Reducing Risk in Your Data Protection Environment with EMC Data Protection Advisor

Transcription

1 Reducing Risk in Your Data Protection Environment with EMC Data Protection Advisor Applied Technology Abstract EMC Data Protection Advisor provides a comprehensive set of features to improve compliance with business and regulatory requirements for protection and retention of data, while reducing the risk of data loss. This white paper outlines how Data Protection Advisor helps avoid the costs associated with lost data, both from legal and governmental fines and reduced customer satisfaction. July 2009

2 Copyright 2009 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com All other trademarks used herein are the property of their respective owners. Part Number h6446 Applied Technology 2

3 Table of Contents Executive summary...4 Introduction...4 Audience... 4 Overview...4 Industry statistics...5 Centralize monitoring and control across domains... 6 Improving IT efficiency... 8 Trusted independent verification...11 Example of regulations...12 Sarbanes-Oxley Conclusion...13 References...13 Applied Technology 3

4 Executive summary Compliance with business and government data protection requirements is not a revenue-generating activity. However, the converse (non-compliance) can be costly and have a negative impact on the business. Data is central to all businesses, and protecting this data is very important. The inability to recover company data after a critical failure at a primary site can put an entire company at risk, with catastrophic consequences for employees, shareholders, and customers alike. As a result, almost every company today is subject to one or more sets of data protection regulations, be they industry, government, or internal requirements. It is not only important for backups to meet stated Service Level Agreements (SLAs) on a daily basis but for companies to be able to prove compliance when audited. Failure to do so can lead to fines and in the worst case, irrecoverable data that can put a company at risk. Requirements such as HIPAA, Sarbanes-Oxley, FDA, and SEC regulations can impact already overloaded IT budgets. EMC Data Protection Advisor is a proven solution that compares established policies with the enforcement of those policies. Data Protection Advisor alerts when gaps in protection are found, so that you can make corrections, get back on track, and in many cases avoid problems before they arise. Data Protection Advisor can also accelerate the time required to satisfy audits, thereby reducing the time needed to get back to business. Introduction This white paper gives an overview of EMC Data Protection Advisor and provides an outline of how Data Protection Advisor helps avoid the costs associated with lost data, both from legal and governmental fines and reduced customer satisfaction. Audience This white paper is aimed at mid- to high-level management responsible for storage technology costs, IT operations, legal counsel, and CIO level management. Overview The primary requirement for compliance management is an audit trail of all data protection activities that take place. The information on these activities must be retained and made available for inspection if required, with the ability to obtain data for a specific subset of protected systems over a given time period. Complying with SLAs and regulations is a drain on IT resources, first to protect the data as specified and then to report back to the business and regulators on how well the requirements were met. Regulations such as Sarbanes-Oxley (SOX) direct companies to define their own best practice and then adhere to that best practice. There are thousands of regulations that companies may be subject to beyond SOX. To improve attainment of SLA goals, IT follows a cyclical process of finding issues, fixing them, reporting back, and looking for the next protection gap. Reporting back to the business and auditors is a continuously changing requirement. As the environment grows, companies are acquired, new regulations are imposed and new technologies are adopted; many companies adopt third-party reporting solutions as a way of eliminating scripting. Third-party solutions also have the benefit of being unbiased, something that is critical when responding to audits. The business and auditors can request information on all aspects of the Data Protection Management process, such as success rates, data retention, unprotected data or clients, missed backups, and where data is retained (what tape in which location). The variations of each request are endless. Lastly, the need for compliance is continuous and must be sustained over time. Applied Technology 4

5 To minimize the impact on an environment, a Data Protection Management solution must meet several criteria: Provide heterogeneous support for data protection solutions and the surrounding infrastructure Improve IT operations, and the resources used to manage and report on achievement of service levels Maintain an unbiased record of events for reporting to the business and auditors, including changes to the policies and retention of data The end goal for this process of establishing, maintaining, and reporting is to ensure that data is protected and recoverable. Industry statistics As IT struggles to maintain compliance, the amount of data produced is growing at 60 percent CAGR, and the percentage of data that has intense protection requirements will increase by 50 percent. Some industry statistics relating to data protection activities are as follows: Over 40 percent of all companies that experience a disaster never reopen, and more than 25 percent of those that do reopen close within two years. 1 After a major disaster, an average company will lose at least 25 percent of the daily revenue in the first six days, while over 40 percent will be lost if a disaster lasts up to 24 days percent of companies that suffer a significant data loss are out of business within five years. 1 In a recent court case a service provider was fined $900,000 for failure to back up 27 GB of data, after a system upgrade lost the original 27 GB of data. 2 In another case, a European service provider was fined $3 million for failure to protect data. The percentage of data that will be Security, Compliance, and Preservation Intense will grow sharply between 2008 and 2012: Compliance Intense will grow from 25 percent to 35 percent. Preservation Intense will grow from 22 percent to 38 percent. Security Intense will grow from 33 percent to 45 percent. 3 During the economic downturn, companies will focus on consolidating IT, helping the company achieve regulatory compliance and securing the company s sensitive data 4 Risk to your data can come from current protection practices, as well as growth of data and an increase in the percentage of data requiring increased protection. Loss of data can lead to severe fines or even failure of a business. During the economic slowdown, many companies are focusing on improving data protection and compliance. To get an idea of the level of effort required, let us do a quick calculation: Assume 1,000 hosts, averaging three backups per day, and a 90 percent success rate. This results in 300 failed backups per day. Use an average of 15 minutes to resolve a failure and record your actions: 300 failures * 15 min each = 75 hours per day, or roughly 10 people full time Clearly this is not achievable, so something has to give. This strongly suggests the need for automation to reduce workload, highlight critical failures, improve success rates, and catch developing issues before they become a fire drill. 1 IBM, Disaster Recovery Journal, Global Disaster Recovery Preparedness Online Survey, October 2007; Forrester Research, What Your Business Can Learn about Disaster Recovery from Financial Institutions, June Information Week, IBM Fined $900,000 for Failing to Backup, October IDC Digital Universe white paper, sponsored by EMC, May Forrester Consulting, 2009 Data Protection Budgets, Priorities, and Technology Adoption, February 2009 Applied Technology 5

6 Centralize monitoring and control across domains Why centralize monitoring and control through a Data Protection Management (DPM) solution? As companies grow and expand they acquire new data protection technologies, open new locations, and get into areas with new regulations. This growth results in a conglomeration of products and policies, scripts, and reporting mechanisms. Even in an environment with a single solution, it is not easy to get all the data required. To meet this need, many environments write scripts to extract data for each purpose, backup solution, location, or business unit. This provides an incomplete picture, is tough to maintain, and rarely helps move the business forward. Having a solution that collects data from across all locations, all backup solutions including the supporting infrastructure, and clients creates a central repository and console to monitor, alert, and report on all aspects of your data protection environment. Broad heterogeneous support is critical; otherwise you end up with multiple products and increased effort. Products in this space are known as DPM products. EMC Data Protection Advisor is a DPM solution that supports all major backup applications, as well as collection from SAN/LAN, disk/tape, clients, switches and more; providing status, configuration, and performance data. This approach improves visibility and allows a holistic, yet granular view across locations and data protection topologies. Consider this example: A business has locations in London, Boston, and Sydney with finance in each location, utilizing different backup products for each site. Data Protection Advisor could seamlessly run a report against all three locations combining TSM, NBU, and NW into a single report for financial reports. Then in a matter of a couple clicks, the business could broaden the same report to the entire data center in each location. Figure 1 summarizes the backup and restore activities across five backup applications for the last week. Figure 1. Summary of the backup and restore activities across five backup applications Figure 2 shows those clients that have failed three times in the last week. Figure 3 shows the number of clients with one, two, or three failures in the last week. Applied Technology 6

7 Figure 2. Clients that have failed three times in the last week Figure 3. Number of clients with one, two, or three failures in the last week Figure 4 summarizes configuration change activity for the Amazon backup server for the last week, showing what was changed and when. Applied Technology 7

8 Figure 4. Configuration change activity for the Amazon backup server for the last week Improving IT efficiency The drain on IT resources relating to achieving service levels for data protection falls into two main categories: First, the ability to actually achieve a successful backup of the information, and second, the ability to record and report on achievement. Successful backups are critical to the recoverability of data and systems enabling the business to run. A successful backup is one that enables a system or application to be recovered. Policy failures occur when backup operations complete without errors, but do not enable recovery of the company s data. Making this more challenging is differentiating the critical systems from those that are less than critical. Unsuccessful data protection strategies treat each failure individually, resulting in repeated failures and high levels of business exposure. Basic backup failure information must be augmented with business- and application-specific SLAs to ensure that critical failures are given precedence over those that do not directly affect the business. Applied Technology 8

9 Almost as important as understanding the criticality of a system is the ability to resolve problems quickly. It is the heterogeneous support for hardware and software in Data Protection Advisor that gives operations access to the needed information quickly to determine which component is the bottleneck or point of failure. Combining fast problem resolution, with a focus on critical systems failures, ensures that operations treat systems appropriately. By quickly resolving issues on key systems first, Data Protection Advisor accelerates achievement of service levels. The second challenge is reporting on how well IT is performing against its data protection goals. Reporting is a daily activity, and so are changes to the number and types of reports requested. Relying on scripts to generate reports for each backup solution or location puts a heavy manual burden on each environment. More complex requests like how long is data retained, where is data located, when was the last successful backup, and so on will drive more scripts creation. When auditors are involved, the number and type of reports can be dramatically higher. EMC Data Protection Advisor directly addresses reporting on the achievement of the stated goals. Data Protection Advisor can very quickly generate reports that capture the entire environment or focus on a specific subset of systems and data. Having comprehensive reporting that is extremely flexible eliminates the need for scripts and the associated writing and rewriting. Having simple, flexible, comprehensive reporting accelerates the completion of audits by enabling you to answer requests in minutes. Consider another example: A service provider that uses Data Protection Advisor to manage its environment gets audited regularly to satisfy contractual requirements. Audits typically took about two weeks to complete, with activities such as writing reports, digging through logs, and explaining why failures happened and how they were resolved. After deploying Data Protection Advisor, an audit now takes 1 2 hours instead of hours previously, resulting in a 95 percent reduction. A central repository with information from across the environment enables running analysis to detect changing or developing conditions; these are situations that you would not normally look for due to the level of effort. Data Protection Advisor constantly monitors for the following: Backups with a big swing in the amount of data protected Changes in performance Extending backups that threaten to exceed the window Backups slowing down Capacity shortage Waiting for these situations to appear results in fire drills, but Data Protection Advisor can alert on these conditions to proactively address the issues. Figure 5 summarizes the configuration change activity for the Amazon backup server for the last week, showing what was changed and when. Figure 6 shows the exposure details for clients for the last week. Applied Technology 9

10 Figure 5. Configuration change activity for the Amazon backup server for the last week Figure 6. Exposure details for clients for the last week Applied Technology 10

11 Trusted independent verification The need for independent verification exists even when IT operations have a handle on how well data protection operations are meeting stated goals. Custom written scripts can be subject to manipulation to reflect a higher success rate than what is actually achieved. One of the most elusive aspects of managing a data protection environment is capturing change. As we all know, change is the one constant, but there is no tie between the backup solutions and any change control software that may be deployed, even if the change control captures the proposed changes. Some of the changes that are captured by Data Protection Advisor include new backup policies, changes to retention periods, and changes to media pools, which directly impact the retention of data. Capturing the actual changes is critical to understanding what was changed, by whom, and when the change occurred. This change information can be leveraged to support claims that policies have been consistently applied and maintained. To make an audit go much more smoothly, having a solution outside of the backup application that can validate the success of backups can be a real timesaver. Data Protection Advisor provides comprehensive reporting to customers, allowing them to validate if the SLAs stated in the contract were achieved. DPM solutions such as Data Protection Advisor provide an independent third-party solution to validate the successful achievement of the stated SLAs. Knowing that your data is protected and recoverable is critical to any business recovery plan. A recent Data Protection Advisor customer had its environment outsourced and was receiving status reports from its service provider. Since the service provider had incentive to achieve certain success rates, the idea existed that its custom scripts might be manipulated. This was not the case, but the conflict of interest existed and without third-party verification, there was no way to distinguish accurate reporting from manipulated reporting. By leveraging DPA, the customer was able to verify that SLAs were met, and can now track the recoverability of systems and which systems are at risk. The dashboard in Figure 7 shows a summary of backup activity over the last week, showing success rates, clients most at risk, and changes to configurations. Applied Technology 11

12 Figure 7. Summary of backup activity over the last week Example of regulations Although much has been written around the area of compliance, it can be hard to pin down specific requirements, much less ways of meeting those requirements. Data Protection Advisor contains alerts and reports that help meet these requirements as well as best practices to ensure that audits against such regulations are successful. In addition, Data Protection Advisor allows companies to define their own best practices, which are enforced in the same way. Sarbanes-Oxley Sarbanes-Oxley is one of the most wide-reaching and yet one of the vaguest regulations that affects data protection touching public companies in the U.S. Rather than mandate specific practices it suggests that companies implement their own best practices. The result is that many companies are unsure of what to do in this critical area. Critical to SOX is the ability to show consistency consistency in the establishment and application of backup and retention policies, as well as the success of those policies. Auditors will want to see that policies have been established and have remained consistent over time, and that the protection of the data was successful. Without tremendous efforts it is difficult to do this without a DPM solution such as Data Protection Advisor. Figure 7 provides a quick snapshot, while the data behind this chart can be examined in much greater detail for further satisfaction. Figure 8 shows how Data Protection Advisor categorizes Applied Technology 12

13 reports for fast access and categorizes hosts by their priority. Grouping similar clients accelerates running reports against systems at the same tier of importance to the business. Figure 8. Data Protection Advisor categorizes reports for fast access, and similarly hosts can be categorized by their priority Conclusion When selecting a product, ensure that it is truly heterogeneous, otherwise you will simply be creating more work to deploy and manage multiple products, and then to rationalize them to auditors and create common reports for the business. EMC Data Protection Advisor enables you to automate a great deal of your DPM process, maximizing the effectiveness of your data protection solutions, exposing gaps in compliance, tracking changes to policies, validating independent third-party protection, reducing risk of fines and litigation resulting from lost data, and reducing the level of effort to meet these requirements. References The following can provide additional information and can be found on Powerlink, EMC s passwordprotected customer- and partner-only extranet. Note that EMC Backup Advisor version 3.1 has been renamed and released as EMC Data Protection Advisor 5.0: EMC Data Protection Advisor Reference Guide EMC Data Protection Advisor Administration Guide EMC Data Protection Advisor Installation Guide EMC Data Protection Advisor User Guide EMC Data Protection Advisor Compatibility Matrix For access to Evaluation licenses, go to the Data Protection Advisor page on EMC.com: and Recovery/Data Protection Advisor Applied Technology 13