How to Improve RTOs & RPOs with Disaster Recovery as a Service (DRaaS)

JULY 1ST, 2021

Disasters come in many forms—global health crises, ransomware attacks on critical infrastructure, floods, wildfires, even basic software malfunctions—but one thing disasters all have in common is the potential to wreak havoc on your business operations and data security.

With the many ways an organization’s operations can be disrupted, a comprehensive, well-tested disaster recovery strategy is not a nice-to-have; it’s a business imperative. 

Proactively planning for business continuity and restoring IT functions during and after a cyberattack or other major outage will help minimize downtime and data loss. This approach will, in turn, protect your organization from the financial and reputational fallout of a breach or service disruption.

RTOs and RPOs: Why They Are Essential Factors in Disaster Recovery Planning

“Prevent downtime and data loss” is a pretty broad goal, and success is impossible to measure. To establish benchmarks for success and quantify acceptable risk during disaster recovery, organizations should set two key parameters: recovery time objective (RTO) and recovery point objective (RPO).

Defining RTOs and RPOs helps ensure critical business operations and IT functions are back up and running quickly after a disaster and that your most valuable data is protected by backups during an outage or security event.

Recovery Time Objective (RTO)

RTO is a metric that defines how long an application can be down before the business is significantly harmed. The goal for this number varies depending on how critical the application is to maintaining business operations: 

  • A near-zero RTO requires failover services for mission-critical applications
  • An RTO of four hours allows time for on-site recovery from bare-metal restore to full application and data availability
  • An RTO of eight or more hours is sufficient for applications that can be down for days without serious damage to the business

Recovery Point Objective (RPO)

RPO is the maximum acceptable amount of data that can be lost before the business is significantly impacted. Again, this number depends on how critical that data is to the business:

  • Near-zero RPO: Mission-critical, use continuous replication
  • RPO of four hours: Use scheduled snapshot replication
  • RPO of 8-24 hours: Use existing backup solution (this data can potentially be recreated from other repositories)

The best methods of improvement for RTOs and RPOs include increased backup frequency, changed block recovery, and replication, all of which can get expensive fast. To make the most of your disaster recovery budget, when calculating RTO and RPO, prioritize applications and data by importance and by risk, and then incorporate these calculations into your disaster recovery strategy planning. 

How Disaster Recovery as a Service Can Improve RTOs and RPOs

There is no one “right” approach to creating a disaster recovery plan (provided you include all of the essential elements). However, in today’s highly distributed, data-driven business environments, disaster recovery as a service is an effective way to ensure RTOs and RPOs are met during a crisis.

Disaster recovery as a service (DRaaS) is a subscription or pay-per-use model that backs up data and IT infrastructure to a third-party cloud environment. This allows the disaster recovery team to orchestrate recovery and regain access and functionality to key IT capabilities, hardware, software, and applications quickly from any location.

DRaaS Capabilities That Help You Meet RTOs and RPOs

DRaaS solutions are delivered based on a service-level agreement. This allows you to define the capabilities you need to meet your organization’s specific disaster recovery plan requirements, including your RTOs and RPOs.

Recovery Time Objectives

  • Orchestrated recovery: This capability automates the recovery process to ensure critical servers, applications, and their dependencies come back online quickly with little IT intervention. This enables fast failover and prevents human error so downtime is minimal and RTOs are met.
  • One-click failover: This feature lets you configure the sequence, order, and timing for restoring each mission-critical system and lets you start a sitewide failover with the push of a button. Fast failover is a key capability for meeting RTO requirements for mission-critical data and applications.
  • Advanced network recovery options: Run your network in the cloud just like you would run it on-site with instant virtualization of your network and data, immediate access to files and folders, and mirroring of all backup images stored in the primary data center to a second data center in a different geographic region. 

Recovery Point Objectives

  • Point-in-time recovery: This capability is invaluable in the event of a ransomware attack or system crash. Point-in-time recovery lets you restore from a point immediately before the data was encrypted, deleted, or otherwise lost rather than just to the time of the last backup file. This minimizes the amount of unusable data and helps ensure RPO requirements are met. 
  • Set backup intervals: This is where prioritization comes in. For example, if your whole system backs up every 24 hours, but a critical banking application has an RPO of two hours, setting an appropriate backup interval is necessary to meet that requirement.
  • Air-gapped backups: With today’s heightened cyberthreat levels, the traditional 3-2-1 backup strategy isn’t sufficient for data protection. To ensure RPOs are met, follow the new best practice of three copies of data stored on two different media, with one copy stored in the cloud and one copy air-gapped off-site and offline.
  • Automated backups: IT teams are historically overworked and understaffed. DRaaS solutions automate backups, which not only ensures you have a current, complete copy of your data to meet your RPOs but also frees up IT resources to work on higher-value initiatives.

How a Customized DRaaS Solution Protects Your Data, Your Revenue, and Your Reputation

Security experts warn that when it comes to ransomware attacks on most businesses, it is now a matter of when an attack will occur rather than if it will. Armed with that insight, it is important for organizations of every size to plan now for a worst-case scenario, so when it happens, you have peace of mind that your data is safe and recoverable. 

Disaster recovery as a service is a reliable, cost-effective way to ensure your business continuity and disaster recovery plans are well in hand before you need them. By covering everything from your RTOs and RPOs to how you will communicate with customers during an event, a customized, thorough, and well-tested crisis plan will minimize disruption and maximize your recovery capabilities.

To take a deeper dive into the process of bouncing back from a breach, outage, or other disruption, download How to Build a Disaster Recovery Plan to learn six best practices for preparing your business for a crisis.