By Richard McElroy ( and Morten K. Mikkelsen ( 

Backups Disaster Recovery and Business Continuity; the words are bandied about with regularity but, as many business owners know, the definition of the terms can vary from publication to publication and IT Service Provider to IT Service Provider. 

Like many technical areas, IT has more than enough jargon. Sometimes people use jargon to be deliberately obtuse or perhaps make something simple seem complex. In the case of backup, disaster recovery and business continuity, it is more likely that these phrases get used interchangeably because each term describes a physical process(es) that contains some or all of the features of the other. Backup – In terms of information technology, backup is the act of copying files and/or programs to a location or device that is physically separate from the original files or programs.

The main goal of a backup is to be able to recover data that has been lost either by accidental deletion, physical disk failure, or some other corruption. Virtually all computer users have lost or deleted files on their personal or work machines at some point.

The secondary reason for a backup is to create an archive copy and thereby be able to restore previous version of a file. The number of versions of a file or the retention time of files is set within the data retention policies configured within the backup application or process. Many organizations have regulatory requirements such as HIPAA, SOX, FDA Title 21 CFR Part 11, etc. that requires them to keep a copy of their data for seven (7) or ten (10) years or, in case of HIPAA regulated entities in CA, for up to 28 years.

Keep in mind this, often overlooked, fact: The backup software and tape drive you use today need to be available and functional for as long as you plan to keep your data, should you ever need to actually restore your data. Without the software and a functional tape drive, your valuable data cannot be restored.

Backup data can be stored on tape, disk, at an off-site location, or in the cloud. The main concept to remember when considering backup is that backup solutions are about data – not systems. After a disk crash, system failure or physical disaster, all systems will need to be rebuilt and configured from scratch and only then can the data be loaded onto the systems.

Replication – Within IT, and especially when discussing Disaster Recovery and Business Continuity, replication refers to the act to sending an exact copy of live data to another system or location. Replication can be synchronous or asynchronous – With synchronous replication, the data is sent to the other system or location in real time and the other system acknowledges the receipt of each piece of data. This is used only in very high capacity systems (credit card processing, stock market etc), has distance limitations (~60 miles) and will rarely be encountered at the customers we usually deal with. When the replication method is asynchronous, there is a delay (typically seconds to minutes) from when the data is written on the originating system until it is sent to the secondary system and no acknowledgement of receipt of the data by the secondary system is required. Distance limitations and not a concern for asynchronous replication and it can be performed over a VPN connection on the public Internet as well as MPLS and Point-to-Point connections.

Replication can be used to send backup data or live system data to a secondary failover location. The key to understanding where replication fits in your DR or BC plan is that replication is a (more or less) live copy of the original data, so when the original file or folder is deleted or corrupted, that deletion or corruption is also replicated to the failover system. Therefore, replication is NOT a replacement for regular backups, but simply a tool for getting data from the production site to the failover site in nearreal time so that the failover site is up-to-date when the disaster happens. 

Disaster Recovery – While backup and replication can be thought of as simple forms of disaster recovery and are components of any good disaster recovery plan, they are not, in and of themselves, disaster recovery. In Information technology, the term Disaster Recovery is used to describe how the IT portion of a business can recover their physical systems, applications, and data in the event of a disaster to the physical infrastructure such as fire, flood, earthquake, etc 

The Disaster Recovery Plan is built around two pre-determined parameters:

(1) How long is an acceptable recovery period for this particular organization and their budget parameters? This is also known as the Recovery Time Objective or RTO – in other words, “how long can you afford to be down?”

(2) What is an acceptable recovery point for this particular organization and their budget parameters? This is also known as the Recovery Point Objective or RPO – in other words, “how much data can you afford to lose?”

Typical Disaster Recovery strategies employ a variety of Data Backup, replication and equipment availability solutions such as:

– Replication of data to a second site where failover hardware is available. The secondary site may need to be started up before internal and external customers can connect to the recovery systems, or it may be deployed in a High Availability configuration and failover can be near immediate. 

– Subscription-based disaster recovery agreements

– Disaster Recovery-as-a-Service (DRaaS) agreements

– Bare Metal Restores to new hardware (BMR allows for an image of one machine to be overlaid onto a physically different machine).

The main concept to remember is that Disaster Recovery is about both data and systems. The goal of Disaster Recovery is to get the IT assets of an organization up and running within a specified time parameter and with a specified limit to the amount of data lost.

Business Continuity – While Disaster Recovery aims to allow an organization to recover its IT systems and data within a specified time frame that may be hours, days or even weeks, Business Continuity encompasses much more than just IT. The goal of Business Continuity is the continual availability of critical business functions to customers and suppliers, and this goal is met by implementing standards, programs, and policies that are implemented on a day-to-day basis to maintain service, consistency, and recoverability.

A Business Continuity Plan (BCP) is usually developed from a Business Impact Analysis (BIA) that, depending on the size and complexity of the business, may take weeks and months to complete. Often a BCP professional consultant is brought in to manage the BIA and develop the BCP.

DR is an important subset of BC, but DR is event-based and IT specific, whereas BC is a continual, ongoing process that encompasses people, buildings, supply chain, crisis communications, transportation, security, public relations, etc., etc. An organizations reaction to events we would not associate with DR, such as BP’s oil spill in the Gulf, the Bhopal accident in India, or a plane crash that takes the life of the CEO are covered by implementation of a proper BC plan.

– Backup is an archive copy of your data
– Replication is a live copy of your data and applications
– Disaster Recovery is IT-centric and event-based
– Business Continuity is a mindset and process that covers the entire organization, not just IT

Each concept listed above has its benefits and drawbacks. Each organization needs to look at its budget, how much lost data and downtime that it can realistically afford and make its decision accordingly.