exemple de notre client ForePasS :

    Les données de leur plateforme de cloud management sont répliquées en temps réel dans trois datacenters, dont un est situé sur un autre continent (Amérique du Nord). Ainsi, si l’un des sites venait à subir un incident majeur, l’entreprise peut récupérer ses données dans un autre. Ils pourront donc redémarrer leur activité sans délai.

    Un système de sauvegarde n’est cependant qu’un outil visant à vous protéger contre la perte de vos données. Même s’il constitue le socle de la continuité de votre activité, il reste important de prévoir les actions à mettre en place de façon anticipée. Ainsi, vous pourrez redémarrer vos services.

    Disaster Recovery Plan (DRP) strategy

    The DRP defines the business processes to be set up in order to get your business back up-and-running. Important indicators for defining DRP strategies are:

    RPO vs RTO
    • The RPO (recovery point objective). This term refers to the maximum allowable data loss rate. It is measured over a period of time, and is generally staggered as follows: no data loss, 1, 4 or 24 hours of data.
    • The RTO (recovery time objective). This refers to the maximum time that an application can remain down before it is restarted. The RTO is staggered in a manner similar to RPO: no delay, 1, 4 or 24 hours.

    These indicators must be pre-defined based on the criticality of the data affected by an incident. As an example, we can look at company X. It has three types of applications that require a different disaster recovery plan. First, a banking data application, which cannot afford downtime or data loss. Then its institutional site, which is essential but not critical. Finally, its application for booking meeting rooms, also non-critical. The company adapts a different DRP depending on the application.

    How to adapt your disaster recovery plan

    Critical application

    RPO & RTO=0

    Essential application

    RPO > 1 hour & RTO > 4 hours

    Non-critical application

    RPO > 24 hours & RTO > 24 hours

    RPO=0 RTO=0
    RPO>1h RTO >4h
    RPO>24h RTO>24h

    The company cannot function without these applications.

    It runs its application:

    • In 2 datacentres.
    • With spaces of several kilometres (+100km apart).
    • Data is synced between the two locations.
    • Backups are placed in a third datacentre.

    The company can function without these applications, but not for more than an hour.

     

    It runs its application:

    • In a primary datacentre.
    • The data is replicated in a second location, several kilometres apart (+100km).
    • Backups are located in a third datacentre.

     

    The company can function without this application for more than a day.

     

    It runs its application:

    • In a datacentre.
    • Data backups are located in a second datacentre.

     

    It will therefore use the backup data to restore the application to the second datacentre if the first is down.

     

    To help our customers set up their DRP, we offer partner solutions. For example, Partitio offers different models of disaster recovery plans to its users. They are based on solutions for manual backup and replication by Veeam, with automatic replication via Zerto.

    The DRP helps you minimise the impact of incidents on your business, and minimise data loss resulting from temporary service interruptions. However, some types of companies — such as banks or IT service providers — cannot afford downtime. They must be offered online services at all times. This involves building a resilient infrastructure to remain accessible, regardless of any issues.

    Our customer KBRW, who offers SaaS cloud-native solutions to retail and logistics companies, certifies that building resilient infrastructures is the goal for a company’s security. However, implementing and maintaining an effective disaster recovery plan is an ongoing process. The plan must be tested and updated regularly. Your IT solution portfolio and infrastructure are constantly changing. This will affect your security requirements.

    “[...] Resilience should be seen as a global approach within the company. It is by no means the sole responsibility of IT or security experts. From a company perspective, it’s important to build a culture of IT risk management — and this culture should be fostered from the lowest to the highest levels. Each employee should be aware of their role and responsibilities in this overall strategy. To successfully implement an IT resilience plan, it is essential to start with a realistic potential risk assessment. It must be conducted on a regular basis. We usually recommend running it every 6 months on all of the critical points in your system.”

    Arnaud Wetzel, co-founder and CTO of KBRW, and Ronan Garet, Site Reliability Engineer

     

    Your business continuity

    A disaster recovery plan enables you to react to an incident. Business continuity planning includes actions to be taken before, during and after this event. This is to maintain your services, and ensure that your business can carry on functioning in the best possible conditions.

    This planning is based on three factors:

    • Transparent communication about the possible crisis on the channels available to you, such as emails, social networks or the press. Keep your employees, customers and partners informed of the incident resolution progress, and let them know when it is complete.
    • Establishing an action plan for your employees in the event of an incident. They need to know what to do, and who to contact. Ensure that they are regularly updated on planning and security policy changes, for example.
    • A resilient IT infrastructure is the best way to keep your services online under all circumstances. This will avoid any losses or costs associated with service interruptions.

     

    Plan de reprise d’activité vs la continuité de votre activité

    Business continuity is the goal. Planning procedures to follow will help you deal with most situations that impact your business. Our partners, such as Thales and Capgemini, can provide you with consulting services to help you set up a DRP or business continuity plan.

    “[...] the first step to take involves properly identifying your resilience needs, depending on the hosted service. Each service’s level of criticality must be defined, along with the risk involved in the event of an availability issue. Once we have completed this assessment, we enter the design phase of the architecture, looking all the elements identified during the assessment phase. [...] We can identify three different infrastructure plans that the customer needs to work on to ensure resilience:

    • Resilience of the production infrastructure.
    • Backup implementation.
    • DRP implementation.

    These solutions must of course be secure, to ensure that all customer data is kept under lock and key.”

    Jean-Charles Ferrand, Managing Director of Partitio

     

     

    *According to a study conducted by software publisher CA technologies.

    **Source: The State Of Disaster Recovery Preparedness In 2020, Forrester Research, Inc., 24 August, 2020.