Title: Marco T. Chou
1 Enterprise DATA Protection
- Marco T. Chou
- Sr. Planning Consultant
- Allstate Insurance Company
- 3075 Sanders Rd., G2E
- Northbrook, IL 60062-7127
- (O) 847-402-2720
- (C) 847-226-2263
2 What are the two most important words in IT?
Data Protection
- Agenda
- Stay In Business (Backup and Recovery)
- Guidelines for Developing RTO and RPO
- Components of Recovery Time
- Recovery Technology Methods
- Trade-offs Between Tape and Disk Recovery
- How To Size Recovery Infrastructure
- Moving Data To The Mountain
- Do You Know Where Your Data Is?
- Stay Out Of Trouble (Regulatory Compliance)
- Information Lives, Moves and Changes
- Information Protection
- IT Requirements for Data Access Accountability
- Summary
3 Developing RTOs and RPOs
- These are driven by defined business requirements (i.e., SLA)
- These requirements are often about survival
- (RTO) Recovery Time Objectives: The target time to return a business process to an acceptable functional state following a disruption.
- (RPO) Recovery Point Objective: The point in time prior to the disruption to which data will be recovered.
- Can be done by getting a handle on the exposures faced by a business
- Financial, Operational, or Legal Exposures
- Can be achieved by a formal Business Impact Analysis (BIA)
- Measured by time lost, cost of downtime and cost of lost data
4 Components of Recovery Time
- Recovery Time must be measured from when business functionality is lost, to when it is restarted in an acceptable form.
- These phases include
- Declaration
- Transportation (people, equipment, tapes)
- Manual
- Electronic
- Reconstruction of servers
- Reloading of data
- Restoring of applications and networks
- Some phases run in parallel, many do not
- Consider issues with each phase for your site
- What are your options? Is there a better way to do it?
- What's the price tag?
- Factors that affect these times are
- People, Process, Procedure
- Technology, throughput, bandwidth, etc.
- Business Recovery Plans
5 Recovery Technology Methods - Server
- Cold (Hours -> Days)
- Reload from tapes
- Reload from network images
- Rebuild from scratch
- Lengthy process but less expensive
- Significant impact to business, users, and customers
- Warm (Minutes -> Hours)
- Reconfigure for production
- Reboot off alternate internal drives
- Moderate impact to business, users, and customers
- Hot (0 -> Minutes)
- High availability clusters
- Instant fail over
- Fast but expensive
- Least (or NO) impact to business, users, and customers
6 Recovery Technology Methods - Data
- Tape
- Tape Cloning for Remote Storage
- Remote Tape Vaulting
- Manual
- Electronic
- Disk
- Application Based Replication
- Database Based Replication
- Storage Controller Based Replication
- SAN Based Replication
7 Trade-Offs Between Tape and Disk
- Disk based recovery
- Is an on-line recovery
- Instant access
- Allows for hitting much tighter RTOs and RPOs
- Tape based recovery
- Is an off-line recovery
- Must load, configure and read the data before it can be accessed
- Lengthy process
- Through-put rates
- Read from disk vs. read from tape
- Removable Media
- A tape can be taken out of the library and taken to the recovery site
- A tape can be dropped, broken and lost and you may not know it
- Ability to store vs. ability to access
- Tape capacities increased 10 fold, but access rate increased 3 fold
- Consider the Value of Your Data
8 How to Size Recovery Solutions
- Driven by many factors
- Recovery Objectives
- How quickly must recovery be achieved?
- How much must be recovered? GBs vs. TBs, 5 vs. 50 servers
- How much data can you afford to lose?
- Backup window: Downtime for applications (SLA, # of 9s)
- Network Bandwidth
- Between sites (Cold, Warm, Hot)
- Within sites
- Resource and availability
- Server capacity
- Tape drive
- Costs of technology
- HW, SW, Storage (Disk/Tape), Network, Vendor
- Must be done year by year: prices drop and technology changes
9 Moving Data To The Mountain
In the 1950s, a Pennsylvania mine served as a bomb shelter for companies' executives and records.
10 Today, a data center in the former mine receives archival records over the Internet.
Reference: www.IronMountain.com
11 Do You Know Where Your Data Is?
- Putting the Right Infrastructure in Place
- Compliance with electronic records retention regulations, whatever their source
- Storage medium
- Options: Tape, magnetic disk, optical disk
- Considerations: Security, data integrity, costs, performance, accessibility, searchability
- Applications
- Must comply with the relevant regulations
- Capabilities: Records protection, online indexing, categorization, search, audit
- Policies and Procedures
- How data is to be moved and stored
- How and when authorized IT and other personnel can access and modify data
- If and when data should be destroyed after a certain retention period
- Must ensure that unauthorized employees do not have the ability to inappropriately access, alter, or delete records
12 Information Lives, Moves and Changes
- Information is Alive: The Blood of Your Business
- Changes over time
- Information is different
- Information Protection Isn't About Cost, It's About Business Value
- Different Value
- Classify Your Data
- Tier your storage level
- Manage Growth
- Protection: Backup, Access Control
- Regulatory Compliance
- Faster Recovery
- Costs
- What factors impact information value?
- Legislation
- Business Processes
- Data Purpose Change
- Litigation and Audits
- ILM (Information Lifecycle Management): http://www.emc.com/ilm
13 Information Protection: Why Now?
- Existing Regulations
- IRS
- Securities and Exchange Commission's rule 17a-4
- Requires financial services companies to archive all electronic communications, including e-mail and instant messages.
- Gramm-Leach-Bliley Act
- Banks are facing higher data demands on privacy rules
- New Regulatory Drivers
- USA Patriot Act: Anti-money-laundering (Bank)
- Sarbanes-Oxley Act (SOA)
- Health Insurance Portability and Accountability Act (HIPAA)
- California Security Breach Notification law
- Higher Marketplace Expectations
- What Are CIOs Thinking
- Here are the most important IT management issues that CIOs will confront in 2004 (ComputerWorld 1/26/2004)
- Sarbanes-Oxley Act
- Security
- Project prioritization
- Continued focus on cost
- IT sourcing
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,89378,00.html
14 Where to Start
- No Magic
- No shrink-wrap
- No turn-key solution
- No one-size fits all
- Won't happen overnight
- Understand the consequences
- Objective: Phased Approach (Divide and Conquer)
- Form team of stakeholders
- Company culture and business process change
- Executive sponsorship
- Funding and resource
- Interpret applicable regulations and requirements
- Legal assistance
- Outside perspectives and peer practices
- Decide approach and methodology
- Risk mitigation
15 What Applies To Your Business?
- Confusion on interpretation, deadlines, and implementation
- SEC 17a-4: Every member, broker and dealer shall preserve for a period of not less than 6 years, the first two in an easily accessible place, all records required to be made
- Sarbanes-Oxley: Internal Controls now interpreted to mean Internal financial reporting controls
- Automation vs. Manual process
16 Compliant Record Retention Periods Increase
- Pharmaceutical/Life Sciences
  - Records relating to manufacturing, processing, and packing of drugs and pharmaceuticals: 3 years after distribution
  - Records relating to manufacturing of biological products: 5 years after end of manufacturing of product
- Healthcare (HIPAA)
  - All hospitals must retain medical records in originally or legally produced form: 5 years
  - Medical records: 2 years after patient's death
- Financial Services (SEC 17a-4)
  - Financial statements: 3 years
  - Member registration for broker/dealers: End-of-life of enterprise
  - Trading account records: End of account 6 years
- OSHA
  - Employee and medical records of individuals exposed to toxic substances: 30 years after completion of audit
- Sarbanes-Oxley
  - Original correspondence from financial audits of publicly traded corporations: 4 years after completion of audit
Source: Enterprise Storage Group, 5/2003
17 IT requirements for data access accountability
- Who did what to which data when, and by what means?
- IT should be a partner in compliance
- Finance people and auditors are leading Sarbanes-Oxley initiatives
- Documentation and analysis will identify gaps in business process and shortcomings in IT
- Technology is not the starting point
- Efforts must begin with a business perspective
- Take a comprehensive look at internal controls
- Consider all systems that generate financial reports, e-mails, or store information
- Be notified when someone changes database schema or permissions
- Keep a record of all changes to schemas and permissions
- Know what data was changed, when, and by whom
- Know who has viewed certain data and when
- Generate periodic reports on who accessed certain tables
- Investigate suspicious behavior on certain tables
- Know who modified a set of tables over a period of time
- Automate procedures across multiple servers
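The accountability questions on this slide, answered from one merged audit trail; this is an added example, not part of the original presentation. The pipe-delimited record layout (server, time, user, action, table, means), the sample records and all function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (server|time|user|action|table|means); not real logs.
RAW = """\
db01|2004-03-01T09:12:00|jsmith|SELECT|gl.ledger|reporting-app
db01|2004-03-01T09:40:00|akhan|UPDATE|gl.ledger|sqlplus
db02|2004-03-02T22:05:00|akhan|GRANT|gl.ledger|sqlplus
db02|2004-03-03T01:17:00|batch|ALTER TABLE|gl.accruals|deploy-tool
db01|2004-03-04T14:30:00|mlee|DELETE|gl.accruals|odbc
db02|2004-03-09T08:00:00|jsmith|SELECT|hr.payroll|reporting-app
"""

READS = {"SELECT"}
WRITES = {"INSERT", "UPDATE", "DELETE"}
CONTROL = {"CREATE TABLE", "ALTER TABLE", "DROP TABLE", "GRANT", "REVOKE"}
FIELDS = ("server", "when", "who", "action", "table", "means")

def parse(raw):
    """Merge records from all servers into one time-ordered trail."""
    events = []
    for line in raw.splitlines():
        ev = dict(zip(FIELDS, line.split("|")))
        ev["when"] = datetime.fromisoformat(ev["when"])
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])

def control_changes(events):
    """Schema and permission changes: notify on each and keep the record."""
    return [e for e in events if e["action"] in CONTROL]

def who_touched(events, tables, actions, start, end):
    """Per table, the users who performed `actions` within [start, end)."""
    report = defaultdict(set)
    for e in events:
        if e["table"] in tables and e["action"] in actions and start <= e["when"] < end:
            report[e["table"]].add(e["who"])
    return {t: sorted(u) for t, u in report.items()}

if __name__ == "__main__":
    trail = parse(RAW)
    week = (datetime(2004, 3, 1), datetime(2004, 3, 8))
    for e in control_changes(trail):
        print("ALERT", e["when"], e["server"], e["who"], e["action"], e["table"], e["means"])
    print("viewed:", who_touched(trail, {"gl.ledger", "hr.payroll"}, READS, *week))
    print("modified:", who_touched(trail, {"gl.ledger", "gl.accruals"}, WRITES, *week))
```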
18 Summary
- Understand business requirements and regulations
- Establish policies and procedures
- Consistency and Integrity
- Validate procedures and processes periodically
- Document everything
- Security, privacy, access control, change management, risk control
- Prove that electronic systems
- Work reliably and consistently
- Produce and maintain reliable, trustworthy and authentic records
- Have audit trail capabilities
- Make sure it's accurate and easy to retrieve
- Buy more storage, store more data, and keep it longer
- Recommendations
- Plan for regulatory compliance expenditures
- Standardization and consolidation can help reduce overall cost of compliance
- Prioritization