Storage and recovery strategies should be important aspects of your security plan.
You arrive at the office early Monday morning only to find that hackers have infiltrated your network over the weekend and have destroyed your company’s data for the sheer thrill of it. Quick, what is your recovery plan?
Perhaps more important, how much will it cost your company to recover the lost data and return to normal business operations? The combination of application downtime and idle staffers can cost your company thousands of dollars (millions, if you’re a medium or large-size business). Moreover, customers can lose confidence in your company should downtimes be frequent or lengthy.
Your security policy must be tightly interconnected with your overall business-recovery plan. Data recovery is the trickiest part of any business recovery plan, but it needn’t be. Developing plans to recover downed networks, servers, or desktops is a relatively straightforward process.
Identifying your data
The first step toward defining and implementing an economical storage-recovery plan is to identify just what data you actually have. Does this mean you have to comb through every machine at your company to identify every last piece of data? Hardly.
The best approach is to make a data map of your company, based on its business processes. Just as you might have a site map that helps your Web site visitors navigate your online content, a data map will help your company organize its internal and external data.
For example, your human-resources department might have a network share where it stores information on current employees. In addition, it might have another network share for company forms, such as payroll and insurance, plus tape backups of old employee data archives.
Likewise, your sales team might use a relational database to process existing orders while rolling completed orders to a customer-service database. In turn, your customer-service department might use a specific database to handle existing customers while maintaining long-term customer histories in another database.
It is crucial to identify all data sources and their locations. In particular, if data for a particular function is maintained by a single user on a desktop system (which often happens in smaller enterprises), it is especially important to identify this data source and plan for back up and recovery of these single-source data points.
Prioritizing your data
Once you have mapped out the data you have and its current location(s), your next task is to decide how important that data is to your organization. I usually use three priorities to designate the relative importance of data in a business environment.
“Priority 1” data (P1) should be reserved for data that your company must have available to do business. P2 data is useful, but not necessarily needed to conduct business–at least for a short period of time. And finally, P3 data is usually data you like to have on hand, but could live without for a longer period of time if you had to.
An example of P1 data might be your current customer database. Your customer-service reps certainly could not service existing clients without this data. Likewise, your inventory data would likely be considered a P1 because you need to know what you have on hand to sell.
The electronic forms your human-resources department uses to manage employees might be designated as a P2 data source. Certainly you would not want to be without these forms for an extended period of time, but you probably could do business for a short time while this information was brought back online.
Finally, historical data is quite often given a P3 designation. Orders that your company processed five years ago probably don’t affect the critical processes of your business today. Archival data can typically be recovered once you have brought P1 and P2 data back online.
During the time that you are identifying and prioritizing your data according to your business process, you might also try to gauge how much your data storage needs increase over time. Examining the size of historical data sources every year can give you a good indication of how much storage recovery you need today–and beyond.
One of the primary reasons for identifying and prioritizing your data is to implement storage-recovery solutions that match your budget. Storage-recovery solutions can vary widely in price, but those that provide real-time data recovery are the most expensive. Therefore, you’ll want to limit the implementation of real-time solutions to only the data you consider P1.
There is no single solution or service that will meet all of your storage-recovery needs. You’ll likely want to implement a multipronged approach that meets the needs of your company. Today three classes of storage recovery solutions and services are available.
First, there are storage recovery measures that you can implement internally. Examples of these are tape backup units, network-attached storage, and server clustering. You might use tape backups (and store them offsite) to inexpensively support the recovery of P3 data. Network-attached storage and server clusters can be configured for redundancy and availability. You might use these types of solutions to support P1 and P2 data inexpensively. Many companies also prefer the implementation of internal recovery measures since this route provides the greatest control and security over business data. Another recovery route that is gaining in popularity is online backup and recovery. Vendors that support this type of solution usually provide secure connectivity and let you decide what to back up and how often. You also have control over when data is retrieved.
BackupUSA is one supplier of online backup and recovery solutions. Its system includes client-side software plus a service contract to support offsite electronic storage of data. After signing up for the service, customers use BackupUSA’s software to determine which data will be backed up or recovered.
Although online backup and recovery solutions come with fees, they are a useful way for recovering data quickly should your local systems be completely compromised. The most important things to check when evaluating online backup and recovery solutions are security and fees. Compare three to five different providers and ask for specifics on how they will secure your data while it is in transit across the Internet, as well as what measures they take to insure the security of your data once it is in their hands.
One other item to note about online backup and recovery providers is that some support the backup and recovery of any data, regardless of platform. Others, such as BackupUSA, are limited to only specific platforms, such as Windows. So if you are running Macintosh, Windows, Linux, and other platforms, you’ll also want to check on platform availability.
The third solution for backup and recovery solution is to contract with a storage-recovery provider. For many larger companies, this approach is warranted due to the sheer volume of data involved. However, for small- and medium-size businesses, this type of solution can be very expensive when compared to other options.
When you contract a storage-recovery provider, you usually implement private, high-speed links between your company and the provider’s facilities. Once connectivity is in place, a configuration is customized to back up portions of your data in real time, near-real time, or periodically, based on your data priorities.
Companies that have crucial P1 data might use a storage-recovery provider, such as IBM, HP, Exodous, SunGard, and others, to bring critical data back online very rapidly.
Understanding the bottom line
No matter how beefy your security measures are, the fact is that attackers can certainly defeat your strategy and corrupt your data. You need to be prepared to recover data quickly following an attack, just as you would with any other disastrous event. Knowing what data you have on hand and prioritizing that data in terms of business availability is the first step toward formalizing an economical recovery policy.