Storage Peer Incite: Notes from Wikibon’s February 5, 2008 Research Meeting
This week's subject is the latest in backup, restore and recovery options, the new generation of online backup and recovery services, in some cases fielded by very large vendors including Hewlett-Packard and IBM. These kinds of services started to take off in the consumer marketplace with firms like Carbonite, IDrive and Mozy offering backup of home computers. However, the Internet has become reliable enough that today it can support efficient transfer of very large amounts of data, and this has become the foundation of these new backup services. Instead of maintaining a data protection facility and staff, with nightly backups to tape, and a vault or other off-site storage location to guard against a data center disaster, today companies of all sizes can simply contract with a backup vendor and ship their data off site electronically automatically.
Besides freeing capital and staff for more important assignments, this can provide a convenient answer to the demands of new business regulations, which include security and privacy requirements for individually identifiable medical information and long-term archiving with proof that data remains unchanged for corporate financials. Instead of developing the required expertise in-house, companies can outsource the problem to an external vendor that operates on the software-as-a-service (SaaS) model.
At the right price, and prices have fallen significantly in recent years, this service should be attractive to a wide range of companies. Small firms that lack the resources to create their own DR program now can subscribe to one and pay by the GByte. Larger companies, particularly those that are wrestling with updating their programs to comply with new business regulations, now can simply replace them. Beyond this, however, the growth of online data protection, and the entry of some of the largest vendors in the industry, is one sign of a much larger evolution. SaaS is a disruptive technology that is changing the face of multiple industries ranging from IT to entertainment. The day is not far off when many even large companies will not need a data center. They will be able to contract a variety of SaaS and other sourcing services, based worldwide, for their entire data infrastructure, from the software and hardware on desktops to mainframe-based systems to support, at a fraction of the cost of maintaining that functionality in-house. Their IT departments will be dominated by negotiations experts and contract managers with no sign of programmers or other techies, who will work instead for the service providers. Barring a global cataclysm, this is what computing will look like inside a decade, except in the relatively few companies for which IT is a core activity and source of competitive advantage, and those in the industry need either to ride this wave or get out of the way. Bert Latamore
Once a high flying Internet bubble business, managed storage services are back in vogue but this time appear to be solving real customer problems at affordable prices. In the past few years, three factors have driven the return of on-line storage services primarily focused on data protection (i.e., backup and restore):
- Technologies that make this business cost-effective are coming to the mainstream, including disk-based backup using data de-duplication, encryption, and the consistency and reliability of moving data over networks;
- Relentless compliance and regulatory requirements specifically pertaining to the explosion of data and the need to retain, re-produce and authenticate electronic records have been put on the books;
- New and emerging business models that include Software as a Services (Saas) and packaging solutions (including processes) into a repeatable offering, make the business more channel-friendly.
These factors have enabled large service providers such as IBM, HP, Sunguard, EMC, and others to leverage data center economies and offer standard building blocks for channel partners (e.g., service providers) that are beginning to provide incremental add-on services to large, medium, and small customers who themselves are increasingly comfortable sourcing remote data protection.
Storage competitors have seized this opportunity, and acquisition and partnering activity has been up lately as EMC and IBM both made moves in this space acquiring Mozy and Arsenal Digital respectively, and HP has partnered with Iron Mountain.
Who are candidates for such services and what are the primary applications? The best candidates for these services are large and mid-sized customers who generally rely on decades-old backup processes; and smaller customers that don’t perform regular backups and/or have no processes. Backup/restore, backup/recovery and retention are the primary applications with the emphasis on remote services that can be purchased as an ongoing operating expense rather than as a sunk capital investment.
Pricing models for such services is based on two typical models:
- Pricing on data that is protected,
- Pricing on data that is stored.
Typically charges include a flat setup fee or a minimum requirement of gigabytes stored. Banding of services is also common with an N-month term required.
Despite the apparent convenience of these services, which includes an OPEX, versus a CAPEX, hit and the outsourcing of an increasingly problematic compliance issue related to electronic records, customers must remain vigilant in their assessments of these opportunities. Specifically, switching costs could be substantial given disparities in processes and technologies across providers. But there are examples where moves to alternative service providers have been made fairly smoothly in relatively smaller sites. In general, the larger the vault, the more difficult the migration, making pricing visibility fundamental.
As it relates to costs, most customers do not have a clear handle on the full cost of providing data protection today. Without this proper accounting, it is unclear if buyers will save money outright or be paying more for better service. In general, experience suggests that the payback on such services largely relates to very important, but harder to sell (internally) soft dollar factors such as quality, risk reduction, and speed to market.
Moreover, even though service providers are more likely to have best-in-class processes to manage data protection services, the burden of auditing and documenting such processes for defense in legal discoveries remains squarely with the customer. Finally, while service providers will contractually agree to penalties related to speed and accuracy of data recovery, the penalties will be limited to percentages of monthly service fees and not reflect the value of data lost.
Requirements As a result of these caveats, customers should choose suppliers that are financially viable and can be held accountable for process and procedure excellence and best-in-class security. As well, customers should demand flexibility in fees and service levels for factors such as retention and recovery points and backup frequency. Customers should also be aware that they are either paying for data protected or data stored, meaning the benefits of savings from factors like de-dupe will accrue differently for different applications. As well, invoking data encryption will add storage and consequently costs.
Action item: Large customers should endeavor to consider the operational overheads associated with protecting data carefully and fully consider total costs for internally managing versus sourcing such services. In general, it is best to do your own homework and not rely solely on the analysis of the service provider. As well, given potentially high switching costs, negotiating shorter contracts is advisable. Smaller customers must begin to recognize that their information is as important as large customers and outsourced data protection services provide a path to best in class data protection.
Both SMB's and larger enterprises face a conundrum when selecting managed storage service providers. Customers must often choose between the viability of a newer entrant and the typically less flexible contractual terms from larger, more established players. Because switching costs are often high for such services, due to diversity in technology and processes across offerings, established players can and will attempt to lock users into longer contracts and evergreen renewals while providing very limited price protection over time.
Best procurement practices show users need to take the time to understand how their requirements map to service provider offerings. Once that's done the decision boils down to understanding contract terms and making necessary trade-offs. Contractually, customers should:
- Negotiate more attractive terms, especially from newer entrants from established leaders (e.g. EMC/Mozy). Often users will find appealing incentives from larger companies trying to crash the party (e.g. monthly renewal periods);
- Use such incentives to negotiate the elimination or reduction of one-time setup fees from competitors;
- Negotiate the elimination or proration of early termination penalties;
- Investigate the possibility of obtaining 'Green Rebates' from power companies. Service providers may be willing to offer incentives to customers who qualify for such credits in exchange for PR (e.g. references or a case study);
Action item: Given the rapid advancement of technologies and never-ending cost reduction in place within large data centers, remote data protection customers should attempt to negotiate the shortest terms possible. In general, customers may very well find that shorter terms, while carrying a higher monthly cost, will result in more attractive pricing, better flexibility or improved service down the road.
Today a company’s ability to restore or recover data following a disruption is based upon the data backup process being used. Therefore, companies of all sizes can no longer treat backup and recovery as separate processes. As the volume of data in companies continues to increase dramatically, so does its importance and value. Data is now estimated to constitute 80% of companies’ assets. The traditional approach to protecting that data is to back it up to tape, keep a copy off site, then recall that tape to perform operational data restores, or send it to a recovery site for tests or disaster declarations. That traditional process no longer supports today’s 21st Century business requirements, for data security, compliance, restore or recovery speed. Using a services provider to provide one integrated electronic process for backup, restore, and recovery can deliver day-to-day operational efficiency, help support data centric regulatory compliance, and enhance a company’s business continuity posture.
Action item: Examine your backup process and ensure it supports your end-to-end data protection requirements in terms of your ability to access, restore, and recover data. Thinking about backup and recovery as a single umbrella process (rather than distinct activities owned by different parts of the business) will reduce inefficiencies and speed productivity of data restoration at the most critical time - when there's a problem.
Installations that use VTL libraries with de-duplication technology often perform a raw backup to disk and then tape as a means of ensuring the fastest time to securing the data offsite, and improving the recovery point objective (RPO) in the case of a disaster at the data center. Inserting de-duplication as a first step can increase the RPO and introduces another potential technology failure point, but also has the potential to reduce IT costs, especially relative to performing backups on tape.
One key technology that has enabled a reemergence of remote backup and recovery services is de-duplication. This can be done at the originating site, or at the remote site, and there are tradeoffs that must be evaluated seriously.
The advantages of de-duplication being done at the site is that the data sent over the network is minimized with lower IT costs and shorter network transmission times before the data is secure. Some vendors argue that de-duplication is a type of weak encryption; however if encryption is a requirement before transmission over the network, de-duplication can only be done first or not at all.
The disadvantages of de-duplication are that an additional de-duplication step is required to produce the data for transmission, with the added risk of technology failure, additional IT cost (e.g., server and operational overheads), and additional elapsed time before the data is ready for transmission.
The ideal from an IT cost point of view is to de-duplicate the data early, then compress the data and then transmit without encryption. However, the business has to decide whether the additional costs of de-duplication later in the cycle are offset by reductions in risk and improvement in RPO.
Action item: Installations looking at remote backup and recovery must establish a robust process for looking at the impact on each application group of inserting site de-duplication technologies. Evaluation criteria include RPO and recovery time objectives (RTO), as well as cost and risk. The hard question “what happens when the de-duplication technology fails” must be asked and answered. This process should include strong input from corporate risk officers and the line of business.
Nearly a year ago it was clear that online storage services were a becoming a top strategic priority at several leading companies. With pricing today for data protection services at roughly $5/gb/month, headed to $2.5/gb/month in the near term, things are beginning to heat up -- but much remains unclear. EMC's recent acquisition of Mozy and IBM's move to bring in Arsenal Digital are just two examples of leaders intent on muscling in and/or not giving ground in this marketplace. Indeed, every major storage supplier will be forced to participate in this space either through acquisition, strong partnerships, or homegrown offerings.
How much this business is driven by consumer trends remains to be seen, but betting against the consumerization of storage services is probably a bad idea as SMB's will define the market. Moreover, with Dell's commitment to storage sealed with its recent acquisition of EqualLogic and the company's installed base of several hundred thousand SMB's, the marketing hype is just about to explode.
The requirements for this market are straightforward. Offerings must be simple and transparent with rock-solid reliability.
Action item: Storage providers must get serious about on-line storage services in general and data protection services specifically. Suppliers must aggressively adopt software-as-a-service (SaaS) models and drive price/usage transparency, simplicity, and an always-on reliability. Marketing messages will become a key differentiator and source of customer value as free trials, bronze/silver/gold service granularity, and 'it's your data' messages will permeate the industry over the next 6-12 months.
The legal system has become very concerned about ensuring that electronically archived information has not been covertly altered. An IT manager’s word is not enough. The court has to be convinced that there is no possibility that somebody could have changed the data being presented. Indeed, opposing counsel have learned to attack the very processes by which organizations store and secure information, essentially flipping the burden of proof onto the defendant. Establishing a process that will hold up to opposing counsel and the court is not a trivial task and not one that IT should exclusively own.
For organizations challenged to establish that archived information can hold up in court, it makes sense to look at outsourcing archiving to a remote service. However users should understand that the burden of auditing and documenting procedures by which data are stored, protected, and secured in a tamper-proof manner rests squarely with the customer, not the service provider. Service providers will limit their liability in this regard contractually. Users must therefore guarantee they have adequate access to audit service supplier operations and processes so that they may ensure compliance with the edicts of the corporation and courts.
Action item: All the investments in archiving can be for naught if the data is not accepted by the courts. Key to acceptance is not fancy technology, but very good and robust processes and procedures. Using a high quality remote backup, recovery and archiving service and then auditing the processes and procedures of this service can be a quicker and more cost effective way of ensuring that all archived data is admissible in court.