Todd Gifford / en Data Resilience 101 /resources/blog/december-2021/data-resilience-101 <span> Data Resilience 101</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Wed, 12/22/2021 - 17:49</span> <a href="/taxonomy/term/14" hreflang="en">Backup</a> <a href="/taxonomy/term/255" hreflang="en">Todd Gifford</a> <article><img src="/sites/default/files/2021-12/Todd%20Gifford.png" width="2240" height="1260" alt="""" loading="lazy" typeof="foaf:Image" /></article><h2><span><span><span><strong>What is data resilience?</strong></span></span></span></h2> <p><span><span><span>You know when your car breaks down or when the fuses blow, and the lights go out at your house? Often both of those things are problems, but you can work around them:  You can call breakdown recovery or grab a taxi, and if the lights go off, sometimes the power is still on elsewhere, or you have a torch. Both of those situations and the workarounds supply a level of resilience – when there is a problem or something breaks, you can still walk around the house at night and see where you are going or make it to work or the airport on time.</span></span></span></p> <p><span><span><span>Data resilience is your ability to take a hit on your data availability or integrity and keep your organization running. </span></span></span></p> <h2><span><span><span><strong>Why do you need data resilience?</strong></span></span></span></h2> <p><span><span><span>Let’s get this out there:  All organizations rely on their data; they always have. That accountancy firm from a hundred years ago had loads of data – it was just on paper. Architects, mechanics, the hospital, manufacturers, software developers, those of us who write blogs – everything we do has data at its core or associated with it. 
Many organizations even have data about their data – how much there is, where it is, who has access to it, how long they should hold it – the list goes on.</span></span></span></p> <p><span><span><span>Let’s take an example – an oil pipeline. How much data is associated with pumping oil through a pipe? Probably quite a bit:  flow rates, volumes pumped, pressure, leaks, maintenance records, valves, staff, locations, emails, diagrams, bills, wages, security information, etc.</span></span></span></p> <p><span><span><span>What happens if all that data is lost or modified? No oil. No bills are issued, or revenue paid. Maybe a massive environmental disaster. </span></span></span></p> <p><span><span><span>So – data. How about that – it’s <strong><em>critical</em></strong> to your organisation.</span></span></span></p> <h2><span><span><span><strong>How to make data resilient</strong></span></span></span></h2> <p><span><span><span>Data resilience requires planning. All organizations have some of the same types of data (like finance or HR) – but its value is different depending on the organisation. </span></span></span></p> <p><span><span><span><strong>Step 1</strong>:  Collect the business requirements for data resilience – these will inform what to protect, how often to protect it, and how quickly it may need restoring after a data resilience event:</span></span></span></p> <ul><li><span><span><span>Know what data is essential to your organization. Work with department heads and those who use the data to perform their jobs. 
Categorise the data into high, medium and low based on the sensitivity of data (such as HR or medical) and how it would affect your organization if it were changed or unavailable.</span></span></span></li> <li><span><span><span>Know where the data is – if you can’t find the data, you can’t control it and protect it.</span></span></span></li> <li><span><span><span>Know who needs access to the data and how often</span></span></span></li> <li><span><span><span>Work out how long each area of your organization could function <em>without </em>access to its data. This will allow you to work out the maximum time you could be without access to data, known as the RTO or ‘Recovery Time Objective.’</span></span></span></li> <li><span><span><span>Work out how much data you can afford to lose – this is known as the RPO or ‘Recovery Point Objective’.</span></span></span></li> </ul><p><span><span><span>For some organizations – those last two will be zero. As in, the data needs to be ‘always available’ with ‘no loss’.  Ouch – those are some tough asks – but not impossible. There will always be <em>some </em>risk of data loss due to Murphy’s Law – (if something can happen, it will) – but we can do our best to minimize the likelihood. </span></span></span></p> <p><span><span><span><strong><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Step 2:  </span></span></strong><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Data resilience design</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Data resilience design requires answers to the previous questions, but it also needs to consider the systems you are using. Is all of your CRM in Salesforce? Staff using Dropbox for corporate data without permission? Email and finance data in Microsoft 365? 
</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Here are some pointers for design:</span></span></span></span></span></p> <ul><li><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Control where the data is and where it can go</span></span></span></span></span></li> <li><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Secure those locations – understand who can access the data</span></span></span></span></span></li> <li><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Make those systems and locations as available as they <em>need</em> to be. This is key as the budget likely won’t stretch to allow every system to have 99.999% uptime. The payroll server only needs to run once a month, for example. That real-time ambulance tracking system – that one needs those five-nines of availability.</span></span></span></span></span></li> <li><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Despite all that resilience – you do need to take a backup. </span></span></span></span></span></li> </ul><p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>For me – the cloud offers a cost-effective way of achieving a high level of availability at an affordable price, as those expensive infrastructure and maintenance costs are shared across many organisations. </span></span></span></span></span></p> <p><span><span><span><strong><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Step 3:  </span></span></strong><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Back up the data</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>This is probably the number one thing on the list of data resilience must-haves. Backups. Back up your data somewhere that lives separately from your primary data (i.e. 
– consider AWS instead of Azure if your primary data is hosted in Microsoft, and vice-versa). </span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>All the security and outsourced hosting won’t protect you from every incident – in fact, most cloud service providers bury it in their terms of agreement that they are not responsible for your data loss. When looking at your resilience plan, it’s important to ask - are you hosting your data in the cloud? In someone else’s cloud platform? </span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>There is a </span></span><a href="https://appriver.com/products/backup-recovery" rel="nofollow"><span><span>backup</span></span></a><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span> for that as well – often called cloud-to-cloud backup or SaaS Backup</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Backups provide you with a point-in-time recovery option. Between those points-in-time, however, there could be some data loss (most enterprises back up systems every hour, for example).</span></span></span></span></span></p> <p><span><span><span><strong><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Step 4:</span></span></strong><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span> Archive or backup? You may need both.</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Need to make sure there is as close to zero loss on those legal emails or conversations about patients? For that, you need a real-time copy of everything that happens. 
This can be in the form of replication to an offsite location for virtual systems or an </span></span><a href="https://appriver.com/product/information-archiving" rel="nofollow"><span><span>information archive</span></span></a><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span> for cloud systems to capture real-time data, like emails or Teams conversations.</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Even if you have backups in place, if you work in an industry with any level of compliance requirement, having an archive can be the fastest and easiest way to source a copy of your communications. A backup takes you a step further – it can back up files, images, projects and other data in addition to your communications. When it comes to legal requirements, it’s crucial to practice as much due diligence as possible. You can read more about the difference between archive and backup <a href="/resources/solution-brief/backup-or-archiving" rel="nofollow">here.</a></span></span></span></span></span></p> <h2><span><span><span><strong><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Summary – data resilience</span></span></strong></span></span></span></h2> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>The first rule of data resilience is to ensure you implement backup. The second rule of data resilience is to always have a backup. You can hone your data resilience approach by taking input from your organization. Likely nobody will be comfortable with data loss, but they may be able to operate without some data for a period of time (RPO vs RTO).</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Follow the steps and plan your approach. 
Not only will this enable you to concentrate your efforts and budget in the right areas, but it will also enable you to <em>show </em>the board or the regulator what you are doing and why.</span></span></span></span></span></p> <p><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>And don’t forget the third rule of data resilience – always have a backup, and make sure it is stored away from where the primary system is. Run all of your environment inside Microsoft 365? An excellent choice – but don’t keep the backups there as well, just in case.</span></span></span></span></span></p> <p> </p> <article class="align-left"><img src="/sites/default/files/2021-12/Picture1.jpg" width="100" height="100" alt="""" loading="lazy" typeof="foaf:Image" /></article><p><span><span><a href="https://link.edgepilot.com/s/d18b5dab/bzc8qTiGakK89XEJUvHEhQ?u=https://eur03.safelinks.protection.outlook.com/?url=https%253A%252F%252Fwww.linkedin.com%252Fin%252Ftodd-gifford%252F%26data=04%257C01%257Ctodd.gifford%2540optimisingit.co.uk%257C830cc0de55324d65cb4c08d94e0a0a26%257C6ddb60aff59f491c91abca97310261cd%257C0%257C0%257C637626628799039669%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C2000%26sdata=E0RHq%252FmEmXxL1hT5%252FqcLXuiAub0FS0yq6ullu8YoXik%253D%26reserved=0" rel="nofollow">Todd Gifford</a>, BEng, CISSP, has 22 years of cybersecurity experience and is the CTO of Optimising IT, a UK-based Managed Service Provider whose goal is to help you pragmatically manage risk. 
Connect with Todd on LinkedIn or <a href="https://www.optimisingit.co.uk/cloud-services/backups-and-recovery/" rel="nofollow">visit Optimising IT</a> to learn more about how they can help you choose and implement the best cloud-to-cloud backup solution for your business.</span></span></p> <p> </p> <a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a> Wed, 22 Dec 2021 23:49:19 +0000 admin 508 at Should you backup your cloud communications and apps? The answer is yes, and here’s why. /resources/blog/october-2021/should-you-backup-your-cloud-communications-and-apps-answer-yes-and <span>Should you backup your cloud communications and apps? The answer is yes, and here’s why. </span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 10/12/2021 - 14:51</span> <a href="/taxonomy/term/14" hreflang="en">Backup</a> <a href="/taxonomy/term/255" hreflang="en">Todd Gifford</a> <article><img src="/sites/default/files/2021-10/phone_computers_cloud_graphics.jpg" width="1400" height="700" alt="""" loading="lazy" typeof="foaf:Image" /></article><h2><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Why do I need to back up the cloud?</span></span></span></span></span></h2> <p><span><span><span>Let’s rewind for a moment, to address a question you may be asking: “wait, what do you mean ‘back up THE CLOUD’”?  </span></span></span></p> <p><span><span><span>We are talking about any existing cloud service you’re using today, whether that’s Microsoft 365, Dropbox, Google, Salesforce or other SaaS-based services that house your business data.  </span></span></span></p> <p><span><span><span>Okay, now back to the question: do you <em>really </em>need to back up 'the cloud'?  Yep, you <em>really</em> do.  
As great as it would be to leave it at that and have everyone reading this run out and purchase SaaS backup (aka cloud-to-cloud backup) immediately – let's explore <em>why</em> it is necessary to do that.</span></span></span></p> <h2><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Cloud is secure and resilient, right?</span></span></span></span></span></h2> <p><span><span><span>Well, yes.  BUT (and it is a massive but) it is possible for a cloud service provider to lose the data your business has stored in their cloud servers.  <a href="https://time.com/4004192/google-data-lightning-belgium/" rel="nofollow">It has happened before</a>, which means it’s likely to happen again. It’s often a simple shrug when it happens to someone else's data, but what if it happens to yours?</span></span></span></p> <h2><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>Reasons why cloud storage isn't 100% reliable</span></span></span></span></span></h2> <p><span><span><span>Let's check out three of the most common reasons why the cloud can fail, and you can lose your data.   </span></span></span></p> <p><span class="text-small"><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB">Reason #1:  Ransomware</span></span></p> <p><span><span><span>Yes, ransomware can <a href="https://www.reddit.com/r/dropbox/comments/oq5e16/warning_dropbox_is_useless_against_ransomware/" rel="nofollow">encrypt files</a> in cloud storage systems and defeat any fail-safe capabilities in your chosen cloud provider.  Ouch.   
</span></span></span></p> <p><span class="text-small"><em><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB">Reason #2:   Physical failure</span></em></span></p> <p><span><span><span>From <a href="https://www.bbc.co.uk/news/technology-33989384" rel="nofollow">lightning strikes</a> to <a href="https://www.reuters.com/article/us-france-ovh-fire-idUSKBN2B20NU" rel="nofollow">fires</a> – physical failures in someone else’s cloud can and do have the capability to permanently delete data.  </span></span></span></p> <p><span class="text-small"><em><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB">Reason #3: User error</span></em></span></p> <p><span><span><span>And the third critical reason – users.  Last week, we were working with a new client who got in touch because one of their users had accidentally deleted 70,000  files from a SharePoint site.  No problem – let's take a look in the recycle bin.  Ah – over 100,000 files in here.   The challenge came as the client didn't want all of the files back, just those that were accidentally deleted.  To identify them to restore would mean multiple PowerShell scripts or manually selecting the correct files - no small task and likely to miss at least some of the critical files.  Did I mention this type of data recovery process is hugely time-consuming?  Luckily, the customer noticed in time, and the files were available to recover, but there is limited time to do that.  What would have happened if the client didn't notice for a few months?  Likely the data would be gone and irrecoverable.</span></span></span></p> <h2><span><span><span><span lang="EN-GB" xml:lang="EN-GB" xml:lang="EN-GB"><span>How does cloud-to-cloud backup help?</span></span></span></span></span></h2> <p><span><span><span>In the case of ransomware, physical damage and accidental deletion – nothing beats having an offline copy.  
By offline, I mean a copy that is stored in another platform, with physical and logical separation beyond the reach of a logged-in user, malicious software running on an endpoint somewhere or indeed a fire that destroys a data center.  It will also save vast amounts of time trying to recover data with tools that were just not designed for data recovery as part of business-as-usual. Those 70,000 SharePoint files?  Restored in a few clicks with the right backup platform.</span></span></span></p> <p><span><span><span>Encrypted files with no roll-back option?  No problem - head to the last known good backup date in your cloud backup solution and hit the restore button. With unlimited data retention and restore capability for the price of a coffee and a pastry – it's a small price to pay by comparison to the value of your data and potentially your business.</span></span></span></p> <p><span><span><span>To explore more on this topic, download our ebook “<a href="/resources/guide/7-reasons-every-business-needs-saas-backup" rel="nofollow">7 Reasons Every Business Needs SaaS Backup</a>”.</span></span></span></p> <p> </p> <article class="align-left"><img src="/sites/default/files/2021-10/Todd_Gifford.jpg" width="100" height="100" alt="Todd Gifford" loading="lazy" typeof="foaf:Image" /></article><p> </p> <p><span><span><a href="https://link.edgepilot.com/s/d18b5dab/bzc8qTiGakK89XEJUvHEhQ?u=https://eur03.safelinks.protection.outlook.com/?url=https%253A%252F%252Fwww.linkedin.com%252Fin%252Ftodd-gifford%252F%26data=04%257C01%257Ctodd.gifford%2540optimisingit.co.uk%257C830cc0de55324d65cb4c08d94e0a0a26%257C6ddb60aff59f491c91abca97310261cd%257C0%257C0%257C637626628799039669%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C2000%26sdata=E0RHq%252FmEmXxL1hT5%252FqcLXuiAub0FS0yq6ullu8YoXik%253D%26reserved=0" rel="nofollow">Todd Gifford</a>, BEng, CISSP has 22 years of cybersecurity experience and is the CTO of Optimising IT, a 
UK-based Managed Service Provider whose goal is to help you manage risk in a pragmatic way. Connect with Todd on LinkedIn or <a href="https://www.optimisingit.co.uk/cloud-services/backups-and-recovery/" rel="nofollow">visit Optimising IT</a> to learn more about how they can help you choose and implement the best cloud-to-cloud backup solution for your business.</span></span></p> <a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a> Tue, 12 Oct 2021 19:51:02 +0000 admin 470 at