From the Nov. 2006 Issue
A month or so ago, the LA Dodgers were playing great baseball and found themselves
in the thick of the pennant race. (For the non-sports fan out there, see “Wikipedia:
baseball.”) Since the team’s success on the field has been rather
meager for the last 17 years or so, this was no small deal for the fans in LA!
Those who follow the Dodgers credit a good portion of their success to the fact
that they have such a “deep” team. In other words, they have excellent
reserve players who possess the skills and versatility to hit well and play
any number of positions. When a regular player is injured or needs rest, the
manager has the confidence and flexibility to insert one of these talented “backup
players” into the lineup and know that the team will continue to be successful.
How does baseball teach us about information security? In the past several
months, we’ve covered a number of security essentials including anti-virus
software, personal firewalls, wireless security and spam filters. Creating a
layered defense to guard against attacks is important. But just as the Dodgers
need quality backup players in order to be successful, your ability to effectively
restore and recover if, and when, systems are compromised is no less essential
to your security strategy.
Are they really necessary?
Yes, a dependable backup is crucial in addition to your other security measures.
Reasons for this include the following:
• Hardware failure. Servers or workstations can stop
working at any time. If a hard drive crashes, a backup may be the only way of
recovering data and applications. Note: This is something our organization has
experienced first-hand no less than three times over the last year!
• A security breach. If a computer is compromised and
data is corrupted or stolen, a backup is essential for restoring applications
• Terrorism/disasters. Depending on your geography, you
can fill in your disaster of choice. (For LA, I’ll go with earthquakes,
fires, landslides, and riots. We seem to be a land of equal opportunity!) Any
one of these disasters, natural or otherwise, can decimate the physical and
data infrastructure of a company.
Unfortunately, many businesses underestimate the seriousness of existing threats
and the importance of having an effective backup plan in place. Research firm
Insight Express performed a survey of IT managers regarding backup practices
and business costs associated with server failures. The results showed that
over 30 percent of IT managers estimated that server failures cost their businesses
at least $10,000 in revenue and productivity. In spite of the great cost and
the fact that 72 percent of the respondents said that their organizations suffer
at least one server failure per year, more than half of the survey participants
(55 percent) don’t back up their entire system on a daily basis.
Following these sound backup and restore procedures are crucial to ensure the
continued availability and integrity of critical programs and data in the event
of a breach. Without adequate backup and restore procedures, small problems
can quickly snowball into major ones!
Historically, individuals and businesses alike have backed up their data to
media such as DVDs, tapes or hard drives. By following best practices, backups
can be maintained relatively inexpensively. Unfortunately, as is the case with
other aspects of information security, people get lazy and assume things are
working correctly. Tapes are not rotated properly, logs are not reviewed, backup
media is left by the server, and/or backups are not tested regularly. As a result,
IT managers and business owners often find out too late that they were not adequately
Another approach now growing in popularity is to backup data online. Businesses
can sign up with companies like eVault, Iron Mountain or Global Data Vault and
completely outsource the backup process. The process is pretty simple. Once
the proper software is installed on the client side, the data to be backed up,
and the frequency and timing of the backup are selected. At the time of backup,
the data is compressed, encrypted and transported to a secure data center.
Restoring is straightforward, as well. A user simply selects the files to
be restored and “pulls” them back to the computer of their choosing.
Listed prices on the Global Data Vault website (www.GlobalDataVault.com)
range from $9 per month for up to 300MB of data to $399 per month for between
25GB and 35GB of data. Less expensive options include newer sites such as JungleDisk.com
or ElephantDrive.com. These sites both use applications that communicate with
Amazon’s S3 storage API. Pricing is very inexpensive. ElephantDrive.com
is free while still in beta, and JungleDisk.com advertises the low price of
$0.15 per gigabyte. Obviously, the less expensive services take a little bit
more work to configure and maintain and should be investigated thoroughly for
their ability to keep data secure and return it promptly if and when it is needed.
Which backup approach is best? Traditional media or online? The answer really
depends on the IT resources at any given firm or company. Those with dependable
IT resources and a solid backup plan may not need to spend the additional money
for an online backup service. On the other hand, firms or companies without
reliable IT personnel and a shaky backup plan may find an online service to
be a very reasonable investment.
Do you have a backup solution? Is it integrated with your information security
strategy? Does it actually work? You need to make sure your backup policy upholds
best practices and that the technology you employ (traditional or online backup)
allows mission-critical systems to be quickly brought back online in the event
of a crash or disaster. If that’s not the case, you need to spend the
necessary time and investment to bolster your “bench.” And Go Dodgers!!
David Cieslak is a Principal in Information Technology Group, Inc. (ITG),
a computer consulting firm with offices in Simi Valley and Huntington Beach,
Calif. He is currently an instructor for K2 Enterprises and a frequent speaker
on technology issues. He also currently chairs the AICPA IT Executive Committee
and serves on the Information Technology Alliance board of directors and CalCPA