 Hi everybody, this is Dave Vellante coming to you from Wikibon headquarters. As you know, for the last several months we've been having CUBE conversations with IT practitioners about their data challenges and particularly their data protection issues. We're really pleased to have Karen Sullivan joining us today. She's the Chief Information Officer and also the Chief Security Officer at Public Employees Federal Credit Union, PEFQ. Karen, thanks for coming on and welcome to theCUBE. Thank you very much for having me. So tell us a little bit about PEFQ and your dual role there, CIO and CSO. First, as a CIO, I am in charge of the IT department and all our IT initiatives. And we also help the business by looking at the strategic plan and the business goals align IT with business. And then as Chief Security Officer I manage the entire security program and that includes disaster recovery, data protection, et cetera. So if you could talk about your data protection environment in particular, I'm interested in what the environment was like prior to your current modernization? What was keeping you up at night? What were some of the business challenges that you had to deal with? Well, first off we were relying on tape-based backup and that was an issue for me. Disaster recovery was an issue because we have one DMX and a Centera and of course on the Centera we were running out of object space and we only have one DMX. So we purchased the second DMX and eventually moved to a recovery site and we've evolved from there. So archiving of data was also an issue. We were using cold storage before we moved to the Centera. So that was a big jump and then we've made leaps and bounds since then. So tape was your primary backup approach. Do you still use tape? No, we do not. So you eliminated tape completely. Talk about the project. What did you bring in? You have a suite of EMC products, I know. Maybe talk about that a little bit. Sure, we are now on a BMX 10K. We have one here, one at our disaster site and we also have a warm site with a VNXE and then we also brought in data domain and removed the Centera and migrated all that data. So we wanted to consolidate archiving and backups into one appliance. And then we changed from SRDF to RecoverPoint for replication between the sites. Okay, so go ahead, please continue, sorry. Data domains are nice because everything goes to the data mains, all the archiving, the backups, but then it's cascaded from here to our disaster site and then again onto the warm site. So we know our data is always there and that's important for regulations from the financial institution. So you have a data domain which is the primary backup appliance and then you replicate the data. Do you have another data domain target offsite or do you replicate it to, okay, you do. So two data domains, so redundant sort of offsite and you're doing that at asynchronous distance or synchronous distance? Well, we actually have three data domains. We have one in Lakeland, we have another one in Jacksonville and another one in our warm site, North Cross, Georgia. So we're cascading those data domains, the data from them. Okay, so, and the three sites are, what are they, two-site synchronous and one-site asynchronous or are they all at asynchronous distance? They're all async. Okay, great. So talk about some of the business impacts and the outcomes of that initiative. Maybe give us the before and after, maybe a technical, economic considerations. What's changed? Well, we saved money by removing the tape and the tape storage offsite and consolidated all the backups that saved time. It reduced the backup window tremendously. Replication has sped up and the return to operations is much faster for us and now we've taken 410 terabytes of data because of the data domains and are able to deduplicate that down to about 30 terabytes of data between the three appliances. And then we changed from, of course, SRDF to Recover Point appliances. So can you talk about your RPO and RTO requirements and was there any change there? Yes, there was. We use SRM, of course, we're completely virtualized with VMware throughout the entire credit union and using SRM, we are able to fail over, not on our core processing system, but over 100 servers in about an hour. And that's compressed from where you were before. Can you give us a comparison? Oh boy, from years past, when we were dependent on a surface provider and before we moved from SRDF to Recover Point and got the data domains, we're talking three or four hours to bring ourselves back up, sometimes up to eight, depends on what the service provider provided as far as equipment. And we couldn't depend on that, so we decided to duplicate our main office at our DR site so that everything is exactly the same. I wonder if we could talk about EMC, their role in this process, why'd you go with EMC, what they do that you liked, anything that you wish they had done differently? Talk about that a little bit. I can't say that I would've wished they'd done anything differently. They've always brought in the top level engineers our sales manager did and they would whiteboard things out for us, they would understand what our business needs were and make sure that what we were purchasing was the right fit for our business. So I'm very pleased with what they've done with us. So I wonder if you could talk about having gone through this, what experience you would apply when giving advice to your peers, what would you tell them, what are the two or three things they should really be focused on? Well, first they need to align IT with business, understand the business and what those business needs are and then they need to look at what the strategic plan is for the next five years and then plan around that because if you don't you could get stuck buying equipment or software that's not going to get you into the future. So by doing that and working with EMC and letting them know what that strategic plan and what your goals are, then they can help you design a system that will get you into the future and make sure that you have data integrity and data protection. So what's hot for you guys these days? What are you working on, what new projects, strategic initiatives and how, if at all, will that affect your data protection strategy? Well, the VMAXes are coming up for a new one next year. However, we are looking at Extreme I.O. Because we want to go to VDI. That would help us in recovering PCs quickly when a person has a problem. So click on the button, boom, done, you're up and running again. So we're also looking at Isilon for storage as well. We will find that out when we visit EMC World this year as well as talking to our account manager and the engineers at EMC. Awesome, we'll be there with theCUBE. So by all means, stop by, we'd love to have you on live. And let me ask you another question. As a Chief Security Officer, every year I look back at the beginning of the year and I say, okay, am I more or less secure? Every year I feel like the challenges are greater, there's more data, there's more bad guys out there. So I wonder if you could talk about that a little bit. What do you see as the state of security and how are you addressing those challenges? Wow, we put in DDoS protection, several layers of it by outsourcing part of it and an internal appliance that we have. We also use dual antivirus programs on the outside of the DMZ and on the inside as well. But protection of that data is very important to us and that's why the data domains and the VMAX are very important to us because if something is corrupted here, we will know that it is not corrupted elsewhere because we can recover at any point in time and go back. So malware is a big issue. Of course, DDoS attacks are a huge issue and of course hacking and we use multi-layered security. Have you had to sort of, can you talk about recovery? Backup is one thing they say, recovery is everything. What's your experience been with recovery? Have you had to actually test that out in a real world situation? Well, not in real world, no. We did have a close call in 2004. We had three hurricanes pass through Pope County and that was a big lesson for us because it almost destroyed the whole roof of our building and we almost lost all of our equipment. So that was a big impetus for the things that we did and moving our disaster site to a facility away from a service provider and duplicating our own equipment and having complete control. And so I'd say that coming from where we were in 2004 to now, we're, I think we're one of the best and I don't wanna sound like I'm bragging but we do have people come from all over the country to see our disaster recovery procedures and how it works and they come in and ask us questions and we're a reference account for several companies for that reason. And you test that pretty regularly. How often do you test that? We test it fully once a year. We go to Jacksonville and we take 43 people with us. We have a command center there, all of our IT people go just to be there for support. We really don't need to go, we could do it from here. And we actually do failover before we even go to the disaster site. So once the failover has taken place, we show up just to support. If somebody has a problem with an application or whatever, we built little cubicles just like it's the Lakeland office or our main office. And then we have a command center for the CEO and others involved in the disaster recovery team. And as a matter of fact, we even have bins for each department to keep supplies in. They must update their supply list each year. And then we have sleeping bags and cots and ready to eat meals. We are living in Florida and we can't take a chance. Yeah, in that part of the world, you really gotta be on top of things. All right, Karen, we have to leave it there. Thanks so much for bringing your CIO perspectives, your security perspectives, the practitioner views from a data protection standpoint. And we will probably hopefully see you at EMC World. And thanks for watching everybody. All right, thank you. All right, take care everyone. This is Dave Vellante with Karen Sullivan at theCUBE. See you next time. Bye bye.