delivering an effective backup and recovery service: how a

Symantec Global Services

Confidence in a connected world.

Delivering an Effective Backup and Recovery Service: How a Proactive Approach Can Be a Real Life SaverA Symantec Global Services Advisory Guide

Who should read this guide:• CIOs, CTOs, and IT directors who are managing backup and recovery operations• Operational budget holders

Advice offered about:• Why backup and recovery is critical to the business• The most common mistakes• Getting it right, with case examples• Comparison of in-house and outsourced approaches

This guide examines why backup and recovery is critical to the business and how a proactive approach can be the key to backup success.

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Why is backup and recovery critical to the business? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Tackling common problems with backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Tackling common problems with recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Winning board backing for investment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Stick or twist? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

What to consider when outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Consultants have been there and done that . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Symantec Managed Backup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Case example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

What our clients say… . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

About Symantec Global Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

About Symantec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Contents

Delivering an Effective Backup and Recovery Service: How a Proactive Approach Can Be a Real Life SaverA Symantec Global Services Advisory Guide

3

Technical infrastructure manager, leading financial services firmWe spoke to a technical infrastructure manager working for a leading financial services firm. For

corporate reasons, his contributions are anonymous.

Service director, managed service provider, public sector programWe interviewed a service director working on a high-profile public sector engagement. For

corporate reasons, his contributions are anonymous.

Archie Maddocks, Senior Service Delivery Manager, Symantec Global ServicesAn IT professional with 18 years’ experience working in operations, Archie has worked on FTSE

100 and government contracts and has specialized in storage-related service delivery for the past

eight years. When it comes to running backup services, Archie has been there and done it.

Adrian Spink, Head of Technical Architecture & Managed Service, Symantec Global ServicesAfter nearly 20 years of running IT infrastructure services in the automotive, oil and gas, telecom,

and investment banking sectors, Adrian brings broad experience to this guide. A track record of

delivering for clients like JPMorganChase and Sun Microsystems, combined with inside knowledge

of organizations like CSC and IBM Global Services, helps ensure that his insights are from both

sides of the outsourcing fence.

Our contributors

Delivering an Effective Backup and Recovery Service: A Symantec Global Services Advisory Guide

4

What you will get from reading this guide

• An understanding of the business-critical nature of backup and recovery services

• An overview of the most common mistakes

• Advice on getting it right and case examples

• An introduction to services

• Awareness of the key benefits and ROI

What this guide is not

This guide is not another explanation of backup technologies or the future protection technologies

that will revolutionize the customer experience. Neither is it an analysis of the benefits or

shortcomings of online vs. offline protection.

Instead, this guide aims to examine why backup and recovery is critical to the business and how a

proactive approach can be the key to backup success.

Introduction


Like many homeowners, businesses have often been satisfied with just minimal provision and preparation for disasters. It is only when a disaster arrives that it becomes clear how inadequate this approach is.

5

A useful analogy

Businesses tend to view backup and recovery in the same way that property owners view

homeowner’s insurance. Cast your mind back to the devastating floods that hit Britain in the

summer of 2007 or the fires that ravaged Southern California the same year. You will recall that

many of the affected homeowners had insufficient insurance.

Only when houses were flooded or burned, belongings destroyed, and lives turned upside

down did homeowners come to realize the importance of adequate insurance policies—and to

profoundly regret having allowed homeowner’s insurance to sink to the bottom of their priority

lists.

Historically, many IT departments have approached backup and recovery in a similar way. Too

often the budget is spent on the very latest technologies at the expense of protecting the critical

data that allows the business to function.

Like many homeowners, businesses are often satisfied with minimal provision and preparation for

disasters. It is only when a disaster arrives that it becomes clear how inadequate this approach is.

Who should read this guide?

This guide is intended for CIOs, CTOs, and IT directors faced with the challenge of managing

backup and recovery operations. Operational budget holders will also benefit from some of the

financial messages in the guide.

“We believe that a reactive attitude should be replaced with a proactive and assertive strategy,

which attaches much greater significance to the role of backup and recovery. I commissioned

this guide to help organizations make the right decisions about how best to prevent data loss and

potentially catastrophic IT failure.”

— Archie Maddocks, Senior Service Delivery Manager, Symantec Global Services


6

The sad truth is that many businesses do not much care about backup and recovery. The majority

of businesses that do care are often either unaware of the best way to address the issue, or

under the impression that their existing measures are enough. The end result is that vital

services provided by the IT group are often ignored or misunderstood. Indeed, because too many

businesses still see backup as a burdensome drain on their time, organizations that have well-run

backup operations are very much in the minority.

A significant proportion of the problems associated with backup and recovery can be attributed to

this basic reluctance—or inability—to take a firm grip of it.

As a result, very few businesses are adequately organized, and there tends to be a lack of effective

planning behind their strategies. Correct processes and procedures are often missing, and there is

little evidence of root cause analysis when things go wrong.

So it is not surprising that many businesses operate with a false sense of confidence that

everything will turn out alright. In truth, however, they are risking a cycle of perennial fire-

fighting.

“The whole issue of backup and recovery is too low on the list of priorities,” says Symantec’s

Archie Maddocks. “Too many businesses are only interested in storage when they can’t recover

data they desperately need, and it costs them money. Data backup and recovery is very much a

reactive part of the overall end-to-end service.”

The benefits of a proactive approach

What businesses do care about is making profit and the quality of the service they provide to

their customers. While backup and recovery operations are often treated as necessary in an IT

organization, they only become of strategic importance during an IT failure in recovering mission-

critical information.

The outbreak of a blended threat, a natural disaster, or a regional catastrophe such as an oil

refinery explosion, could leave a business without the resources to locate, restore, and recover

each data instance.

Yet any interruption to service—whether IT-related or not—will affect profits, lower customer

satisfaction, and even threaten the long-term prospects of the business.

In Symantec’s experience, those businesses that respond positively with a robust strategy for

dealing with worst-case scenarios can reap substantial business benefits.

Why is backup and recovery critical to the business?


“I think in the past, businesses didn’t always give backup and recovery the attention it deserved. But increasingly, businesses are taking it much more seriously because we all know the potential repercussions.”

Technical infrastructure manager, leading financial services firm

7

The pressure for compliance

Recent high-profile incidents of data loss demonstrate that companies and governments must

understand the procedures and policies they implement and ensure compliance with legal

standards.

Businesses are also under pressure for a variety of other legal reasons. If, for example, a business

is asked to produce data in litigation, it is essential that the data be located quickly and efficiently.

Organizations tend to store data on backup tapes for many years in the belief that it can be

retrieved when necessary. With tape-based backups, however, time can severely compromise

the readability of data. There are at least two reasons. First, tapes begin to degrade over time.

Second, the recording technology becomes obsolete and is replaced, leaving no “playback”

capability.

Moreover, few organizations catalog their data-storage tapes, relying instead on timestamps

to identify likely locations. Many businesses are therefore unable to quickly identify the tape

that contains the data they need—which means that their organizations do not meet current

compliance laws.

Not only can a robust approach to data backup and recovery help lessen the likelihood of such

problems, but it can also be a powerful tool for winning and retaining the trust of investors and

customers.


8

Sarbanes-Oxley, Basel II, and SAS 70 are three of the biggest compliance concerns at present—and they all place significant demands on the recovery of data.

Returning momentarily to the homeowner’s insurance analogy, assuming that nothing very bad

will happen is the most common mistake associated with backup and recovery.

For too many businesses, it seems that only when they stare data loss in the face will backup and

recovery receive the attention and investment it demands. But by that time, it is usually too late.

Understanding what you are backing up and why

The fundamental problem is that businesses do not always know the actual value of their data, so

they do not know what to back up—or why.

“It is not uncommon to find a business that is failing to backup all of the data it really needs,”

says Symantec’s Archie Maddocks. “Backup success rates may appear to be impressive, but the

business may be missing critical data entirely. Moreover, there may have been little thought about

how the data will be recovered and where it will be recovered to.”

Managing business—and data—growth

Business growth is a thorny area, particularly when it comes to justifying costs. As a business

grows, it is almost inevitable that data volumes will also increase—especially if growth is rapid.

In these circumstances, convincing the board to invest will require appropriate and persuasive

reports and metrics.

.

Tackling common problems with backup


There are businesses using snapshot techniques and off-host backup for data sets that aren’t the product of high-volume, mission-critical applications and that don’t need such stringent—and expensive—backup and recovery technology.

9

Absence of a dedicated storage function

The responsibility for ensuring data backup and recovery often falls to platform teams. However,

they generally believe they are employed to perform other tasks. For example, the Wintel platform

team might be asked to manage backups even though their main focus is on the day-to-day

patches and updates of other Wintel services.

As a result, data storage becomes a secondary consideration. By its very nature, this leads to a

reactive environment. Because businesses are unable to formalize responsibilities, it is difficult

for them to prevent, diagnose, or repair problems with backup. Companies may be confident that

they can adequately respond to problems, but they will rarely be able to keep a problem from

occurring.


10

Dis

k st

ora

ge (

TB)

Growth in SAN disk storage in the average Fortune 1000 data center

1H 2H 1H 2H 1H 2H 1H 2H2005 2006 2007E2004

1600

1400

1200

1000

800

600

400

200

0

Figure 1 . Storage capacity, utilization, and anticipated growth for Fortune 1000 companies.

Getting processes right

Another potential pitfall is the general trend to focus too narrowly on technology. When problems

are encountered in the backup and recovery process, organizations often conclude that software

or hardware must be to blame.

However, flawed processes and procedures are often the real issues. More often than not, poor

practice in root cause analysis is the real problem that makes it nearly impossible to get the most

out of the IT infrastructure.

Poor communication is another contributing factor to many backup and recovery failures. If the

appropriate people are not communicating effectively, services are bound to suffer. For example, if

a backup schedule is looking for a particular application but somebody has taken that application

offline for testing, the backup software will not be able to connect to the target files. This will be

logged as a failure, and it is unlikely that anybody will know why.

Approaching the problem with the right attitude

Successful backup and recovery require considerable tenacity. It is too easy to accept a 90 percent

backup success rate as adequate. A truly committed business will be less interested in the 90

percent than in the 10 percent that is missed.

This tenacious approach to backup and recovery will scrutinize the remaining 10 percent carefully

and analyze exactly what has been overlooked. Shrewd businesses will work out why 10 percent of

the data could not be backed up, then come up with a solution to the problem.

And why the need for this intense focus?

“If it is the same 10 percent that has failed every night for two years, you are leaving yourself

open to considerable data loss,” says Symantec’s Adrian Spink.

Even with a good backup success rate of 97 percent, an organization may leave itself exposed.

This is especially true if the 3 percent failure rate includes repeated failures for essential data,

such as a customer database that is accessed and modified on a daily basis. For instance, imagine

that a corruption occurred, and the database had to be restored from tape or disk backup images.

Then imagine that consecutive backup failures meant the backup images from the past 12 to 24

hours were unavailable. It does not take much imagination to realize that the company could face

significant challenges.


Often it is the absence of a dedicated storage team that leaves businesses most exposed. Beyond this, the fundamental problem is that businesses don’t always know what, or why, they are backing up—or what the value of their data actually is.

11

How to back up the right data in the right way

Translate business requirements and align them with backup and recovery requirements. 1.

If the business does not have clear objectives, try to define some of your own and seek

agreement.

Develop a tiered list of backup and recovery requirements (service catalog) that fits the 2.

organization’s business needs. Ensure that this is reviewed and revisited regularly.

Work out the true respective costs of the organization’s backup and recovery operations and 3.

apportion them to the various options.

Predict the impact of data loss and build this into a budget proposal.4.

Build or modify the infrastructure to deliver against the service catalog.5.

Establish service-level agreements (SLAs) to define the expected level of service.6.

Test the recovery process regularly, and perform analysis of the recovery times and recovery 7.

points to ensure that they fit with the business needs.

Proactively manage and analyze backup logs to determine whether jobs are completed 8.

successfully.

Perform effective incident management on backup failures or storage-related issues.9.

Perform root cause analysis on all problems and issues found.10.

Perform service-level management to the agreed service catalog.11.


12

It is important to remember that without the ability to recover data, backing up data is futile.

Too many organizations relax when they have all their data backed up. Inexplicably, many fail to

test their ability to recover the data, This is typically the difference between success and failure.

Disaster preparedness checklist

√ Consider all the stages of recovery and all the components required.

√ Investigate what will happen if a Bare Metal Restore (BMR) is needed—i.e., if a complete

hardware failure demands reinstallation of the operating system and applications.

√ Perform recovery exercises for critical applications to ensure that backups are consistent and

that technologies and processes are in place to recover data to the required level.

√ Consider when recovery may be required and what skills and resources will be available to work

on the problem.

√ Define and document recovery procedures.

√ Develop competency in process adherence and improvement.

√ Test and then test again.

√ Ensure that backup and recovery are part of the IT service continuity strategy, underpinning

your organization’s business continuity plan.

Tackling common problems with recovery


Too many organizations relax when they have all their data backed up. Inexplicably, many fail to test their ability to recover this data. This is often the difference between success and failure.

13

Make testing central to recovery

A failure to test recovery on a regular basis can even disguise the fact that backups themselves

are not working. In a worst-case scenario, it could become apparent that the entire backup

process is flawed only when the business is required to recover critical data or applications.

Testing the recovery process would highlight such a problem at an early stage, allowing

the business to limit the damage. Working under the assumption that data recovery will be

straightforward is extremely dangerous.

When dealing with recoverability, it is particularly important to understand the business

requirements. If these are not known, there is no way of working out how quickly the business will

need to recover the data.

RTOs and RPOs

The recovery time objective (RTO) refers to how much time a business can afford to lose as it waits

for data to be recovered. The recovery point objective (RPO) refers to how much data the business

can afford to lose.

Together, RTOs and RPOs are vital in a corporate environment. Therefore, it is essential that

they be intelligently aligned with genuine business requirements. This is particularly important

in today’s litigious environment, where the inability to recover data can have significant legal

repercussions.

Many businesses believe that they are addressing data security by taking their tapes offsite. How

the data will be recovered and when—and to where it will be recovered—often remain a mystery.

People forget that in extreme cases, the whole recovery cycle could take weeks, not hours. More

and more, we are discovering that businesses do not focus enough on recovery because they are

too obsessed with backup.


14

“The ability to recover data is not necessarily an area of high focus until something goes wrong. Unless something is glaringly wrong, it is easy to take things for granted.”

Service director, managed service provider, public sector program

Data Loss Downtime(Recovery time objective)

Wks Days Hrs Mins Secs Secs Mins Hrs Days Wks

(Recovery point objective)

Figure 2 . Determining your data recovery needs.


15

It is often said that IT experts and business experts speak very different languages. This makes

it extremely difficult for IT experts to impress upon their boards of directors the importance of

effective backup and recovery.

With this in mind, there are ten basic steps that an IT manager or IT director can take to ensure

the board’s agreement to, and support for, a backup and recovery plan.

If you follow these steps and report regularly to the board, they will soon begin to understand how

critical backup and recovery are to the organization.

Find out what regulations affect your business, and assess the impact they will have on your 1.

data retention and protection policies.

Perform a risk and impact assessment of the business from a data loss perspective. Identify 2.

the critical business processes and ensure that these receive appropriate protection.

Define a recovery strategy based on the criticality of the business processes.3.

Establish a set of information and backup and recovery policies explaining exactly what 4.

needs to be done.

Develop a full audit and reporting framework where backup and recovery operations are 5.

tracked and audited for process adherence.

Develop an operational reporting framework for backup and storage. Make it visible to the 6.

organization, highlighting the importance of backup and recovery to the business.

Educate all areas of the organization—including end users—on the importance of good 7.

information management.

Ensure that the backup and recovery strategy effectively underpins a comprehensive security 8.

program. Interestingly, 40 percent of data compromise happens inside the organization. Role-

based access should be used.

Develop a separate, usable archiving policy where information can be searched and recovered 9.

easily.

Practice recovering data.10.

Winning board backing for investment

The secret is to avoid technical jargon and communicate your concerns in real, understandable business terms.

15

Signs that your backup and recovery operations needs to be improved

• Spiraling or unknown costs or total cost of ownership (TCO)

• Unknown operational and business risks

• Unknown or low level of backup success rates

• Struggling to meet audit compliance

(e.g., Sarbanes-Oxley, Statement on Auditing Standards [SAS] No. 70)

• No clear service-level agreements (SLAs)

• Undefined roles and responsibilities (i.e., lack of clear ownership)

• Lack of tiered storage model

• Undefined operational processes

• Recovery issues due to failed backups

Communicating risk

At all times, you need to identify the reduction in risk that your backup and recovery strategy

would provide. If the organization is presented with the end result of the improved service in

terms of productivity or other metrics, skeptics will always take an interest. The secret is to avoid

technical jargon and to communicate your concerns in real, understandable business terms.

For example, if a bank loses encrypted tapes containing customer data, what exactly will the

impact be? Similarly, what if your own business should lose confidential customer data?

It is important to put this information into some form of cost/risk profile. This can then be used

to inform the board that more investment is needed in order to improve the backup and recovery

service.


16

“The media are always looking for things to go wrong. Any mistakes can lead to damning front-page headlines.”


Managing backup and recovery operations can be a daunting task. Businesses are often left

with a simple choice: continue to manage backup and recovery operations in-house, or seek the

assistance of an outsourcer.

The appeal of an in-house solutionIn some circumstances, an in-house backup and recovery team will be attractive for a variety of

reasons:

• The perception that it will be cheaper . Without conducting a thorough investigation of costs,

there will be understandable concerns that obtaining outside assistance is more expensive than

doing the job completely in-house.

• Concerns over security and confidentiality . Organizations are sometimes reluctant to hand

access to their data over to someone else. Security is one of several considerations that may

persuade a firm to keep storage in-house or simply avoid obtaining planning assistance.

• Basic reluctance to pursue outsourcing . Cultural resistance to outsourcing is commonplace.

• A desire to remain independent . There is an element of risk attached to the formation of any

business relationship. Some firms will be reluctant to accept this potential danger.

• Anxieties over flexibility . Some businesses may also fear a loss of flexibility because an

outsourcer will assume some degree of operational control. There may be concerns that

relinquishing even a small amount of control will inhibit the organization’s ability to react to

changing business conditions.

The benefits of outsourcingA strong, reliable outsourcer will bring a range of benefits which may resolve the concerns listed

above:

• Greater visibility of TCO and the assurance of a fixed price . Typically, the budget manager

will be unaware of the total cost of ownership (TCO) of an in-house solution. Consequently, the

manager will be unable to forecast ongoing costs. However, an outsourcer can set a pricing

schedule based on fixed monthly costs. Even better, this may well prove less expensive than

existing methods.

• Guarantees on service levels . It is often difficult to establish, adhere to, or even measure

operational levels internally. Strict SLAs provided by an outsourcer will enable management to

learn exactly how effectively the organization’s backup and recovery operations are performing.

Stick or twist?


Invariably, businesses are left with a simple choice: continue to manage backup and recovery operations in-house, or seek the assistance of an outsourcer.

17

• Greater focus on your core business . An outsourcer will allow an organization to focus on its

core competencies, thus allowing resources to be redeployed to more central concerns of the

business.

• Stronger expertise in supporting your backup process . Many organizations do not have full

knowledge of service management processes. Neither do they have a deep understanding of

backup architecture and technology. An outsourcer will be able to improve service levels by

efficiently applying best-of-breed solutions with strong service management processes.

• A more structured approach to critical business data . The financial repercussions of data

loss or downtime can be devastating. An experienced outsourcer can minimize the risk by

helping the business identify and effectively back up its critical business data. In March 2007,

Symantec research1 found that best-in-class organizations are monitoring and measuring

controls and procedures to protect sensitive data on a weekly basis. In contrast, the average

business only examines these controls and procedures every 176 days.

• A heads-up on RTOs and RPOs . The board will gain reassurance from an outsourcer with

in-depth experience working out RTOs and RPOs. An understanding of RTOs and RPOs will

allow the business to choose between gradual recovery, intermediate recovery, and immediate

recovery.

• An understanding of the importance of compliance . Compliance demands will only increase

in the years ahead. It is important to have experts onboard to deal with these growing concerns.

Symantec’s Archie Maddocks comments: “Organizations are usually aware of the legislation,

but they do not necessarily know how to configure or manage storage to meet the various

requirements.”

• Assistance with the auditing process . When an audit is conducted, it is crucial that everything

is in place and up to date. A third-party outsource provider can offer the skills and experience

needed to help ensure that audits run smoothly.

• Greater accountability and help in the decision-making process . Reporting capabilities of

in-house systems are generally poor, which can limit damage accountability. An outsourcer,

however, should be able to produce effective reporting of their services. This should be scalable

from operations to business owners, and it should relay pertinent information based upon roles.

However, an outsourcer’s customers should ensure that they have a method of independently

verifying the reported information.

1 Symantec: “Taking Action to Protect Sensitive Data” report, March 2007.


18

In March 2007, Symantec research1 found that best-in-class organizations are monitoring and measuring controls and procedures to protect sensitive data on a weekly basis. The average business only examines these controls and procedures every 176 days.

If you are thinking about outsourcing your data backup and recovery operations to a third party,

what factors should you consider?

Finding a trusted third party

There should always be a strong professional relationship between the business and the

outsourcer. The client must be able to trust the third party to do the job more efficiently and

reliably than was previously possible.

Clients want relationships, and they want to know that they can trust the people with whom they

work. They want to know that the third party will deliver on its promises and step up if something

goes wrong. They want a hands-on relationship. And they want to know that the outsourcer will

deliver on its promises.

Getting the right range of services

Because all businesses have specific motivations when outsourcing backup and recovery

operations, it is important that tailored services be available to you.

For those looking for sophisticated metrics and status information—as well as trending and

historical mapping—reporting tools may be the only service they will need.

Some third-party outsource providers also offer a range of onsite and offsite backup and recovery

services. These include providing onsite specialists who work as members of your team for an

extended period of time. These resident specialists can perform services under a statement

of work or under an arrangement where the outsourcer takes responsibility for day-to-day

administration and management under a strict SLA.

Alternatively, managed backup services can also use remote teams and offsite infrastructure

investments to perform 24x7 remote monitoring and remote management, analysis, and reporting

under SLAs.

These services can also work together as a “managed solution,” combining best practices onsite

with remote management capabilities offsite.

Through the use of onsite resident specialists or remote experts, existing internal resources can

be freed to focus on strategic projects and core activities.

.

What to consider when outsourcing


“If you are going to let somebody else run something important for you, it is crucial that you trust them implicitly.”


19

Ensuring cost-effectiveness

Choosing an outsourcing partner with a strong industry reputation should guarantee an improved

service.

“Customers rarely know the total cost of ownership of running backup and recovery in-house,”

says Symantec’s Archie Maddocks. “There is a misconception that the cost of managing backup

and recovery is limited to the salaries of the people actually employed for these purposes. In

reality, you also need to consider the cost of upgrading, the cost of training, and the cost of

managing high-impact failures or even data loss.”

In many cases, businesses taking control of their own backup and recovery services are hugely

wasteful of their resources, simply because they lack the necessary processes and best practices.

This inefficiency invariably has an impact on cost.

Before agreeing to work with an outsourcer, it is important to understand how much you are

currently spending on your backup and recovery operations. In our experience, organizations

spend much more on backup and recovery than they realize—and, in many cases, much more

than necessary.

Setting service levels

When engaging with a business over backup and recovery, outsourcers will typically produce a

proposal based on five pre-defined SLAs:

Backup success rates1.

Restore success rates2.

Response time to incidents3.

Repeat backup failure4.

Reporting5.

By establishing firm SLAs in this way, organizations are able to keep a closer eye on the quality

of services provided. Metrics are made available to test all five SLAs. This means businesses can

expect first-class management of the entire backup and recovery process.


20

“Backup should be a chief priority for all firms and there should be a dedicated team taking control of it. Outsourcers live and die by their success rates, which can give them an edge over in-house teams. They will not be afraid to ask the difficult questions to achieve the desired results.”

Adrian Spink, Symantec Global Services

Often outsourcers are able to raise the bar significantly by setting minimum standards for backup

and restore success rates. Because few businesses have the tools available to measure these

processes, standards tend to be considerably lower when backup and restore operations are

managed in-house.

Organizations need to track existing success rates. They need to understand whether they are

getting better or worse at doing the job. They also need to understand why backup failures are

occurring. It is important to look at this not just from a technology perspective, but from process

and skills perspectives as well. Without proper root cause analyses, backup success can become

a nightly lottery. Yet it is rare to find a business with the skills in-house to carry out the necessary

root cause analysis.

Questions to ask potential outsourcing partners

What cost model do you have for an environment of our size and complexity? (You should 1.

compare the answers with their own internal cost model to establish if outsourcing makes

sense.)

What service delivery metrics will you agree to2. —and in what measurable ways will you

improve the current state of our backup and restore operations?

In which areas will you introduce risk, and where will you reduce it? (This should be matched 3.

against an existing risk profile.)

What resources will you require to deliver the cost, risk reductions, and delivery increases 4.

you have defined?


21

As companies deliberate on whether to do backup and recovery in-house or through an

outsourced solution, they need not face the decision alone. Outside consultants can help advise,

develop, and transform a company’s IT operations to suit its backup and recovery needs.

It is possible to gain many advantages through short- and long-term consulting assistance.

Consultants can provide:

• Third-party assessment of the current state and protection gaps . Using specific expertise

gained in analyzing a wide range of environments, a consultant can identify issues that

in-house resources miss. Because these types of in-depth analysis often take time away from

the core business, they are often skipped, increasing the risk of ineffective backup and recovery

operations. Consultants can let you know what needs fixing before an audit takes place—or let

you know what technologies and processes you need to implement in order to meet your SLAs.

• Assistance with the auditing process . A third-party consultant can offer the necessary skills

and experience to help ensure that audits run smoothly.

• Help designing the right solution and transition plans . A consultant will be able to improve

service levels by creating a solution design that efficiently applies best-of-breed solutions

and processes in order to meet your specific business requirements—and tell you how to go

from where you are now to the desired state, as well. Consultants bring to bear their in-depth

experience working out RTOs and RPOs, and they understand the importance of compliance.

• Ongoing operational assistance, as needed . While handing over complete operational control

to a third party may not always be possible, adding expertise to your team offers distinct

advantages for both short- and long-term projects. Once you determine the changes that are

required, how do you implement them? If you have a recurring task that needs to be done

right each and every time, but is not done that often, how do you maintain consistency? Expert

consultants can provide the extra hands needed to accomplish the project, help ensure that it is

accomplished correctly, and possibly train your in-house staff to take over.

• Residency services . You might want to continue to free up your current resources to

concentrate on the core business, and instead have expert consultants run backup and recovery

operations for you. Residency services provide onsite expert consultants that can take over the

portions of your backup and recovery operations that you designate. These consultants become

part of your team, and you control what they do.

Consultants have been there and done that


22

For many organizations, a managed backup service makes great business sense. Symantec’s

broad experience in the backup arena shows that clients often wish to remove the headache of

managing backups. However, relinquishing all control to an outsourcer is a step too far for most.

Symantec Managed Backup Services allow you to retain ownership of the technology and control

of business critical data, but leave the day-to-day operation to us. Our product and service

expertise will drive optimum operational efficiency with our Managed Backup Services becoming a

seamless extension of your support team.

Because the data stays on your own assets in your own data centers, there is no “lock-in”

agreement with a third-party service provider that could impact data recovery over the long-term.

Symantec Managed Backup Services provide 24x7 remote monitoring and management under

strict SLAs. These can give you world-class success rates for backup and restore.

Moving to a managed service

The four-phase approach—assess, design, transform, and operate—is central to Symantec

Managed Backup Services:

• In the first of these phases, we assess the current backup environment and future

requirements. The goal is to ensure that the operational component is fully understood.

• Once we have completed our assessment, we design a solution that includes improvements to

the architecture. We also develop an operating plan that provides best practices for managing

the backup and recovery environment.

• In the transform phase we implement a series of improvements identified during the

assessment phase. These provide you with a backup and recovery environment that is both

effective and efficient.

• Once all the activities of the transform phase are complete, Symantec will operate according to

agreed SLAs. The benchmark of successful data recovery is backup success rates. A world-class

backup operation should be above 95 percent monthly average for backup success. Symantec

will successfully back up at least 97 percent of in-scope clients.

Symantec Managed Backup Services


Symantec Managed Backup Services allow clients to retain ownership of the technology and control of business-critical data, but leave the day-to-day operation to us.

23

The backup environment is managed night and day by Symantec, using exactly the right

combination of resident and remote expertise for each client. This maximizes your access to

experts while reducing the amount of historically expensive onsite time. For some clients, a

completely remote service may be the best solution. It is based on the following components:

• Service catalog and associated SLAs

• Dedicated service delivery manager

• Real-time event monitoring and alerting via the 24x7 Service Operations Center

• Incident and problem management from the Operations Center

• ITIL process definition and implementation

• Offsite staff for daily operations, change, release, and capacity changes

• Monthly backup reporting and service review

• Vendor management to reduce problem resolution times

Phase: Assess Design Transform Operate

Objectives: • Evaluate operational effectiveness

• Evaluate backup and recovery infrastructure

• Define operating model

• Define technology model

• Implement operating model

• Implement technology model

• Deliver Symantec Managed Backup Services

Deliverables: • Backup assessment plan

• Transition plan

• Service delivery document

• Project plan

• Service manuals

• Run environment on behalf of client 24x7

• Report and manage

Activities: • Determine requirements and desired service levels

• Provide detailed costing analysis and determine potential ROI

• Provide recom-mendations for improvementsl

• Evaluate existing processes

• Design service level and strategy

• Develop transition process and plan around people, process and technology

• Integrate monitoring tools

• Implement changes to reduce risk of data loss and improve SLAs

• Implement standard processes

• Establish change control

• Conduct backup administration and media management

• Conduct backup and restore verifications

• Provide monitoring, alerting and metrics reporting

• SLA adherence

Figure 3 . Symantec’s assess, design, transform, and operate approach to managed service.


24

Because the data stays on your own assets in your own data centers, there is no “lock-in” agreement with a third-party service provider impacting data recovery over the long term.

Reporting

A Symantec expert will be assigned to lead your backup and recovery process, absorbing the

extra workload of incident and problem management. This dedicated Symantec Service Delivery

Manager knows that your time is valuable, so a short face-to-face monthly service meeting will

focus on key issues. Meanwhile, our comprehensive service pack will provide reports that enable

your business to quickly monitor and assess the health of the backup environment.

Our track record

Symantec Managed Backup Services have a proven track record of:

• Significantly improving backup and restore performance

• Increasing backup and recovery success through root cause analysis

• Implementing initiatives to standardize policies, procedures, and measurement

• Achieving world-class service through meeting strict SLAs


25

An international banking group

When clients claim to be “absolutely thrilled” with the service they are receiving, things must be

going well. And that is exactly the case for an international banking group that is using Symantec

Managed Backup Services.

Frustrated by the lack of management from its existing managed backup service, the bank

made the strategic decision to transfer the ongoing management of its backup environment to

Symantec. The goal was to effectively meet demanding service levels.

By using Symantec for day-to-day operational backup management and end-to-end data

protection, the bank is significantly increasing its backup success rates. In addition, it is reducing

the costs and IT risks associated with unmet recovery objectives, data loss, and business

disruption. Symantec is also helping the bank ensure that it meets its SLAs each time, every time.

Business drivers• Improve operational efficiency

• Keep control of the spiraling cost of data protection operations

• Adhere to stringent SLAs

• Enable the bank to focus on core business areas and strategic priorities

Technology challenges• Excessive time and resources devoted to managing data protection environment

• Risk of data loss or data corruption associated with a poorly managed data protection

environment

Solution• Managed Backup Services using expertise from Symantec

• Incremental backup of 1.5 terabytes of data every other day, with full backups taking place

every week across 300 servers (mainly “Wintel”)

Business value and technical benefits• Provides real-time day-to-day operational management and end-to-end data protection

• Helps the bank to significantly increase backup success rates

• Reduces the costs and IT risks associated with unmet recovery objectives, data loss, and

business disruption

• Provides comprehensive daily, monthly, and capacity reporting

• Ensures that the bank meets its SLAs every time

Case example


26

“The bank is barely involved in backup now. Symantec manages the entire backup environment, but we have the satisfaction of knowing exactly what is going on, thanks to comprehensive daily, monthly and capacity reporting. The net result is that we are hitting our SLA each time—every time.”


Client A: Service director, managed service provider, public sector program

“The thing to remember about public sector data is that the media are always looking for things

to go wrong. Any mistakes can lead to damning front-page headlines, which is why it is important

to work with organizations that you can trust implicitly to deliver against objectives. This is a key

reason for the ongoing success of our relationship with Symantec.

“Working with Symantec makes perfect sense, from my perspective, as we do not have the internal

resource available to deliver the kind of capability we are now enjoying. We need Symantec’s

expertise and experience if we are to deliver a high-quality service.

“Any form of data loss is unacceptable to our customer and the backup and restore capability

we deliver in partnership with Symantec is a vital service, underpinning the customer’s data

availability strategy. We also use industry benchmarks, such as Gartner, and expect an extremely

high rate of backup success.

“I have a great deal of faith in Symantec as an organization, and I am confident in their ability to

deliver a world-class backup solution. In the past, when we have had any issues, they have been

taken very seriously and resolved appropriately, and this is important when building up trust.

“Symantec brings order and predictability to the table, which is a huge advantage to all

businesses. The ability to recover data is not necessarily an area of high focus until something

goes wrong. Unless something is glaringly wrong, it is easy to take things for granted. Symantec

does not allow this to happen.”

.

What our clients say…


“Working with Symantec makes perfect sense, from my perspective, as we do not have the internal resource available to deliver the kind of capability we are now enjoying. We need Symantec’s expertise and experience if we are to deliver a high-quality service.”


27

Client B: Technical infrastructure manager, leading financial services firm

“We have been working closely with Symantec since January, 2007, when we brought them in to

do some work for us on the performance of our backup systems. We were impressed with their

work and decided to call them in to take over the management of our entire backup and recovery

services.

“We knew that we did not want to employ our own backup administrator internally. We simply

wanted to get somebody involved who had the expertise and experience to do an excellent job for

us.

“More importantly, we wanted somebody who really understood the products we were using.

Because Symantec designed the backup products in the first place, they were the obvious choice

to manage them for us.

“Trust is also very important, and this is true of all outsourcing relationships. If you are going to

let somebody else run something important for you, it is crucial that you trust them implicitly.

Because Symantec had already done work for us, we knew they would do the job properly, and

this was extremely reassuring.

“The value-add of working with Symantec is that they can delve deeper into our backup and

recovery processes. They don’t just run it for us; they identify what the problems are and fix them

immediately.

“With Symantec Managed Backup Services, we get straight through to whomever we need to. They

ask a few questions, and take responsibility for sorting any issues immediately.

“We’re absolutely thrilled with Symantec Managed Backup Services. If I had to make a choice

about renewing the contract with Symantec tomorrow, I wouldn’t hesitate.”


28

Symantec Global Services offers deep technical knowledge and proven expertise to help clients

manage IT risk, performance, and cost. Our consultants have helped IT teams from over 95

percent of Fortune 500 companies enhance and maintain the security, availability, performance,

and compliance of their information and infrastructures. With over 1,000 consultants worldwide,

we provide consulting services to clients in more than 60 countries and participate in more than

4,000 engagements per year. Our consultants average 15 years of experience across all major

operating systems, storage hardware, and application environments.

For information on Symantec Global Services, go to:

www.symantec.com/globalservices

For information on Symantec Managed Services, go to:

http://go.symantec.com/managed_services

.

About Symantec Global Services


29

For specific country offices and

contact numbers, please visit

our Web site. For product

information in the U.S., call

toll-free 1 (800) 745 6054.

Symantec Corporation

World Headquarters

20330 Stevens Creek Boulevard

Cupertino, CA 95014 USA

+1 (408) 517 8000

1 (800) 721 3934

www.symantec.com

Copyright © 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Printed in the U.S.A. 03/08 13773570

About Symantec

Symantec is a global leader in

providing security, storage, and

systems management solutions to

help businesses and consumers

secure and manage their information.

Headquartered in Cupertino, Calif.,

Symantec has operations in more

than 40 countries. More information

is available at www.symantec.com.

delivering an effective backup and recovery service: how a

Documents