Rick Bawcum, CAE, CISSP | CEO – CIMATRI
Here are the facts:
- 56% of IT decision makers say targeted phishing attacks are their top security threat.
- Hackers attack every 39 seconds, on average 2,244 times a day.
- The average lifecycle of a breach is 314 days (from breach to containment).
It’s time to give your data the protection it deserves by building a strategy that goes beyond backups.
Business continuity requirements are often vague.
Not knowing precise business continuity needs often results in over-expenditure and overexposure to liability.
Backup options are abundant.
Disk, tape, cloud? Each has drawbacks, efficiencies, and cost factors to be considered.
Backup infrastructure is never greenfield.
Any organization with a history has software to run backups, and that existing software was probably determined by past architectures that may not reflect the diversity of your current cloud, PaaS, IaaS, or on-premise assets.
Don’t let failure be your metric.
The past is not an indication of future performance. Quantify the cost of your data being unavailable to demonstrate value to the business.
Determine the current state of your data protection strategy by identifying the pains and gains of the solution and then create a business-facing diagram to present to relevant stakeholders.
Stop offloading backup as the last resort.
Human error more frequently leads to data loss than any other factor. As such, data protection can’t exist in isolation. Get key leadership involved to ensure you can meet organizational requirements.
Some data is useless.
Stop data hoarding and start protecting what matters. Take the time to understand the data that exists within the organization.
This step is critical to effective data governance and cost management for your data protection program. Neglecting to properly tag and classify data will lead to a costly data protection solution that protects redundant, useless, or outdated data.
Phase one: Define the current state of your data protection plan.
Not all data protection methods are created equal.
Using your backup as your archive isn’t cost effective. Keeping multiple copies of “cold” data intensifies capacity demands and introduces multiple (possibly disagreeing) copies of important data. A strong archiving policy requires better indexing and search capabilities than needed by backups.
Remember that your data protection strategy isn’t about backing up data. It’s about being able to access and restore your data in an appropriate amount of time.
70% of small organizations go out of business within one year of suffering a large data loss. But that doesn’t have to be you.
Identify the drivers behind your data protection strategy
Understanding the drivers motivating your organization’s backup strategy ensures that the implemented solution provides returns exactly where you need it most.
To get started, book a meeting with key stakeholders to outline the purpose of your future backup software and the drivers behind the decision. Then, document your plans with your drivers in mind.
Align key drivers of your strategy with your association’s goals
- What are the IT initiatives around data protection and business continuity?
- What data protection services do we currently have in place?
- What are our critical business activities?
- What applications and data sources are associated with these activities?
- How are we currently backing up that data?
Analyze problems found in your current backup solution
Meet as a group to brainstorm issues and shortcomings with your current backup solution. Then, try to match those problems with solutions where applicable. These potential solutions will be useful when searching for new strategies or when fixing your current solutions.
Phase 2: Conduct a Business Impact Analysis to understand data restoration requirements.
You must know what you’re backing up and why. “Everything and forever” is not a viable answer.
When it comes to recovery, you must maintain a delicate balance between budgetary constraints, recovery objectives, and data security. And while the budget is typically fixed, you must still ensure that your recovery objectives are, first and foremost, based on your organization’s needs.
But in order to meet those needs, there needs to be a clear line of communication between your core team members and users to understand what you can give and where. To develop practical backup procedures, you need to determine the recovery objectives your data and applications need.
And remember: backup is about minimizing loss – not eliminating it completely.
Sure, in an ideal world, you would be able to recover from an up-to-the minute backup with the snap of your fingers, but in the real world of dollars and cents, this just isn’t feasible (or needed).
Why bother with a business impact analysis?
In the association industry, you’re constantly stretched thin, and we get that, but that doesn’t mean your data restoration strategy should fall by the wayside. In fact, it’s the opposite.
Time is money, and data drives decisions. Conducting a business impact analysis before choosing a data protection strategy is key to saving both. A BIA gives you the opportunity to:
- Determine workload criticality.
- Establish appropriate RTOs and RPOs.
- Inform vendor selection and evaluation.
- Justify cost for disaster and operational recovery.
How does the BIA methodology work?
01. Creates objective scoring criteria.
Avoid defaulting to “whoever screams the loudest” getting priority. An objective scoring scale increases the transparency between IT and the business while establishing a consensus on criticality.
02. Keeps the process efficient.
Value versus effort. You want your business impact analysis to be efficient enough to be iterated on and digestible by all stakeholders and team members.
03. Scales to assess the entire environment.
Do. Rinse. Repeat. The methodology you learn is repeatable for the rest of your software and applications. By understanding how to run the exercise, you can continue to facilitate informative sessions when new systems are introduced. Meaning: when processes change, you’re already one step ahead.
If restore and disaster recovery objectives and total cost of ownership are unbalanced, you’re either spending too little or too much.
Conduct a proper cost/benefit analysis of all Total Cost of Ownership (TCO) aspects so that the level of protection fits within an acceptable cost. But keep in mind that underprotection of data is risky and overprotection of data is costly. More isn’t always better.
Here at CIMATRI, we tend to go with the Goldilocks method: best-fit protection that safeguards valuable data at the lowest possible cost without compromising quality. (Read: it’s just right, and it’s built specifically for us.)
Consider the cost of data loss, as well as the cost of downtime in any estimation of restore requirements.
If you were to sell your data, what would it be worth? If you were to lose your data, what would be the direct costs?
These direct costs should serve as a baseline for what is spent on backup. In other words, match the value of data with the cost to back up and restore to maximize your return on your backup investment.
Adjust to meet your backup window, if necessary.
There are only two ways to better meet your backup window: move less data or move that data faster.
Meeting your backup window is critical to your success. If you don’t complete backups within their allotted time, you risk failing or slowing down day-to-day operations.
And while it is unlikely that your backup window is going to get any bigger, you still have options. You can either reduce the amount of data backed up or increase the speed at which it is transferred.
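As an added illustration of the BIA methodology, the cost/benefit balance, and the backup-window check described above (example code written for this page, not a CIMATRI tool), the following turns stakeholder impact scores into a criticality tier, attaches RPO/RTO limits to each tier, and reports where a proposed backup schedule falls short. The weights, tier thresholds, and tier policy are constructed assumptions; the RTO estimate assumes restore time is dominated by data transfer.

```python
from dataclasses import dataclass

# Constructed scoring scale (assumption): stakeholders rate each impact
# dimension from 1 (negligible) to 5 (severe); weights must sum to 1.
WEIGHTS = {"financial": 0.4, "operational": 0.4, "regulatory": 0.2}

# Constructed tier policy (assumption): tier -> (max RPO hours, max RTO hours).
TIER_POLICY = {1: (1, 4), 2: (24, 24), 3: (168, 72)}


@dataclass
class Workload:
    name: str
    impact: dict              # dimension -> 1..5 score from the BIA session
    backup_interval_h: float  # hours between restore points in the proposed schedule
    data_gb: float            # protected data volume
    restore_mb_s: float       # measured restore throughput, MB/s


def criticality(w: Workload) -> float:
    """Weighted impact score on the same 1..5 scale as the inputs."""
    return sum(WEIGHTS[k] * w.impact[k] for k in WEIGHTS)


def tier(w: Workload) -> int:
    """Map the objective score to a tier instead of 'whoever screams loudest'."""
    score = criticality(w)
    return 1 if score >= 4.0 else 2 if score >= 2.5 else 3


def achievable_rpo_h(w: Workload) -> float:
    """Worst-case data loss equals the gap between restore points."""
    return w.backup_interval_h


def achievable_rto_h(w: Workload) -> float:
    """Simplified restore time: volume / throughput (transfer-bound)."""
    return (w.data_gb * 1024) / w.restore_mb_s / 3600


def gaps(w: Workload) -> list:
    """List each objective the proposed schedule fails for this workload's tier."""
    rpo_max, rto_max = TIER_POLICY[tier(w)]
    found = []
    if achievable_rpo_h(w) > rpo_max:
        found.append(f"RPO {achievable_rpo_h(w):.1f}h exceeds tier limit {rpo_max}h")
    if achievable_rto_h(w) > rto_max:
        found.append(f"RTO {achievable_rto_h(w):.1f}h exceeds tier limit {rto_max}h")
    return found


# Constructed sample workloads, not real systems.
MEMBERSHIP_DB = Workload("membership-db", {"financial": 5, "operational": 5, "regulatory": 4}, 24, 500, 100)
INTRANET_WIKI = Workload("intranet-wiki", {"financial": 2, "operational": 2, "regulatory": 1}, 168, 50, 50)
```

Running `gaps(MEMBERSHIP_DB)` shows that a daily backup cannot satisfy a Tier 1 RPO even though the restore itself would finish within the RTO, which is exactly the kind of mismatch a BIA is meant to surface before a vendor is chosen.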
Phase 3: Propose the future state of your data protection plan.
Your backup needs are going to change. And often. Be prepared and agile.
Use information lifecycle management to help define states of care
Backup strategy is not the place for (nor does it require) a full ILM implementation. When infrastructure leads the charge on data governance initiatives, those initiatives traditionally fail. Ensure that your backup processes respect any ILM that may be in place, or build out just enough of one to ensure your own success.
Effective information classifications are distinct from one another in their deployment and application of different standards of care. And while the specifics will vary across your organization, an information lifecycle may help structure your thinking so specifics can be easily derived.
Determine necessary attributes for your strategy
Gather a small team to brainstorm. Start by writing down the question “What attributes are necessary for our data protection solution?”
Have your participants write down ideas and points. Then, spend time organizing those notes into logical groupings.
Once grouping is complete, work with the team to define each category. These will be used to determine the necessary requirements for each data tier.
For each attribute, drive consensus on what should be required based on the tier of data. The tiers should come from your business impact analysis.
Consider your approach to end-point data backups
End-point data remains a stumbling block for many backup strategies.
End-point devices (e.g. laptops, tablets, and smartphones) are major sources of production data and, as such, are subject to compliance regulations, just like anything else. What’s different, however, is that this data is particularly vulnerable, especially when mobile.
The truth is this: users are frequently the weak link in the chain, and leaving backup responsibilities to your users might mean that the data won’t be backed up at all. And putting in place certain policies that require the end user to store data in specific locations won’t truly fix the problem.
Where possible, include end-point data as part of an automated backup policy. This will require the support of your users, so it is vital that you communicate to them the risks of not complying with operating procedures. Your ability to correctly back up, store, and find their data depends on their cooperation.
Make your strategy flexible and plan for change.
As we’ve mentioned before, your backup needs are going to change. And constantly. You need to be prepared to reevaluate your strategy as different needs arise.
Clarify your needs.
How much notice will you need to incorporate a new application or software into your backup processes? Make sure your strategy takes this into account. Remember, without sufficient planning, your data may temporarily be at risk.
Document the process for introducing new systems into the data protection environment.
Assume that new applications will receive an intermediate level of service unless there is a business case made for an exception. Consider developing a standard request form and insist that application owners provide you with a detailed rundown of the application’s backup requirements.
The Wrap Up
If there is one takeaway, let it be this: data growth is inevitable, and data protection is vital.
An effective data protection plan starts with working with your team to understand data growth patterns for your organization and anticipating how your capacity needs will change as you grow. Plan for more growth than expected, and plan your budget accordingly.
For many, a great place to start would be an analysis of your current framework and IT applications. Check out CIMATRI’s IT assessment here to get started.