Backup Essentials Part Three

It's time for part three of this series. What we're discussing here is what to keep in mind when selecting your backup solution. The factors we'll be discussing include: data availability, administrative cost of the solution, portability, and security.

Data Availability
This factor is always a balance that has to be struck between how quickly you need to get at your backed up data, and how resilient you want your solution to be. For example on one end you could merely have your data backed up to a drive attached to the source machine. This would give you the fastest access to it, but at the cost of a single point of failure. On the other end of the spectrum you can have the data backed up to offsite location(s). This would give you the most protection as any harm to your office is far from your data, but also increases the amount of time required for access. Ultimately you either want to have some form of both, a solution that is highly portable (physically moving storage and compatible with your equipment) or even better has all of the above.

Portability
Perhaps one of the more overlooked factors is how portable your backup solution is physically. This becomes a point of particular importance when you have backups that are at an offsite location. For most organizations that aren't in the 'large' category it is unlikely that you'll have a fiber link running across to your offsite location. So if/when an emergency strikes your main office you need to be able to physically move the data and then make use of local link speeds. Remember this when choosing your solution as the ability to do this can vary greatly depending on what sort of hardware requirements are involved, and the manner in which the software operates.

Administrative Cost
One of the banes of the small IT shop is the near impossibility of its associates to truly specialize. The needs of the business, and likely size of available staff tend to demand that the technician/administrator/engineer in this role be a generalist. It's important to keep this mind when picking your backup solution, as it would be a terrible situation to need to conduct a restore, but have no experts in its use to conduct it. If the product requires a significant amount of additional training to operate it can end up costing the business significant resources. The cost is incurred doubly so if the training itself isn't of a certain caliber as well. The long and short is that 'simple' and 'intuitive' should be your watch words here.

Security
The manner in which your data is stored and transmitted is obviously important. Looking around you are likely to find that most if not all of the notable solutions out there at the very least transmit data in an encrypted manner between target and source. The differentiator here is going to be the manner in which its stored after the job is complete. Do you have the option to encrypt the data? If you use third party encryption does it effect their storage format? Checking this functionality is especially important for those of you in the medical field who have to comply with HIPAA (The Health Insurance Portability and Accountability Act). Also consider the discrimination of data here. For example if I log onto one target machine am I capable of pulling data down to it that belongs to another? While it may sound convienent if the answer is yet, it does create a bit of a security vulnerability if one of your target machines were compromised. If your business in a field with confidential data you certainly want to make sure that you have the ability to discriminate and control which clients can access which data.

Truth be told an entire article could be written about each of these factors. These basic thoughts act as an effective guide in researching backup solutions and implementing them into your infrastructure. If anyone would like to discuss the topic in greater detail with me, feel free to comment or shoot me an email: koch.ryan@gmail.com.

Backup Essentials Part Two

For part two of this series we will begin the planning phase. In this phase we'll take an inventory, categorize our data, decide backup types, figure out our backup window, and figure out storage requirements. For this example we will use a small test environment representing the size of a 10 employee company as mentioned in the introduction.

First we'll knock out the inventory. The test infrastructure has a mix of desktops, servers, and remote laptops. I've gone ahead and included a list of these below:

6 desktops of a similar configuration (general user machines)
1 SQL Server (HR)
1 Exchange Server
1 Web server
1 Domain Controller
3 Remote laptops

Having this list we will now need to set priorities. To do this we need to break down an analyze what this business would need to operate, and what it has that merely makes it operate better/more efficiently. While simple, the prioritization below will help us in making decisions on backup types as well as scheduling and storage.

Need to operate:
Domain Controller
Exchange Server
SQL Server
Web Server

Makes business more effective:
Desktops
Remote laptops

Next we need to discuss what backup types are available to us. In general the various backup solutions will give you the ability to do file level backups, service/application backups, and image level backups. In general the decision of which level to use with which machine depends on what expectation of recovery time you have, the location of the machines, and what the machine is being used for. In our case the desktops, and the remote laptops will require a file level backup. The servers will all require an image level backup, a file level backup, and a service level backup.

After deciding what backup types we're using we also need to decide how this fits into our disaster recovery strategy. Do we need any of this data to be backed up to an offsite location? In our scenario it seems clear that the SQL Server,Exchange Server, Domain Controller, and Web Server all need to be backed up to a remote location. These services should be able to be brought backup at a remote office or home office in the event that the main office is brought down by a disaster of some sort for any extended period of time.

The last two factors to consider are scheduling and storage. For scheduling you have to figure out what your organization's 'production' hours are. This will allow you to create a backup window that will exist to minimize the impact your backup jobs have on the ability of  users to operate. For example if the office is open from 8am-5pm then an effective backup window might be from 7pm-6am. This will give a 2 hour buffer both on the beginning and ending side of the window in case someone stays late, or a backup job runs too long. A lot of the decision is going to be unique to your organization and its needs. Storage is also going to be a bit unique as the requirements are going to be different from backup solution to backup solution. Depending on if you choose to go with an appliance, or software you may or may not have to purchase your own hardware. To fully implement a backup and recovery policy however you are going to want to arrange for some sort of storage system on site at your office, as well as another one at some off site location be it an off site data center, or even someone's home office.

That about covers are basic planning stage. The next article will cover what we need to consider in order to pick and implement a solution. There may even be pictures in that one (screenshots).

Backup Essentials: A 4 part series

As many of you aware one of the topics I fancy writing about is backup and recovery. To appease that desire I've decided to write a 4 part set on what's involved in planning, picking and implementing a backup solution. While you've seen this talked about over and over again, we're at it here because it is truly important. Data loss and downtime is the same as tossing cash out the window, and most businesses can't afford it. Besides let's face it, now matter how well your infrastructure runs, Moore's law will eventually strike and it's best to be prepared.

The series starts with this introduction, an outline of what we'll be trying to accomplish. For our walk-through we will use the example of a company made up of 10 employees. Our goal will be to come up with a backup strategy to propose to this 'company', once they've accepted begin implementation, and then finish off by conducting some testing and concluding on its effectiveness. Our scenario will also involve two separate customer sites, and with machines ranging from standard Windows 7 desktops to an Exchange server and a SQL server.

Check back for the next part where we begin the planning phase. In the mean time I need to finish building up the test environment to use as screenshot materials. This should an interesting set of articles and hopefully will help some of you out there in the course of your careers.

Users and Security

I do apologize for the delay in getting a new article out. Between the power outages here in Columbus last week and the catch up work that followed the plate has been rather full. Today I started giving some thought to security, and specifically how the actions of Users can effect your policies and planning. It seems that no matter how much care and caution one puts into a great security set up, there is always one weakness to root out and that is User behavior. These beings seem to be able to defeat the greatest of security infrastructure practices and are somehow able to throw a wrench in the most finely configured of ecosystems. And so here is a bit of an overview of some thoughts on how to manage user behavior.

But how to do you prevent the user from accidentally breaching your security? It's not so much a question of control, as it is a question of influence and education. Ultimately the majority of user mistakes are due to a lack of instruction, or knowledge of good practices. It's understandable, most of these users be they internal or external customers have other things to do and have other concerns that have been given a greater priority. As the IT Engineer/Analyst/Manager it ends up falling to you to be the one that breaks this shell, and instructs them on what to do. The importance of taking the time to do this is only going to grow over time, especially since these users are now even bringing in their own devices and conducting business on them. You now not only have the possibility of company infrastructure being mucked up, but also of corporate data leaking through external devices.

How do you accomplish an educational role? It's about the soft skills here. You need to schmooze a bit with other departments and employees in order to gain their trust and cooperation. The idea of IT education needs to be sold as a value added piece, something that will ultimately save the company time and money. I find that his process is very similar to that of starting a new workout program or lifestyle change. It's best to start off just getting the first session/meeting/etc and then the next one. Once you can get a routine going the ride is much smoother, and you've accomplished an institutional change. An example of this might be to send out a weekly email newsletter and partner that with a monthly 'class'. Once you get solid practices in your users' minds you'll start to see improvements in their behavior and perhaps less security oriented incidents.

Outside of purely IT type education, you also need to make sure that policies are clear and published in as many places as humanly possible. In crafting your policies I would suggest taking heed of the manner in which intelligence agencies operate. Users should only have access to infrastructure pieces they have both 'clearance' for and a 'need to access'. This is very similar to the 'clearance' and 'need to know' principal of intelligence that is used to keep information leak to a minimum. Documentation for this principal is critical as the rest of your organization needs to understand the structure for how access is granted, as well as procedures to gain clearance when needed. Along with policies on access a proper acceptable use policy is recommended. The document should detail exactly what behaviors are frowned upon, and what behaviors are considered acceptable practice.

Lastly, and perhaps the most important piece of this is user involvement. If you want to maintain a credible IT department you need to make the users feel involved and keep them in the loop. Regular and predictable communication with as much of your organization as possible will create an environment in which users don't see the IT department as just some strange offshoot of the company that just tells them they can't do things with their system. By creating these venues of communication you'll be able to create a situation where you users aren't following described practices because you said so, but because you convinced them that they *want* to. This type of shift can only lower risk to both your data and your infrastructure.

Backup 101

I swear I'll post something with some substance tomorrow, but today I wanted to promote the recording of the Backup 101 web seminar I hosted today. My presentation covered an overview of backup essentials that are required for any effective IT knowledge set. I hope to do more sessions like this on a range of topics as time moves forward. If you guys have any requests please feel free to drop me a line.

Backup 101 Seminar

Just quick blurb for you guys today. I'm hosting a Backup 101 seminar/class on Thursday 6/28 that you might find fruitful. It will have a quick slideshow presentation followed by what I hope will be an energetic and fruitful conversation. Please click here and register for the webex event.

SMB IT Continuity

You might be thinking that as a small or medium sized organization that business continuity isn't that important to you. In particular with your small IT department you may not realize just how important this sort of planning can be to your organization's well being. The truth of the matter is that planning for business continuity from an IT perspective isn't horribly complicated, but does require thought and careful consideration.

In making a plan there's only a couple basic categories you need to worry about. You need to consider your personnel, your physical infrastructure, and your data. Depending on your size a list made of these portions of your organization may fit on a single page, or it may take an entire book. In either case it is important to take an inventory of what you have. For example a company of 5-10 employees might have a list like this:

People:
Fred, Systems Administrator
Joe, HR/Accounting/etc
Linda, Sales
April, Sales
Alvin, Sales Manager
George, Owner
...

IT Equipment:
1 Server (Virtualization host)
6 Desktop Computers (Model: xxxx)
1 Color Printer (Model: xxxx)
1 B&W Printer (Model: xxxx)
...

Data:
1 Email server VM
1 Domain controller VM
Local desktop data (Users)
1 Webserver VM
1 Financial Management VM (Terminal services)

 As you can see, even in a company that small there are a lot of things to worry about if something goes wrong. And if the size of that company were to increase over time, that list would only grow in size and complexity.

Once we have some semblance of and idea of what we have, we then have to figure out what our priorities are. By this I mean we need to decide what people and things are absolutely required for the business to run, and what after that assists in making it perform more efficiently. Again I suggest coming up with some sort of list but this time ordering by priority, or adding a priority designation. In the case of the company above it looks like as far as equipment goes the most important bit is the server. For the data they likely would need at minimum the Domain controller VM, Email VM and the Financial Management VM data in order to begin operating. A list describing would look like this:

Critical Needs:

IT Equipment:
Virtualization host
2 Desktop computers

Data:
Domain Controller VM
Email VM
Financial Management VM

After that you would list the other stuff in increasing categories of importance. What this allows your organization to do is prioritize its time in what it's working to bring back online in the event of a catastrophe. You avoid spending time on portions of your infrastructure that may be able to wait and thus could end up saving the organization a substantial sum of capital.

So knowing what's important, and what you have is all well and good but what are we going to do about preserving it? Emergencies are unpredictable (obviously) and you need a strategy in place that allows you to get back to an operating status in hours (not days). You need to have an offsite location to store a backup of your data, and perhaps a few pieces of hardware to get you by in a pinch. When I say offsite location that doesn't necessarily mean a sophisticated data center or even another office itself. If you are a small organization your cash flow might not allow for something that elaborate, and in that event you could even use a residence. It just has to be somewhere that  you outfit with a decent broadband connection, and reliable electricity.

Once you've picked and outfitted a proper offsite location you have to come up with a data backup plan. Using the backup solution of your choice you will need to maintain an offsite copy of anything deemed important. I suggest using a two tiered approach to going about this. First start by taking a local backup of everything at the file level, image level, and application level (Database, mail, etc) giving you one solid copy. After this you'll want to set up file level backups (and smaller application level) that occur across to your offsite. After you have started moving data off site regularly you will want to pair that with an image backup (and any larger application level backups) that is dumped to a local spot. This scenario gives you the fall back you need in the event of a disaster, but also gives you the easy access you need for smaller incidents.

As you may be aware by reading this blog in the past I do have a bit of a favorite when it comes to products that help out with business continuity and disaster recovery planning. The 3X Appliance is an excellent solution for this sort of thing and certainly deserves a look. They've posted an article here that talks a bit about its usefulness for business continuity.