In-Depth

Black Outs and Virii and Worms, Oh My!

Imation Corporation survey shows IT infrastructure poorly safeguarded, despite recent natural and man-made events

• By Jon William Toigo
• 09/04/2003

While Imation Corporation, noted makers of magnetic media, may not have intended it to be the case, they released an interesting survey of 202 IT directors and “network storage managers” about the state of their disaster recovery capabilities just in time for the recent blackout in the Northeastern US and the latest crop of annoying viruses and worms currently plaguing the Internet.

Results of the survey, which can be viewed from Imation’s web site at http://www.imation.com/dataprotectionsurvey, revealed facts that many of us already know.

First, only one in three companies surveyed reported that they had taken any measures whatsoever to safeguard their IT infrastructure, or to replicate their data for offsite storage and retrieval.

Second, 32 percent of those who indicated they had a disaster recovery capability also said that they did not test their plans on anything like a routine basis, and 64 percent said they did not audit their data storage or backup processes on a regular basis.

That’s good news! If you are a virus writer, a hacker, or a firm that specializes in liquidating the assets of failed companies. For the rest of us, it is a pretty scary result.

The events of 9/11 and other mishaps, natural and man-made, that have occurred over the past couple of years should have underscored the need to do some preparing in advance for the possibility of disaster. The Imation survey shows that these events did have some effect. Following 9/11, about half of the folks reporting DR preparedness in the study said they had implemented regular testing procedures for the first time, and 26 percent said that they had implemented a disaster recovery plan for the first time in the wake of the calamities. According to Imation, 42 percent had established regular update procedures and 43 percent had begun moving copies of critical data off-site for the first time after the terrorist attacks.

These are all good signs, of course. But they are offset by the fact that only 39 percent of respondents said their companies had increased budgets for backup. Apparently, senior management in the rest of the respondent companies had no budget resources to spare for protecting their most critical corporate asset (next to trained personnel): data.

Other hurdles that doubtless get in the way of effective data protection planning include the ongoing fight within the industry over tape and disk-based approaches and between the tape guys, over “native Fibre Channel” versus “GigE with Jumbo Frames” approaches, and the disk guys over mirroring versus other replication methods. In short, the widening field of alternative approaches to data protection has the unfortunate consequence of muddying the waters and confusing IT managers about the best approach for them to use.

In past columns, I looked to the Enhanced Backup Solutions Initiative (EBSI) to bring some sort of sanity to this technical confusion. (I even agreed to sit on its Board of Directors in the role of a “consumer advocate” to help steer discussions toward greater vendor neutrality.) Now that the organization is in the process of being absorbed by the Storage Networking Industry Association, which effectively put up a blockade around EBSI this summer to discourage any SNIA-member companies from throwing money at the effort that was “better spent at SNIA,” my optimism has waned a bit. SNIA, after all, had talked about doing a backup-related storage networking information forum (SNIF) for five years before the appearance and popularity of EBSI finally forced them to actually do anything about it. It remains to be seen whether the current initiative will produce any results in the form of vetted configurations or reference standard approaches.

The more nagging question is whether any solutions, vetted or not, will meet the economic criteria of corporate bean counters. Once the technical issues are worked out and a suitable strategy for data protection has been worked out, funding the strategy is an entirely different matter. CFOs seem reluctant these days to spend money on IT, and especially on IT capabilities that in the best of circumstances will never need to be used.

In the final analysis, data protection is difficult but necessary work. There is no “silver bullet” approach that meets every set of application requirements. Next time, we’ll look at some burgeoning tape-based solutions from Spectra Logic, Quantum and other players in the field. But readers of this column should not wait for a series of words from me begin their foray into the data protection jungle.

The time to plan is now.