By Mike Talon
In a previous column, I discussed the importance of determining an acceptable recovery time objective (RTO), the amount of time you have to bring a system back online before it significantly impacts business ("Determine an acceptable recovery time objective"). But RTOs aren't the only metrics that are essential to effective disaster recovery planning.
Along with deciding your organization's RTOs, you must also determine acceptable recovery point objectives (RPOs), the measurement of how much data the organization can conceivably lose during an emergency before it meaningfully affects business.
The concept of RPO isn't new; protecting data is what DR planning is all about. However, many corporate executives—and even some technical staff—have no idea what their current RPOs are or what they should be to protect the organization.
In general, base your organization's RPO simply on how much data the company can afford to lose. Companies typically express this metric in terms of hours of data.
For example, many tape-based DR systems have an RPO of at least 24 hours. While it's possible to lose less data than that, the worst-case scenario is a daily backup that someone didn't perform in time.
So if you suffer a disaster at the end of the day, and you haven't yet completed the tape run (which is unfortunately not an uncommon occurrence), you'll lose one business day's worth of data.
It's vital that organizations determine exactly how much data they can afford to lose in a disaster. How an organization determines this number is a combination of art and science, in much the same way as deciding RTO numbers.
First, go to users of the data systems in question and the management of these areas, and ask how much data they can afford to lose in the event of a disaster. As I mentioned last week, the answer you receive will almost always be unrealistic; typical responses will more than likely be "zero data loss."
While it's possible to achieve this RPO, the enormous infrastructure, bandwidth, and software costs incurred will make it cost-prohibitive in all but the most extreme cases of highly expensive data. If "zero data loss" is indeed necessary, take heart—there are several choices for DR planning available, but keep in mind that most require large-scale, hardware-based replication systems over dark-fiber connections.
If you can negotiate a more flexible RPO, there are several available options at different price points. Software-based replication systems, hardware-based mirroring, Business Continuance Volume (BCV) and other snapshot tools, and a myriad of tape-based systems enter the mix.
You can mix and match these types of systems to create a solution that can meet RPOs that range from a few minutes to several hours. You can also apply many to individual data systems, acquiring the ability to handle different systems with different RPO estimates.
In addition, you can combine many of these systems (even hardware-based replication tools) with tape-based and other point-in-time copy systems to create multiple DR levels for each system. For example, if a virus destroys your real-time replication copies, the point-in-time copies restored from tape may not meet the RPO, but they'll at least allow you to recover as much data as possible.
RPO numbers are one of the more difficult metrics to properly define and quantify. However, your RPO estimates will determine the types of DR solutions your organization can use—and how much money your DR solution will end up costing.
Mike Talon is an IT consultant and freelance journalist who has worked for both traditional businesses and dot-com startups.