A how-to guide on using cloud services for security-rich data backup

By Karin Beaty and Chris Bode

Contents
- Executive Summary
- Technology Advances
- Service Management Best Practices
- Standards-based Processes and Policies
- Managing Physical Security
- Analyzing your risks with data protection analysis
- Summary

Executive summary

The tremendous growth of data has created unprecedented challenges for businesses today. Although data growth can help improve efficiencies and expand market reach, it can also expose a business to more risks, such as data theft, fraud and service interruptions. With data becoming increasingly dynamic, risk management, alongside business resilience and security, has emerged as a top priority for standards and practices in many organizations. In the IBM Global CIO Study, with input from over 400 IT and C-suite managers, 37 percent of respondents cited data loss and 61 percent cited data breach as causing reputational harm.

"IT ... is like the heart pumping blood to the whole body, so any failure could threaten the whole organization's survival."
IT manager, French IT and technology company

Successfully balancing opportunity and reputational risk requires a strategy that includes a solid business resiliency plan along with dependable backup and restore policies for systems and processes. This also helps address the need for better security of data and applications, using advanced technology and analytical capabilities.
This white paper discusses how you can:
- Use IBM's integrated technologies to help protect servers in both physical and virtual environments, and more effectively use advanced techniques to help reduce data redundancy
- Act as a virtual extension of your backup environment with trained specialists who employ leading practices designed to provide around-the-clock support for backup and restoration services
- Help restrict access to data by independent users through data segregation
- Help improve data management by using stronger policies and procedures based on standards and industry-leading best practices
- Offer physical security to an organization's data center environment to help protect networks and servers and allow restricted access to data
- Help deliver a more thorough and unbiased assessment of an organization's information technology (IT) infrastructure and backup processes, along with related business processes and organizational risk, through data protection analysis

In addition, the white paper helps determine whether the protection of physical and virtual servers is key to improving business continuity and resilience, and looks at more effective ways to gain visibility into backup and restore operations. It also examines the capabilities that help manage ever-expanding data while helping detect whether your data security and backup are vulnerable.

Technology advances to help better secure your data backup

Without proper security measures, data that is being transferred over a network (data in flight) can be susceptible to unauthorized access or eavesdropping. IBM SmartCloud Managed Backup offerings use leading data encryption and deduplication technologies to help protect data both in flight and at rest.

Encryption

IBM SmartCloud Managed Backup can provide 128-bit client-side file-level data encryption and allows users to generate an encryption key of up to 63 characters in length to provide in-flight encryption.
SmartCloud Managed Backup can also provide an optional enhanced encryption capability for data at rest on tape that is designed to comply with Federal Financial Institutions Examination Council (FFIEC) standards. This capability is delivered through IBM Tivoli Key Lifecycle Manager (TKLM) software, which supports 256-bit Advanced Encryption Standard (AES) data encryption and allows users to implement and manage a revolving set of keys that can be scheduled to change automatically on a calendar basis. For offsite backups requiring the highest standards of protection, optional Federal Information Processing Standard (FIPS) Publication Level 1 certified encryption services are available.

TKLM is an optional, robust tape encryption feature for data at rest. The TKLM software can provide security-rich tape drive encryption and a user-managed interface for configuring and administering keys and certificates, along with a relational database (IBM DB2) to maintain metadata on keys and certificates and information on devices.

For some configurations, customers may prefer client-side encryption, which provides encryption in flight and allows the customer to generate a one-time encryption key per protected server. It is supported for most backup types. The data is encrypted using customer-controlled keys before it crosses the demarcation between IBM and the customer.

Server protection

IBM SmartCloud Managed Backup integrates with VMware's vStorage API for Data Protection (VADP) technology to allow backups of virtualized environments to be taken far more efficiently than if they were treated as physical environments. Both the Storage Area Network (SAN)-based transport method and the Network Block Device (NBD)-based transport method are supported, so the solution is flexible enough to fit a wider variety of customer environments.
IBM's aggressive integration with VMware can significantly reduce the time and effort system administrators must spend preparing systems for restore, while giving the customer greater flexibility. In traditional recovery scenarios, physical machines for restores must be identified and either have their operating systems reinstalled or recovered using a system-imaging or bare metal restore (BMR) product before the core applications can be recovered and brought online. These traditional procedures are tightly coupled to the exact hardware make and model of the original machine, which may not be available at the time of recovery. By integrating with VMware, the need to first recover the operating system, either by a reinstall or through a system-imaging or BMR product, is reduced. Instead, the restore of the operating system, data and application can be accomplished in a single pass without intervention from the systems administrator. As a result, this integration allows enhanced flexibility in how systems are recovered. During the single-pass restore, IBM can reconfigure many aspects of the virtual machine, such as converting to thin provisioning or changing the network configuration.

Increased resiliency with software-based data deduplication

Data deduplication, an advanced compression technique, also helps prevent others from reading data at the remote vault location. Data deduplication identifies redundant data at the source and stores only unique chunks of information across files, file systems and servers. These data chunks, on average less than 12 KB in size, as well as the index information needed to tie them together, are spread across as many disks as possible in the system, and each is concatenated onto other random data chunks. Only the IBM SmartCloud Managed Backup administration system can determine the distribution algorithm and tie the relevant chunks together to make the information readable. The net result is that the data stored in the system (as well as the indices) is distributed across the system. In addition, because the backup server must rehydrate the data, even an unauthorized user who has gained physical access to a disk under false pretenses would, in the worst case, see only concatenated shreds of unrelated data strung together. With data deduplicated before it leaves the protected host, less bandwidth is needed, helping you protect more data over existing bandwidth and for longer periods.
[Figure: SmartCloud Managed Backup Common Service Architecture and Management. Multiple locations connect over a wide area network (WAN) and VPN to a centralized backup infrastructure (managed private cloud, dedicated hosted cloud and/or shared cloud), forming a unified backup domain with servers, media libraries, backup devices, a primary backup infrastructure, and centralized management and monitoring.]
The solution has client-side deduplication integrated into the service. It removes redundant data at the source and can reduce central processing unit (CPU), memory and input/output (I/O) utilization rates. It applies to flat file data, databases and applications that are supported by the service. In virtual environments, the deduplication work can be offloaded to an alternate backup client to reduce the impact of backup on the virtual client. In addition, the IBM SmartCloud Managed Backup service infrastructure includes the IBM System x3650 M3 server, which is well suited to this load because it offers multiple CPU sockets and high-performance x86-based CPUs.

By using a software-based deduplication engine, IBM can provide a single, integrated and highly flexible deduplication solution. IBM can choose where deduplication occurs on a per-backup-event basis, allowing multiple datasets within a single client to receive individualized treatment. Because the implementation is software based, backups taken using one deduplication method are restorable using either method, and duplicate data can be identified across datasets regardless of how they are handled. Additionally, the software-based engine allows IBM to tightly couple the application and deduplication metadata during replication, so replicated backups become immediately available. This coupling is a significant improvement over previous replication techniques that required the storage to be indexed or the metadata to be manipulated manually, raising concerns about the timeliness and reliability of replicated backup events. IBM can also use the integration afforded by a software-based approach to tune the deduplication engine to the type of backup being performed, helping provide the optimal balance of data reduction and throughput.
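The chunking, index and rehydration behaviour described in the deduplication passages above (chunks averaging under 12 KB tied together by an index, and a client-side engine that sends only unique chunks) can be traced in the following added example. It is illustrative code written for this page, not IBM's code and not the SmartCloud Managed Backup distribution algorithm; it assumes a gear rolling hash with a 1 KiB minimum, roughly 4 KiB average and 16 KiB maximum chunk size, SHA-256 chunk identifiers, an in-memory vault, and constructed sample data (256 KiB of pseudo-random bytes plus a small configuration file).

```python
"""Client-side content-defined chunking and deduplication (added illustrative example,
not IBM SmartCloud Managed Backup code). Chunk-size parameters, the gear-hash boundary
rule and the sample data are assumptions chosen to mirror the behaviour described."""
import hashlib
import random
from typing import Dict, List, Tuple

MIN_CHUNK = 1024          # never cut a chunk shorter than this
MAX_CHUNK = 16384         # force a cut at this size even without a content boundary
AVG_MASK = (1 << 12) - 1  # cut when the low 12 hash bits are zero: boundaries ~4 KiB apart
MASK64 = (1 << 64) - 1

# Gear table for the rolling hash: 256 pseudo-random 64-bit values from a fixed seed,
# so that chunk boundaries are reproducible between backup runs.
_rng = random.Random(0)
_GEAR = [_rng.getrandbits(64) for _ in range(256)]


def chunk_boundaries(data: bytes) -> List[Tuple[int, int]]:
    """Split data into (start, end) chunks with a gear rolling hash. A cut depends only on
    the last few bytes of content, so an insertion changes the chunk containing the edit
    and later chunks realign with the previous run."""
    chunks = []
    start, n = 0, len(data)
    while start < n:
        h = 0
        limit = min(start + MAX_CHUNK, n)
        cut = limit
        for i in range(start, limit):
            h = ((h << 1) + _GEAR[data[i]]) & MASK64
            if i + 1 - start >= MIN_CHUNK and (h & AVG_MASK) == 0:
                cut = i + 1
                break
        chunks.append((start, cut))
        start = cut
    return chunks


class Vault:
    """Server side: unique chunks keyed by SHA-256 plus a manifest (index) per file and run.
    Without a manifest the chunk store is just unordered shreds of unrelated files."""
    def __init__(self) -> None:
        self.chunks: Dict[str, bytes] = {}
        self.manifests: Dict[Tuple[str, int, str], List[str]] = {}

    def has(self, chunk_id: str) -> bool:
        return chunk_id in self.chunks

    def put(self, chunk_id: str, blob: bytes) -> None:
        self.chunks[chunk_id] = blob

    def restore(self, node: str, run: int, path: str) -> bytes:
        """Rehydrate a file by walking its manifest in order."""
        return b"".join(self.chunks[c] for c in self.manifests[(node, run, path)])


class BackupClient:
    """Protected host: chunks locally and sends only chunks the vault has not seen."""
    def __init__(self, node: str, vault: Vault) -> None:
        self.node, self.vault, self.run = node, vault, 0

    def backup(self, files: Dict[str, bytes]) -> Dict[str, int]:
        self.run += 1
        stats = {"chunks": 0, "sent_chunks": 0, "total_bytes": 0, "sent_bytes": 0}
        for path, data in files.items():
            manifest = []
            for s, e in chunk_boundaries(data):
                blob = data[s:e]
                chunk_id = hashlib.sha256(blob).hexdigest()
                stats["chunks"] += 1
                stats["total_bytes"] += len(blob)
                if not self.vault.has(chunk_id):  # only unique chunks cross the network
                    self.vault.put(chunk_id, blob)
                    stats["sent_chunks"] += 1
                    stats["sent_bytes"] += len(blob)
                manifest.append(chunk_id)
            self.vault.manifests[(self.node, self.run, path)] = manifest
        return stats


def make_sample_files() -> Dict[str, bytes]:
    """Constructed sample data: 256 KiB of pseudo-random 'database' bytes and a small config."""
    rng = random.Random(42)
    db = bytes(rng.getrandbits(8) for _ in range(256 * 1024))
    return {"db.dat": db, "app.conf": b"retention_days=30\nencryption=client\n"}


def demo() -> Dict[str, object]:
    """Two runs of one host; the second inserts 100 bytes into the middle of db.dat."""
    vault = Vault()
    client = BackupClient("host-01", vault)
    files = make_sample_files()
    first = client.backup(files)
    db = files["db.dat"]
    changed = dict(files, **{"db.dat": db[:131072] + b"\x5a" * 100 + db[131072:]})
    second = client.backup(changed)
    return {"first": first, "second": second,
            "restored_ok": vault.restore("host-01", 2, "db.dat") == changed["db.dat"],
            "unique_chunks_in_vault": len(vault.chunks)}
```

Calling demo() backs up the host twice; the second run, which inserts 100 bytes into the middle of db.dat, transfers only the chunk or two around the edit rather than the whole file, because content-defined boundaries realign after the change, and the unchanged configuration file transfers nothing. The vault's chunk dictionary alone carries no file structure; only the manifest ties the shreds back into a readable file, which is the point the white paper makes about a disk removed from the vault.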
Client-side deduplication allows IBM to significantly reduce network utilization by decreasing the need to retransmit data repeatedly, which reduces the load that data protection places on the network. When used together with IBM's file system journal integration, which allows the backup software to process only changed files, backup runtimes are also dramatically reduced, with less impact on the customer's machines.

Service Management Best Practices

Service Management Support Structure

IBM SmartCloud Managed Backup support consists of a large team of trained specialists located around the world, including:
- Steady State Global Support Center: operates around the clock and helps monitor all infrastructure and services at Tier 1 and Tier 2 levels
- Global Transition and Deployment: focuses on transition and deployment support, as well as asset management support services at Tier 3
- Infrastructure and Network Support Services: helps integrate virtually all production infrastructure and services, configures and maintains all network devices and covers security-related software and configuration
- Services Management: focuses on client care and governance, new service rollouts, documentation and training
- Project Management Office: supports large contract and major upgrade implementations, as well as providing project management for service offering improvements

The service is complemented by a robust reporting capability, offering clients increased management views of performance, usage and billing integration.

[Figure: service management support elements: resolution expertise, service execution, monitoring, reporting, governance process and meetings, communication, visibility, document of understanding]
Service Management Support Governance

A key factor for success is open and frequent communication between the customer and IBM SmartCloud Managed Backup. This communication comes through regular governance meetings and reporting, as well as notifications of service-impacting activity (backup failures, maintenance events and outage notifications). IBM believes that communication is key to organizing and using that power for your benefit. With effective communication, IBM can demonstrate value as an extension of your IT team, helping to protect your data.

Better efficiencies in customer data segregation

IBM SmartCloud Managed Backup allows for user data separation on a shared platform. For example, Tivoli Storage Manager collocation allows data to be segregated by tape and by user. With collocation enabled, the server keeps files belonging to a group of user nodes on a reduced number of sequential-access storage volumes assigned to those nodes only. Collocation not only segregates data by user but can also reduce the number of volume mounts required when common users restore, retrieve or recall a large number of files from the storage pool, and so can also decrease the time these operations take. Each registered user server is placed into a specific collocation group that tells IBM SmartCloud Managed Backup to direct that group's data to its own common set of tapes.

Deduplication devices store data in one aggregate volume in order to realize global commonality and are designed to make better use of available storage. Although most customer data will reside on the same aggregate disk, no customer can access another customer's data, because the data is stored based on a unique client name and server definition properties configured during the client installation process.
When retrieving data, each client must authenticate with the backup server, have its Internet Protocol (IP) address validated as the correct source for that client, and then can browse only the data it wrote. Data from each host that IBM helps protect retains its association with the originating host throughout its lifecycle. No other host within any segment of a customer's organization can access another host's data unless that permission has been specifically granted on a per-host basis. By controlling access to backups on a per-host basis, IBM can help protect your data not only from outside threats but also from unauthorized internal access by members of the customer's organization who do not have administrative access to the host in question. Finally, IBM has automated auditing tools that can track the origin of all restore events in order to correlate them with a valid customer request.

Establishing standards-based processes and policies

Proper management of your data starts with establishing policies and procedures based on time-tested standards and industry-leading best practices, such as the IT Infrastructure Library (ITIL). First and foremost, however, IBM's policy is to manage your data per your requirements, which set the parameters for handling and protecting your data. As part of those requirements, IBM works to provide the right levels of access and authentication, whether to a network, a server or a physical data center. Striking the right combination of user-based privileges and conservative data access control allows backup and restore tasks to be performed with optimal efficiency and flexibility without sacrificing data security.

Access and authentication

IBM SmartCloud Managed Backup can provide three levels of authentication and access control. The first level is designed to authenticate user or administrator access to the system.
Although most enterprise backup and restore systems operate around a model of authenticating only a machine and not the human user, the solution works on the concept that both hosts and users must be authenticated. Registration establishes an identity for each client with the server. Once the server identifies the client, it assigns a unique client ID, which is passed back to the client for activation. Client activation passes the client ID back to the client, where it is stored in an encrypted file on the file system, completing the cycle. Whenever remote client operations are performed, this ID is used to validate the client with a challenge-response mechanism. In addition to client activation, each user is provided with a unique account and password that must be individually authenticated before he or she can restore data from the system.

With IBM SmartCloud Managed Backup, support staff access is granted based on Lightweight Directory Access Protocol (LDAP) authentication. Each user must have a valid login on the backup server, a registered token, and a validated and registered LDAP password. IBM follows a strict ITCS104 security policy for each backup server. The IBM security scan runs once a day to validate compliance, and a compliance script is run on the server daily to help ensure adherence to the security policy.

Physical Security

Protecting your networks and servers

Blocking threats and unauthorized access to your networks and servers from internal and external sources is a critical aspect of data protection. Managed backup cloud offerings incorporate extensive firewall implementations and security-rich solution designs combined with access control software technology. IBM SmartCloud Managed Backup includes a private internal management network that provides IBM support staff with remote access to each backup infrastructure. The management network facilitates the automation of site monitoring for alerts, backup validation and data collection. This network is protected through a security-rich firewall and virtual private network (VPN) that permits only specific hosts to gain access, and even then only after they complete the proper validation sequence.
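The registration, activation and challenge-response sequence described under Access and authentication, together with the per-host browsing rule from the data segregation section (a client authenticates, has its source IP validated, and then sees only the data it wrote unless access was granted per host), can be followed in this added example. It is illustrative code written for this page and not IBM's implementation; it assumes an HMAC-SHA256 response to a 16-byte nonce, an in-memory catalog, and constructed node names, addresses and paths.

```python
"""Host registration, challenge-response validation and per-host catalog access
(added illustrative example, not IBM SmartCloud Managed Backup code). The HMAC-SHA256
response, nonce size, in-memory catalog and node names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ClientRecord:
    client_id: str
    secret: bytes          # activation secret; a real agent keeps this in an encrypted file
    source_ip: str         # the address the server expects this client to connect from
    readers: Set[str] = field(default_factory=set)  # nodes granted access to this node's data


class BackupServer:
    """Server side: identities, one-time challenges and the per-host catalog."""
    def __init__(self) -> None:
        self.clients: Dict[str, ClientRecord] = {}   # node name -> record
        self.node_by_id: Dict[str, str] = {}         # client id -> node name
        self.catalog: Dict[str, List[str]] = {}      # node name -> backed-up paths
        self.pending: Dict[str, bytes] = {}          # client id -> outstanding nonce

    def register(self, node: str, source_ip: str) -> Tuple[str, bytes]:
        """Registration: establish an identity and hand back a unique client ID and secret."""
        client_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.clients[node] = ClientRecord(client_id, secret, source_ip)
        self.node_by_id[client_id] = node
        self.catalog.setdefault(node, [])
        return client_id, secret

    def challenge(self, client_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[client_id] = nonce
        return nonce

    def validate(self, client_id: str, response: bytes, source_ip: str) -> Optional[str]:
        """Accept only a known ID, a fresh nonce, a matching HMAC and the expected source
        address. Returns the authenticated node name, or None."""
        node = self.node_by_id.get(client_id)
        nonce = self.pending.pop(client_id, None)    # each nonce is usable exactly once
        if node is None or nonce is None:
            return None
        rec = self.clients[node]
        expected = hmac.new(rec.secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response) or source_ip != rec.source_ip:
            return None
        return node

    def record_backup(self, node: str, path: str) -> None:
        self.catalog[node].append(path)

    def grant(self, owner: str, reader: str) -> None:
        self.clients[owner].readers.add(reader)

    def browse(self, node: str, owner: str) -> List[str]:
        """A host sees only the data it wrote unless the owner explicitly granted it access."""
        if node != owner and node not in self.clients[owner].readers:
            raise PermissionError(f"{node} may not browse backups of {owner}")
        return list(self.catalog[owner])


class BackupAgent:
    """Client side: holds the activated identity and answers challenges."""
    def __init__(self, node: str, source_ip: str, server: BackupServer) -> None:
        self.node, self.source_ip, self.server = node, source_ip, server
        self.client_id, self.secret = server.register(node, source_ip)  # activation

    def authenticate(self, from_ip: Optional[str] = None,
                     secret: Optional[bytes] = None) -> Optional[str]:
        nonce = self.server.challenge(self.client_id)
        response = hmac.new(secret or self.secret, nonce, hashlib.sha256).digest()
        return self.server.validate(self.client_id, response, from_ip or self.source_ip)


def demo() -> Dict[str, object]:
    server = BackupServer()
    host_a = BackupAgent("host-a", "10.0.0.11", server)  # constructed names and addresses
    host_b = BackupAgent("host-b", "10.0.0.12", server)
    server.record_backup("host-a", "/var/lib/db/backup.dat")  # constructed path
    results: Dict[str, object] = {
        "a_ok": host_a.authenticate() == "host-a",
        "wrong_secret": host_a.authenticate(secret=b"\x00" * 32) is None,
        "wrong_source_ip": host_a.authenticate(from_ip="10.0.0.99") is None,
        "own_data": server.browse("host-a", "host-a"),
    }
    # Replay: reusing a response after its nonce was consumed must fail.
    nonce = server.challenge(host_a.client_id)
    response = hmac.new(host_a.secret, nonce, hashlib.sha256).digest()
    first = server.validate(host_a.client_id, response, host_a.source_ip)
    second = server.validate(host_a.client_id, response, host_a.source_ip)
    results["replay_rejected"] = first == "host-a" and second is None
    try:
        server.browse(host_b.node, "host-a")
        results["cross_host_blocked"] = False
    except PermissionError:
        results["cross_host_blocked"] = True
    server.grant("host-a", "host-b")
    results["after_grant"] = server.browse("host-b", "host-a")
    return results
```

demo() exercises the checks a defender would want to see fail: a wrong secret, a connection from an unexpected address, a replayed response (the nonce is consumed on first use) and a cross-host browse before a grant. The secret is held in memory here, whereas the paper describes storing the activated ID in an encrypted file on the client's file system.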
The same VPN is also used to provide a security-rich replication service between sites.

In addition to the private management network, the solution uses a private backup network that connects your server to the backup server using virtual local area network (VLAN) connectivity. The private backup network is a dedicated, isolated Ethernet network with no external connectivity; only hosts subscribed to the VLAN can be granted access. Each host subscribing to the backup service is given a unique node name. The node name is used much like a login ID, requiring a unique user-generated password that the administrator creates during initial setup. This node-name and password combination grants access to your data and helps verify that no other data is visible. Industry-standard iptables rules filter all incoming packets, allowing only the narrow range of communication ports assigned to the service on the incoming stream from the client to the server. All unneeded services are disabled, with the exception of those required to run reporting, monitoring and backups. The solution also includes installed firewalls for remote VPN access and blocks inbound Internet traffic. Your service is provisioned on separate VLANs, and access control lists (ACLs) are applied to each VLAN interface, protecting each customer. Software firewalls run on each backup server, and system-level intrusion detection monitors file changes.

Physical access to data

Stringent security controls and mechanisms also help control access to physical data centers, and support personnel are trained, certified and routinely audited to help ensure compliance with these procedures. Access to IBM data centers follows International Data Corporation (IDC) best practices and grants individual access requests only to support personnel authorized to access each specific backup infrastructure.
Access can be granted on an as-needed basis by support personnel for anyone else requiring access. IBM personnel in our data centers are bound by policies including ITCS104 for physical security requirements, as well as strictly enforced IBM Business Conduct Guidelines and other legal and corporate mandates. If the IBM SmartCloud Managed Backup infrastructure is hosted in the IBM cloud and housed in our world-class IBM Business Continuity and Resiliency Services (BCRS) data center, then certain physical conditions may apply. IBM SmartCloud Managed Backup infrastructures can consist of either a locked rack on the data center floor or a dedicated, locked data center cage containing one or more racks. Installed biometrics can further restrict access to raised-floor areas or areas where client data might be present, and personnel do not have the necessary login to the vault, nor is administrative access to vault data permitted.

IBM can also restrict access by:
- requirements, including the National Nuclear Security Administration (NNSA) Policy Letter NAP-14.x and Department of Defense (DoD) M scrubbing
- Overwriting client recovery device operating systems between events to remove access to the operating system image, existing logins, the application layer and all middleware that could be used to view, transmit or interpret data
- Prescribing a dual-control approach of operating and observing when running scripts on your behalf
- Reinforcing adherence to the cleanup checklist by using another tool to perform a low-level delete of the disk to change the geometry of the device
- Utilizing numbered containers, digital container photos and scanned barcodes for media handling, in accordance with the capabilities and policies of the local courier service provider
- Performing frequent unannounced audits and daily site readiness meetings to enforce adherence to processes
- Applying strict controls to what IT equipment may be brought into and taken out of any IBM facility

(Note: If the IBM SmartCloud Managed Backup infrastructure is deployed on your premises instead of in an IBM data center, then you are responsible for the physical security of the data.)

In addition, safeguards are in place after data reaches the end of its retention period. If a backup set is deleted (for example, by overwriting the data during daily maintenance), or if test data has been generated during a recovery test in the provisional data center, we can erase the old data and, in many cases, deliver the log from the erase job. When tapes reach the end of their lifecycle, they are destroyed on premises by a tape services provider. A certificate of destruction is furnished by the provider to help manage compliance for secure destruction.
Depending on the customer's preference, the destruction may be witnessed by both IBM SmartCloud Managed Backup personnel and customer personnel. Similarly, disk devices storing customer data are subjected to a data scrub in order to completely sanitize the disks before they are removed from service. Several different disk scrub types are available based on the customer's specific

Analyzing your risks with data protection analysis

As part of the IBM SmartCloud Managed Backup portfolio, the data protection analysis tool can provide a more objective review of your current backup and restore environment. IBM specialists use a nonintrusive data-gathering process to analyze metadata from your backup environment, to help you identify potential risks of exposure and to alert you to any infrastructure or backup problems. Exhaustive centralized reporting covers identified locations, devices, servers, clients and the backup network. The data protection analysis tool is also highly transparent and is accessible through a simple laptop configured for this purpose. You can remove the laptop and uninstall the backup agents at virtually any time. Although you have visibility of the metadata being collected, your data will not be readable because no authentication information is available. Moreover, the node is deleted from the laptop after the analysis is complete.

Summary

Business complexities have rendered organizations susceptible to risks from data loss and corruption, and mitigating these risks is an immediate priority. As an industry-leading provider of cloud-based resiliency services, IBM combines best-of-breed hardware, software and services to provide you with an expansive cloud solution. Our highly trained specialists make it possible for your IT personnel to focus on more important business priorities.
IBM can demonstrate the use of advanced technology for an effective backup system, along with service management best practices, physical security measures and wide reporting and analytics capabilities for enhanced security review. We have extensive experience managing thousands of information protection clients with more than 1 million backups per month, which can increase your confidence in our ability to safeguard your information.
For more information

To learn more about IBM SmartCloud Managed Backup, please contact your IBM marketing representative or IBM Business Partner, or visit the following website: ibm.com/services/continuity

© Copyright IBM Corporation 2012
IBM Global Services
New Orchard Road
Armonk, NY
Produced in the United States of America

IBM, the IBM logo, ibm.com, SmartCloud, Tivoli, and System x are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark, of The Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark Office.

Not all offerings are available in every country in which IBM operates. This document is current as of the initial date of publication and may be changed by IBM at any time.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Actual available storage capacity may be reported for both uncompressed and compressed data and will vary and may be less than stated.

BUW03021-USEN-02