Marco T' Chou

1
Enterprise DATA Protection

• Marco T. Chou
• Sr. Planning Consultant
• Allstate Insurance Company
• 3075 Sanders Rd., G2E
• Northbrook, IL 60062-7127
• (O) 847-402-2720
• (C) 847-226-2263

2
What are the two most important words in IT?
Data Protection

• Agenda
• Stay In Business (Backup and Recovery)
• Guidelines for Developing RTO and RPO
• Components of Recovery Time
• Recovery Technology Methods
• Trade-offs Between Tape and Disk Recovery
• How To Size Recovery Infrastructure
• Moving Data To The Mountain
• Do You Know Where Your Data Is?
• Stay Out Of Trouble (Regulatory Compliance)
• Information Lives, Moves and Changes
• Information Protection
• IT Requirements for Data Access Accountability
• Summary

3
Developing RTOs and RPOs

• These are driven by defined business requirements
  (ie. SLA)
• These requirements are often about survival
• (RTO) Recovery Time Objectives The target time
  to return a business process to an acceptable
  functional state following a disruption.
• (RPO) Recovery Point Objective The point in time
  prior to the disruption to which data will be
  recovered.
• Can be done by getting a handle on the exposures
  faced by a business
• Financial, Operational, or Legal Exposures
• Can be achieved by a formal Business Impact
  Analysis (BIA)
• Measured by time lost, cost of downtime and cost
  of lost data

4
Components of Recovery Time

• Recovery Time must be measured from when business
  functionality is lost, to when it is restarted in
  an acceptable form.
• These phases include
• Declaration
• Transportation (people, equipment, tapes)
• Manual
• Electronic
• Reconstruction of servers
• Reloading of data
• Restoring of applications and networks
• Some phases run in parallel, many do not
• Consider issues with each phase for your site
• What are your options? Is there a better way to
  do it?
• Whats the price tag?
• Factors that affect these times are
• People, Process, Procedure
• Technology, throughput, bandwidth, etc.
• Business Recovery Plans

5
Recovery Technology Methods - Server

• Cold (Hours - - gt Days)
• Reload from tapes
• Reload from network images
• Rebuild from scratch
• Lengthy process but less expensive
• Significant impact to business, users, and
  customers
• Warm (Minutes - - gt Hours)
• Reconfigure for production
• Reboot off alternate internal drives
• Moderate impact to business, users, and
  customers
• Hot (0 - - gt Minutes)
• High availability clusters
• Instant fail over
• Fast but expensive
• Least (or NO) impact to business, users, and
  customers

6
Recovery Technology Methods - Data

• Tape
• Tape Cloning for Remote Storage
• Remote Tape Vaulting
• Manual
• Electronic
• Disk
• Application Based Replication
• Database Based Replication
• Storage Controller Based Replication
• SAN Based Replication

7
Trade-Offs Between Tape and Disk

• Disk based recovery
• Is an on-line recovery
• Instant access
• Allows for hitting much tighter RTOs and RPOs
• Tape based recovery
• Is an off-line recovery
• Must load, configure and read the data before
  it can be accessed
• Lengthy process
• Through-put rates
• Read from disk vs. read from tape
• Removable Media
• A tape can be taken out of the library and taken
  to the recovery site
• A tape can be dropped, broken and lost and you
  may not know it
• Ability to store vs. ability to access
• Tape capacities increased 10 fold, but access
  rate increased 3 fold
• Consider the Value of Your Data

8
How to Size Recovery Solutions

• Driven by many factors
• Recovery Objectives
• How quickly must recovery be achieved?
• How much be recovered? GBs vs. TBs 5 vs. 50
  servers
• How much data can you afford to lose?
• Backup window Downtime for applications (SLA,
  of 9s)
• Network Bandwidth
• Between sites (Cold, Warm, Hot)
• Within sites
• Resource and availability
• Server capacity
• Tape drive
• Costs of technology
• HW, SW, Storage (Disk/Tape), Network, Vendor
• Must be done year by year prices drop and
  technology changes

9
Moving Data To The Mountain
In the 1950s, a Pennsylvania mine served as a
bomb shelter for companies executives and
records.
10
Today, a data center in the former mine receives
archival records over the Internet.
Reference www.IronMountain.com
11
Do You Know Where Your Data Is?

• Putting the Right Infrastructure in Place
• Compliance with electronic records retention
  regulations, whatever their source
• Storage medium
• Options Tape, magnetic disk, optical disk
• Considerations Security, data integrity, costs,
  performance, accessibility, searchability
• Applications
• Must comply with the relevant regulations
• Capabilities Records protection, online
  indexing, categorization, search, audit
• Policies Procedures
• How data is to be moved and stored
• How and when authorized IT and other personnel
  can access and modify data
• If and when data should be destroyed after a
  certain retention period
• Must ensure that unauthorized employees do not
  have the ability to inappropriately access,
  alter, or delete records

12
Information Lives, Moves and Changes

• Information is Alive The Blood of Your Business
• Changes over time
• Information is different
• Information Protection Isnt About Cost Its
  About Business Value
• Different Value
• Classify Your Data
• Tier your storage level
• Manage Growth
• Protection Backup, Access Control
• Regulatory Compliance
• Faster Recovery
• Costs
• What factors impact information value?
• Legislation
• Business Processes
• Data Purpose Change
• Litigation and Audits
• ILM (Information Lifecycle Management)

http//www.emc.com/ilm
13
Information Protection Why Now?

• Existing Regulations
• IRS
• Securities and Exchange Commissions rule 17a-4
• Requires financial services companies to archive
  all electronic communications, including e-mail
  and instant messages.
• Gramm-Leach-Bliley Act
• Banks are facing higher data demands on privacy
  rules
• New Regulator Drivers
• USA Patriot Act Anti-money-laundering (Bank)
• Sarbanes-Oxley Act (SOA)
• Health Insurance Portability and Accountability
  Act (HIPPA)
• California Security Breach Notification law
• Higher Marketplace Expectations
• Whats CIOs Thinking

• Here are the most important IT management issues
  that CIOs will confront in 2004 (ComputerWorld
  1/26/2004)
• Sarbanes-Oxley Act
• Security
• Project prioritization
• Continued focus on cost
• IT sourcing

http//www.computerworld.com/securitytopics/securi
ty/recovery/story/0,10801,89378,00.html
14
Where to Start

• No Magic
• No shrink-warp
• No turn-key solution
• No one-size fits all
• Wont happen over night
• Understand the consequences
• Objective Phased Approach (Divide Conquer)
• Form team of stakeholders
• Company culture and business process change
• Executive sponsorship
• Funding and resource
• Interpret applicable regulations requirements
• Legal assistance
• Outside perspectives peer practices
• Decide approach methodology
• Risk mitigation

15
What Applies To Your Business?

• Confusion on Interpretation, deadlines, and
  implementation
• SEC 17a-4 Every member, broker and dealer shall
  preserve for a period of not less than 6 years,
  the first two in an easily accessible place, all
  records required to be made
• Sarbanes-Oxley Internal Controls now
  interpreted to mean Internal financial reporting
  controls
• Automation vs. Manual process

16
Compliant Record Retention Periods Increase
Records relating to manufacturing, processing,
and packing of drugs and pharmaceuticals 3
years after distribution
Pharmaceutical/Life Sciences
Records relating to manufacturing of biological
products 5 years after end of manufacturing of
product
All hospitals must retain medical records in
originally or legally produced form 5 years
Healthcare (HIPAA)
Medical records 2 years after patients death
Financial Services (SEC 17a-4)
Financial statements 3 years
Member registration for broker/dealers
End-of-life of enterprise
Trading account records End of account 6 years
Employee and medical records of individuals
exposed to toxic substances 30 years after
completion of audit
OSHA
Original correspondence from financial audits of
publicly traded corporations 4 years after
completion of audit
Sarbanes-Oxley

• 1 2 3 4 5 10 15
  20

Source Enterprise Storage Group, 5/2003
17
IT requirements for data access accountability

• Who did what to which data when, and by what
  means?
• IT Should be partner of the compliance
• Finance people and auditors are leading
  Sarbanes-Oxley initiatives
• Documentation and analysis will identify gaps in
  business process and shortcomings in IT
• Technology is not the starting point
• Efforts must begin with a business perspective
• Take a comprehensive look at internal controls
• Consider all systems generate financial reports,
  e-mails, store information
• Be notified when someone changes database schema
  or permissions
• Keep a record of all changes to schemas and
  permissions
• Know what data was changed, when, and by whom
• Know who has viewed certain data and when
• Generate periodic reports on who accessed certain
  tables
• Investigate suspicious behavior on certain tables
• Know who modified a set of tables over a period
  of time
• Automate procedures across multiple servers

18
Summary

• Understand business requirements and regulations
• Establish policies and procedures
• Consistency and Integrity
• Validate procedures and processes periodically
• Document everything
• Security, privacy, access control, change
  management, risk control
• Prove that electronic systems
• Work reliably and consistently
• Produce and maintain reliable, trustworthy and
  authentic records
• Have audit trail capabilities
• Make sure its accurate and easy to retrieve
• Buy more storage, store more data, and keep it
  longer
• Recommendations
• Plan for regulatory compliance expenditures
• Standardization and consolidation can help reduce
  overall cost of compliance
• Prioritization