Disaster Plan for off site storage and virtulization

Hello:
Need some information and direction to go to figure out how I could virtulize one or two servers offsite that could be ready if our facility would or just server room would burn to the ground. We really can't afford to purchase all new hardware and keep it functioning offsite, I thought if there were some companies that did something like this I could have a server ready to have our data and function if a mishap occured. We are a small health care facility and have an obligation to patient data. Currently we are housing our backups on site (I got voted down to remove the tapes weekly because of cost, but now we have to make a disasster plan and include it in the budget for this coming year), so hopefully that will be an included step.
Thank you all in advance for taking the time to respond.

Hi there, could you let us know what your current backup strategy looks like? And if you have any special data privacy/security issues to consider (I'm guessing yes since you are in the Health Care industry)?

You mention on site backups. At the very least, you should have some of that media stored or rotating off site. There are expensive and inexpensive ways to do this. I personally bring my 'off site' tapes home with me and put them in a firebox in my closet. Cost to the organization? 50 bucks? Or however much a cheap lock box costs these days. Then there are off site physical archiving services, like Iron Mountain who will store them for you.

A degree up from this will probably have you looking into online archiving/backup solutions (such as vaultlogix, Mozy, and the like) or disaster recovery imaging software/appliances, but the latter can run up a budget.

With some more info the posters here can probably help point you in the right direction - but as I said, at the very least, your backup media need to start rotating off site.

Hi "dbarlamas"

Thanks for visiting TechSoup forums and I hope whatever you decide on will be a cost-effective one and your experiences can inform others.

I think there are fundamentally three parts to your question, and I am not sure which of them - or maybe all of them - has already been decided on by your board or administration. It seems as if cost is the biggest concern so perhaps I'd like to know more.

* Virtualization - I am a big fan of virtualization for its green IT aspects as well as ease of management. Are you using VMWare or Virtual Server technologies? The former can get costly if you opt for a enterprise level option, and if you use the latter it may behoove you to wait even a bit longer, because Microsoft is doing a lot to make virtualization part of the OS, and for specifically Windows Server 2008 it's built-in, AFAIK

* Offsite storage - In your case redundancy and a timely restore, as well as HIPAA compliance is crucial. However, is there a compelling reason to serve on site, rather than opt for a off-site shared hosting, whose security is uptime is guaranteed, and perhaps make visit to take backups off the off-site? I suspect that this is probably the most cost-effective solution, but then again you may have a compelling reason so do elaborate on the data situation.

* Backup/disaster recovery plan - tied to all that is what are the aspects you deem most important in your disaster recovery plan. As the previous poster stated we'd love hear more about your current plan. Virtualization does make disaster recovery easier in the physical sense, but it takes a lot more planning, and more complexities can arise.

all the best

-Kevin

We use to use backup tapes, but I've stopped using them - mostly because it would not be easy to restore or get to the data in an emergency.

We have about a total of 60 gig of data from all our servers. (40 gigs is mostly archive stuff)

We we purchased 4 100gig Iomega USB Portable Hard Drives. 1 is used for nightly backups, while being rotated off-site.

These are good. Small & are "portable" so can transport back and forth offsite easily. They connect through USB - so in a recovery situation, I could connect it to a regular laptop or desktop and recovery data from it.

What we do for backups:

Nightly, my work PC will run some simple batch scripts to copy data from all the servers to my work PC's hard drive. (This takes up to 3 hours).

Why? Well this lets me keep an on-site copy of data so if a servers hard drive fails, I have the data already there ready. (no need to retrieve backups) At least every couple of months I will have someone call and say "I think I deleted a file on the server that I need", and within a minute - *poof* - I copy it back. If the servers die, and someone needs an important word document for a meeting, I can quickly get it for them while the server is down.

Step 2 - with the data on my hard drives, I have it automatically winrar it - encrypting it while it goes.

Step 3 - Copy encrypted data to USB drive.

Since I want to use my PC, during the week I usually only do that with the non-archive date - and every weekend, I do a full backup of even the archive data (in case it does change) [but I'm thinking about getting a "backup" PC/server that will just run during the day encrypting and doing the job my PC is currently doing - that way I can get a full backup nightly without it taking the resources of my PC]

- - - - -

Other things to think about - Make sure you have the software (windows server 2003/7), and codes you need stored off site in case you need to rebuild a new server(s).

Hi dbarlamas,

Other posters have offered a range of excellent advice and options for data recovery and restoration, so rather than focus on these aspects I would like to raise the fundamental (and preliminary) matter of risk analysis for consideration.

Too often have I seen extensive (and expensive) hardware data redundancy systems (tape units and virtual servers etc.), tied to computing systems with far more fundamental flaws tending to cause repeat failures and data loss. In one case it was a server rack powered by a $2.00 power board that continually overheated and tripped-out causing real-time data loss. The company had invested tens-of-thousands of dollars in an offsite data center virtual farm, yet continually lost live data due to 'mysterious' server reboots (power board trips). In another case, most of the company servers were web-facing so the greatest risk was of data corruption through malicious intent (viri and hacks), yet their backup strategies were designed in such a manner that malicious code actually became part of the backup, so recovery systems were likewise infected and ultimately proved useless.

Both these company's failed the fundamental task of firstly assessing risk before developing and implementing disaster recovery plans. What is most likely to go wrong? What priorities can we place on projected risks and failures? What measures should we take to mitigate the risk?

My advice is to firstly spend a few hours walking around your computer infrastructure looking for points of weakness. It's a good idea to take someone with you who is not 'close' to your systems to also help with this (familiarity can sometimes make us blind to obvious risk). An electrician or someone with an engineering background would be an ideal candidate. Afterwards spend another few hours looking objectively at how your systems sit within your organisation. How are they exposed? What can really hurt them? Develop a risk analysis specific to your circumstance that can be used as basis for your disaster plan. Keep both regularly updated and you should be well on the way to properly protecting your orgs second most valuable asset (data) - in fact you will often find the risks to data are not that different from the risks facing your most important asset (people) . There is usually a lot of tie-in between human and systems risk management plans.

Good luck!
Don

You have all given me alot of good things to think about. We are tied into a consulting company that is into selling their products at a very big ticket value. They want 15,000 for the analysis and about 50,000 more for the implemataion. It gets a little out of hand. Just so much to think about. Thanks again.