Backup Anytime

Data loss is only one component of data breach.

In years gone by, the main (even sole) concern which business had regarding data was the direct consequences to themselves of losing data. The questions they asked themselves centred around an inward looking theme.

What data do we need to retain to ensure survival?
How will data loss affect us?
How long will it take us to get backup and running should we lose data which is backed up?
Will we be able to get back up and running if we lose data which is not backed up?

These are all valid questions but every one of them miss the main concern which has always existed but has come to the fore in the past few years.

How will if affect other people and organisations?

Just to bring some clarity to inward looking people, the above question also equates to the following.

Will we be sued, prosecuted or shown in the media to have compromised client data?

This changes the perspective and adds a whole new required functionality to the issue. We are now moving up from basic backup to actual data protection.

So, a manual drag and drop of files to an external pen drive or hard drive which is bandied about in a directors car at night may to a small degree offer an element of simple backup. It does on the other hand however very likely significantly increase the risk of data loss. This is not recognised by companies and individuals who are only interested in retaining a copy of data for themselves. If they look beyond this blinkeed and recklessly narrow focus they will see that the net effect is to place copies of client data in dangerous situations.

Ask yourself this.
Would I be satisfied if every company I have ever dealt with had personal and identifiable information pertaining to me being driven about in staff cars overnight?

Absolutely not. All this does is increase the number of potentially available copies of this information for the companies involved and also increase the risk of breach to those about whom the data relates.

So, simple backup is too narrow a focus. Offsite only helps if it does not as a consequence of being offsite increase data protection risk factors.

The next time you consider the importance of a file, don’t just consider how much you need that file. Also consider how much others need that file (and any other versions of it applicable to you) protected from public release.

Data security for dummies

There is much misunderstanding of data data security. This applies not just at end user level but also quite generally at overall small business level. Much of this is attributable to an ever growing and widely misused information technology vocabulary. Much of this vocabulary is brought about by intended use of trade and company names by interested parties  when producing instructions, guides and white papers.

For this reason, an understanding of data security may only be obtained by reducing the factors affecting and important to information security to micro or atom level. This has been approached by many. Here we are interested in the work of third party academics and not interested business parties.

Three classic data security components are Confidentiality, integrity and availability.
They are known as the CIA triad. CIA being the combined first letters of the three terms and triad being linguistically synonymous with the number three. The CIA triad was later added to in what is now known as the Parkerian hexad. Parkerian because it was proposed by Donn B. Parker and hexad because the number of elements was increased to six.

The six elements of information security (in our case, data security) according to the Parkerian hexad are as follows.

1. Confidentiality
2. Possession or Control
3. Integrity
4. Authenticity
5. Availability
6. Utility

A list can serve to prompt incorrect assumptions so lets take a closer look at these data security principles. You may not want to get in to the academics but someone in or representing your organisation needs to have  a clear insight so you can actively avoid data breach as against simply protect against data loss.

First off, why these six elements? Surely there are thousands of terms applicable to information. These six elements are widely agreed among data academics as being at micro or atomic level. They are considered to be essential and non overlapping from the point of view of information security.
Confidentiality deals with the who in data. Information which is available to nobody is essentially useless and it is therefore agreed that no matter the level of confidentiality required that there must be a default exception list with at least one entry. The confidentiality of data is therefore measured by comparing the required access with the actual access allowed.

Possession and control may seem to an extent to represent an overlap with confidentiality but it is agreed to be a component in it’s own right. An example would be a letter addressed to you arriving to someone else. They may not open it but regardless possession and control have been breached.

Integrity of data deals with state of data and the effect on it of any modification intended or otherwise. Integrity therefore not only applies with point in time condition but potential modifications by users, software and incidents.

 
Data authenticity is not only different to integrity but has a broader focus. Authenticity deals with labeling data. This applies not only to intended managed data store but data introduced to the organisation through communications. An example would be a communication which is received from party claiming to be from an origin different from the actual one. If this is ignored, the recipient may not be the victim of any intended crime but in real terms, just not knowing of the intention regardless of the failure or the perpetrator is in itself a breach. Another more innocent example would be a form filled out incorrectly in which an applicant or respondent accidentally places an email address in a name input box. Any failure to validate this is a data authenticity issue. 
Data availability deals not only with the possibility of accessing required information but any time lag in availing of information in normal and data outage circumstances. Nanosecond delays in normal circumstances may be a technical availability issue but not a concern such as that brought about by an hours delay, a full day delay or total outage scenario. 

Utility of data deals with the practical area of the benefits of data stored. How useful is the data? This applies also to the ability to read the data in so far as to the format it is stored in and any conversions applied or required to read. Even encryption can be said to affect the utility of data due to any time required to decrypt before reading. This is not to say that encryption is not recommended. Encryption is absolutely necessary in most business environments. Utility can be confused with availability. It is however quite distinct from availability. An example highlighting this would be data converted to generate a graphic display. Despite how well matched mathematically and helpful from a human viewpoint a visual display may be, this represents a utility modification.

In summary

Data security represents a process not a task. Data security is never 100% certain. Innocent  parties may suffer a breach despite the best will of the data administrator concerned. All this said, risk reduction is a clear responsibility for which clear steps must be taken. The consequences for everyone should business not make acceptable efforts are also clear as is the distinction between those who tool action to protect data and those who did not.

House of Commons data debate 12 November

This House of commons debate is quite fresh being dated 12 November 2008

I follow UK blogs and Irish blogs. A few click away from a regular UK site I read I fount the following.

Want to have your say in a house of commons debate on data management? The one I am following deals specifically with not alone the Governments handling of data but their subsequent handling of the situation arising from handling data badly. The opposition may have ulterior motives but this aside they are good at voicing public concern when it suits.

You can have a read and even join in this house of Commons data debate. You can even have your say. If your comment picks up enough following you may even end up influencing Government action. OK, that may be unlikely but is a possibility. Your post could at least tutor the opposition.

This is a far cry from watching the Irish Government dillydally late at night and hours after the event with one way communications only. Maybe someone will post explaining that a similar Irish service is running. That would be nice.

All in all, the UK Government are being forced to take data (privacy, responsibility and legislation) seriously and this has to be a good thing.

Some of the comments on the theyworkforyou site are also quite good and demonstrate a keen insight in to the importance of data management by the British public.

The participants (mostly male) can be bitchy but with a surprising amount of hidden and readily available ammunition. David Heathcoat-Amory hits hard. Not the type of man you want outside the tent shouting in. Being a conservative he is about as far outside the tent as people have wanted the conservatives for quite some time. So, enlighten me. What Irish service along these lines have I been missing?

I follow a few Irish politics sites and the Authors on twitter and despite a high standard I don’t know of anything with the time or resource to run at this standard.

Ask the data experts.

New! (October 2008)

Following of from the continuing success of the “Who’s who in data” interview series we have decided to allow you to ask the questions! Simply respond to this post using the standard comment option below. Present your question in the comment. Given the question is appropriate we will publish it and ask it of an expert from the “Who’s who in data” interview series. The expert asked will be chosen based on the relevance of their experience and expertise to your question and their willingness to answer. The chosen expert may therefore be from a past, present or yet to be published interview.

The real benefit here is that information on this page will be provided in order of readers wishes rather than the interview chronological order of the main “Who’s who in data” section.

Appropriate questions may be asked regarding any of the following.

Data protection, data management, data law, data backup, data security, data storage, data de-duplicattion, data technology, data privacy and yes you’ve got it. anything of relevance to the data industry.

Go ahead, all you have to do is ask! Click on comment and type your question.

I got an email this morning from searchstorage.co.uk

I receive them on occasion. This one attracted my attention as it related to 7 key questions to ask before moving to disk based backup. I wanted to read it. I stress read. I clicked the link. I disappointingly found myself in a form filling exercise. I reckon they lose most visitors at that point. I continued and was careful with the boxes I ticked regarding the possibility of them allowing third party junk mail to come to my inbox. I was even more careful about areas which required personal information as they are a serious security concern. I ignored the questions I was allowed to and fudged where I had no other choice but to provide information or not see the “7 key questions” I had gone to so much trouble to see.

Next I was presented with the option of opening a podcast now or downloading it for later! There was no plain text version. Not even a html version. Given I am in a work environment and therefore have no sound card or speakers on my system this was of no use whatsoever to me.

I closed the screen and dutifully reopened the email to remove myself from their mailing list. If you need to do this, the removal function is in the right hand margin of their email.

In response to this total waste of time we will create a text version of our own question list to consider and ask before moving to disk based backup. You will not need any specific hardware to avail of it. You will not be asked to provide any personally identifiable information and you will not be sent on a round trip of form filling for third parties. You will be allowed read it in plain text.

Are search storage unable to bring this level of convenience to readers. I fear I will never know as I am no longer on their mailing list.

Update 13:38 (9 October 2008)

Seven Key Questions to Ask Before Moving to Disk-Based Backup

We believe there are far more than seven. Given that seven is the order of the day, here are seven of the most important key questions to ask of yourself, local I.T. and your intended provider before moving to disk based backup.

1. How secure will remote data store be with regard to protecting it from hackers?
This is a serious issue. You don’t need to scour the media to find examples of businesses suffering greatly from data leaks. These stories run on a daily basis. They are never good news for those concerned.

2. How secure will remote data be with regard to availability.
Keeping your data safe from prying eyes in one issue. One major exception is obviously yourself. You need to know that the data is available to you without delay when needed.
Any limitations need to be discovered before you have an urgent retrieval requirement.
3. What implications will this have for any current data backup systems?
Few responsible data backup companies will actually tell you to refrain from continuing the use of legacy systems such as tape. This has to do with your online backup providers limited  knowledge of client systems on an individual basis and sensible legal reasons. Your provider should however be able to work with your onsite I.T. support to identify any issues from the online backup perspective and allow your onsite I.T. support to advise you as to any such modifications.

4. Will I be fully empowered to manage and monitor data backups?
The straight answer to this must be yes. In almost all cases it will be. If your provider has difficulty with a positive answer here, you may well consider your options as this is in most cases a standard feature and requirement/

5. What level of support will I receive relative to general queries?
With an task as serious as data backup, you want a reasonable response time to even the most mundane of day to day queries. Any doubt left lingering is at best a cause of stress and possibly a serious data risk.

6. What levle of support will I receive with regard to any disaster recovery requirement?
This one needs to be established in written format. The section of your S.L.A. which deals with this is an important variable in the determination of the usefulness and value of the service provided. The actual response relative to the promise is of course the true variable  so ensure the S.L.A. provides sanctions to your provider which are of a strong enough nature to be effective in ensuring promises are kept.

7. What data retention period or data retention version numbers can I avail of?
This is sometimes overlooked, often underestimated from an importance viewpoint and commonly misunderstood.
Many providers offer a 30 day or 30 version life-cycle. This can be a dangerous limitation. An example is the case of a virus infiltration. The virus your system got three months ago may not become apparent until today. If your restore window is thirty days, you will find yourself in a position which may allow only older and equally infected versions of files to be restored. You should avail of a service with a high retention period and better still a configurable one which you can amend at will and without having to liaise with your provider.

So there you have it, a text only list. No form filling, no need for multimedia and no concern over providing personally identifiable information.