BreachExchange mailing list archives

The backup battle


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Sep 2015 19:22:07 -0600

http://www.itweb.co.za/index.php?option=com_content&view=article&id=146263

The ongoing evolution of data environments and the ever increasing amount
of data being generated each day by both individuals and organisations
present various conundrums. Where does it all go? Is it secure? And how do
I manage it all?

For Riaan Gouws, product manager for Backup at Vox Telecom, there's no
simple answer. But he believes business both big and small should start the
discussion around backup and recovery by acknowledging that not all data is
equal. "Simply put, business needs to categorise its data," he notes. Once
it has done so, suitable data management strategies can be put in place.
These are designed to ensure the security, accessibility and recovery of
different groupings of information. This approach is even more appropriate
when one considers that by 2016, 20% of organisations will have somehow
abandoned traditional backup/recovery techniques, a figure that grows to
50% by 2018 and up to 60% come 2019. The sheer magnitude of the data we're
currently dealing with makes it impossible to derive value from this
information without having a clear idea of what is what, he states.

Mimecast senior sales engineer Giulio Magni agrees. In order for
information to be utilised to its full potential, classifying data is
vital. "If you can't easily segment or search through data, this corporate
memory cannot be exploited by the organisation. Once you know what to
secure, you can use technology to define logic rules to
protect the data," he says, adding that regular reviews of the data and
rules are necessary to ensure everything is adequately protected. But you
shouldn't think of data classification as being as simple as putting
different bits of information in different boxes.

If an organisation allows users to classify the data themselves, there is
always a risk of inaccuracy, but employing technology solutions tends to be
expensive, Magni points out. "The best option is to apply a combination of
solutions, enforcement policies and user education around security risks."
He advises that organisations segment data into personal and business
information and also group data by information type.

For small businesses, with limited budgets and resources, getting this data
management dilemma right could be the difference between success and
failure. Gartner analysts predict 40% of companies suffering a business
interruption will fail within five years. "Unfortunately, many smaller
businesses don't have the budgets of their larger counterparts, and as
such, make use of fragmented approaches to storage and backup," says Sumash
Singh, country manager at CommVault SA. These businesses are commonly using
technology that isn't geared for ever-increasing volumes of data and they
lack the internal technical resources and expertise to advise on the best
technology and strategies to protect and back up their data.

Looking at data loss

Without wanting to weave tales of doom and gloom, Gouws stresses just how
many different ways things can go wrong. "Data can be lost, corrupted,
compromised or stolen through hardware failure, human error, hacking and
malware. Loss or corruption of data could result in significant business
disruption." From a security perspective, guarding against these threats
involves establishing the necessary hardware and software firewalls,
ensuring all software on individual devices is properly updated, encrypting
information to keep it safe from prying eyes and even setting up password
systems.

According to Isaac Makoto, a consultant at Hitachi Data Systems (HDS),
backups have been used as a last line of defence against data loss for many
years, but given the exponential growth of data and more stringent
legislation around handling this information, organisations have to employ
different strategies. Data replication, disaster recovery, data archiving
and backups should all form part of this multi-pronged approach to
preventing data loss, he states. It all comes down to carefully managing
the information at your disposal, he continues. Backup and data storage
plans should allow users to access data when they need it and guidelines
should be put in place to ensure different types of information are only
available to certain departments or users. For Makoto, a data replication
strategy is highly beneficial because once a copy has been created, it can
be made available for use because it's online immediately. Thus, there's no
need to search for it in backups or archives and multiple copies of the
source data can be created and used for things like development and testing.

Into the clouds

Budgets and resources are the two key challenges that face SMEs. "They lack
both, and as such, struggle to invest in the infrastructure to manage and
protect their data," says Singh. These businesses commonly can't justify
the costs of full-time resources to meet their IT requirements, and even if
they do have a basic infrastructure (hardware and software) in place, they
battle with support and maintenance. Having to outlay significant amounts
of money on infrastructure has been and always will be a major deterrent,
says Magni. "Budgets are a hot topic for all businesses, and trying to
justify high expenditure on creating a data repository is challenging at
the decision-maker level. It makes sense to pool resources to get a maximum
return on the value of data," he says, adding this is why cloud is a great
win.

Many businesses, especially smaller ones, are fast realising the benefits
of hosted and cloud solutions, notes Singh. In a cloud scenario, there's no
need to invest in expensive hardware or to hire highly skilled IT staff;
all the customer requires is a modest on-site installation and the backup
as a service (BaaS) provider will do the rest. "BaaS options offer many
benefits to smaller businesses as it puts them in reach of enterprise-class
technology, without the requirement to invest in hardware and software. The
pay-as-you-use model that many of these hosted platforms offer is
affordable and the service providers behind the offering usually offer
advice and support – two crucial requirements for smaller businesses."

The reality is cloud offers quick and simple deployment, it does not require
any investment in infrastructure and enables customers to easily scale up
or down depending on their varying business needs, says Makoto. And given
that there are various cloud models – public, private and hosted –
organisations have the freedom of choosing to store different types of data
in different places, he adds, noting this again illustrates the importance
of data classification. Magni points out that in certain instances, making
use of a private cloud rather than a public one is the best way to store
and manage sensitive data. When dealing with something like e-mail, for
example, the public cloud is the obvious option. According to Gartner, as
of 2014, 10% (67 million) of enterprise office system users had moved to
cloud office systems and most focused on e-mail, not a broad range of
capabilities. Gartner expects about 25% of the enterprise market will use
cloud office systems and e-mail by the end of 2017, growing to 50% by 2020,
and hitting 90% in 2027.

Because cloud is a popular choice for many businesses, it's important to be
mindful when selecting a cloud provider. Singh advises organisations to
choose a partner with a solid track record in the industry,
extensive technological expertise and one that provides stringent security
and redundancy. "It's also important to ensure the technology behind this
service is backed by a reputable and solid brand. Reporting should also be
available, providing businesses with insight into their data and cloud
storage usage."

Whether it's cloud, replication, archiving or backups, organisations cannot
afford to not have some sort of backup and recovery strategy in place, says
Gouws. When talking about data management and backups, it shouldn't be a
case of figuring out how to respond if something happens, but rather
putting a plan in place to respond when it does happen.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
