Posey's Tips & Tricks

Planning for Three-Tier Data Protection

Implement this multi-layered data protection strategy for enhanced security and resilience.

Implement this multi-layered data protection strategy for enhanced security and resilience.

Security professionals talk a lot about the concept of defense in depth. The idea is that you can't rely on any one single security mechanism to keep your organization safe, no matter how good that mechanism might be. It's better to use a collection of different security mechanisms so that if one mechanism were to be breached, others will continue to provide protection. Interestingly, you can apply this same concept of defense in depth to your backup and data protection strategy.

The best way to protect yourself against accidental data loss is to adopt a three-tier approach to data protection. Before I discuss these three tiers, I want to point out that these tiers are not necessarily synonymous with mechanisms. In other words, you can have multiple protective mechanisms within each tier rather than relying on only three mechanisms to protect your data.

Tier 1: Data Resiliency
There is an old saying that the best backup is the one that you don't need. In other words, backups are critically important, but it's always better to prevent a data loss event than to restore a backup (though it is not always possible to prevent a disaster, hence the need for a backup). This is where the data resiliency tier comes into play. Data resiliency consists of talking steps to ensure the reliability of your data storage.

You can achieve data resiliency in any number of different ways. In my own organization, for example, I use two different types of data resiliency. First, my data is stored on RAID arrays. That way, if a hard disk (or even multiple hard disks) fail, then the data will remain intact.

The other step that I use to ensure data resiliency in my own organization is to use replication. All of my data is mirrored to an entirely separate storage appliance (which is connected to a separate host server). This secondary storage array is identical to my primary storage array, and also uses RAID arrays for protection against disk failure. The reason why I mirror everything is because doing so provides protection against a host server failure and against a storage appliance failure.

Tier 2: Backups
Backups should be the second tier of any data protection strategy. While I have no doubt that there are some who would disagree with me, comprehensive resiliency does not mitigate the need for backups. Remember, backups do more than just giving you the ability to recover from a data loss event. Backups also give you a way of rolling back to an earlier point in time, such as before a ransomware infection occurred.

Like data resiliency, you can use multiple types of backups in an effort to give your data the best possible protection. In my own organization, I use two separate backup solutions. My primary backups are based around Continuous Data Protection. In other words, my backup checks every 30 seconds to see if any data has been newly created or modified, and that data is promptly backed up.

My secondary backups are file-level backups written to removable hard drives. These are what is known as air gapped backups. The idea is that there are some types of ransomware infections that can disable or destroy an organization's backups. Ransomware authors do this so that victims will have no choice but to pay the ransom.

An air gapped backup is a backup that is created and then physically detached from the system. That way, if a ransomware attack were to occur, the air gapped backup will not be compromised (though you do have to be careful when restoring an air gapped backup to make sure that it does not become compromised during the restore process).

The main disadvantage to an air gapped backup is that it is not as current as the backups created by a continuous data protection solution. The nature of an air gapped backup also means that you will have to manually attach the backup media, run the backup, and remove the media, whereas continuous data protection backups are automated.

Tier 3: Archive
The third tier of data protection is archiving. Archiving is often used as a way of offloading seldom used data that needs to be kept for whatever reason from costly primary storage to less expensive archival storage. Certainly, that's one form of data archiving, but it isn't the only way that data can be archived.

In my own organization, my archives do not consist of data that I offloaded from primary storage, but rather data that I want to keep forever. I'm talking about things like family photos, copies of books that I have written, and things like that. Even though that data is protected through data resiliency and through regular backups, I have taken the extra step of writing the data to highly durable, immutable, removable storage, thereby creating a permanent copy of my archival data. This archival copy is then stored in a secure location where it will hopefully never be lost.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus

Subscribe on YouTube