A Disaster Recovery Site (DRS) is typically a small part of an organization’s overall Continuity of Operations Plan (COOP) or Contingency Plan. Its purpose is simple: to maintain or resume business operations in the event of disruption. It’s important to note that a Disaster Recovery Plan (DRP) is inherently not a technical document and in most cases, includes substantial input from management through a Business Impact Analysis (BIA). A BIA identifies the sensitivity of an organization’s data, along with risk analysis. While a DRP can encompass contingencies for many scenarios, this blog will focus more on the technical contingencies an organization can use.
Depending on the organization’s mission, data, and resources available to the IT budget, one can implement minimal or maximum measures to mitigate potential downtime. The two main inputs on which to base a DRP are the Recovery Point Objective (acceptable level of data loss) and the Recovery Time Objective (acceptable level of downtime). Once management answers these questions, the technical portion of the DRP can be explored. While there are other economical means that can be executed to resume business operations (data retrieval through backup, local clusters, etc.), a DRS can offer an organization almost complete protection from an unexpected disruption. Some organizations consider this extremely valuable and worth the cost, time, and manpower required to operate. Once the choice has been made to implement a DRS, an organization must decide on which variation of the DRS they need.
Hot Site vs. Cold Site
A Cold Site is defined as a location separate from your main operating environment that includes the necessary space, power, and network infrastructure with which to setup your new operating environment. The thought is that if a disruption occurs, the IT staff can relocate and set up hardware at the Cold Site, along with data backups, and have the organization up and running within one day. The main advantage of this configuration is that it’s economical to many organizations. The costs associated with maintaining a Cold Site are substantially less than a Hot Site, and it is typically just an added layer of protection secondary to any existing local solutions they may have. As such, a Cold Site is an acceptable level of protection to minimize a disaster.
A Hot Site is also defined as a separate location that not only includes the space, power, and network infrastructure, but also includes a replication of your source hardware and data. This is essentially a mirror configuration and means that data between your main operating environment and the Hot Site is generally replicated in real time. Many refer to this as an active/standby environment. If a disruption occurs, an organization can relocate traffic to the Hot Site and resume operations typically within minutes. This level of protection, as you might expect, is fairly expensive. However, for organizations with large IT budgets and critical operations (Federal Government, DoD, Large Private Companies), this level of protection may be necessary.
Maintaining a DRS should include regular DRP exercises (at least annually), among other things. Assigning participants to the exercise and documenting the results will allow an organization to understand what corrections to the DRP need to be made and to validate existing capabilities. The goal of the exercise is to assess effectiveness, preparedness, and the system posture of the DRS. Additionally, for those in the Federal Government and DoD communities, the DRS system must adhere to the same security requirements and security audits as the main operating environment. This adds to the overall workload, but is necessary to ensure that should operations relocate to the Hot Site, the security posture remains the same.
A DRS is an important preventative measure that can provide an organization necessary protection from various interruptions. This protection goes beyond just your technical assets; it also protects an organization’s business processes, mission, and even the confidence level of their customer base. While adding a DRS adds to the overall IT budget and requires additional manpower, finding a balance between risk, cost, and downtime should provide the right answer in deciding what to implement.