To some, recovery time objective (RTO) and recovery point objective (RPO) seem interchangeable. But they are distinctly different and serve different purposes.
RTO focuses on the time frame within which an organization will be able to resume business after an incident or disaster. It is measured in minutes, hours, or days.
RPO is a measurement of the amount of data that can be lost before harm occurs. It is typically measured from the point of an event, such as a ransomware attack or disaster, to the most recent backup.
See below for some of the top trends in recovery point objectives:
1. More stringent RPOs
Speed of recovery has always been an issue. This tends to put the focus on RTO rather than RPO.
Yet, RPO has gained in importance, and now companies are asking for much tighter RPOs.
“Businesses now set more stringent requirements for RTOs and RPOs,” said Vasilii Zorin, senior project manager, Acronis.
2. Greater frequency of backups
Not every organization needs near real-time RPO and zero RTO.
In any case, achieving them is expensive. Some organizations and certain verticals can get by if their systems are offline for a day or two. Areas like construction may well manage for longer.
But that willingness to tolerate longer RPOs is being eroded by the threat posed by ransomware.
“The ever-present ransomware threat forces IT to rethink how they meet recovery point and recovery time objectives,” said George Crump, chief product strategist, StorONE.
“Organizations that have to capture data more frequently to meet RPO demands require using technologies like change block and block-level incremental backups.”
3. Moving beyond backup
Organizations interested in improving RPO cost-effectively are realizing that a good backup system may not be enough.
They need systems that can address backup, recovery, and data protection in one integrated package.
“IT needs to look for a single storage solution that can meet the new demands of RPO and RTO with solutions that provide rapid backup ingests, protection of backup data, and an isolated recovery environment,” said Crump with StorONE.
4. RPOs in complex environments
Organizations often keep master copies of files or data in one location, perhaps to meet application performance requirements, regulatory compliance requirements, or data sovereignty requirements.
But they should also tier secondary/tertiary copies and replicas of data to a cost-efficient environment, such as a cloud service.
By storing replicas outside the primary application or platform environment, organizations take advantage of new price points, performance characteristics, and storage locations, and avoid being locked into one application or infrastructure environment.
For example, look at a backup and RPO for Microsoft 365 (M365) data, said Andrew Smith, senior manager of strategy and market intelligence, Wasabi Technologies.
M365 retains user data and backups for specified periods of time. Users requiring longer data retention or backup windows or more granular retention policies must turn to a third-party tool to ensure user info or backups aren’t permanently deleted after a specific period of time.
This is where software providers, like Veeam, can be integrated to help provide visibility and structure for backup data, which surpasses native data management policies provided by a SaaS app.
All this equates to a robust data protection and resilience architecture that can extend beyond the recommended “3-2-1-1” backup strategy.
“However, it is important to remember there are complexities inherent with multicloud,” Smith said.
“Leveraging multiple cloud applications and infrastructure providers means organizations must manage disparate data policies, security and access across platforms, and movement and migration of data across cloud environments. These complex tasks often require manual intervention or implementation of a third-party tool, and they can be a nightmare when it comes to ensuring backup policies are implemented consistently and kept up-to-date.”
5. Zero RPOs
Jason Lohrey, Arcitecta’s CEO, goes as far as to insist upon zero RPOs.
“The ideal recovery point objective is zero,” Lohrey said. “Anything short of that is a compromise.”
Here is the logic: Backup typically runs every few hours or perhaps once a day, meaning the RPO could be hours to days. File system snapshots are better, but those might be hourly. Both are discrete rather than continuous, which means anything created or modified since the last backup or snapshot will be lost if recovery is required. If multiple significant changes occur between those backups or snapshots, only the latest version that was backed up will be recoverable, and the rest will be lost.
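To make that logic concrete, the following added example (not from the article or any vendor quoted in it) takes a constructed backup schedule with one missed run, a constructed list of file writes, and an assumed incident time and six-hour RPO target. It reports the achieved RPO, the worst-case gap between backups, and which file versions are recoverable, superseded before capture, or lost.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: successful backup completion times (the 18:00 run is missing).
BACKUPS = [ts(s) for s in ("2024-03-01 00:00", "2024-03-01 06:00",
                           "2024-03-01 12:00", "2024-03-02 00:00")]
# Constructed file-modification events: (time, path).
WRITES = [(ts("2024-03-01 05:10"), "report.xlsx"),
          (ts("2024-03-01 07:15"), "ledger.db"),
          (ts("2024-03-01 09:40"), "ledger.db"),
          (ts("2024-03-01 11:55"), "ledger.db"),
          (ts("2024-03-01 14:30"), "contract.docx"),
          (ts("2024-03-01 22:45"), "ledger.db")]
INCIDENT = ts("2024-03-01 23:10")   # assumed time of the ransomware event
RPO_TARGET = timedelta(hours=6)     # assumed business target

def loss_window(backups, incident):
    """Time between the most recent backup and the incident (the achieved RPO)."""
    i = bisect_right(backups, incident)
    if i == 0:
        return None  # no recovery point exists at all
    return incident - backups[i - 1]

def worst_gap(backups):
    """Largest interval between consecutive backups: the worst-case loss window."""
    return max(b - a for a, b in zip(backups, backups[1:]))

def classify(backups, writes, incident):
    """Label each write 'recoverable', 'superseded' or 'lost'."""
    result = []
    for t, path in writes:
        i = bisect_left(backups, t)  # first backup at or after the write
        if i == len(backups) or backups[i] > incident:
            result.append((t, path, "lost"))  # no backup ran before the incident
        elif any(p == path and t < t2 <= backups[i] for t2, p in writes):
            result.append((t, path, "superseded"))  # overwritten before capture
        else:
            result.append((t, path, "recoverable"))
    return result

if __name__ == "__main__":
    print("achieved RPO:", loss_window(BACKUPS, INCIDENT), "target:", RPO_TARGET)
    print("worst-case gap:", worst_gap(BACKUPS),
          "violates target:", worst_gap(BACKUPS) > RPO_TARGET)
    for t, path, state in classify(BACKUPS, WRITES, INCIDENT):
        print(t, path, state)
```

Running the same functions over a real backup catalog shows whether a single failed job has silently pushed the worst-case gap past the stated RPO.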
Even though the reliability of storage systems is improving, the continued rise of cyber attacks and ransomware increases the probability of loss. Any data loss could incur significant impact and cost to individuals and businesses. This is one of the great challenges for data storage systems, and it needs to be addressed.
“New approaches to file systems and data systems will make it possible to achieve near-zero RPO, hopefully on the way to an RPO of zero,” Lohrey said.
“We are heading towards continuous (incremental forever backups) with an RPO approaching zero. The backup systems that we are familiar with today will cease to exist.”