Information Security Management Handbook, Sixth Edition (2012)
DOMAIN 8: BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING
Business Continuity Planning
Chapter 27. Data Backup Strategies: Traditional versus Cloud
Carl B. Jackson
Questions concerning the adequacy of data backup strategies have long been a major concern of enterprise management. There is no news on that. But there IS news in that Internet-centric data backup supporting technologies are evolving rapidly. Given the Internet cloud computing trends, might a reevaluation of existing data backup strategies make sense for your organization?
When considering data backup strategy options, there is no shortage of new or old solutions. A simple Internet search will quickly deluge you with solutions heaped upon solutions, offering technological alternatives in numbers and types that are truly staggering. But, what is the problem we are trying to solve? It is that the vast majority of today’s organizations have come to rely heavily, if not entirely, on information technology (IT) to support mission-critical business processes. And as such, they continue at an exponentially increasing rate to pack away enormous amounts of data/information for archival and backup purposes.
The meaning of the term “data backup” for one entity may be, or in fact probably is, different than for another. Terms such as virtual server backup, mirroring, failover, cloud computing, cloud online backup, cloud storage administration, electronic vaulting, data reduction/compression and encryption, data classification, incremental backups, and the like have become everyday jargon of IT and continuity and disaster recovery planning professionals.
So, although technological advances have made redundancy of information assets much more foolproof and efficient, some things never change. Without the data, all the machines and networks in the world are of little use. With this as a given, what is the best data backup solution?
While detailing the listing of every possible alternative solution is well outside the scope of this chapter, we will attempt to sort out some of the jargon and offer a few important suggestions that the management might want to consider when building their data backup strategies.
There are numerous reasons for performing data archival and restoration backups. Primarily, it is to support organizational time-critical business process functionality (e.g., increasing profitability, sales support, customer service, mission-critical support, etc.). Audit and regulatory mandates also necessitate access to archival data and ensure availability of information. Also because regular and ongoing backup processes reduce the possibility of data loss, a sound data backup strategy is quite plainly a compulsory requirement for doing business.
Disruptions: The Root Causes
It is unfortunate but inevitable that business process disruptions occur. Generally, the root cause for these events can be classified in one of the following categories:
Hardware failure: IT hardware and other equipment (e.g., hard drives, circuit boards, magnetic tapes, network controllers, etc.) or their countless components are subject to malfunction.
Software failures: The failure of software for continual support processing of mission-critical business processes regularly impacts IT infrastructure and is often a major source of financial loss and/or customer service impacts or dissatisfaction.
Facility/environmental failures: Facilities or environmental disruptions (e.g., fire, water damage, utilities failures, HVAC failures, etc.) result in a surprisingly high number of disruptions annually. Add to this list man-made or natural disaster. The tragic consequences surrounding the 2011 Japanese earthquakes, tsunami, and atomic radiation releases, the Churchill, New Zealand earthquake in February 2011, or the flooding in America’s Northwest and Midwest areas, etc., are constant reminders of the fragility of organizational infrastructures in the face of natural regional or, in the case of Japan, national disaster. In addition, in uncertain times, the potential threat of terrorist-related violence calls for reexamination of the integrity of the organization resiliency program, including data and application backup processes.
Human errors, accidents, or omissions: By far, the single most frequent cause of disruptions within an enterprise results from the errors, accidents, and omissions of people. Not just any people. They are the organization’s own people. Whether accidental or intentional, human errors, accidents, and omissions are traditionally considered the major cause of organizational process interruptions or breakdowns. It is often the human errors, accidents, and omissions of insiders that lead to many of the other disruptions cited above.
Outsider actions: Viruses, worms, and a whole host of other insidious outsider-originated attacks on your organization and its facilities, systems, communications, and data are increasingly to blame for the loss of data integrity and availability.
These potential disruptions clearly illustrate why the management must perform regular physical security, information security, and emergency response status reviews. The answer is to anticipate and mitigate the root causes of serious disruptions that might necessitate data recovery or restoration. Further on in this chapter, a number of relevant recommendations along these lines will be offered.
Other Data Backup Mandates
Aside from the usual list of business- and technology-related potential disasters, other requirements often mandated through standards or compliance-related entities can be added, such as:
Standards requirements: There are a number of external entities that in some way, shape, or form mandate good data backup practices. Standards are issued by the ISO for IT Disaster Recovery and Information Security Management Programs, the National Fire Protection Association (NFPA) Standard on Disaster/Emergency Management and Business Continuity Programs, and the British Standards Institution’s Business Continuity Code. The BSI code stresses off-site data backup storage and other leading practices. These are just a few of the numerous standards organizations that can and do provide justifications for backup approaches.
Audit/regulatory requirements: Internal and external audit requirements, as well as governmental mandates through U.S. governmental agencies such as the FFIEC, IRS, and SEC, continue to stress the importance of fundamental business continuity planning, including provisions for appropriate data backup. Enterprises that operate in countries outside the United States face large numbers of similar corresponding requirements.
Data Backup Requirements Gathering
A sound and well-thought-out data backup management process must dovetail with various components of the enterprisewide Continuity Planning Business Process. All data backup strategies must provide support to the enterprise business goals, of course. They must also work in unison with existing continuity planning business processes and defined business process recovery objectives and time frames.
Here are just some of the primary data gathering requirements:
Status of the existing enterprise business continuity planning infrastructure: A fully developed enterprise continuity planning business process should consist of several components. These closely interrelated components include the Business Continuity Plans (i.e., business process recovery planning), the Disaster Recovery Plans (i.e., technology recovery planning), and the overarching enterprise Crisis Management Plans and planning structure. These components, once implemented and tested, rely on the timely and accurate recovery of data/information in both electronic and hardcopy forms.
At the outset, the executive management must insist on having a clear definition of the backup strategies requirements. The requirements gathering process includes undertaking a business process impact assessment as well as an emergency preparedness analysis.
Status of the business impact assessment (BIA) process: A reasonable estimate of the time needed to restore interrupted functionality, so as to minimize impacts on time-critical business processes, is the goal of the BIA activity. A properly conducted BIA provides enterprise managers with prioritized inventories of time-critical business processes, including the estimates of their recovery time objectives (RTOs). How can the management possibly make informed backup process and resource acquisition decisions without a BIA? Only through development of a sound understanding of all potential loss impacts can the management efficiently allocate resource requirements.
Status of enterprise emergency response capabilities: Along with the BIA, the management should also perform an enterprise emergency preparedness analysis focusing on current and anticipated emergency response capabilities. These include environmental security (e.g., fire detection and suppression, electrical supply monitoring and conditioning), physical security of facilities (e.g., access control, surveillance, personnel identification practices, etc.), and personnel security considerations (e.g., employee awareness and training) and the regular and ongoing testing or exercises of these emergency response capabilities.
Data Backup Process Selection Criteria
Once the management has a handle on the status of existing threats, potential impacts, and existing control measures, they should turn their attention to developing data backup philosophies and practices that fit their organization’s needs. This chapter does not presume to present an all-inclusive directory of the criteria that enterprise managers should use in selecting data backup schemes; however, following are a few of the most important considerations:
Support the enterprise mission: Above all, the data backup strategy, including data restoration timing requirements and expense allocations, must fit the overall enterprise mission/goals. Consider what is driving time-critical business process recovery windows, which, by the way, force data restoration time windows and mandate that the data backup strategy be designed accordingly.
Management scope: Depending upon the size, organizational structure, geographical footprint, and enterprise mission objectives, the executive management group should articulate their expectations to all concerned business process and technology owners/leaders. Mid-level managers will inevitably be responsible and accountable for the in-the-trenches development, implementation, and ongoing oversight and reporting on the data backup and archival strategy for each of their specific areas of responsibility. It should go without saying that executive management’s support and direction in this effort are of paramount importance. Success in this complex and rather daunting undertaking requires resource allocation and management support. Failure of the executive to clearly articulate the expectations will very possibly result in incomplete and inconsistent application of the strategies and ultimately result in some very unpleasant surprises, should a restoration become necessary.
Temporal scope: Utilizing business process recovery time frames (i.e., RTOs) determined during the BIA, the management must insist that data backup and archival processes meet or, even better, exceed RTO time frames. Beware. Experience has demonstrated that failures in this area are common and costly if allowed to go unaddressed.
Fiscal scope: Again, depending upon business process RTOs, backup strategy cost estimates are required and the methods determined for allocating those costs across the enterprise.
Data and media scope: Considering the best way to manage multiple types of media (e.g., hard drives, tape, logical, virtual, and even hardcopy) is the challenge. Another is to understand and organize types of data (e.g., historical data, transactions, legally mandated data [IRS, SEC, etc.]). Do not forget the requirement for data classification. Accumulated information of large organizations can include literally millions of gigabytes of data. Simply coming to grips with how best to administer backup processes by prioritizing information according to type can be off-putting. In the world of information security, classification of data has always been a colossal implementation and management problem. The sheer magnitude of information makes classification of electronic and hardcopy information daunting. Experience has shown that more often than not, and sometimes in frustration, management eventually defaults to the “everything goes” principle and simply opts to “back it all up.”
Backup geography considerations: The assessments must also take account of the organization’s geographical footprint (i.e., one or multiple locations), IT architectures, and user reliability expectations and requirements.
Technology scope: Understand the precise technological scope and requirements for backup. Are we talking about server backup, e-mail backup, mainframe backup, etc.? What systems (e.g., mainframe vendor supplied, MS-based, UNIX, Linux) are utilized and how are they configured (e.g., mainframes, server implementations, multiple facilities, desktop implementations, or combinations of the preceding)? Of key consideration for data backup purposes are the volume of data currently being processed and the bandwidth currently being used. It is crucial to factor in expectations for future growth in both volume and bandwidth.
Special circumstances considerations: Organizations that serve unique public safety or national security related populations may well have special circumstances that also require analysis. As an example, take the Department of Homeland Security initiatives for supporting America’s critical national infrastructure during times of national crisis.
Does Your Organization Support America’s National Infrastructure?
For those enterprises that are considered part of America’s critical national infrastructure, the Department of Homeland Security (DHS) is attempting to provide guidance through the release of the 2009 National Infrastructure Protection Plan (NIPP). The DHS is endeavoring to form a partnership with the 18 critical supporting private sector industries by defining a unifying structure process for integration for the protection of what the DHS calls “critical infrastructure and key resources” (CIKR). As the primary emphasis, the CIKR sets forth objectives for establishing a safer, more secure resiliency for America’s CIKR by developing a set of tools. These tools will, among other objectives, “provide for the appropriate protection of information, including developing an inventory of asset information…” DHS directive Homeland Security Presidential Directive/HSPD-7 directs the Secretary of Homeland Security to implement plans and programs that identify, catalog, prioritize, and protect CIKR in cooperation with all levels of government and private sector entities. Data systems currently provide the capability to catalog, prioritize, and protect CIKR through such functions as: (1) Maintaining an inventory of asset information and estimating the potential consequences of an attack or incident (e.g., the IDW); (2) Storing information related to terrorist attacks or incidents (e.g., the National Threat and Incident Database); (3) Analyzing dependencies and interdependencies (e.g., the NISAC); (4) Managing the implementation of various protective programs (e.g., the BZPP Request Database); and (5) Providing the continuous maintenance and updates required to enable the data in these systems to reflect changes in actual circumstances, using tools such as iCAV and DHS Earth. Organizations supporting America’s critical infrastructure should factor data backup programs accordingly.
Data Backup Solution Alternative: Cloud Data Backup
At the very least, the topic of cloud computing is hot and getting hotter! Internet searches reveal many sites dealing with the latest and greatest services, predictions, surveys, capabilities, recommendations, technology reviews and discussions, and the like—all related to the topic of cloud computing. Keeping up with the cloud computing industry and technology will be a major challenge for managers considering the cloud for data backup purposes.
Cloud backup: The meaning of cloud computing can have multiple definitions depending on who is using it. For the individual or smaller sized organization manager, cloud computing, including cloud data backup, takes place over the public cloud. However, for organizations of any significant size, rapid RTOs mandate the use of a private cloud. Reputedly, one of the downsides of using the public cloud is the length of time it can take for data recovery and restoration. For information-only purposes, a good source for cloud computing–related information is the Cloud Computing Journal.
Lines are blurring: The lines between public and private cloud capabilities are blurring quickly. This makes hard and fast declarations concerning the various cloud computing data backup support capabilities, advantages, and disadvantages somewhat problematic.
Public cloud backup providers: Public cloud users include individuals and small businesses, through services provided by vendors such as Carbonite, CrashPlan, IDrive, Jungle Disk, and others. Today, public cloud servers are capable of collecting, compressing, and encrypting data that is transferred, typically every 24 hours, over the Internet. Public cloud backup offerings are rapidly evolving, including trends in allocation of storage space, storage space expenses, recovery/restoration time frames, bandwidth support, etc. Needless to say, this space will certainly look different as industry, technology, and user requirements mature.
Private cloud backup: As the name implies, a private cloud is “private” or, in other words, proprietary to a particular organization or consortium. Some larger organizations have been using cloud backup for archival purposes, mainly because of slower data recovery turnaround times. Some large organizations have built or are building private clouds for their use. Companies that provide cloud computing services for larger organizations include: SunGard Availability Services, EMC, Inc., IBM, Cisco Systems, et al.
Under either the public or the private cloud scenarios, enterprise management backup strategies require optimizing the amount and type of data that will be stored and synchronized. It also requires a reasonably well-established set of operating procedures by the user organizations to keep backups organized and accessible when needed (e.g., data, applications, etc.).
Prepare for the cloud: Cloud computing online backup techniques include transmitting real or virtual copies of data over public or private networks to be stored and accessible as backup. This process can be done by the organization itself or farmed out to a third-party vendor. Either way, care must be taken to ensure that the solution is sound from a data integrity, privacy, availability, and overall security standpoint. There is much guidance available in the wild that will assist managers in making decisions on how best to utilize cloud computing service offerings and capabilities. One word of warning, however, would be the concern related to governmental initiatives toward implementing controls that could be used to interrupt Internet access and/or other capabilities under a certain set of predetermined circumstances. See the discussions on National Institute of Science and Technology (NIST) standards below for some assistance, but be aware that governments around the world have looked or are looking very closely at Internet monitoring and even attempting to or actually controlling Internet accessibility. Should your data be in the wrong place at the wrong time—you could have a very big problem.
National Institute of Science and Technology (NIST) Standards
Cloud computing standards: The ever-widening acceptance and use of cloud computing have been recognized by the government, which is now considering appropriate standards and practices. For instance, in February 2011, the federal technology agency National Institute of Science and Technology (NIST) issued a working draft of a paper titled NIST Cloud Computing Standards Roadmap. In it, NIST defines cloud computing as “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
The future of cloud computing: Cloud computing services and technologies are moving beyond the hype and evolving into a market presence so quickly that by the time this chapter is published, there is a very real likelihood that what has been said here will be obsolete. One thing is for sure—cloud computing is not going away anytime soon and its potential for providing enterprise services can only increase. Not only can individuals, small companies, and larger organizations utilize the cloud (public or private) for data backup purposes, this topic alone can be likened to one very small pixel in a much wider screen. Significant conceptual issues including applications management among and between cloud spaces, managing overall information security issues (not just data backup security), understanding cost/performance issues, and keeping an eye on networking bandwidth concerns are all currently at the top of the discussion queues. Stand by!
Data Backup Solution Alternatives: Localized Solution
The term “localized” within the context of this chapter is meant to involve data backup solutions that utilize local enterprise resources, whether located in a single facility or data center or colocated in two or more facilities. These backup facilities can be managed solely by enterprise management or can be provided by a third party.
Following are several points of consideration regarding the localized data backup solution:
Facilities availability: What is the organization’s geographical footprint? Does it include single or multiple locations? Do other sites have the ability to accommodate backup systems? Or, if they already accommodate systems capabilities, might they be made suitable for off-site backup and data storage?
IT infrastructure: Can the organization’s technology infrastructure (including hardware, software, networks, support personnel, operating practices) support in-house redundancy solutions such as implementation of a completely redundant data center? Does it have access to cost-effective third-party physical media off-site storage or online data storage capabilities (e.g., electronic vaulting)?
Virtual machine backup: IT managers now often utilize a more advanced “virtual machine” technology for data backup purposes. Once accomplished, virtual machine restorations look and feel the same to the end user, but virtualization of the backup process is an entirely different approach to data storage. In a virtual machine implementation, the virtual machine software sees single or multiple physical devices (e.g., servers, networks, applications, desktops, and other IT appliances) not in a physical way, but in a virtual way. So, the contents of large numbers of devices can be stored in a virtual manner upon one or fewer devices at other locations. This can be a very efficient process, although resource contention issues related to concatenation of multiple devices, data, and processes into virtual environments can possibly result in processing performance degradation. In addition, backup costs can escalate when using the virtual backup approach. Expenses would include acquisition and maintenance of multiple copies of backup software to facilitate backup processes. Restoring virtual machine backups can sometimes turn into an all-or-nothing restoration approach. Restoration of individual files or applications only can be problematic. In virtual restoration circumstances, the entire virtual snapshot (see the Virtual machine utilities topic below) must be recreated, which can mean restoring tremendous amounts of data for the sake of a single file. Virtual machine backup processes can be utilized in a localized, remote, or cloud processing environment.
Virtual machine utilities: There are many utilities offered that will assist the enterprise in making backup processes more efficient and effective in the virtual environment. One useful alternative backup utility concept is referred to as “snapshot-based backup.” This is a virtual copy of a device or file system that can be adapted to rapid RTOs. It is not necessarily a backup file, but a symbolic link to a file or data that has been captured and frozen in time. Although very useful under the right circumstances, a snapshot approach can be problematic if instantaneous access is a requirement. So this solution, as with others, requires requirements analysis before adoption. Although the resource requirements and operating costs of this approach can be significant, organizations requiring almost instantaneous access to their data should consider such a solution. There are several large service providers that can provide both the hardware and software support that will, among other functions, support snapshot-based backup.
Other Localized Backup Alternatives
Off-site data storage (Tape): Of course, there remains the more traditional data backup and recovery solutions. Backing up data to tape and rotating it to an off-site location may work for archival information, but not when short recovery windows are involved.
Electronic vaulting: Electronic vaulting technology is not a new concept by any measure. Electronic vaulting capabilities have been a very useful alternative to backing up data and storing it at the primary site. Like all other technologies, electronic vaulting capabilities have evolved substantially over the years. Companies that offer electronic vaulting services include: EMC Corp., EVault Inc., Iron Mountain Inc., LiveVault, and SunGard Availability Services, to name just a few.
Service provider support: Utilizing third-party service providers not only for data backup support but also for rapid IT support (i.e., hotsite) following a disaster remains a perfectly viable option for some organizations.
Cloud versus Localized Data Backup Decision
Whether enterprise management decides upon cloud data backup or, on the other hand, the more traditional methods of data backup is relative. When considering which alternative backup strategy to use, the answer comes down to “it depends.” It depends on understanding where the organization is relative to these questions:
1. What are we doing relative to data backup now and is it working for our users?
2. Are our organization’s mission-critical success factors supported by our current data backup strategies?
3. Are our current IT infrastructure backup strategies adequate in addressing our data security and RTO requirements?
4. How much data (i.e., volume) do we really need to back up and restore? And at what cost?
5. At what rate (i.e., bandwidth) must data be transmitted to and from backup facilities? And at what cost?
6. How quickly does the data need to be retrieved and available if needed? And at what cost?
Short recovery window mandates: If enterprise RTOs are very short (e.g., seconds, minutes), then the enterprise must be equipped with the appropriate hardware (including data storage capacities), software, and bandwidth to move the data. It all really boils down to time. Short RTOs, large data volumes, and large pipes (network bandwidth) are the key deciding factors and tend to force the organization toward localized backup strategies. This probably will include multiple, geographically dispersed locations that can be equipped with very robust IT and data network capabilities.
Extended recovery window: If enterprise RTOs are longer (e.g., hours, days), then the enterprise may have the luxury of time to take advantage of a more remote data storage strategy, such as cloud computing, to support the lower data volumes and smaller bandwidth requirements.
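The decision described above turns on three measurable quantities: the volume to be restored, the bandwidth available to move it, and the delay before retrieval can begin. The following Python example is added here to make that trade-off concrete; it is not from the chapter or any vendor. The strategy names, throughput figures, latencies, and the 80 percent safety margin are constructed assumptions, and the model (retrieval latency plus bring-up overhead plus volume divided by bandwidth) is a deliberately simple planning estimate, not a vendor formula.

```python
"""Added worked example: test candidate backup strategies against an RTO.

Estimated restore time = retrieval latency + fixed bring-up overhead
                         + data volume / sustained restore bandwidth.
All figures below are constructed for illustration, not measured values.
"""
from dataclasses import dataclass
from typing import List, Tuple

SECONDS_PER_HOUR = 3600.0


@dataclass(frozen=True)
class Strategy:
    name: str
    kind: str                   # "local" or "remote" (cloud, tape courier, vault)
    bandwidth_gbps: float       # sustained restore throughput, gigabits per second
    retrieval_latency_s: float  # seconds before the first byte is available
    fixed_overhead_s: float     # seconds to bring the restore target online


# Constructed candidates standing in for the chapter's localized vs. cloud options.
CANDIDATES = [
    Strategy("local disk replica", "local", bandwidth_gbps=10.0,
             retrieval_latency_s=0.0, fixed_overhead_s=900.0),
    Strategy("off-site tape", "remote", bandwidth_gbps=2.0,
             retrieval_latency_s=4 * SECONDS_PER_HOUR, fixed_overhead_s=900.0),
    Strategy("private cloud (1 Gbps link)", "remote", bandwidth_gbps=1.0,
             retrieval_latency_s=600.0, fixed_overhead_s=900.0),
    Strategy("public cloud (200 Mbps link)", "remote", bandwidth_gbps=0.2,
             retrieval_latency_s=SECONDS_PER_HOUR, fixed_overhead_s=900.0),
]


def restore_time_seconds(volume_tb: float, s: Strategy) -> float:
    """Estimated seconds until the full volume is restored with strategy s."""
    volume_bits = volume_tb * 1e12 * 8            # decimal terabytes to bits
    transfer_s = volume_bits / (s.bandwidth_gbps * 1e9)
    return s.retrieval_latency_s + s.fixed_overhead_s + transfer_s


def meets_rto(volume_tb: float, s: Strategy, rto_hours: float,
              margin: float = 0.8) -> bool:
    """True if the estimate fits inside the RTO with a safety margin.

    The margin leaves room for the things the estimate ignores: failed
    media, retries, and the people who have to be awake to run the restore.
    """
    return restore_time_seconds(volume_tb, s) <= rto_hours * SECONDS_PER_HOUR * margin


def evaluate(volume_tb: float, rto_hours: float,
             strategies: List[Strategy] = CANDIDATES) -> List[Tuple[str, float, bool]]:
    """(name, estimated hours, fits RTO) for each candidate."""
    return [(s.name, restore_time_seconds(volume_tb, s) / SECONDS_PER_HOUR,
             meets_rto(volume_tb, s, rto_hours)) for s in strategies]


def localized_forced(volume_tb: float, rto_hours: float,
                     strategies: List[Strategy] = CANDIDATES) -> bool:
    """The chapter's 'short RTO + large volume' case: no remote option fits."""
    return not any(meets_rto(volume_tb, s, rto_hours)
                   for s in strategies if s.kind == "remote")


if __name__ == "__main__":
    for volume, rto in ((20.0, 8.0), (20.0, 72.0)):
        print(f"\n{volume} TB to restore, RTO {rto} h, localized forced: "
              f"{localized_forced(volume, rto)}")
        for name, hours, ok in evaluate(volume, rto):
            print(f"  {name:30s} {hours:8.1f} h  {'fits' if ok else 'misses'}")
```

Running it with 20 TB shows the point of the two paragraphs above: against an 8 hour RTO only the local replica fits, while a 72 hour RTO lets both tape and the private cloud link qualify; the 200 Mbps public link needs more than nine days for that volume regardless of RTO, which is why volume and bandwidth, not the cloud label, decide the question.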
At the end of the day, there are no hard and fast rules. Each organization is unique (e.g., differing missions, technologies, geography, threat scenarios, number of employees, etc.), so each solution must be customized to fit the environment.
Linking Backup Strategies to the Broader Continuity Planning Program
In the broader scheme of things, a well-prepared enterprise would have already considered the risk potentials and have provided for commonly accepted protection mechanisms that are well rounded and make good business sense, including:
Impact assessment: The BIA, which should be undertaken and updated periodically, provides the management with empirical loss impact and time criticality information needed to make informed decisions.
Physical security: Physical security should be reviewed and designed or enhanced to provide as much mitigation as cost justified for the enterprise. It is important to ensure the physical and environmental security of all remote off-site storage facilities that are being used for time-critical data backup.
Data security: Data security mechanisms, including access control, data transmission, and storage encryption of off-site data, provide a degree of data integrity and security.
Business continuity and crisis management planning: As mentioned previously in this chapter, attention to the development, maintenance, and testing of full scope enterprise business continuity and crisis management planning processes are fundamental in helping support data backup recovery and restoration.
Metrics: If we truly get what we measure, development of measurements is necessary. They should be designed to help make enterprise business processes more efficient and effective and must be uniquely designed for the agreed-upon data backup policies, processes, and practices (e.g., operational-, financial-, and personnel-related), so the metrics will enhance the possibilities of success.
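The data security item above says that controls on off-site data should provide "a degree of data integrity." One concrete way to get that degree, and to know at restoration time whether it held, is a signed manifest of file digests. The Python example below is added here and is not from the chapter or any product: it builds a SHA-256 manifest at backup time, protects the manifest with an HMAC so it cannot be quietly edited while it sits off site, re-checks a restored copy against it, and reuses the same manifest to pick the files for an incremental run (the "incremental backups" the chapter lists among everyday jargon). The file contents and the key are constructed for the demonstration; the key in a real deployment would live in the organization's key management, not beside the backups.

```python
"""Added example: signed integrity manifest for off-site backups.

Standard library only. The SOURCE files and BACKUP_KEY are constructed
sample data; replace them with a real file walk and a managed key.
"""
import hashlib
import hmac
import json
from typing import Dict, List


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 hex digest of its contents (sorted by path)."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(files.items())}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so key order cannot defeat the check."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_restore(restored: Dict[str, bytes], manifest: Dict[str, str],
                   signature: str, key: bytes) -> List[str]:
    """Findings for a restored copy; an empty list means it matches the signed manifest."""
    findings: List[str] = []
    # Check the manifest itself first; a tampered manifest proves nothing about the data.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature mismatch"]
    current = build_manifest(restored)
    for path, digest in manifest.items():
        if path not in current:
            findings.append(f"missing: {path}")
        elif current[path] != digest:
            findings.append(f"modified: {path}")
    for path in current:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return findings


def changed_since(previous: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Paths an incremental backup must send: new or changed since `previous`."""
    current = build_manifest(files)
    return sorted(p for p, d in current.items() if previous.get(p) != d)


# Constructed sample data set standing in for a backup source.
SOURCE: Dict[str, bytes] = {
    "ledger/2011-q1.csv": b"account,amount\n1001,250.00\n",
    "ledger/2011-q2.csv": b"account,amount\n1001,-40.00\n",
    "policies/retention.txt": b"keep 7 years\n",
}
BACKUP_KEY = b"constructed-demo-key-not-for-production"


def demo():
    """Backup, a clean restore, a tampered restore, and the next incremental run."""
    manifest = build_manifest(SOURCE)
    sig = sign_manifest(manifest, BACKUP_KEY)

    clean = verify_restore(dict(SOURCE), manifest, sig, BACKUP_KEY)

    tampered = dict(SOURCE)                      # one file altered, one lost in storage
    tampered["ledger/2011-q1.csv"] = b"account,amount\n1001,2500.00\n"
    del tampered["policies/retention.txt"]
    bad = verify_restore(tampered, manifest, sig, BACKUP_KEY)

    next_run = dict(SOURCE)                      # a quarter later: one new file
    next_run["ledger/2011-q3.csv"] = b"account,amount\n1001,12.00\n"
    incremental = changed_since(manifest, next_run)
    return clean, bad, incremental


if __name__ == "__main__":
    clean, bad, incremental = demo()
    print("clean restore findings:", clean)
    print("tampered restore findings:", bad)
    print("files for incremental run:", incremental)
```

The signature check runs first because a restore is only as trustworthy as the manifest it is compared against; if an attacker or a storage fault can alter both the data and its listing, an unsigned manifest would simply agree with the damage.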
Questions about the adequacy of data backup strategies have long been a major concern of enterprise managers. Although there is no major news on that, there IS news that Internet-centric data backup supporting technologies are evolving rapidly. Given the Internet cloud computing trends, might a reevaluation of existing data backup strategies make sense?
Whether considering traditional approaches to data backup or use of Internet cloud computing, determination of requirements objectives is the first step. But, making decisions between cloud and localized data backup options can be reduced to a few key questions. These are: (1) How do our current data backup strategies meet enterprise recovery time objectives? (2) How much data is involved? (3) How much IT horsepower and network bandwidth will be needed to support the volumes of data and the recovery time objectives?
In reevaluating these questions, remember that the lines between more traditional localized backup solutions and the use of public and private cloud computing are blurring. Given every organization’s uniqueness in size, mission, technology footprint, recovery time requirements, and geographical location(s), the solutions must be customized to fit each unique environment. There is no one-size-fits-all in this arena. With history as a guide, we know that evolving technologies hardly ever fail to present us with better mouse traps.
1. NIST Cloud Computing Standards Roadmap (NIST Document: NIST CCSRWG – 040), February 16, 2011, p. 3.
2. Department of Homeland Security National Infrastructure Protection Plan, p. 92. (http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf).
3. Cloud Computing Journal (http://cloudcomputing.sys-con.com/).