Part 8 of 8: Daily Backups of Important Data
What Is It? Backing up your data has been a long-standing strategy in safeguarding your information when things go sideways. Servers crash, laptops get lost, files get deleted accidentally, and mistakes are made. Mistakes, accidental or intentional, can have severe repercussions that require you to recover your data, such as in the event of a ransomware attack. Whatever the reason, the fact remains you should have a backup copy of your important data.
There are many options at many different price points that will suit everyone from individuals to large enterprises. These include magnetic and optical media, cloud-based storage such as iCloud, OneDrive, and Box, and all the way up to Disaster Recovery Sites. The latter range from fully functional exact replicas of production data centres with 100% live replication, to warm standby sites, to cold sites ready to build from scratch and restore your data. The fact remains you have options, but you have no excuses.
Just as critical as backing up your data is the ability to restore it and use it without it being incomplete, corrupt, or completely inaccessible. Otherwise, it's like a one-way ticket to somewhere you can't get back from.
Where Do I Start? If you have data, you need to back it up, so the first part is already determined. Depending on service level agreements and who is responsible for your data, whether on-premises, hosted, or cloud-based, many other factors need to be considered. How long can you be down before you must have your services and data available? How much work can you stand to lose in the event you need to restore? Figuring out your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) may determine your investment in the solution, and it needs to be a business-led conversation, not just a technology one. If you don’t have a plan, you’ll need to create one. If you already have a plan, it may be time to review it to make sure it meets your current objectives.
Determine what you need to back up in a prioritised order, and how to back it up. Will you do full backups every day or a full backup once a week with incremental daily backups? Will you use tapes, cloud, or replication to a DR site? Will you rotate media off site on a regular basis and how quickly can you get that media back when you need it?
The backup itself is just a small part of the overall solution. Your Disaster Recovery / Business Continuity Plan (DR/BCP) needs to address a lot of moving parts and remove single points of failure. For example, if John is expected to be the one that kicks off the restore but he’s in Bermuda on a fishing trip without his mobile, someone needs to do his job.
Regular testing, including full-scale DR exercises, is highly recommended. Whether you need to restore a file for someone in HR or recover a 10 TB database, your system MUST work.
How Do I Make It Work? Rather than just jumping straight into backing up files, make sure you have a plan in place; ideally, this should be a part of your overall DR/BCP. Identify what you are backing up and why, the priority of the data, the recovery time and recovery point objectives, and how it is being backed up. Equally important is how it gets restored and by whom, when, and where. Don’t overlook the value of annual full-scale, live DR testing and regular revisions to the plans. Also remember to include any new systems and their data as well as any storage location movements. Vendor support and even support by a managed services organisation can be worth every penny.
Ask the questions, get informed and, if need be, get the right people involved. The ability to back up and restore critical information can mean the survival of your enterprise. Among the essential eight strategies, this one has probably been around nearly the longest but is probably also the one that gets overlooked the most. Make sure that any future changes to your data include a section in change management to consider the backup and restore impacts.
Pitfalls? A common pitfall is not adjusting backups to allow for new servers, data stores, or applications, so when new systems and new data come online, they’re not captured in the backup scheme. Also commonly overlooked are device backups such as firewall and router configurations, so that if a device falls over, its replacement or the device itself can be quickly brought back up to speed. Another common pitfall is backing up everything… just because. It’s all well and good to capture every tiny bit of data, but not at the cost of bandwidth, storage capacity, or at the risk of over-writing critical information. Plan, execute, review, adjust the plan, repeat.
Ghosts in the Machine? The list of things that can go wrong is extensive, but simply assuming the backups will work every time is hazardous. As with all technology, things can and do go wrong. We all have stories about how our backups let us down at the worst time possible. You simply must stay on top of things, even if it’s feeding the logs into another system so we can quickly check the status of our backups and right the ship, so to speak. Like a good insurance policy, we need it to be there when it matters.
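As an added illustration (not part of the original post), the sketch below shows one way to act on the two points above: it compares an asset inventory against backup job logs to find systems the scheme never captured, incrementals with no full backup behind them, and assets whose newest good copy is older than their RPO. The asset names, RPO values and log format are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed inventory: asset name -> RPO in hours (assumed values).
INVENTORY = {"fileserver01": 24, "hr-db": 4, "fw-edge-config": 168, "newapp01": 24}

# Constructed job log, one line per job: "<ISO time> <asset> <full|incr> <OK|FAILED>"
SAMPLE_LOG = """\
2024-05-01T01:00:00 fileserver01 full OK
2024-05-02T01:00:00 fileserver01 incr OK
2024-04-28T00:05:00 hr-db full OK
2024-05-02T01:05:00 hr-db incr OK
2024-05-02T05:05:00 hr-db incr FAILED
2024-05-02T09:05:00 hr-db incr FAILED
2024-04-20T02:00:00 fw-edge-config full OK
"""

def summarise(log_text):
    """Return (latest successful backup per asset, assets with a successful full)."""
    latest, has_full = {}, set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "OK":
            continue  # skip malformed lines and failed jobs
        when, asset, kind = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if kind == "full":
            has_full.add(asset)
        if asset not in latest or when > latest[asset]:
            latest[asset] = when
    return latest, has_full

def check_backups(inventory, log_text, now):
    """Classify every inventoried asset; anything other than OK needs attention."""
    latest, has_full = summarise(log_text)
    findings = {}
    for asset, rpo_hours in inventory.items():
        if asset not in latest:
            findings[asset] = "NO_BACKUP"      # never captured by the backup scheme
        elif asset not in has_full:
            findings[asset] = "NO_FULL_BASE"   # incrementals with no full to apply them to
        elif now - latest[asset] > timedelta(hours=rpo_hours):
            findings[asset] = "RPO_EXCEEDED"   # newest good copy is older than the RPO
        else:
            findings[asset] = "OK"
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 2, 12, 0, 0)  # fixed "current time" for the sample data
    for asset, state in check_backups(INVENTORY, SAMPLE_LOG, now).items():
        print(f"{asset:16} {state}")
```

A check like this only shows that jobs reported success; it does not replace restoring the data and confirming it is usable.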
Anything Missing? While you’re at it, it’s time to evaluate backing up your personal data. Far too many of us fail to back up our home data and files, and with a wealth of cheap & cheerful services such as personal iCloud, OneDrive and GDrive, we’ve plenty of options. Just be wary of your bandwidth usage; it may be time to look at your ISP options… you may even save a few dollars!
Bonus Points: Watch out for data stored on local drives of workstations and laptops… anything business-important should be stored on the corporate servers. I’ve seen a few instances of a staff laptop crashing only to lose vital work documents with the online copies several months out of date.