The Case for Disaster Recovery Validation

Disaster Recovery Planning (DRP) has received much attention in the wake of natural and man-made disasters in recent years. But executives continue to doubt the ability of IT to restore business IT infrastructure after a serious disaster. And this does not even include the increasing number of security breaches worldwide. By many reports, the confidence level in IT recovery processes is less than 30%, calling into question the vast amounts of investment poured into recovery practices and recovery products. Clearly, backup vendors are busy – see the compiled list of backup products and services at the end of this article (errors and omissions regretted).

Most enterprises today have some backup processes in place, run by the minimal staff needed or, in many instances, outsourced. But the implementation is largely “unconscious” – a part of the job description. It begins with a purchase and is followed through with vendor-suggested practices. There is little (if any) validation effort and poor communication from backup staff to management. Let’s pause and reflect…

“Backups have two distinct purposes. The primary purpose is to recover data after its loss… The secondary purpose of backups is to recover data from an earlier time, according to a user-defined data retention policy…” [Wikipedia]

In this article, I focus on the former purpose. In a later article, I will cover data retention and the difficulties therein.

Validation trumps reliability

Drumming to the management beat, backup vendors have become “data protection” vendors because protection conveys the idea of reliability in backups [translation: 100% backup success = 100% data reliability]. This is indeed a good attempt by vendors but does not solve the perceived problem of confidence in the restore (recovery). And that is because reliability is only a prerequisite for validity. Reliability provides consistency in measurement. Validity confirms whether you are measuring what you say you are measuring. Hence, the need for restore (recovery) validation (assurance).

A typical assurance process for restores would include the following steps:

  • Determine what needs to be protected (to reproduce business functions)
  • Protect it (back it up) from primary environment
  • Test the restore (recovery) in a secondary environment
  • Let business and application owners confirm
  • Document the observation
  • Report the recovery results to management

Notice that the above is not about testing the restore (recovery) of a virtual machine or a physical server or some shared files on enterprise storage. It is the sum total of it all from an application perspective. It is business function validation.

Remember: nothing succeeds like success.

Repeat validation builds confidence

Once proven, it must be repeatable. Businesses gain confidence when the business (application) functions are tested to satisfaction post restore(s) – again and again. And the recovery validation (testing) should not be limited to verifying successful restores. Feedback is essential. Observations are valuable. Applications deemed “legacy” should not be excluded. Here are some questions worth asking during recovery validation:

  • Are there opportunities for simplifying the underlying infrastructure for any of the applications?
  • Is each application completely defined by the data sets restored or are there undocumented dependencies?
  • Are applications co-existing on the same systems unknown to the business or application owners?
  • Do applications depend on shared data or time consistency in data?
  • If a configuration change is made in one application, does that impact any other related or unrelated application?
  • Can one application be restored independent of another that has lower priority?

Auditing lends credibility

The above is really an outline of an audit process and does not have to wait for an external audit event. IT improves credibility even with internal auditing. IT organizations must include resources and budget to perform this task on a regular basis. Business units should be systematically involved as stakeholders. The benefits are multi-fold: improved infrastructure, contained IT budgets, and (most crucial) executive trust and confidence.

This is also a case where partnering with external consultants is highly recommended. Companies like IDS go beyond expertise in a specific backup product and are able to provide an independent external perspective. By communicating with application teams, systems teams, outsourcing vendors and management, doubts and questions are quickly addressed. And remediation plans (if needed) are easily formulated.

Major Backup Products
Acronis True Image, Amanda, Apple Time Machine, ARCserve Backup, Areca Backup, Argentum Backup, BackupAssist, Back In Time, BackupPC, Bacula, Barracuda Yosemite, Bitser, Box Backup, 2BrightSparks SyncBack, Catalogic DPX/BEX, Cobian Backup, CodeLathe Tonido Backup, CommVault Simpana, Comodo Backup, Cortex BackupAssist, Crashplan, DAR, Dell NetVault Backup, DirSync Pro, Dmailer Backup, Dolly Drive, Double Image Backup, Druva InSync, Druva Phoenix, Duplicati, duplicity, EaseUS Todo Backup, Econ ChronoSync, EMC Avamar, EMC Mozy, EMC NetWorker, EMC RecoverPoint, Enter Srl Iperius Backup, FarStone TotalRecovery, FlyBack, Genie Backup Manager, HP Data Protector, IASO Backup, IBM Tivoli Storage Manager, InMage DR-Scout, KeepVault, Langmeier Backup, LazySave, luckyBackup, @MAX SyncUp, Memopal, Microsoft NTBackup, Microsoft SyncToy, Microsoft System Center DP Manager, Microsoft Windows Backup and Restore, Mondo Rescue, NovaStor Novabackup, Novosoft Handy Backup, obnam, Paragon Backup & Recovery, Paramount Macrium Reflect, Pipemetrics Bvckup 2, QtdSync, rdiff-backup, R1Soft SMB, Redo Backup and Recovery, Retrospect, Softland Backup4all, SpiderOak, star/gtar, StorageCraft ShadowProtect, Tarsnap, teraByte Image for Windows, UltraBac, Vembu BDR, Ventis BackupSuite, Veritas (Symantec) Backup Exec, Veritas (Symantec) NetBackup.

Online Backup Services
AmeriVault, Carbonite, CrashPlan, DataBarracks, DriveHQ, eVault, Data Storage Corporation, Global datavault, IBackup, IDS, Intronis, Jungle Disk, KeepVault Pro, MozyPro, Novosoft Remote Backup, Oncore IT, Remote Data Backups, SecurStore, SpiderOak, Storage Guardian, Storagepipe, Syncplicity, Unitrends Vault2Cloud, VaultLogix, Vembu OnlineBackup, Yotta280, Zmanda Cloud Backup.