Tag: data protection

Hardware v. Software Backup and DR


There have been a lot of changes to disaster recovery since I started my career in IT years ago. Back then, the hardware stored things and the software moved backups to tape. It was a simple, if somewhat stilted, environment. It also took forever, as anyone who did “fulls” on the weekend can tell you. An all-weekend backup window can really put a damper on things. Like when tapes need to be changed. Of course, that was before “the cloud”.

Now, we have many of those functions converging.  Hardware is becoming “smart” and can now make copies of itself.  Software is becoming smart as well, with the ability to search through catalogs of backup files to show multiple instances of files, or different versions.  So – how do you fit these into your environment?

Hardware Snapshots

Smart hardware platforms and arrays have sprung up almost everywhere. From the old days of JBOD (Just a Bunch of Disks) to intelligent and aware arrays, the mechanisms controlling storage are trying to streamline functions that plague the storage admin. These days, storage appliances are able to quiesce data on the volumes, make snapshots of those volumes, and oftentimes replicate those volumes between like appliances, or via 3rd party APIs to other storage, like the cloud.

There are many advantages to this approach. Since these appliances are now placing data using ILM strategies, the appliance usually knows what data resides where. Data can be snapped quickly, often in just milliseconds. Hardware-based replication to other storage for DR or backup purposes is much faster than traditional backup. This is often accomplished by sending just the changed data and then letting the hardware figure out how to make full snapshots of it in the background. A very nice solution for hot or warm backup sites.

Software Backup

Software solutions traditionally take longer for backups. It takes time to traverse or “walk” the filesystems involved. This is slower than SAN- or NAS-based snapshots. Software allows for storage that is not associated with hardware appliances to be backed up. This includes individual machines and drives that may not be hosted on a SAN or NAS. Even critical desktops and laptops.

Software is also a great solution for its ability to collect information on the files it is backing up. All the file attributes are collected and organized into a catalog that is user searchable, in the event that only one file or email needs to be restored. Catalogs are very organized and searchable by storage and backup admins. If you haven’t read my article entitled “Is Backup Software Dead?”, it goes into a bit more detail on these advantages.
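The catalog idea described above, as an added sketch that is not from the original article or from any backup product: each run walks a directory tree, records every file's attributes and a SHA-256 hash, and a query then shows which run first holds each distinct version of a file. The SQLite schema, run labels and sample files are constructed assumptions.

```python
import hashlib
import os
import sqlite3
import tempfile

def open_catalog():
    """In-memory catalog; the schema is an assumption made for this sketch."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE catalog (run TEXT, path TEXT, size INTEGER,"
               " mtime REAL, mode INTEGER, sha256 TEXT)")
    return db

def backup_run(db, run_id, root):
    """Walk the tree under root, recording each file's attributes and hash."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db.execute("INSERT INTO catalog VALUES (?, ?, ?, ?, ?, ?)",
                       (run_id, os.path.relpath(full, root), st.st_size,
                        st.st_mtime, st.st_mode, digest))

def versions(db, pattern):
    """Distinct versions of matching files and the first run that holds each."""
    return db.execute(
        "SELECT path, sha256, MIN(run) AS first_run FROM catalog"
        " WHERE path LIKE ? GROUP BY path, sha256 ORDER BY path, first_run",
        (pattern,)).fetchall()

def demo():
    """Two constructed backup runs; budget.csv changes between them."""
    db = open_catalog()
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("budget.csv", b"q1,100\n"), ("notes.txt", b"hi\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        backup_run(db, "2017-06-01", root)
        with open(os.path.join(root, "budget.csv"), "wb") as fh:
            fh.write(b"q1,100\nq2,250\n")
        backup_run(db, "2017-06-02", root)
    return db

if __name__ == "__main__":
    for path, digest, first_run in versions(demo(), "budget%"):
        print(first_run, path, digest[:12])
```

Because the hash is stored per run, the same query also shows when a file's content last changed, which helps pick the run to restore a single file from.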


Appliances are often hybrids of both types of backups. They consist of a hardware appliance that stores file and catalog information locally, stores a copy of the latest backup locally, and oftentimes offers the ability to store older backups off-site. Appliances do not match the speed of SAN- or NAS-based backups. But appliances speed up software-based backups and offload the computing load that traditionally has been reserved for a server running backup software.


Backups are a part of life in the IT shop.  Between accidental deletion of files, ransomware, and just plain disasters, you would be crazy not to do them.  How you do them is changing on a consistent basis.  As new technologies come out, the face of backups and disaster recovery changes.  Make sure that you are taking advantage of all the new technology that is being offered.


Data Security – lessons from Equifax and HBO


You can ask Equifax, Ashley Madison, or HBO how data security worked out for them.

With the latest high-profile attacks at large companies that hold customer data, anyone that stores sensitive information within their computer systems should take a look at their data security policies.  While this article won’t help you develop a detailed data security plan, I hope that it will start to explain several of the things that you should know and address.

For starters, let’s talk nomenclature. Digital data has three states. These states are agreed upon; what each encompasses, however, is often debated. The three states are data-in-use, data-in-motion, and data-at-rest. Addressing these three states will encompass all of your data and potential data exposure.


Data-in-use is data that resides in a processing device (like your computer) and is actively held in memory.  Most of the security risks that happen with data-in-use happen when people have physical access to the computers that are using this data, systems are in a poor state of update or malware protection, or network accounts and security are lax.

Solutions to these issues are fairly straightforward. Keep computing resources physically secure. Make sure anti-virus and anti-malware software is up to date. When operating system and application updates and patches come out, install them. Good systems administration is also key. Make sure user accounts are secure. Disable or delete old or unused accounts. Educate users to recognize potential data leaks due to poor security practices. Limit access to data to only trusted resources using mechanisms like CHAP or ACLs. Keep tight control over other means of access, like vendor portals and outside APIs that you may use.


Data that is moving from storage to processing is considered data-in-motion. This usually means the WAN or network, which your data traverses in its journey between at-rest and in-use. This also includes transport in the cloud, where data may be moving over very public networks on its way between in-use and at-rest.

The most common way to defend against data-in-motion snooping is to encrypt data. Always encrypt data-in-motion. Always. Many vendors provide virtual private network (VPN) solutions, or WAN acceleration appliances that include encryption as part of the package. This is traditionally for WAN usage and encrypts the entire communications channel. There are also solutions for local LAN traffic. Check out IPsec if you haven’t already. It may also be worth your while to consider encrypting your data itself, not just the traffic tunnels. This will become expensive, either in real dollars or in computation, so it may not be a fit for your organization.

Limiting physical access to your network is also a must.  Keep your networking gear behind locked doors, and secure any wireless access.  Again, this is all basic Network Security 101.


Data that is stored on a device but is not actively being used is considered data-at-rest. This usually means disk, appliance, tape or other removable device. Yes, thumb drives and CDs are included in data security plans. Data security plans often overlook backups and backup media, too.

Securing data at rest is again all about physical security and encryption.  Physically secure your storage appliances and tapes and you have solved 90% of the issues with data-at-rest security.  If no one can get to your data, then no one can steal your data.  For data encryption there are also solutions.  There are software applications that will encrypt data, and several operating system vendors have included this functionality in their OSes.  This does tend to slow systems down.

Appliances are also a solution to encrypting data. There are specialty manufacturers whose appliances sit in between storage media and computing resources and encrypt data “on the fly”. These tend to be a bit expensive and are for specialty applications.

Seagate makes a Self-Encrypting Disk (SED). Special chipsets encrypt everything written to or read from this disk. This disk tends to be a bit slower than traditional disk (figure a 10% penalty on reads and writes), but is a nice solution for those clients that may be trying to meet data security standards. The disk does not store encryption keys. Therefore, taking disks does not compromise data. But for heaven’s sake DO NOT FORGET OR LOSE YOUR KEYS.

Summarizing Data Security

In this article, we have discussed data security. A data security plan must consider each state of data separately. Security measures may span more than one state, but remember they are implemented differently depending on state. This article is an introduction to basic data security. It is not all-encompassing. We have only scratched the surface. Read up, work with your in-house security people, or engage competent data security consultants to get the best security that you can. Your data may not include government officials looking to “hook-up”, or the spoilers for next season’s Game of Thrones, but you never know.








Is Backup Software Dead?


Is backup software dead? Everywhere I look, I see increased functionality within storage appliances and operating systems. Appliances will back themselves up, operating systems now have quiescing and basic backup support, and the cloud is making backup targets stupid easy. Should I buy dedicated backup software, or does my hardware, hypervisor or operating system handle this?

As a storage professional, I will never discourage anyone from taking backups. As a matter of fact, I personally believe that more is better. I am sure that many of you have heard the popular saying ‘Two is one and one is none.’ Anyone who has mounted a blank backup that “worked last time” understands the wisdom of multiple backups. Balancing this wisdom against the cost of additional methods of backup, what should I do? While there is no one answer that will work for everyone, discussions help us formulate plans.

Many hardware solutions provide backup

I’m a big fan of taking administrative tasks off-line. As a corollary to that, the closer I can get backup to where the data lives, the faster the backup will occur and the SMALLER the impact to production systems. It stands to reason: if a system snapshot takes place on the storage appliance and it takes milliseconds to execute, isn’t that better than a full backup through system agents that may take hours over the weekend?

To take advantage of this, many storage vendors have added support within their hardware for snapshots and replication.  In essence, this makes a copy of your data volume and moves it within your environment.  Yes, this usually only works on products within the same manufacturing family.  Yes, vendors must support quiescing.  But many OS vendors are now building the functionality within their operating system to quiesce resident data painlessly.  Well, painlessly once you get it set up.  But what was once the realm of large, intense database houses, or financial trading houses now ships with many OSes.

This seems easy enough, right?  Your storage appliance and OS will do most of the difficult work.  But what about support for your hypervisor?  Maybe those legacy apps don’t support some sort of OS quiescing?  Or what about those that don’t even have a dedicated storage appliance?

Backup Software

While it will never be as fast as dedicated storage appliance backup, backup software does have a place.  Many places in fact.

Arguably, backup software’s most important function is as a broker. The software acts as the middleman between your data (the source) and wherever you would like a copy of the data (the target). And it provides a greater amount of flexibility than traditional “baked-in” solutions from hardware manufacturers. Of course, this is a simplistic view, and many backup packages have lots of gizmos and what-nots to make a backup administrator’s life easier. But the main function is moving data.

Software works well with dissimilar hardware. Want to back up data across many different manufacturers? Software can do it. Want to move it between disk, tape, and the cloud? Removable media? Software shines here. Want to work with legacy applications or operating systems that may not support data integrity? Software does this and gives you the flexibility to customize it to your environment.

What works for you

I see a place for both hardware and software in a backup strategy. Of course, I’m also the guy that still sees tape as the most economical means to store and archive large amounts of data. The key point is to do what works for you. I’ve worked with large organizations that had more data than could be reasonably backed up through software. In this case, snaps and replication were a great fit. But those same organizations had legacy apps that needed databases backed up hot and live, then log files backed up as well to ensure transactional integrity. Software to the rescue.

My point is that there are many tools in your toolbelt to use.  But, technology always changes. Does your hardware provide all the things you need to recover your data in an emergency? With the amazing growth of data, do you see software still being a viable backup method into the future?  How do budgets and cost affect your decision?  Please share your thoughts!



The Case for data protection – Tuesday’s ransomware attack


The second reported attack of NSA-esque ransomware this Tuesday should not surprise any systems administrators or IT staff. These attacks are happening on an increasing basis, and with the release of the “Vault 7” documents as a how-to-for-hackers, they will only increase. Google hacker culture, Vault 7 or script-kiddies. Suffice it to say that dangers like this are a growing concern that needs to be addressed in your Data Protection plan.

Data Protection Plans

Getting back to the basics of Data Protection, today’s article will discuss how backups, as a part of your DP program, can help with ransomware attacks. Backups may bring up visions of hurricanes or tornadoes, but it goes well beyond that. Data protection also means, well, protecting your data. From all the threats out there, including accidentally deleted files and not so accidentally deleted files, or even ransomed files.

So, you may be asking, how does data protection actually protect me from ransomware? To put it simply, ransomware doesn’t remove your data and your files, like a tornado, hard drive crash, or hurricane. It removes YOUR ACCESS to that data and those files. Time and mathematics, instead of wind, rain, and lightning, are denying access to your data. The files are still there, but you can’t use them to do what you need to do.


This is the case for backups. We previously discussed the several use cases for snapshots in an article, but in this instance, any backup will do as long as the backups were taken BEFORE the systems became infected with ransomware.

To this point, you should have a backup SCHEDULE. That means that you don’t just keep the latest copy of your backup; you keep staggered copies of your backups. One of the most famous backup schemes is Grandfather-Father-Son backups. While the scope of your backup schedule is beyond this article, suffice it to say that you should have at least one month of good backups if you have to restore data. With many of the backup appliances on the market these days, this is taken care of for you. And with compression and deduplication technologies the amount of data that can be stored on-site or remotely is truly astounding.
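A Grandfather-Father-Son rotation and the "taken BEFORE infection" rule from the previous paragraph, as an added sketch that is not from the original article: it decides which nightly backups a GFS policy retains and picks the newest retained copy that predates an infection. The tier sizes, the nightly dates and the infection date are constructed assumptions.

```python
from datetime import date, timedelta

def gfs_keep(backups, daily=7, weekly=4, monthly=3):
    """Return {backup_date: tier} for the copies a GFS rotation retains.

    Tier sizes are assumptions for this sketch; set them from your own
    recovery objectives.
    """
    ordered = sorted(set(backups), reverse=True)               # newest first
    tiers = (
        ("grandfather", monthly, lambda d: (d.year, d.month)),  # newest per month
        ("father", weekly, lambda d: d.isocalendar()[:2]),      # newest per ISO week
        ("son", daily, lambda d: d),                            # most recent days
    )
    keep = {}
    for tier, count, bucket in tiers:
        seen = set()
        for d in ordered:
            key = bucket(d)
            if key in seen:
                continue
            if len(seen) == count:
                break
            seen.add(key)
            keep.setdefault(d, tier)      # a date keeps its most senior tier
    return keep

def restore_point(kept, infected_on):
    """Newest retained backup taken strictly before the infection date."""
    return max((d for d in kept if d < infected_on), default=None)

# Constructed sample: nightly backups from 2017-04-01 through 2017-06-30.
NIGHTLY = [date(2017, 4, 1) + timedelta(days=n) for n in range(91)]
INFECTED_ON = date(2017, 6, 20)   # constructed date of first encryption

if __name__ == "__main__":
    kept = gfs_keep(NIGHTLY)
    for d in sorted(kept, reverse=True):
        print(d, kept[d])
    print("restore from:", restore_point(kept, INFECTED_ON))
    print("latest-copy-only:", restore_point(NIGHTLY[-1:], INFECTED_ON))
```

With these sample dates every daily copy postdates the infection, so the restore comes from a weekly copy, while keeping only the latest backup leaves no clean restore point at all.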

This solution is not perfect, but better than paying someone to release the data that you generated in the first place. Or maybe not – maybe the hackers will sell you an enterprise license? Good Data Protection policies deal with many ways to keep your data YOUR data. This includes making sure you can access it.

In the grand scheme of things, this rash of WannaCry-type ransomware attacks will continue. While security companies are rapidly working to cut down these attacks, if your data protection isn’t cutting the mustard these attacks will be terrible for your ability to support the other departments of your company. It is time to have a discussion with management about your data protection strategy and how these attacks affect it. Like they say, “Life is tough, but it’s tougher if you are stupid.”
