Best Practices for Storage Security

IT professionals and their businesses have learned the hard way in recent years that disaster can strike at any time and that they must be prepared. According to a study from the Strategic Research Institute, companies unable to resume operations within ten days of a disaster are not likely to survive. In an attempt to protect themselves, upwards of 60-70 percent of companies begin a disaster recovery plan but never finish it, either because the plan is overwhelming and complex or because it gets put on the back burner. However, the business costs associated with network downtime and data loss make secure backup and recovery an economic necessity. A recent study by Pepperdine University states that 40 percent of data loss stems from hardware failure and 29 percent from human error. Thus, specific procedures for creating backups and a plan of action for recovery are essential to any modern business wishing to secure its storage.

Prepared Plan with Regular Performance Checks

Data loss can result from many factors, including fire, power outages, employee theft, viruses and hackers, as well as modern tragedies that can leave companies without access to buildings and important documents. Preparation is the key. Those who are prepared have a better chance of overcoming losses with minimal damage. The first step is to back up the system regularly. Oftentimes the problem isn’t that companies are not creating backups, but that they are not verifying them. This results in “false backups,” where data is believed to be secured, only for the company to find in an emergency that the backups failed and the data has been lost. This is especially true with tape backups, as tapes can more easily be corrupted, damaged, or worn out, or employees can forget to change them. In either case, it is too late: the data is already lost, and it can often take weeks or even months for these systems to be restored, if ever. Therefore, it is extremely important for companies to follow best practices and create policies and procedures for creating regular backups and for testing their recovery environments. Among these policies should be regularly scheduled test recoveries to ensure that backup policies and procedures are working properly. Recovery events should be conducted once a quarter to make sure backups are running as planned.

The Recovery Plan

In conjunction with regular backups, companies must also implement fast recovery plans for use in the event of data loss or system interruption. The first step in planning for recovery is the assessment of your environment. When assessing what to include in a disaster recovery plan, companies should keep in mind the following:

1. What network resources are most important?
2. What is the value of those resources, monetary or otherwise?
3. What possible threats do these resources face?
4. What is the likelihood of those threats being realized?
5. What would be the impact of those threats on the business, employees, or customers, if those threats were realized?
6. Which resources do you need to bring online first?
7. What is the amount of time each one of these resources can be down?
8. Set an allowable downtime for each resource.
9. Set a decontamination process for viruses, worms, etc.
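Items 6 through 8 interact: a resource whose own restore fits inside its allowable downtime can still miss it while waiting behind other restores. The following added example (not part of the original article) orders restores by tightest allowable downtime first and projects which resources would breach it. The resource names, hours, and the idea of a fixed number of restore teams are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    allowable_downtime_h: float  # item 8: maximum tolerated outage, in hours
    restore_time_h: float        # assumed: measured in the last test recovery

def plan_recovery(resources, parallel_teams=1):
    """Order restores by earliest deadline first and project finish times.

    Returns (name, finish_hour, breached) tuples. Assumes each team
    restores one resource at a time, starting at hour 0.
    """
    team_free_at = [0.0] * parallel_teams
    schedule = []
    ordered = sorted(resources,
                     key=lambda r: (r.allowable_downtime_h, r.restore_time_h))
    for res in ordered:
        # Hand the next most urgent resource to whichever team frees up first.
        team = min(range(parallel_teams), key=team_free_at.__getitem__)
        finish = team_free_at[team] + res.restore_time_h
        team_free_at[team] = finish
        schedule.append((res.name, finish, finish > res.allowable_downtime_h))
    return schedule

def breaches(schedule):
    """Names of resources projected to exceed their allowable downtime."""
    return [name for name, _, breached in schedule if breached]

# Constructed inventory: every restore fits its own limit when run alone.
INVENTORY = [
    Resource("file-server", 24, 6),
    Resource("directory-service", 2, 1),
    Resource("order-database", 4, 3),
    Resource("mail", 8, 5),
]

if __name__ == "__main__":
    for teams in (1, 2):
        plan = plan_recovery(INVENTORY, parallel_teams=teams)
        print(f"{teams} team(s):", plan, "breaches:", breaches(plan))
```

With one team the mail restore finishes at hour 9 against an 8-hour limit; with two teams every resource meets its limit.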

When determining the value of an asset, organizations must consider both its monetary value and its intrinsic value. Monetary value can be determined by considering what would happen if the asset were unavailable for any reason. Intrinsic value covers the loss of data or privacy, legal liability, unwanted media exposure, loss of customer or investor confidence, and the costs associated with repairing security breaches. Once information assets are identified and valued, threats to those assets must be evaluated.

Although types of sensitive data can be quite broad and vary from organization to organization, there are a few key types of information that every business should plan to protect. These include all data related to strategic plans, business operations, and financial data. Damage to or loss of any of this information can result in decreased sales, reduced competitive advantage, and decreased profits for the victimized company.

When thinking about the security of their storage, companies also need to make sure that their backup, retention and recovery policies comply with industry standards and government regulations. Industry guides such as the International Standards Organization (ISO) 17799 and government regulations such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act help provide a framework for improved corporate governance and controls. Accurately written and enforced, information security policies enable organizations to not only demonstrate their adherence to these critical regulations and standards but also articulate their own.

Combine Backups with Other Security Technologies

Companies should also plan beyond backup storage and use preventative measures to ensure systems are safeguarded. This includes the use of antivirus software, firewalls, and intrusion detection software. Intrusion detection, which acts as an alarm system protecting vulnerable data from both internal and external threats, is vital because it monitors critical files for tampering and checks network traffic for “attack signatures.” If an anomaly is detected, an alarm notifies the administrator for further investigation or action. With intrusion detection, if an attack should occur, companies will have early warning to quarantine the threat and their current backup data before damage can be done to critical systems. Also, using products and best practices for integration from the same vendor creates continuity planning, resulting in an easily managed comprehensive solution.

Final Notes

Survival in the modern business world requires strong backup and recovery plans. Companies can no longer sit back and wonder if something will happen, but must plan what to do when something does happen. Disaster recovery needs to be addressed immediately, before disaster strikes. While disaster recovery is unique to each company and its environment, the guidelines mentioned above can serve as a solid foundation. The only way to make sure companies are protected as much as possible before an attack is to integrate security policies with regular and effective backups of their systems and important data. Additionally, they must have a recovery plan in place. Although creating a plan can appear overwhelming, trying to quickly recover from a disaster is nearly impossible without one, and that is something no company can afford.