Backup Best Practices Save Critical Data

In the dark ages of computing, there were paper records that were keyed into the computer for processing to generate reports. If the data was lost, then the paper records were retrieved and keyed back in.

Today, paper records aren't so common, as paperless offices grow in popularity. As a result, the need for timely, reliable system backups has become critical as they serve as a safety net. If the data relating to these all-digital records is lost or corrupted, then all records are gone.

In order to have timely and reliable data backups, there must be a careful blending of people, technology and processes using a systemic perspective to ensure that goals are met.

For any data backup project, it is important to have a defined scope of what data and servers/hosts will be included. For each type of data, IT should work with stakeholders to identify what hosts need to be backed up, how often, the level of security and the available service window for doing so.

In addition, an estimate of how often data needs to be retrieved from the archival system is needed to better understand the possible technology, people and processes that will be required. An understanding of the risks confronting the organization and each data set for backup will serve to guide additional factors that need to be considered.

These requirements should not only drive the identification of a solution but also be documented in the organization's formal backup policies and procedures.


As a foundation for the success of the initial implementation project and the ongoing backup and restoration processes, the people involved must have sufficient training and understanding to grasp what must be done. Management must support the people and the processes by ensuring that the correct people are hired, training is provided and that policies and procedures are adhered to. The "tone from the top" is vital to this, and any other, project.

Avoid Techno Babble

As a tip, when dealing with a non-IT stakeholder, including senior management, be sure to frame communications in language that the others can understand. Don't leave them dazed and confused with a slew of techno babble. Focus on the services they need, risks to those services, regulatory requirements and business needs. And make sure to quantify things in terms of time-frame, dollars and risk whenever possible.

The goal is to put in a solution for the business. To do this, business execs must be able to understand and be involved.


There are a variety of types of backup systems, ranging from tape drives to full host redundancy with real-time failover. The solution that is put in place and its corresponding level of investment must be driven by a combination of risks confronting strategic, operational, reporting and compliance objectives. One group may need a $5 million hot spare data center with real-time fiber optic feeds and another may just need redundant $2,000 tape drives with $1,000 worth of software.


One recommendation given to organizations of any size is to be very aware of the backup technologies in use relative to the data in storage.

It is vital to ensure that any restoration process will be able to handle the vintage of media created in the backup process. Tape drives provide a clear case in point. It is common to walk into an organization with several models of tape drives of varying vintages. The groups religiously back up. However, if there is a fire or other disaster, they are in a bind. Why? Because the needed combination of tape drives and software may not be readily available after a disaster.

Having all the needed tapes but no way to read them defeats the purpose. Carefully consider how the correct model of tape drive, version of software and corresponding backup data can be stored offsite and made available when needed.

Ultimately, whether the redundancy is simple or complex, the solutions put in place must be driven by risk.

To be explicit, the probability of negative events and their impact on strategic, operational, reporting and compliance objectives must be understood. By using a risk-driven approach, organizations can avoid both investing in systems that provide too little protection and investing too much in extremely elaborate systems. Some people may find it odd to be warned against buying too much redundancy, but it is because redundancy increases systemic complexity.

This increase in systemic complexity comes at a cost in terms of resources. And it's not always obvious. Initial purchase cost, additional training and more avenues for failure must all be considered.

In looking at the confidentiality, integrity and availability of data backups, we must look carefully at the supporting processes. The best technology in the world can be negated by ill-conceived processes.

Different technologies may require specialization but the following bear consideration:

  • Ongoing Risk Analysis -- An understanding of threats, what management is willing to accept and how to mitigate those risks is vital not only to implementing a backup solution, but also to keeping it aligned with the needs of the organization;
  • Scheduling -- Work with system and business stakeholders to understand when backups can happen and how long the system can be unavailable;
  • Data retention -- Work with system, business and legal stakeholders to understand how long data should be retained. In some cases, backup data may only be needed for several months and in other cases the duration may be in years;
  • Review of Logs -- Log files generated from each backup job should be reviewed to check for errors, duration of the backup job and so on. Try to identify problems and take corrective action to reduce any risks associated with failed backups. From a compliance perspective, be sure to date and sign reviewed logs in a method that mirrors your policies and procedures. Auditors need to see proof that reviews are happening due to the critical nature of the data;
  • Library -- Be sure to clearly label media and note where it is stored;
  • Rotation and Expiration -- Depending on the model used, backup media can be re-used at some point in time. To be cost effective, it makes sense in some cases to re-use media when possible versus constantly buying new media. But it, in turn, means that organizations need to track media to understand when it can be put back into the available media pool, and when it has reached its end-of-life and needs to be properly disposed of;
  • Disposal -- Do NOT throw media in the trash. Physically destroy it so it cannot be read by an unintended party;
  • Testing -- More than one IT administrator has had an awful moment where she finds out her data restoration is flawed. It is far better to find out the causes and take corrective action in the safe confines of monthly or quarterly testing than it is in the heat of battle.

Data is increasingly critical these days as timeframes compress, risks increase and businesses run on information that increasingly exists only in digital form. Data loss can result not just in financial losses to the company, but can also impact the strategic, operational, reporting and compliance objectives of the organization. Each group must collectively identify, understand and manage the risks associated with its data to safeguard the overall organization.