Symantec 2010 Disaster Recovery Study
-
Upload
symantec -
Category
Technology
-
view
4.934 -
download
3
description
Transcript of Symantec 2010 Disaster Recovery Study
2010 Symantec Disaster Recovery Study
Global Results
Methodology
• Applied Research performed survey
• 1,700 enterprises worldwide
• 5,000 employees or more
• Cross-industry
2
Key Findings
• Virtualization and Cloud Make DR Complex
• The Downtime Recovery Gap
• Impact of Disaster Recovery Testing
• Recommendations
3
4
Virtualization and Cloud Make DR Complex
Virtual Environments Protected Properly?
• 56% of data on virtual systems is regularly backed up
• Only 20% of virtual environments protected by replication or failover technologies
5
Lack of Tools, Decrease of Virtual Protection
• 58% report different tools for virtual and physical environments is a challenge
• Virtualization led 84% to reevaluate DR plans in 2010
• 60% of virtualized environments not covered in DR plans
6
Storage and Resource Constraints an Issue
• 59% identified resource constraints (people, budget, and space) as the top challenge when backing up virtual machines
• 57% state that the lack of primary and 60% state that lack of backup storage hampers protecting mission critical data
7
Cloud Causes Security and Control Issues
• Organizations put 50% of applications in the cloud
• 66% say security is main concern of cloud
• 55% say control is biggest challenge of cloud
8
9
The Downtime Recovery Gap
Downtime Recovery Gap
• Expectation of downtime for outage = 2 hours
• Actual downtime in last 12 months = 5 hours
• Median of 4 incidents in past 12 months
10
Major Causes of Downtime
• 72% experience downtime from system upgrades (50.9 hours)
• 70% experience downtime from power outages and failures (11.3 hours)
• 26% conducted a power outage and failure impact assessment
• 63% experience cyber attacks (52.7 hours)
11
12
Impact of Disaster Recovery Testing
Improvement In Testing Frequency and Success
• 82% test more frequently than once a year
• Significant increase from 66% who reported same in 2009
• 40% of tests fail to meet RTO/RPOs
13
Reasons for not testing
• Budget (60%)
• Disruption to employees (59%)
• Disruption to customers, sales & revenue stream (24%)
• Lack of people’s time (26%)
• Cost of testing: $606,948
14
15
Symantec Recommendations
Recommendations
• Ensure that mission-critical data and applications are treated the same across environments (virtual, cloud, physical) in terms of DR assessments and planning
• Use integrated tool sets for managing physical, virtual and cloud environments to save time, training costs and help better automate processes.
• Embrace low-impact backup methods and deduplication to ensure that mission-critical data in virtual environments is backed up, efficiently replicated off campus
• Prioritize planning activities and tools that automate and perform processes which minimize downtime during system upgrades
• Implement solutions that detect issues, reduce downtime and recover faster to be more in line with expectations
• Don’t cut corners on basic technologies and processes that protect in case of an outage
17
AppendixAll questions included
Demographics
Company titles
24%
43%
7%
17%
7%
2%
0% 10% 20% 30% 40% 50%
Chief Information Officer (CIO) / Chief Technology Officer (CTO)
VP / SVP
Data Center Maanger or Data Center Director
IT Manager
IT Staff
Other (Please specify)
D: What is your title?
Industries
10%
10%
10%
9%
8%
7%
7%
7%
7%
4%
4%
3%
3%
3%
3%
2%
2%
1%
0% 5% 10% 15% 20% 25%
Financial
Manufacturing
Technology
Telecommunications
Healthcare
Automotive
Consumer
Insurance
Retail
Education
Energy
Media
Online
Public sector
Transportation
Real estate
Other (Please specify)
Hospitality
E: What is your market?
Data Center Questions
Downtime
72%
70%
69%
64%
63%
63%
63%
48%
47%
46%
46%
45%
44%
42%
42%
1%
0% 20% 40% 60% 80% 100%
System upgrades
Power outage / failure / issues
Fire
Configuration change management issues
Cyber attacks
Malicious employee behavior
Data leakage or loss
Flood
Hurricane
Earthquake
Tornado
Terrorism
Tsunami
Volcano
War
Other (Please specify)
Q1: How many of each of the following has caused your organization to experience downtime in the past five years?
(Mark all that apply.)
Downtime
52.7
50.9
15.1
15.0
11.3
10.4
9.6
9.3
9.1
8.3
7.8
7.4
7.2
6.9
6.9
1.6
0.0 10.0 20.0 30.0 40.0 50.0 60.0
Cyber attacks
System upgrades
Configuration change management issues
Fire
Power outage / failure / issues
Malicious employee behavior
Terrorism
Earthquake
Data leakage or loss
Flood
Hurricane
Tornado
War
Volcano
Tsunami
Other (Please specify)
Q2: How many hours of downtime has your organization experienced in the past 12 months for each of the following?
(Means shown)
Downtime
48%
13%
8%
6%
4%
4%
4%
2%
2%
2%
2%
2%
1%
1%
1%
1%
0% 10% 20% 30% 40% 50%
System upgrades
Cyber attacks
Power outage / failure / issues
Fire
Flood
Configuration change management issues
Data leakage or loss
Earthquake
Malicious employee behavior
Tsunami
Volcano
Terrorism
Hurricane
Tornado
War
Other (Please specify)
Q3: As measured by hours of downtime, what is your number one cause of downtime?
Threat assessments
69%
67%
48%
48%
44%
26%
26%
25%
24%
23%
16%
6%
6%
5%
4%
1%
0% 20% 40% 60% 80% 100%
Cyber attacks
System upgrades
Earthquake
Terrorism
Hurricane
Power outage / failure / issues
Data leakage or loss
Configuration change management issues
Fire
Malicious employee behavior
Flood
Tsunami
Tornado
Volcano
War
Other (Please specify)
Q4: Which of the following threats has your organization conducted an impact assessment?
DR responsibility
61%
12%
9%
6%
4%
3%
2%
1%
1%
0%
0%
0% 20% 40% 60% 80% 100%
Chief Information Officer (CIO) / Chief Technology Officer (CTO)
IT Manager
Disaster Recovery Manager (DRM)
Data Center Manager or Data Center Director
VP / SVP
Business Continuity Manager (BCM)
IT Staff
External consultant / outsourcer
None - we do not have a disaster recovery committee
Other (Please specify)
Don't know
Q5: Which person in your organization has the ultimate responsibility for managing the disaster recovery plan?
DR committees
65%
56%
32%
25%
25%
21%
18%
15%
11%
8%
8%
7%
1%
1%
1%
0% 20% 40% 60% 80% 100%
Disaster Recovery Manager (DRM)
Systems / infrastructure manager
Chief Information Officer (CIO) / Chief Technology Officer (CTO) / IT Director
Chief Executive Officer (CEO)
Chief Security Officer (CSO)
Divisional / Departmental IT manager
Chief Financial Officer (CFO)
Business Continuity Manager (BCM)
Line of business executives / managers
Other directors
External consultant
Non-IT senior managers
None - we do not have a disaster recovery committee
Other (Please specify)
Don't know
Q6: Which of the following people are on your organization's disaster recovery committee?
(Mark all that apply.)
DR plans
55%
50%
40%
23%
18%
16%
11%
0% 20% 40% 60% 80% 100%
HP-UX
AIX
Windows
Solaris
RedHat
VMware
SUSE Linux
Q9: What of the following are covered by your DR plan?(Mark all that apply.)
Replication
Yes92%
No8%
Q10a: Do you replicate critical applications between data centers?
Replication
69%
68%
65%
34%
0%
0% 20% 40% 60% 80% 100%
Database-based replication
Application-based replication
Array-based replication
Host-based replication
Other (please specify)
Q10b: What replication technologies are used?(Only asked of those who replicate critical applications between data centers)
(Mark all that apply.)
Replication challenges
55%
25%
17%
3%
0% 20% 40% 60% 80% 100%
Complexity of replication solutions
Cost
Limited WAN bandwidth (too much data)
Hardware lock-in
Q11: What is your primary challenge with storage array-based replication?
Disaster impact
4% 5% 5% 5% 5% 6% 6% 7% 6%12%6% 7% 7% 8% 9% 7% 10% 11% 10%
10%
29%32% 32% 33% 32% 34%
32%32% 34%
31%
41%42% 44% 41% 39% 42% 37% 36% 40% 37%
19%14% 11% 13% 14% 11% 15% 14% 10% 10%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Data loss Cost of downtime
Reduction in profits
Reduction in revenue
Damage to competitive
standing in the marketplace
Configuration drift issues
Damage to brand
reputation
Damage to customer
loyalty
Damage to supplier
relationships
Decreased employee
productivity
Q13: How would you rate the potential impact that could results from a disaster your organization is concerned about?
1 - Absolutely no impact 2 - Low impact 3 - Neutral 4 - Somewhat high impact 5 - Extremely high impact
Downtime costs
$62,063
$55,324
$47,769
$42,265
$41,117
$39,590
$24,571
$21,748
$18,409
$10,523
$0 $10,000 $20,000 $30,000 $40,000 $50,000 $60,000 $70,000
Web servers
Custom line of business applications
Databases
ERPs / CRMs
Web commerce applications
Application servers
Messaging applications
Collaboration software
Other (Please specify)
Q14: What would you estimate is the cost of an hour of downtime for each of the following in your organization?
(Means shown)
Outages
Q15: How many outages did you have in the past 12 months?
Mean 13.8
Downtime
Q16: In your estimation, how long was the average time of downtime per incident in hours?
Mean 20.4
Disaster recovery budget
Q17: What is your annual disaster recovery budget?
Mean $964,599
Disaster recovery budget
31% 31%
67%
26%
3%
43%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Over the past 12 months In the next 12 months
Q18: In your opinion, which of the following best describes your disaster recovery budget?
1 - Increasing 2 - Staying the same 3 - Decreasing
Recession impact
12%
23%
17%
46%
2%
0% 10% 20% 30% 40% 50%
Extremely negative impact
Some negative impact
No impact whatsoever
Some positive impact
Extremely positive impact
Q19: How has the global recession impacted the resources available for your disaster recovery planning?
Annual IT budget
Q20: What is your total annual IT budget?
Mean $13,573,258
IT budget allocation
Q21: What percentage of your IT budget is allocated towards disaster recovery initiatives including backup, recovery, clustering, archiving, spare servers, replication, tape, services, DR plan development and offsite costs, etc.?
Median 26%
DR site status
72%
63%
17%
3%
0% 20% 40% 60% 80% 100%
It is hot standby
It is managed by an outside vendor
It is cold standby
We don't have a disaster recovery site
Q23: What is the status of your disaster recovery site?(Mark all that apply.)
Failover / recoveries
31%
29%
22%
18%
0% 10% 20% 30% 40% 50%
Same-site failover / recovery
Cloud failover / recovery
Campus failover / recovery
Global failover / recovery
Q24: What percentage of your failover / recoveries you perform is each of the following types?
(Means shown)
Recovery time
2.1
2.22.2
2.4
1.8
1.9
2.0
2.1
2.2
2.3
2.4
2.5
Skeleton operations Mostly back up and running 100 percent up and running Operations would be able to continue as normal despite the disaster
Q25: If a significant disaster were to occur at your organization that destroyed the main data center, how soon would the organization be
able to do each of the following?(In hours)
(Means shown)
Recovery objectives
Q26: for the Tier 1 applications in your disaster recovery plan, what are your recovery time objectives? What are your recovery point objectives? (Medians shown)
Recovery Time Objectives 4
Recovery Point Objectives 5
Recovery objectives
Q27: For virtualized applications in your disaster recovery plan, what are your recovery time objectives? What are your recovery point objectives? (Medians shown)
Recovery Time Objectives 4.0
Recovery Point Objectives 5.0
Reevaluation
14%
16%
52%
10%
4%
1%
1%
1%
1%
0% 20% 40% 60% 80% 100%
Monthly
Quarterly
Every 6 months
Once a year
Every 1 - 2 years
Every 2 - 3 years
Less frequently than every 3 years
On an ad-hoc basis
Never
Q28: How often do you reevaluate your TO / RPO requirements or change them for new applications?
Full scenario testing
16%
15%
51%
11%
3%
1%
1%
1%
1%
0% 20% 40% 60% 80% 100%
Monthly
Quarterly
Every 6 months
Once a year
Every 1 - 2 years
Every 2 - 3 years
Less frequently than every 3 years
On an ad-hoc basis
Never
Q29: How frequently does your organization carry out full scenario testing of its disaster recovery plan, involving relevant people,
processes, and technologies?
DR testing cost
Q30: How much did you spend in the past year on DR testing?
Mean $606,948
DR testing cost
Q31: What was the cost of testing your disaster recovery plans in the past year?
Mean $769,686
Successful tests
Q32: What percentage of disaster recovery tests successfully recovered critical data and applications within RTOs / RPOs?
Median 70%
Recovery barriers
3
3
3
3
3
2
0
0 1 2 3 4
Insufficient IT infrastructure at the DR site
Configuration issues
Discovery that the plan has become out of date
People do not do as they are supposed to
Processes turn out to be inappropriate
Technology does not do what it is supposed to
Other (Please specify)
Q33: How many times did each of the following challenges prevent you from recovery within the RPOs / RTOs?
(Medians shown)
Testing barriers
60%
59%
26%
16%
15%
14%
13%
4%
3%
0%
0% 20% 40% 60% 80% 100%
Resources, in terms of budget
Disruption to employees
Resources, in terms of people's time
Disruption to customers
Lack the technology to run the test
Disruption to sales and the revenue stream
Other IT projects taking a higher priority
Not seen as a priority by top management
None
Other (Please specify)
Q34: Which of the following do you consider to be barriers to running a full scenario test on your disaster recovery plan?
(Mark all that apply.)
Deduplication
20%
19%
10%
48%
1%
1%
0% 10% 20% 30% 40% 50%
Considering / planning, but have not yet purchased capabilities
Purchased capabilities, but have not yet implemented
Implemented, but have not been able to see ROI
Implemented, able to demonstrate ROI
Implemented, fell short of ROI
Implemented, but too soon to demonstrate ROI
Q35: How far along are you in implementing deduplication?
Deduplication
Q36: How much budget would you estimate you save / would save by implementing deduplication?
Mean $893,405
Deduplication
Q37: How much storage space, in terms of gigabytes, would you estimate you save / would save by implementing deduplication?
Mean 45,735 GB
Appliance form vs. Software model
Appliance with software44%
Software delivery model56%
Q38: Do you prefer an appliance form factor with software for deduplication or a software delivery model built into existing backup
software that lets you use commodity hardware?
Reevaluating
Yes85%
No16%
Q39: Has implementing server virtualization caused you to reevaluate your disaster recovery plan?
Virtual servers
Q40: What percentage of virtual servers is covered in your disaster recovery plan?
Median 40%
Virtual applications
26%
25%
25%
23%
23%
22%
0%
0% 10% 20% 30% 40% 50%
Databases
Application servers
Web servers
Messaging applications
ERPs / CRMs
Custom line of business applications
Other (Please specify)
Q41: What percentage of the following applications are being put into virtual environments at present?
(Medians shown)
Virtual applications
26%
25%
25%
24%
22%
22%
0%
0% 10% 20% 30% 40% 50%
Databases
Application servers
Web servers
ERPs / CRMs
Custom line of business applications
Messaging applications
Other (Please specify)
Q42: What percentage of each of the following applications will be put into virtual environments 12 months from now?
(Medians shown)
Virtual servers
30%
30%
30%
30%
0% 10% 20% 30% 40% 50%
Application test environment
Patch testing environment
Application development environment
Production environment
Q43: What percentage of the servers in your data centers are being virtualized in each of the following?
(Medians shown)
Backing up virtual environments
50%
30%
30%
24%
0% 20% 40% 60% 80% 100%
We utilize off-host technology (e.g., VMware VCB / v-Storage API) for "client-less" backups of VMs
Like a physical machine - standard Client (non deduplication) inside each virtual machine
Like a physical machine - except with deduplication client inside each virtual machine
Not backing up virtual machines
Q44: How do you back up virtual environments?(Medians shown)
Virtualization
60%
60%
53%
29%
25%
13%
10%
8%
2%
0% 20% 40% 60% 80% 100%
Performance
Manpower / human resources
Application vendor support issues
Cost
Skills
Storage inefficiencies / storage costs too high
Inability to meet service levels / availability requirements of the business
Ability to recover and manage virtual environments
Haven't though much about it
Q45: What are the main reasons you have not virtualized more applications?
(Mark all that apply.)
Virtual server testing
9%
50%
14%
13%
7%
5%
2%
2%
0% 20% 40% 60% 80% 100%
Daily
Weekly
Monthly
Quarterly
Semi-annually
Yearly
Less than once a year
Never
Q46: How often do you test virtual servers as part of your disaster recovery plan?
Challenges
60%
57%
55%
39%
37%
19%
15%
7%
1%
0% 20% 40% 60% 80% 100%
Lack of available backup storage capacity
Lack of primary storage capacity
Lack of automated recovery
Insufficient backup tools
Lack of enterprise high availability
Lack of enterprise storage management
Different tools for physical and virtual environments
Lack of scalability
Other (Please specify)
Q47: What challenges have you faced in protecting mission critical data and applications in virtual environments?
(Mark all that apply.)
Challenges
38% 35%30%
35%30%
49%
20% 16%
38%
28%30%
30%29%
30%
21%
23% 30%
44%
34% 36%40%
36%40%
30%
58% 54%
19%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Lack of available backup storage
capacity
Lack of primary storage capacity
Lack of automated
recovery
Insufficient backup tools
Lack of enterprise high
availability
Lack of enterprise
storage management
Different tools for physical and
virtual environments
Lack of scalability
Other (Please specify)
Q48: How much of a challenge do each of the following present in protecting mission critical data and applications in virtual
environments?
1 - Small Challenge 2 - Neutral 3 - Large Challenge
Virtual applications
25%
23%
22%
21%
20%
20%
20%
20%
0% 10% 20% 30% 40% 50%
Disk backup
Continuous data protection
Tape backup
Online / cloud storage (ie online)
Optical removable media (CDs, DVDs, Blu-ray, etc.)
Data replication
High availability failover
Global or wide area failover
Q49: What percentage of your organization's data and mission critical applications in virtual environments are protected by each of the
following?(Medians shown)
Data backup
Q50: What percentage of the data on your virtual systems isregularly backed up?
Median 56%
Virtual backup
18%
54%
12%
9%
4%
2%
0%
1%
0% 20% 40% 60% 80% 100%
Daily
Weekly
Monthly
Quarterly
Semi-annually
Yearly
Less than once a year
Never
Q51: How often do you back up the data on your virtual systems?
Virtual backup challenges
59%
16%
16%
5%
4%
0% 20% 40% 60% 80% 100%
Resource constraints (people, budgets, and space)
Application-consistent backups
Lack of efficient technology / hardware / software
Lack of efficient restore options
Too much time required
Q52: What is the top challenge with backing up virtual machines as opposed to physical ones?
Email recovery
34%
26%
16%
14%
5%
4%
1%
0% 10% 20% 30% 40% 50%
Continuous data protection
Email as a service
Global failover
Local failover
Regular backup
Cloud-based hosting
Protecting data with snapshots
Q53: In terms of email or Exchange, which of the following is your primary disaster recovery strategy?
Multi-tiered services
62%
57%
25%
18%
14%
9%
2%
0% 20% 40% 60% 80% 100%
Failure to protect all components of the IT service
Lack of coordination between application and data recovery solutions
Having inconsisten levels of protection for different components of the IT service
Lack of understanding application dependencies
Using manual recovery of the application, which is slow and increases the risk of error
Cross-functional teamwork and communication is lacking
Other (Please specify)
Q54: What challenges does your organization have with managing high availability and disaster recovery for multi-tiered IT services?
(Mark all that apply.)
Multi-tiered services
Q55: How many hours does it take to recover your multi-tiered services?
Mean 22.8
Cloud storage
61%
23%
7%
8%
0% 20% 40% 60% 80% 100%
Considering / planning, but have not yet purchased capabilities
Purchased capabilities, but have not yet implemented
Not considering
Already implemented
Q56: How far along are you in implementing cloud storage?
Cloud storage
14%
65%
11%
9%
0% 20% 40% 60% 80% 100%
Have not been able to see ROI
Are able to demonstrate ROI
Fell short of ROI
Too soon to demonstrate
Q57: Have you been able to measure an ROI for cloud storage?
Cloud computing
57%
17%
11%
6%
6%
4%
0% 20% 40% 60% 80% 100%
Software as a service
Backup to the cloud
Failover to the cloud
Not using cloud computing
Recovery from the cloud
Deploying cloud applications
Q58: How are you using cloud computing initiatives to help with your data center's disaster recovery plan?
Cloud computing impact
16%
67%
13%
4%
0%
0% 20% 40% 60% 80% 100%
Extremely easier
Easier
No change
More difficult
Extremely difficult
Q59: What has been the impact of cloud computing to your disaster recovery plan?
Cloud computing challenges
55%
14%
14%
12%
4%
1%
0% 20% 40% 60% 80% 100%
Control failovers / make resources highly available
Control of management of resources
Ability to backup
Security
Expertise
Other (Please specify)
Q60: What are the biggest disaster recovery challenges you face when considering implementing cloud computing / cloud storage?
Cloud computing policies
Yes85%
No15%
Q61: Do you have written guidelines or policies in place for approving cloud applications that use business sensitive or confidential
information?
Cloud computing
55%
25%
14%
5%
1%
0% 20% 40% 60% 80% 100%
CEO
CIO / CTO
IT managers
Employee end users / business managers
Employees who implement their own
Q62: Who drives cloud computing initiatives?
Cloud computing
50% 50%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Mission-critical applications Non-mission critical applications
Q63: What percentages of the following types of applications are you putting into the cloud?
(Medians shown)
Cloud computing concerns
66%
14%
12%
6%
3%
0% 20% 40% 60% 80% 100%
Security
Accessibility
Control
Management
Backup
Q64: What is the biggest concern with putting mission-critical applications in the cloud?