Choosing the right DR service provider

Corporates have to be prepared to face disasters. The better the Disaster Recovery plan, the better the chances of survival in business. Sudipta Sen has some tips when it comes to choosing a DR service provider

In this competitive environment, organisations have recognised the importance of integrating their infrastructure and enabling key applications to be accessible to stakeholders on a 24x7 basis. Businesses are deploying integrated applications like ERP to improve their supply chain efficiencies, have resource optimisation, better control and management. Most importantly, there is faster decision-making. It makes the company more agile and responsive to business challenges and opportunities.

However, with centralised architecture, enterprises also throw themselves open to the ‘all eggs in the one basket’ challenge. What if something were to happen to the ‘basket’ itself? According to Gartner two out of five enterprises who experience a disaster go out of business within five years.

Since prevention of disaster or managing the same is so critical for the survival of the business, let us start by defining a disaster. Often, we have notion about disasters being something spectacular in nature, occurring once in 25 years and with an impact so huge that it is futile planning for it. However, reality is quite different. Disasters could be fires, riots (making key personnel inaccessible), earthquakes (may damage the data centre), strikes/ bandhs, or even the small spark from a poor quality power system that destroys a key server. Any event that has the ability to prevent business from operating normally is a potential disaster.

Having zeroed in on the requirement of having a Disaster Recovery (DR) plan in place, the key question is whether to build it in-house or outsource it to a Disaster Recovery service provider. The decision to build or buy is a critical one and must be taken after doing an elaborate business impact analysis. It is important to define the RTO (Recovery Time Objective) and RPO (Recovery Point Objective); how much data can you afford to lose and how fast should businesses be able to recover critical resources in the event of a disaster. Large banks and financial institutions who can’t afford even a second of downtime should have their own DR centre whereas enterprises with relatively lesser critical applications should go for a DR service provider.

The DR service provider is the most important partner for an enterprise as they are entrusted with managing the most critical component of business. Hence it is critical that proper analysis is done before zeroing in on the service partner. When seeking to contract services for disaster recovery, an enterprise decision-maker should always evaluate the following issues:

* Service provider’s focus on the DR business—The service provider should be dedicated to Disaster Recovery services. Enterprises entrust their business survival to their DR services partner. If the service provider is distracted by other business priorities, it will be difficult to retain the level of dedicated support required.

* World-class infrastructure—The DR service provider should have world-class infrastructure. It includes a robust data centre, power distribution system; FM-200 based fire-suppression system; precision air conditioning, etc. The data centre should have multiple Internet gateways and basic operator exchanges co-located in the premises. This would ensure that hosted applications are available on a 24x7 basis.

* Quality accreditation—It is desirable that the service provider, and in particular their disaster recovery business, be certified for quality. International quality accreditations certify that the service provider will deliver international standard services. It is also important that the service provider takes steps to keep abreast of developments in the industry.

* Experience—Service providers should have the expertise to manage ‘live’ disasters. The critical things to look out for are the years they have been in business, recovery tests performed annually, ‘live’ disaster cases successfully managed, satisfactory reference sites, etc. It is very important that the service provider has the necessary skill-sets to understand mission-critical applications. They should genuinely understand the technology involved in maintaining and restoring vital documents and equipment. There are instances where many businesses have lost critical capacity and data through the naïve efforts of office-cleaning companies masquerading as salvage services.

* Scope of service—Service providers should understand and fulfil the full range of an enterprise’s critical service requirements, e.g. different operating platforms, communication services, integrated applications, etc. Remember, it is not just replication of software or storage of data; Service providers should have the capability to converge the entire infrastructure to an alternate site.

* Stability—It is important to understand the business objectives of the service provider before choosing the partner. A service provider may drop DR from their portfolio of services if business objectives are not being met. One should be careful to choose a partner who is financially stable.

* Growth—In a dynamic environment, enterprises are constantly evolving to keep pace with the market and stay competitive. It is imperative that the service provider grows with them and is able to support changing technologies. Enterprises should assess their investment plans and their continuing ability to support older systems, software etc., which may be critical to their operations.

* Fire drills—An untested recovery plan is useless. The service provider should have a proper plan to do fire drills and test resources under conditions that meet an enterprise’s recovery planning requirements.

* Human capital—The service provider should maintain a dedicated support team who understand their role in the recovery process. The support team should have proper understanding of their client’s business.

* Security at the data centre—Service providers should have proper security arrangements where the critical servers and applications are hosted. The security should be at two levels, physical, which includes surveillance cameras, biometrics, etc, and the network level, which includes firewall and IDS, monitoring all incoming data on the network, password protected server access, etc.

* Location of the DR site—The location of the alternate site is crucial for efficient recovery. While it should not be at a remote place, enterprises should ensure that the service provider isn’t likely to be exposed to the same risk as them. e.g., a service provider in the same building as the enterprise will be of little use if the premises are destroyed by fire.

* Client references—This is a sensible but often altruistic test. Enterprises should perform the due diligence of doing a reference check to determine the quality of the DR partner’s service levels.

* SLA—The service level agreement (SLA) should be read carefully. It is important that expectations in terms of RPO and RTO are defined clearly and stated in non-ambiguous terms. The penalty for non-conformance should also be outlined clearly. The contract should reflect clearly those services to be sub-contracted. It is important that service providers share their contracts with third parties.

* Price—Price is the most important component of any decision making process and the most negotiated one. However, a word of caution: Do not buy on price alone, but rather, seek value for money. Disaster Recovery services are not cheap. Enterprises should look realistically at the cost of people, equipment, environment, maintenance, power, software licenses, communications, etc. A decision based solely on price will have implications on the vitality of the disaster recovery plan.

These are some of the critical issues that must be kept in mind while evaluating a DR service provider. While the list in itself is not exhaustive, it would provide reasonably good parameters to pick the right DR service provider.

The author is managing director of Comsat Max