Cloud Architecture
DR: Data Backup Options
- Removable media - Redundancy - External hard drive - Hardware appliances - Backup software - Cloud backup services
DR: 3-2-1 Backup Strategy
A 3-2-1 backup strategy is a method for ensuring that your data is adequately duplicated and reliably recoverable. In this strategy, three copies of your data are created on at least two different storage media and at least one copy is stored remotely: Three copies of data—your three copies include your original data and two duplicates. This ensures that a lost backup or corrupted media do not affect recoverability. Two different storage types—reduces the risk of failures related to a specific medium by using two different technologies. Common choices include internal and external hard drives, removable media, or cloud storage. One copy off-site—eliminates the risk associated with a single point of failure. Offsite duplicates are needed for robust disaster and data backup recovery strategies and can allow for failover during local outages. This strategy is considered a best practice by most information security experts and government authorities. It protects against both accidents and malicious threats, such as ransomware, and ensures reliable data backup and restoration.
DR: Business Continuity Plan
A business continuity plan details how a business will continue operating and serving its customers, even in the face of a dramatic event like a natural disaster, major IT failure, or a cyberattack. The end goal is to preserve a company's financial viability, market position, reputation, and customers, even in the face of a crisis. Business continuity planning covers every aspect of the business including: Business processes—how can a process continue working even if critical equipment or supplies were missing? Human resources—how can critical staff continue performing their work if, for example, workstations are destroyed or there is no Internet connection? Business partners and suppliers—how can suppliers continue their work with the company if, for example, lines of communication or road transport is unavailable? A business continuity plan must consider important questions and provide good answers. What single points of failure exist in the organization? What are the critical dependencies on equipment, in-house staff, suppliers or other third parties? What workarounds exist for disruption of any of these? Which organizational processes, staff, skills and technology are needed to maintain business operations and fully recover from a disaster?
DR: Disaster Recovery Plan
A disaster recovery (DR) plan is a document that helps an organization react to a disaster and take action to prevent damages, and quickly recover operations. IT disaster recovery is a subset of disaster recovery, which focuses on IT aspects of DR, such as minimizing downtime of servers, databases and employee workstations, and bringing critical systems back online. An IT disaster recovery plan enumerates the tools and procedures to make this happen.
DR: Data Backup Options: Removable media
A simple option is to backup files on removable media such as CDs, DVDs, newer Blu-Ray disks, or USB flash drives. This can be practical for smaller environments, but for larger data volumes, you'll need to back up to multiple disks, which can complicate recovery. Also, you need to make sure you store your backups in a separate location, otherwise they may also be lost in a disaster. Tape backups also fall into this category.
DR: Business Continuity Plan: Structure
A typical business continuity plan contains the following sections: Goals of the plan—should quantify which parts of the business are considered critical and how smoothly they should be able to operate during a crisis Budget—resources allocated to business continuity planning and preparation Personnel—who is responsible for maintaining the business continuity program and executing practical steps during a crisis. Which other stakeholders exist—senior management, legal, PR, customers, partners, etc—and how they should be involved or notified. Business Impact Analysis—a holistic review of critical business processes, their weak points and how they are likely to be affected by different types of disasters. Proactive strategies—processes that should be carried out on a regular basis to prevent or more easily overcome disasters. Immediate reactive strategies—what the organization should do at the moment disaster strikes to continue operations. This will typically include temporary measures, for example, delivering electricity using a portable generator while power is out. This chapter includes an IT disaster recovery plan. Long-term reactive strategies—what the organization should do on "day two", after the disaster has ended, to fully recover and rebuild systems to their original state.
DR: Data Backup
Data backup is the practice of copying data from a primary to a secondary location, to protect it in case of a disaster, accident or malicious action. Data is the lifeblood of modern organizations, and losing data can cause massive damage and disrupt business operations. This is why backing up your data is critical for all businesses, large and small. Data backup includes several important concepts: Backup solutions and tools—while it is possible to back up data manually, to ensure systems are backed up regularly and consistently, most organizations use a technology solution to back up their data. Backup administrator—every organization should designate an employee responsible for backups. That employee should ensure backup systems are set up correctly, test them periodically and ensure that critical data is actually backed up. Backup scope and schedule—an organization must decide on a backup policy, specifying which files and systems are important enough to be backed up, and how frequently data should be backed up. Recovery Point Objective (RPO)—RPO is the amount of data an organization is willing to lose if a disaster occurs, and is determined by the frequency of backup. If systems are backed up once per day, the RPO is 24 hours. The lower the RPO, the more data storage, compute and network resources are required to achieve frequent backups. Recovery Time Objective (RTO)—RTO is the time it takes for an organization to restore data or systems from backup and resume normal operations. For large data volumes and/or backups stored off-premises, copying data and restoring systems can take time, and robust technical solutions are needed to ensure a low RTO.
DR: IT Disaster Recovery Plan: Steps to create
Follow these steps to create a working disaster recovery plan: Map out your assets - identify what you need to protect, including network equipment, hardware, software, cloud services, and most important, your critical data. For each item note its physical or virtual location, relation to other assets, vendor and version, networking parameters, etc. Identify criticality and context - understand how your assets are used and their importance to the business. Classify assets into high impact, medium impact and low impact, by identifying how likely they are to disrupt business operations. Risk assessment - identify which threats are likely to face the business as a whole and specific assets. Interview the staff who work on critical systems and ask them what are the most likely causes of service interruption. Define recovery objectives - consult with senior management and operations staff to understand what would be the impact of interruption to each critical system for one minute, one hour, one day, or more. Use this information to define your RTO and RPO. Select disaster recovery setup and tooling - using your knowledge of assets to be protected, risks and required RTO/RPO, envision your final disaster recovery setup. Will you have a hot DR site? Where will it be located, and will it be cloud-based or self-hosted? Which backups or replicas will you maintain? Where will they be located? Select the software or hardware, cloud services or partners that can help you achieve the required setup. Budgeting - as important as disaster recovery is to your business, you will have a limited budget. Present several options to management, each with a progressively higher price tag but better RTO/RPO and/or support for more critical services. Allow them to decide on the right balance between risk and investment in DR technology. Approval - put together an agreed draft of your DR plan based on feedbacks from management and get final sign off on the plan. Communicate the plan - circulate your document to the disaster recovery team, to senior management, and to anyone else who will be involved with or affected by DR procedures. Test and review - test the plan by conducting a realistic disaster drill, and seeing if and how staff act according to the plan. Learn from the test and modify the plan and procedures accordingly. You should periodically review the plan - at least every six months - to ensure it is still relevant and reflects the current organizational structure and IT setup.
DR: IT Disaster Recovery Plan: Typical structure
Here is the typical structure of a DR plan: Goals - what the organization aims to achieve in a disaster, including the Recovery Time Object (RTO), the maximum downtime allowed for each critical system, and the Recovery Point Object (RPO), the maximum amount of acceptable data loss. Personnel - who is responsible for executing the DR plan. IT inventory - list hardware and software assets, their criticality, and whether they are leased, owned or used a service. Backup procedures - how and where (exactly on which devices and in which folders) each data resource is backed up, and how to recover from backup . Disaster recovery procedures - emergency response to limit damages, last-minute backups, mitigation and eradication (for cybersecurity threats). Disaster recovery sites - a robust DR plan includes a hot disaster recovery site - an alternative data center in a remote location that has all critical systems, with data replicated or frequently backed up to them. Operations can be switched over to the hot site when disaster strikes. Restoration - procedures for recovering from complete systems loss to full operations.
DR: Data Backup Options: Cloud Backup Services
Many vendors and cloud providers offer Backup as a Service (BaaS) solutions, where you can push local data to a public or private cloud and in case of disaster, recover data back from the cloud. BaaS solutions are easy to use and have the strong advantage that data is saved in a remote location. However, if using a public cloud, you need to ensure compliance with relevant regulations and standards, and consider that over time, data storage costs in the cloud will be much higher than the cost of deploying similar storage on-premises.
DR: Data Backup Options: Hardware Appliances
Many vendors provide complete backup appliances, typically deployed as a 19" rack-mounted device. Backup appliances come with large storage capacity and pre-integrated backup software. You install backup agents on the systems you need to back up, define your backup schedule and policy, and the data starts streaming to the backup device. As with other options, try to place the backup device isolated from the local network and if possible, in a remote site.
DR: MTPD
Maximum Tolerable Period of Disruption
DR: Data Backup Options: Backup Software
Software-based backup solutions are more complex to deploy and configure than hardware appliances, but offer greater flexibility. They allow you to define which systems and data you'd like to back up, allocate backups to the storage device of your choice, and automatically manage the backup process.
DR: Recovery Point Objective (RPO)
The maximum acceptable age of the data that can be restored (or recovery point) and the version of data lost. For simplicity, RPO can be thought of as the time between the time of data loss and the last useful backup of a known good state.
DR: Recovery Time Objective (RTO)
The maximum acceptable length of time required for an organization to recover lost data and get back up and running. This value may be defined as part of a larger Disaster Recovery Plan across an organization that also includes applications like Office 365. For simplicity, RTO can be thought of as the time it takes, from start to finish, to recover data to an acceptable current good state.
DR: Data Backup Options: External Hard Drive
You can deploy a high-volume external hard drive in your network, and use archive software to save changes to local files to that hard drive. Archive software allows you to restore files from the external hardware with an RPO of only a few minutes. However, as your data volumes grow, one external drive will not be enough, or the RPO will substantially grow. Using an external drive necessitates having it deployed on the local network, which is risky.
DR: Data Backup Options: Redundancy
You can set up an additional hard drive that is a replica of a sensitive system's drive at a specific point in time, or an entire redundant system. For example, another email server that is on standby, backing up your main email server. Redundancy is a powerful technique but is complex to manage. It requires frequent replication between cloned systems, and it's only useful against the failure of a specific system unless the redundant systems are in a remote site.
