Information security: Data Protection... Part II

in #crypto, 5 years ago


This is a series of articles that cover some basic InfoSec (information security) and OpSec (operational security) tips for private home/mobile or small business use.

I'm an IT security guy who has been around quite a bit, from small business settings to big corporations in FinTech and other industries.

I'm trying to cover a lot in, hopefully, simple words, with some simple approaches, methods, processes and hands-on recommendations for you to assess and maybe up your InfoSec (information security) game if you want. Please understand that I will have to be pretty generic in some parts of these articles...

...but if you've got questions, go ahead and drop them in the comments and I'll try to help out!

IMPORTANT! If you're unsure about some of the recommendations, please hire a professional before getting into trouble with your systems and possibly blaming me for that!

A general piece of advice! Please only "touch" (change) things/configurations that you are familiar with and that you can undo if needed!

Lastly, why do I do this? To raise awareness and to hopefully help you to raise your personal information security & data protection bar!


I will cover the following topics in this series of articles

A quick recap of points we touched in previous articles...

Assessment...

In the first article in the series I suggested that you make an assessment of your internet-connected devices or, better, of all devices in your own network, including mobile devices! This includes collecting information on the serviceability of these devices.

This is the groundwork for the next steps.


Passwords...

The Password article touched on some general aspects of password handling, like defining a password policy and getting some help from password managers.


Prerequisites for secure patching of systems, Part I...

With Prerequisites for secure patching of systems, Part I, I introduced you to some of the frameworks (ITIL) and methods (ITSM) to understand what you're dealing with, how to collect and store information about your environment (CMDB) and how to make a first estimate of the criticality of your systems (BCM, BIA).


Prerequisites for secure patching of systems, Part II...

With Prerequisites for secure patching of systems, Part II, we dove a little deeper into the justification for putting time, effort and money on the table to protect our environment. We looked at IT risk management and the resulting prioritization of systems/apps to gain knowledge about what it is all worth to us. Lastly, we had a glimpse of a possible cyclic process to handle service improvement and vulnerability handling.


Information security: Data Protection... Part I

With Information security: Data Protection... Part I, I gave a little primer on things to consider in Backup & Recovery. We looked at our device assessment list and how a possible alignment of protection requirements and a backup solution could be found. I showed a few examples of metering your own environment's capabilities in terms of dependencies/relations based on DTR (data transmission rate). Finally, I pointed you to some market overviews of free and paid backup solutions for local operation, cloud-based, or hybrids to store your backup data.


Data protection: Data Protection... Part II

Since we have some basics covered, we can now look into some backup & recovery strategies. We'll have to extend our understanding of backup & recovery a little more. Backup methods have different advantages; we'll look at their pros and cons and I'll point out some things to consider when choosing the right strategy.

Even if it seems very obvious, let's clearly state the two distinct purposes of backup & recovery.

  • recover recent backup data after its loss, either by deletion or corruption
  • recover data from an earlier time

Also, please keep in mind that a backup and recovery solution, even one including a disaster recovery option, cannot replace a "complete" disaster recovery plan (see BCM business continuity planning and BIA business impact analysis in this article).


Let's go through the defining factors for a backup & recovery strategy!

Information repository models

Backing up data is one thing, but finding something in your backed-up data is a completely different beast!

Repository models define the concept of an information repository that holds the information about the what, when and where of backup and recovery. Backup data needs to be stored, therefore a backup rotation scheme must be defined. The repository of the backup data can be very simple, starting with a piece of paper, but more sophisticated methods will cover a computerized index, a catalog or even a relational database.


Unstructured

This can be a simple copy from source to target media without any computer-based repository information generated while backing up data. It can be sufficient for some very simple backup needs. It's the "better than nothing" option.


Full only / System imaging

The repository for this backup method is the complete source system data for one or multiple points in time. It is very effective for restoring a complete system after a disaster, for instance, or for rolling out multiple alike systems. It is unfitting for most data backups, since even the restore of a single file would force you to recover the complete system (in most cases; some imaging solutions offer the possibility to recover on file level).


Incremental

An incremental backup method only stores backup data for files changed on your system. The incremental backup actually starts as a full backup, on top of which the following backups just save the changed files/folders. It is very effective for selective recoveries but has a drawback, depending on the number of backup increments, when you need to recover a whole system or a large quantity of data. A whole system recovery starts at the first save set (full) and then runs through all the increments after the first save set. Some backup solutions provide the option to create a synthetic full backup from the first full and the following increments, but this is highly dependent on the overall backup dimensions and the number of objects saved. Creating a synthetic full backup in that way can be very I/O and CPU demanding and won't be feasible for most smaller environments. There are some additional flavors of incremental backups that reduce the overall backup capacity by saving just the changed parts of files instead of complete files.


Differential

A differential backup saves the data changed since the last full backup. The advantage is that only two backups are used to recover data (full + differential since full). The disadvantage is that the differential save set grows, and so does the time needed for each differential backup. The recovery of an entire system starts at the most recent full backup save set and then uses the last differential backup save set.
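The difference in restore effort between the two methods, as an added example that is not part of the original article. The function names, the `(date, kind)` tuple layout and the sample week are assumptions made for illustration; the second function shows why one unreadable increment cuts off everything after it, while a lost differential does not.

```python
from datetime import date, timedelta

def restore_chain(save_sets, target):
    """Save sets to apply, in order, to restore the state as of `target`.

    save_sets holds (date, kind) tuples. Assumed semantics: "incremental" is
    the changes since the previous save set of any kind, "differential" is
    the changes since the last full.
    """
    usable = sorted(s for s in save_sets if s[0] <= target)
    fulls = [i for i, s in enumerate(usable) if s[1] == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    chain = [usable[fulls[-1]]]
    later = usable[fulls[-1] + 1:]
    diffs = [i for i, s in enumerate(later) if s[1] == "differential"]
    if diffs:
        # The newest differential replaces everything between it and the full.
        chain.append(later[diffs[-1]])
        later = later[diffs[-1] + 1:]
    chain += [s for s in later if s[1] == "incremental"]
    return chain

def restorable_until(chain, damaged):
    """Date of the newest state still recoverable when some save sets are
    unreadable: the chain can only be replayed up to the first damaged one."""
    last_good = None
    for save_set in chain:
        if save_set in damaged:
            break
        last_good = save_set[0]
    return last_good

# Constructed sample schedule: full on Sunday, one save set per day after it.
SUNDAY = date(2024, 1, 7)
FRIDAY = SUNDAY + timedelta(days=5)

def week(kind):
    return [(SUNDAY, "full")] + [(SUNDAY + timedelta(days=d), kind) for d in range(1, 7)]

if __name__ == "__main__":
    lost = {(SUNDAY + timedelta(days=2), "incremental"),
            (SUNDAY + timedelta(days=2), "differential")}
    for kind in ("incremental", "differential"):
        chain = restore_chain(week(kind), FRIDAY)
        print(kind, len(chain), "save sets; restorable until",
              restorable_until(chain, lost))
```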


Continuous data protection

This backup method saves byte or block-level differences and logs them, rather than file-level differences. It offers the possibility to do a log-based rollback of a system. It differs from other availability models like mirroring by offering a rollback and restoration of old data.


These were the most important backup methods. Now let's try to find the right method for our backup and recovery needs.


Try to check off or write down every result of your requirement analysis!

RTO/RPO

RTO (recovery time objective) and RPO (recovery point objective) should be clear for your systems at this point! These will be the most influential factors for your backup and recovery needs!


Capacity needs?

How many systems with how much capacity need to be backed up possibly even concurrently?


Disaster recovery option needed?

This is the possibility to recover a system from scratch with your backup solution. It comes in different flavors like "on same system" (the disaster recovery target system has to be identical to the backup source system / hardware) or "to different system" (the disaster recovery lets you adjust for a different recovery target).


Data retention needs?

Data retention describes the time frame in which a given set of backed up data will be available for restore or the number of copies (versions) of backed up data. If you need to restore data older than the most recent backup you'll need multiple versions of this data accessible.


Backup speed needed?

For this you should have a clear understanding of what you have to look for to meet your requirements. The minimum we are looking for here is a backup time that does not collide with following backups! Let's say you have a backup that runs more than 24 hrs. on a daily schedule. You get the picture, right? You'll never have a consistent backup set with this. Even if you just save the daily increments of a system's data changes, you must be able to get all of the system data to the backup target media at least once! Please also keep in mind that even though you might be able to let the first backup run longer than 24 hrs. on a daily schedule with following incremental backups, such a limited backup performance is an indicator of your recovery possibilities as well. If your RTO is covered by an extended time frame for recovery, you're fine.


Recovery speed needed?

See if your RPO and RTO fit into the solution you want to select.


Phew... that's a lot to cover, right? I know... still, if you want to do it right there's no way around doing your groundwork thoroughly.

Once you've got your requirements collected and written down, I suggest that you look at consolidation possibilities. What I mean by that is that you may want to keep your backup and recovery solution as complex as needed but as simple as possible!

The more you can fit into an overall backup strategy, the easier it will be to use your backup and recovery environment.

But... yeah, there's always a but... this might not work for all of your systems, with possibly different OSes or firmware-based "boxes"! Here either some preliminary secondary backup method can be used (for instance: 1. a backup script saves the router/switch config to disk; 2. the disk including this backup result is then backed up with everything else) or indeed a second backup solution might be needed.


Some additional points...

Think really carefully about your data retention needs! If you go too short on the save set versions you can end up with data loss especially when a file corruption goes undetected for a while.

Also, once again, your backup storage considerations should not fall short with regard to performance and safekeeping of backups. If you use removable media, keep the manual handling of the backup media in mind, including its safekeeping: storing your backup media in a fireproof safe, or even in a secondary location away from the backup source, like a safe deposit box at your bank, is important.

Give the security aspects of your backup data some thought with regard to encryption, to make sure that no unauthorized access to your data is possible. Solutions that don't provide password protection and encryption should only be considered if the backup data stays on your premises and is securely kept from possible misuse by others.

Make sure that you document your backup and recovery strategy and methods on such a level that you yourself can rely on and use if needed.

Also think about including at least one other trusted person in your backup and recovery plans who can use your backup and recovery environment if you cannot for some reason. This can be essential for backups that need manual intervention, like changing backup media or storing away backup media. You can implement this on different levels, up to full access including the passwords for your backup sets.

Don't trust, test and verify! Test your backups and, even more important, your recovery! Nothing is more frustrating than thinking you've got all bases covered and then running into problems when you need a recovery.

Remember, a simple file recovery might not be much of a challenge to you and others, but when a disaster strikes, tension and stress can get to you, so having a simple and tested recovery method that you can go through step by step makes things a lot easier and more reliable... and if there's one thing you want from your recovery, it's reliability!
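One way to make "test and verify" repeatable, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, then compare a test restore against it. The function names and sample files are assumptions for illustration, and `shutil.copytree` merely stands in for your backup tool's backup and restore run.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result

def compare(expected, restored):
    """Report files the restore lost, altered, or added."""
    both = set(expected) & set(restored)
    return {
        "missing": sorted(set(expected) - set(restored)),
        "changed": sorted(p for p in both if expected[p] != restored[p]),
        "extra": sorted(set(restored) - set(expected)),
    }

def demo():
    """Constructed sample: a clean test restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("total: 100\n")
        (src / "docs" / "notes.txt").write_text("call the bank\n")
        (src / "photo.bin").write_bytes(bytes(range(256)) * 64)
        # Taken at backup time and kept with the save set: the live source
        # will have changed by the time you test a restore.
        expected = manifest(src)
        shutil.copytree(src, dst)  # stand-in for backup + test restore
        clean = compare(expected, manifest(dst))
        # Simulate one flipped bit and one file the restore dropped.
        data = bytearray((dst / "photo.bin").read_bytes())
        data[10] ^= 0x01
        (dst / "photo.bin").write_bytes(bytes(data))
        (dst / "docs" / "notes.txt").unlink()
        return clean, compare(expected, manifest(dst))

if __name__ == "__main__":
    print(demo())
```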

Cloud solutions and ease of use...

As I wrote before, if your needs can be covered by a cloud backup solution you'll be pretty well off, since a lot of the technical and operational stuff is simply covered by those. They offer most of the named backup methods, have the operational stuff (no handling of backup media) and the secondary location for backup data storage inherently covered, and their pricing seems relatively fair in relation to their service.

On the other hand, some of these fall short in terms of disaster recovery options, and let's not forget they always require sufficient bandwidth to make use of them.

On premise...

If you got other needs in terms of accessibility and availability there are some pretty easy to use "on premise" solutions available for your requirements.

Special applications need special attention and care...

For instance databases... here you must make sure that you can back up database files consistently! In many cases this is only possible by running preliminary database backup or export functions before you can save the result into your "regular" backup. Some backup solutions therefore offer so-called "pre- and post-backup tasks" where you can implement such commands/functions.
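A pre-backup task of this kind, as an added example that is not part of the original article. It uses SQLite only because it ships with Python; the function name, file names and sample table are assumptions for illustration, and other database engines have their own dump or export tools for the same job. The snapshot is taken through the database's own backup API, so it holds only committed data even while the application has a write in flight, and it is integrity-checked before the regular backup picks it up.

```python
import sqlite3
import tempfile
from pathlib import Path

def pre_backup_snapshot(live_db, staging_dir):
    """Write a consistent, verified copy of live_db into staging_dir.

    Point the regular file backup at staging_dir, not at the live file.
    """
    staging_dir = Path(staging_dir)
    staging_dir.mkdir(parents=True, exist_ok=True)
    target = staging_dir / (Path(live_db).name + ".snapshot")
    if target.exists():
        target.unlink()
    src = sqlite3.connect(live_db)
    dst = sqlite3.connect(target)
    try:
        src.backup(dst)  # SQLite online backup API, copies committed state
        status = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        dst.close()
        src.close()
    if status != "ok":
        target.unlink()
        raise RuntimeError(f"snapshot failed integrity check: {status}")
    return target

def demo():
    """Constructed sample: snapshot a database with a write still in flight."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "shop.db")
        app = sqlite3.connect(live)
        app.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
        app.executemany("INSERT INTO orders (item) VALUES (?)",
                        [("disk",), ("tape",), ("nas",)])
        app.commit()
        # The application starts another write and has not committed yet.
        app.execute("INSERT INTO orders (item) VALUES ('in flight')")
        snap = pre_backup_snapshot(live, Path(tmp, "staging"))
        check = sqlite3.connect(snap)
        rows = check.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
        check.close()
        app.rollback()
        app.close()
        return snap.name, rows

if __name__ == "__main__":
    print(demo())
```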

I guess this will be it for a slightly more in-depth look at data protection with regard to backup & recovery.

My personal recommendation for a backup and recovery solution...

Under the level of enterprise backup solutions I can personally recommend Acronis Backup.

I've used Acronis Backup in a number of environments and they offer a lot of bang for the buck. Sure, they're not the cheapest solution, but they cover most of the needs, including a cloud & on premise hybrid solution, like the "big boys" with their enterprise solutions, and Acronis Backup has never let me down when I or customers needed it!

If you're interested in taking a look at Acronis Backup here's my ref-link:

Acronis Backup


Lastly, please use your favored search engine (in that regard I recommend DuckDuckGo for some search privacy ;-)) and find some more details on products and market comparisons.

Some links for free backup tools/utilities:

Linux:
https://help.ubuntu.com/community/BackupYourSystem

Windows:
https://www.lifewire.com/free-backup-software-tools-2617964
https://support.microsoft.com/en-us/help/17085/windows-8-restore-refresh-reset-pc

https://www.pcworld.com/article/3201971/best-windows-backup-software.html


... and online backup services:

https://www.pcmag.com/roundup/226992/the-best-online-backup-services

https://www.lifewire.com/free-online-backup-plans-2625187


As I wrote before, your questions and suggestions are very welcome!
Please drop a comment if you like!



Gif from my friend @smilinglllama!

Cheers!

