Editor's note: Welcome to .NETRocks Conversations, excerpts of conversations from the .NET Rocks! weekly Internet audio talk show. Hosts Richard Campbell and Carl Franklin chat with a wide variety of .NET developer experts. This month's excerpt is from show 658, with .NET security expert Patrick Hynds, co-host with Michele Leroux Bustamante of the LockDown weekly Internet talk show, who dispenses disaster recovery wisdom for developers and other tech professionals.
Carl Franklin: What do we do, not just how do we recover, but how do we prevent data loss in the first place when that catastrophic physical event happens?
Patrick Hynds: So this is disaster recovery pure and simple. It's the... what do you do when the place is flooded, it burns down, the server fails, and there's escalating levels of mayhem that you have to plan for. And really, all you have to do is plan for it, know what the threats are and what you would do with it, and you're pretty much covered. The problem is, most people put this off until after it's too late.
CF: The thing is, nobody really wants to think that such a tragedy could happen to them. Part of it is actually accepting the fact that these things happen.
Richard Campbell: I think the big thing here is the planning part of this. I used to have a book I called "In Case Of," and the big thing was writing it out in a way that I didn't need to be there to execute on it.
PH: Yeah, that's key.
RC: Sometimes the disaster is you. They lose you, or they lose other key people. Like you've got to have documentation that allows people to know where things are... bank account numbers and who owns our telephone service. That kind of information goes a long way toward just staying functional after a disaster.
PH: So, specifically what we wanted to talk about today is, where do smaller companies fit into this? What if I'm a 50-person company. What should I be worried about?
So let's start with the first level of advice. Figure out your threats, think about the levels of threats. Is it that a server fails and doesn't come back up, but the hard drive's still good? OK, what are you going to do in that scenario? What if the server fails, and the hard drive is non-recoverable? OK, what if the server room burns or floods? What if the building is destroyed? What if the building [is destroyed] and all your employees are killed? And that's the question that usually shakes the CEO and the board of directors to their core, because a lot of people have never even thought about that.
Most of the time, the answer is, we're done. Especially with smaller companies, where the company is four other people, so if we lost 80 percent of the employees then we wouldn't try to continue. Though that means that the ones who survive are out of work.
RC: But as long as that's an accepted plan, right... there's sort of a recognition point, there's a point where business can't continue or the data's lost, and that's ok. I think that's setting reasonable guidelines. I think we get rather irrational about this... that we can never lose data, we can never be down. It's not reasonable.
PH: All data's not equal. So home directories are great, but my ISO library is infinitely replaceable. My email server, my SharePoint data, my financial system... that's probably [not]. So when I look at a small company and they talk to me about DR, and want me to talk to them about DR, I bring up the systems that are most likely to be the most important... the top tier, must-have, you-better-back-them-up-daily items.
So there's email. Financial systems. Usually it's the invoicing system or the ERP system or whatever holds the financial data, it's another—we need a daily backup. I would also say that your CRM system, the way you talk to your clients, client lists, or source code if you're a software or consulting company... those are the ones that I find universally are... if we only had most of those back, we could keep going.
CF: People don't usually talk about a hacker attempt or an infiltration as a disaster. But it certainly could lead to a disaster.
PH: If they delete all your data, it's going to test your disaster recovery plan because it's all about restores. It's all about getting back running.