Best Practices for Creating Data Protection Plans

It’s October, which means National Cyber Security Awareness Month is here: a time to reflect on the current and future state of cybersecurity, and to share best practices, tips and guidance about how agencies today can better prepare for tomorrow’s threats.

At the Air Force Association’s Air, Space and Cyber Conference last month, Michael S. Rogers, commander of U.S. Cyber Command and director of the National Security Agency, spoke about the ever-evolving cybersecurity landscape and said, “When we look at what we should be defending, … the four things I tend to focus on [are] networks, platforms, weapons systems, and data.”

“As we’re trying to build a future for us from a joint perspective within the Department of Defense, we are very focused on those four areas increasingly,” he added. “We’re also asking ourselves: What do we need to evolve to? What does the future look like? It’s not necessarily where we are today,” Rogers said.

We know that data protection planning is critical to a secure federal IT infrastructure. In a recent blog post, Kenneth Cohen, Consulting Engineer at IronBrick, covers best practices for creating a data protection plan. Continue reading for more.

I recently reviewed some previous posts on social media and was reminded of when a former co-worker was in the midst of a data center failover. There was a power failure at his customer’s location and servers needed to be failed over to the disaster recovery site. A few days later, I checked in with him and learned that all the protected VMs came back up at the disaster recovery site exactly as planned. Full disclosure: I engineered and wrote that portion of the business continuance (BC) plan.

Based on what was critical to the organization’s mission, the BC plan was designed to protect a subset of servers. We had to ensure that those servers would come up within the required timeframe and that only a certain amount of data could be lost. In technical terms, we designed the plan to meet our customer’s Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The BC plan we used was a tactical plan — just one part of a strategic data protection plan.

Data protection planning should take into consideration all aspects of data protection, including tactical plans for each side of the data protection triangle: backup, archive, and business continuance. Each side of this triangle relies on making copies of data; however, the frequency, location and retention needs of each copy vary depending on the aim of the plan. The very beginning of every data protection plan should be an analysis of what needs protecting, how much data can be lost (RPO) and how long the organization can withstand being down (RTO). Applicable regulatory requirements should also be taken into consideration.

In the BC example above, the organization required that servers could be brought back up at a remote location within 4 hours (RTO) and that there be less than 1 hour of work lost (RPO). Only one copy of the data is required to meet the needs of the organization. While everyone hopes that data stored at a disaster recovery (DR) site will never be accessed, the media used to store this data needed to perform fast enough for the organization to operate in a disaster situation. In addition to storage systems at the DR site, servers needed to be available to run protected workloads. Having a 4-hour RTO is pointless if there isn’t hardware available to meet that RTO. The scope of the BC plan is for a site-wide failure — enacted if systems cannot be brought back online at the primary site within the specified RTO.

Backup needs are different from those of BC. The intended use of backup is to recover from a lost or corrupted system or file rather than from a complete site failure. For backup, retention and RPO are probably more important than RTO, though all three need to be considered. Backups should be kept for a specified period of time and multiple copies should be retained. Backups can typically be kept at the local site to speed the recovery process. Media for backup does not need to be particularly fast; however, it is important to be able to distinguish between different versions of the data, so that a known-good copy can be picked over a corrupted one. As recovering files from backup is often a self-service function, access requirements for backup differ from those for BC. You may want to let users recover their own files, but you need to ensure they can only access what they have permission to see.

Archive is the long-term retention of data to meet legal, historical or regulatory requirements. Archived data is a good candidate for being stored on big, slow, cheap media because it is likely to be read only on rare occasions. Since there are retention requirements for archive systems, copies are often written to read-only media, or software controls are placed on the data so it cannot be deleted until a specified date.

There are many types of data protection needs. One overarching strategic plan should exist for an organization, but each side of the data protection triangle needs its own tactical plan. Enacting the plan may require more than one type of technology and will most likely require different storage systems.
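The three sides of the triangle each need their own tactical plan, and each can be checked against the same kind of requirement (RPO, RTO, retention) in a different way. The following Python checker is an added example, not code from the original post or from IronBrick: it models a requirement per data class and a tactical plan per side, and reports where a plan falls short. The data classes, function names and all numeric values are constructed for illustration; only the 4-hour RTO and 1-hour RPO pair is taken from the post.

```python
"""Added example (not from the original post): check one tactical plan per side
of the data protection triangle against the organization's stated requirements.
All values are constructed for illustration; the 4 h RTO / 1 h RPO pair is the
post's own BC example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Requirement:
    """What one class of data needs, decided before any technology is chosen."""
    name: str
    rpo: timedelta                  # maximum tolerable data loss
    rto: timedelta                  # maximum tolerable time to recover
    retention: timedelta            # how long copies must be kept
    min_versions: int = 1           # distinct restore points to keep


@dataclass(frozen=True)
class BCPlan:
    """Business continuance: one copy at a DR site plus compute to run it."""
    replication_interval: timedelta   # how often changes reach the DR site
    failover_time: timedelta          # time to bring protected VMs up at DR
    protected_vms: int
    dr_compute_slots: int             # VMs the DR hardware can actually run


@dataclass(frozen=True)
class BackupPlan:
    """Backup: several local copies for file or system recovery."""
    interval: timedelta
    retention: timedelta
    versions_kept: int


@dataclass(frozen=True)
class ArchivePlan:
    """Archive: long-term copies; None means nothing prevents early deletion."""
    retention_lock_until: datetime | None


def worst_case_loss(interval: timedelta) -> timedelta:
    """Copies taken every `interval` can lose one full interval of work if the
    failure lands just before the next copy, so the interval is the achieved RPO."""
    return interval


def check_bc(req: Requirement, plan: BCPlan) -> list[str]:
    findings = []
    if worst_case_loss(plan.replication_interval) > req.rpo:
        findings.append(f"BC RPO miss: replicating every {plan.replication_interval} exceeds RPO {req.rpo}")
    if plan.failover_time > req.rto:
        findings.append(f"BC RTO miss: failover takes {plan.failover_time}, RTO is {req.rto}")
    if plan.dr_compute_slots < plan.protected_vms:
        # An RTO is pointless without hardware at the DR site to run the workloads.
        findings.append(f"BC hardware gap: DR site runs {plan.dr_compute_slots} VMs, plan protects {plan.protected_vms}")
    return findings


def check_backup(req: Requirement, plan: BackupPlan) -> list[str]:
    findings = []
    if worst_case_loss(plan.interval) > req.rpo:
        findings.append(f"Backup RPO miss: interval {plan.interval} exceeds RPO {req.rpo}")
    if plan.retention < req.retention:
        findings.append(f"Backup retention too short: {plan.retention} < {req.retention}")
    if plan.versions_kept < req.min_versions:
        # Versions are what let you restore a good copy instead of a corrupted one.
        findings.append(f"Backup versions: keeps {plan.versions_kept}, needs {req.min_versions}")
    return findings


def check_archive(req: Requirement, plan: ArchivePlan, now: datetime) -> list[str]:
    findings = []
    if plan.retention_lock_until is None:
        findings.append("Archive: no read-only or retention-lock control, data can be deleted early")
    elif plan.retention_lock_until < now + req.retention:
        findings.append(f"Archive lock ends {plan.retention_lock_until.date()}, "
                        f"before the required {(now + req.retention).date()}")
    return findings


def evaluate(reqs: dict[str, Requirement], bc: BCPlan, backup: BackupPlan,
             archive: ArchivePlan, now: datetime) -> dict[str, list[str]]:
    """Run all three tactical checks; an empty list means that side is covered."""
    return {"bc": check_bc(reqs["bc"], bc),
            "backup": check_backup(reqs["backup"], backup),
            "archive": check_archive(reqs["archive"], archive, now)}


# Constructed requirements; the BC pair (4 h RTO, 1 h RPO) matches the post.
REQUIREMENTS = {
    "bc": Requirement("mission VMs", rpo=timedelta(hours=1), rto=timedelta(hours=4), retention=timedelta(0)),
    "backup": Requirement("file shares", rpo=timedelta(hours=24), rto=timedelta(hours=8),
                          retention=timedelta(days=90), min_versions=30),
    "archive": Requirement("records", rpo=timedelta(days=1), rto=timedelta(days=5), retention=timedelta(days=365 * 7)),
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible


def failing_demo() -> dict[str, list[str]]:
    """Plans that look reasonable but miss the requirements in three places."""
    return evaluate(REQUIREMENTS,
                    BCPlan(timedelta(minutes=30), timedelta(hours=3), protected_vms=40, dr_compute_slots=25),
                    BackupPlan(timedelta(hours=24), timedelta(days=60), versions_kept=14),
                    ArchivePlan(datetime(2026, 1, 1, tzinfo=timezone.utc)), NOW)


def passing_demo() -> dict[str, list[str]]:
    """The same requirements with plans that satisfy every side of the triangle."""
    return evaluate(REQUIREMENTS,
                    BCPlan(timedelta(minutes=15), timedelta(hours=2), protected_vms=40, dr_compute_slots=40),
                    BackupPlan(timedelta(hours=12), timedelta(days=120), versions_kept=45),
                    ArchivePlan(datetime(2032, 1, 1, tzinfo=timezone.utc)), NOW)


if __name__ == "__main__":
    for side, findings in failing_demo().items():
        print(side, findings or ["OK"])
```

Running the block prints one finding per side for the failing plans: the BC plan meets its RPO and RTO on paper but has too little DR compute to run the protected VMs, the backup plan keeps too few versions for too short a time, and the archive's retention lock expires before the required period ends. The checks are deliberately separate per side because, as the post notes, each side copies data for a different purpose and is usually built on different storage.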

No plan can be successful without first determining the organization’s needs and then classifying data to determine how each class should be treated. Data protection then becomes a small part of a much larger plan for continuity of operations (COOP), which takes into account not just data but how the organization will continue to exist in terms of equipment, employees and the people it serves.
