Protecting Yourself By Protecting Your Data By John Pawlicki
This column normally focuses on macro-scale technology topics, but this time we are concentrating on issues pertaining to data archiving, namely, backing up your data. In today’s interconnected world, with data breaches happening everywhere, it becomes more important to protect yourself and/or your company by always having access to data, even during a crisis. We face the ever-present threats of a fire, flood, earthquake, drones falling out of the sky (especially in certain localities which have allowed anyone to shoot one down), and the two most likely events of all: hardware failure or a cybersecurity issue.
Chances are that malware will compromise your computer or network if it hasn’t already. In some cases, the perpetrators will steal your data, cause some havoc on the infected device, or simply use your computers or network to attack other computers. None of these represent a good outcome. You will need to have security specialists cleanse your devices. This could result in downtime and possible loss of any data currently stored since wiping an infected hard drive is a typical course of action.
This is where data backups come in and why they are so important. The more dependent we become upon data generated from business operations, not to mention operations which interact with aircraft in flight or maintenance (be this test equipment, maintenance laptops, document repositories, etc.), the more we need to enact measures to continuously backup such information in the event of a catastrophe.
This means not only your desktop and notebook computers and servers, but all of your devices that contain any type of data, such as smartphones and tablets. Many of these devices serve double or even triple duty nowadays, supporting business use, personal use and in some cases, use on an aircraft in the cockpit. Some of these devices are used on a network, and you might have network backups performed on a periodic basis, others may not at all (shame on you). With the ever-connected nature of today’s always-connected world, suffering a loss of files, address books, log data and manuals becomes not only more severe, but also more likely.
It is worth defining the two main types of stored data — active data (also referred to as data in use in the IT world), and inactive data (data at rest). Each is important for different reasons. Active data generally refers to documents and data being referenced frequently or recently. Inactive data is often important whenever you need to reference information (for tax purposes, aircraft records retrieval, or simply to find embarrassing pics of a buddy from that spring break trip back in college). Data at rest often ends up in an offline data archive in corporate/government environments, but these archives are essentially compressed databases of information. With the ever-expanding capabilities of portable computing devices, such data may be carried around more often than in the past, since it is easier to do so.
According to Bill Blanchette, senior InfoSec engineer, “Depending on the nature of the loss, such as leaving your notebook on the TSA counter at the airport, this could produce a breach of personally identifiable information (PII) or worse, protected heath information (PHI). The damage could have civil and/or criminal legal ramifications in addition to loss of trust, business reputation, etc. Having backups of such information is paramount, but so is protecting it.” This is why mobile/portable devices must also be backed up on a regular basis (and have adequate security for the data they contain.
Different Types of Backups
Nearly everyone is familiar with the various types of local backups, either to a USB drive, CD-ROM (which is rather rare nowadays due to the data size limitations), or if you are on a network, to a network-attached storage drive. Many of the solutions for home or small business users perform a scheduled backup nightly or weekly. Many of the lower-end software applications that drive such backups are not always reliable, and leave you at risk. I have experienced this first hand at home and on the job.
While I worked for an unnamed defense contractor many years ago as a software engineer tasked with leading a project, we had a lightning strike on our building one weekend, and it caused havoc. I received a phone call from the facilities personnel on a Sunday morning to inform me that the DEC VAX computer system in our secured lab had been impacted. (I am dating myself here, but this was one of the largely-used systems in the days before PCs and LANs). I stopped in that day to inspect the system, and surely enough, it was down and would need to be restored from our daily/weekly backup tapes that a system operator had configured for us. On Monday morning, when the system operator informed us that the backups had failed for the past week or so, you can imagine the reaction –mayhem, profanity and panic. We had to painstakingly back track all of the recent software changes our project had done, and missed our project milestones for many weeks until we caught up. Quite simply, a canned software application for backups had failed and no one had noticed, even though we had someone assigned to monitor this, and a once-in-a-blue-moon event happened and triggered a crisis.
More recently, I had used one of the large cloud-based backup services to archive several computers on my home network. This worked fine for many years and I was able to restore accidently-deleted files many times without incident. Because of this, when my local (rather old) backup drive on my router failed, I did not bother replacing it since I had grown complacent. I’m sure you know where this story is headed.
One of the laptops I used exclusively for contracting/consulting work had been experiencing some issues, possibly due to malware. (I am never sure if I trust the security software prognosis, since each one of the two or three applications I use tells me something different). I had lost some key files I needed and the cloud backup service did not archive deleted data for a long period of time, so when I noticed the missing files, my backup service provider was of no help since it had apparently been too long and the archives had gone past their due dates and were no longer available. It took me about one day to cancel my account there and go with another provider, but I could not completely fault them. Nevertheless, it felt good to blame someone other than myself.
Lessons Learned
The takeaway from my two examples are that you always need to have more than one solution (belt and suspenders approach). In the first example, we had a professional system operator using a high-end product, and in the second, a technology-obsessed professional (my wife uses a different set of terms) who depended upon a limited solution — both failed.
There are various studies on this topic, and the takeaway for any small business or home user is to have multiple/redundant solutions. These can be setup rather inexpensively.
For a small business, have both a local network backup and an off-site cloud backup service. In the event of a major catastrophe, you will not get any sympathy from anyone anymore if you plead for understanding from customers, vendors and regulators (and employees) if you lose access to your data and are unable to restore it quickly. This includes all of the non-attached devices such as notebooks, tablets and smartphones. You need to invest in one or more network-attached storage solutions as a minimum, and have your IT staff or outsourced provider verify the validity of the backups on a regular basis.
For home users and small businesses, and those who support their own personal computing devices for work, it is actually much easier. If you have a home network, purchase an inexpensive network drive to attach to your router. Some routers support a USB port so that a less-expensive external backup drive can be procured. Always, and I mean ALWAYS buy a larger drive than you think you might need. I can guarantee that you will use most of the disk space much faster than you envision. Small companies can procure a single set of network-attached storage drives (with failover drive support) to provide a company-wide data backup system.
Your second step is to upgrade the software that comes with any of these drives to a more comprehensive version. I had purchased a higher-end USB 3.0 drive from one of the pricier vendors, but the basic software they provide is simply shameful. I upgraded the third-party software immediately to a comprehensive version that supports nearly-continuous backups (this runs in the background monitoring for any file changes), and, just as importantly, a seamless system recovery in case of a catastrophic event. Since this type of software supports some degree of archiving, I can backtrack several versions of key files (depending upon how I set up the feature to save disk space). I have not had to test either one yet, but you can bet that I check periodically to see if my data is being stored!
Additionally, I use a cloud-based service from Carbonite and pay a flat fee for archiving my data files. For a small annual fee, this provides me with a secondary backup mechanism that can be accessed easily while traveling. There are other good providers to consider, and each of these has its drawbacks and limitations, so research what is important to you when choosing one these services.
Synchronization
Another mechanism worth mentioning is file synchronization, one of the newer trends. A number of services such as Syncplicity and Dropbox pioneered this approach, and this has been copied as of late by Microsoft SkyDrive, Google Drive and other such providers. I use three of these (keeping under the free limits) to synchronize certain directories on each my various computers with my main desktop PC. Each of these not only performs an automatic synchronization, but, you can access these files on a Web site while traveling (or when using a computer that is not part of the sync process). This is simply a great feature for anyone with multiple computers, or who travels and needs to send or acquire updated data.
IT personnel might cringe when considering the synchronization services due to the lack of control on having files moved out of a company, but each of the sync solution vendors provides a business-level solution to consider.
I have used several of these services to work with project team members globally. Quite simply, we each download the application to our computer, set up which directories to have uploaded, which of these we’d like to share, and with whom. This way, our global team was able to sync up the latest version of presentations, reports and spreadsheets with each other constantly. Conflicts happen on occasion but this was rare since we kept in touch on who was working on which documents.
Dropbox and Syncplicity are probably two of the easiest solutions to use for such functions, but there are many others to choose from.
Wrap up
There is no excuse to not have multiple solutions in place to back up and share files. The costs to administer them are low and there are many service providers from which to choose. To condense the recommended actions, here is our list of steps to consider:
1. Always have a local backup solution, either network-attached or simply an external hard drive (for each router or each computer if you do not have a network).
2. Always buy a larger drive (or set of drives) than you think is necessary, since it will be soon afterwards. The amount of data generated is going nowhere but up.
3. If you are not buying a corporate-level backup solution, upgrade the software that typically comes with most backup drives to a more comprehensive solution. This NEEDS to support continuous backups and a ‘system restore’ function. Such solutions typically support multiple file archives, so you can step back through a few versions of a file as well. These can be life savers or even career savers.
4. Always use a cloud or off-site data backup service as a secondary solution. For the typical price, these are quite effective. Make sure that you understand the limitations of the service you procure so that you are not surprised by a restriction when you need this most.
5. Consider using a file synchronization service, especially if you are an individual or a small business owner. Larger companies should look at the business-level versions of these so that this fits your corporate IT profile. These services are great for those who want to have files available across multiple computers, and for dispersed teams that need access to the same data. There is no need to constantly e-mail files or to manually manage such data. Let your software do it for you.
6. With large fleets of mobile devices containing proprietary or private information, don’t forget to layer in a data at rest solution to protect your interests, especially for those that contain databases of reference information.
There are many places where it is wise to cut costs, but data backups are not one of them. Take this from someone who has learned the hard way.
John Pawlicki is CEO and principal of OPM Research. He also works with Information Tool Designers (ITD), where he consults to the DOT’s Volpe Center, handling various technology and cyber security projects for the FAA and DHS. He managed and deployed various products over the years, including the launch of CertiPath (with world’s first commercial PKI bridge). John has also been part of industry efforts at the ATA/A4A, AIA and other industry groups, and was involved in the effort to define and allow the use of electronic FAA 8130-3 forms, as well as in defining digital identities with PKI. His recent publication, ‘Aerospace Marketplaces Report’ which analyzed third-party sites that support the trading of aircraft parts is available on OPMResearch.com as a PDF download, or a printed book version is available on Amazon.com.