Managing data risk in your backup and restore operations

Transcription

1 Managing data risk in your backup and restore operations By Richard Cocchiara, Karin Beaty, Paul Riegle and Sascha Johannes Contents 1 Executive summary 2 Protecting data in transit and at rest 2 Security features for data at rest 3 Protecting your network and servers 5 Establishing standards-based processes and policies for data access 7 Analyzing your risks with data protection analysis 7 Summary Executive summary A recent IBM study of IT risks demonstrates that the world is a risky place and getting riskier by the day. Reducing IT risks will be a key factor in the future success of any company and the careers of those charged with managing it. As your organization grows in size and complexity, so do your data volumes and IT infrastructure. This expansion can mean great opportunities for increased efficiencies and wider market reach, but it can also mean more risk for your data, whether from theft and fraud, or attempts at denial of service. Successfully balancing opportunity with risk requires a solid data risk management strategy that includes building dependable backup and restore policies and procedures into your business systems and processes. With any given backup policy, however, data is constantly on the move or being stored making security the top priority for best standards and practices. This white paper describes how IBM SmartCloud Managed Backup can help you successfully address these concerns using time-tested processes and policies, as well as security-rich data centers and technologies such as encryption, compression and authentication. In it we examine how key security components are built into our offerings; including using both embedded functions and integration with existing enterprise-class security offerings. It is our hope that the depth of this information will provide you with a deeper understanding of our dedication to managing your data and related IT risk.

2 The offerings we will discuss include: IBM SmartCloud Managed Backup remote data protection can deliver automated, scalable cloud-based backup and recovery operations for data on your geographically distributed servers to help improve your security posture, business resiliency and operational efficiency. IBM SmartCloud Managed Backup on-site data protection is a professionally managed backup and recovery service that uses enterprise-quality hardware, software, installation and provisioning within your data center or IBM s, and includes operational support hosted by IBM in disaster recovery centers worldwide. IBM SmartCloud Managed Backup fastprotect online can facilitate security-rich, cost-effective cloud-based data desktop backup designed to provide scalable, virtually continuous data protection for critical data assets, along with simplified restore capabilities. IBM SmartCloud Managed Backup data protection analysis can deliver a comprehensive and unbiased assessment of an organization s IT infrastructure and backup processes, along with related business processes and organizational risk. In addition, we will address the following questions: Is my data safe in transit and at rest? What prevents hackers from gaining access to my data? Is my data properly handled and deleted? Who can access my data? What are the benchmark measurements? Is my data backup strategy compliant? Protecting data in transit and at rest Security features for data in transit Without proper security measures, data that is being transferred over a network, or is in flight, can be susceptible to unauthorized access or eavesdropping. IBM SmartCloud Managed Backup offerings utilize leading data encryption and deduplication technologies to help protect data both in flight and at rest. Encryption for remote data protection Remote data protection can offer enhanced security during client-server data transfers through support for Secure Sockets Layer (SSL), a 128-bit Advanced Encryption Standard (AES) that can be used for any network communications where security is a concern, such as over the Internet. Encryption is built into the client and server software, eliminating the need for security keys. Remote data protection can provide optimal flexibility by allowing the choice of encryption method to be made either on a client-by-client basis or for an entire group of clients. Encryption is available for virtually all data transmission from any client to the remote data protection server or between the remote data protection server platforms using remote data protection replication. Encryption for on-site data protection On-site data protection can provide 128-bit client-side file-level data encryption and allows users to generate an encryption key of up to 63 characters in length to provide in-flight encryption. On-site data protection can also provide an optional enhanced encryption capability for data at rest on tape that is designed to comply with Federal Financial Institutions Examination Council (FFIEC) standards. This capability is delivered through IBM Tivoli Key Life Cycle Manager software, which supports 256-bit AES data encryption and allows users to implement and manage a revolving set of keys that can be scheduled to automatically change on a calendar basis. Security features for data at rest Data deduplication for remote data protection Data deduplication, an advanced compression technique, helps ensure that data is not readable to anyone at the remote vault location. Data deduplication can identify redundant data at the source and store only unique chunks of information across files, file systems and servers. These data chunks on average less than 12 KB in size as well as the index information needed to tie them together is spread across as many disks as possible in the system and each is concatenated or tacked onto other random data chunks. Only the remote data protection administration system can determine the distribution algorithm and then tie the relevant chunks together to make the information readable. 2

3 The net result is that the data stored in the system (as well as the indices) is distributed across the system. In addition, the need for the backup server to rehydrate the data means that even an unauthorized user who has gained physical access to a disk under false pretenses would, at worst, see only concatenated shreds of unrelated data strung together. With data deduplicated prior to leaving the protected host, less bandwidth is needed, enabling you to protect more data over existing bandwidth and for longer periods. Deduplication and tape encryption for on-site data protection Historically, the security of data stored on tape-based backup systems has been a top concern. Highly portable in nature, tapes with crucial company data are easy targets for theft. Some tape formats also provide a tape header utility that describes how to read the data on each tape, making the data even more exposed to possible theft. On-site data protection utilizes a disk storage unit by EMC Data Domain, which includes global compression technology that can combine inline deduplication with compression. Inline deduplication scans data and is designed to eliminate duplicate data from being stored on disk. Data Domain also uses local compression (similar to a tape drive) when writing to disk, which can reduce your data volume by up to 20 times over time. When this technology is used, data deduplication occurs while the backup software is sending data to disk and not on the on-site data protection backup client. To create efficiencies with various data and policy types, including full backups and database backups, only unique data is stored. In addition, on-site data protection using Tivoli Storage Manager software offers an optional robust tape encryption option available for data at rest through Tivoli Key Life Cycle Manager software. Tivoli Key Life Cycle Manager software can enable security-rich tape drive encryption and provide a usermanaged interface for configuring and administering keys and certificates, and a relational database (IBM DB2 ) to maintain metadata on keys and certificates and information on devices. As described previously, Tivoli Key Life Cycle Manager software is designed to comply with FFIEC standards, support 256-bit AES data encryption and allow users to implement and manage a revolving set of keys that can be scheduled to automatically change on a calendar basis to help reduce impact on performance. Multitenancy for on-site data protection using Tivoli Storage Manager Both remote data protection and on-site data protection allow for user data separation on a shared platform. In the case of on-site data protection, using Tivoli Storage Manager collocation allows for the segregation of data by tape and by user. With collocation enabled, the server keeps files belonging to a group of user nodes on a reduced number of sequential-access storage volumes assigned to those nodes only. Collocation not only allows the segregation of data by user but can also reduce the number of volume mounts required when common users restore, retrieve or recall a large number of files from the storage pool. Collocation thus can also reduce the amount of time required for these operations. Each registered user server is placed into a specific collocation group that tells Tivoli Storage Manager to direct the specific data for each group to their respective common set of tapes. Protecting your network and servers Blocking threats and unauthorized access to your network and servers from internal and external sources is a critical aspect of data protection. Managed backup cloud offerings incorporate extensive firewall implementations and security-rich solution designs combined with access control software technology. Remote data protection The remote data protection platform is protected by a firewall implementation with restricted firewall port access (permitting only those required for service) and near-real-time, around-theclock remote monitoring for malicious activity. The platform runs access-control software to monitor the file system and help ensure that no changes have been made. 3

4 Single site location or multiple branch IBM or customer Customer servers Disk library Tape library WAN Backup network Master server Primary backup infrastructure Virtual private network (VPN) IBM service platform Global support center Figure 1. IBM SmartCloud Managed Backup infrastructure Organizations using remote data protection can choose to deploy a vault either publicly or privately addressed. Public deployment takes place in an Internet-facing IBM data center for backup traffic. A private deployment takes place within the secure network at a location of your choice. Both on-site data protection and remote data protection offerings include a private internal management network that can provide IBM support staff with remote access to each backup infrastructure. The management network enables the automation of the site monitoring for alerts, backup validation and data collection. This network is protected through a security-rich firewall and VPN that permits only specific hosts to gain access and even then only after they enter the proper validation sequence. This same VPN is used to provide a security-rich replication service between sites. On-site data protection In addition to using the private management network described above, on-site data protection also uses a private backup network that connects your server to the backup server using virtual local area networks (VLAN) connectivity. The private backup network is a dedicated, isolated Ethernet network with no external connectivity and only those hosts subscribed to the VLAN can be granted access. Each host subscribing to the backup service is provided with a unique nodename. The unique nodename is used much like a login id, requiring a unique user-generated password that the administrator creates during the initial setup. Using this nodename and password combination allows access to your data, and helps ensure that no other data is visible. Industry-standard ip tables filter all 4

5 incoming packets, allowing only a narrow range of communication ports assigned to the service on the incoming stream from the client to the server. All unneeded services are disabled, with the exception of those required to run reporting, monitoring and backups. On-site data protection also includes installed firewalls for remote VPN access and blocked in-bound Internet traffic. Your service is provisioned on separate VLANs, and access control lists (ACLs) are applied to each VLAN interface, protecting each customer. Software firewalls run on each backup server, and system-level intrusion detection monitors file changes. Establishing standards-based processes and policies for data access Ensuring that your data is properly handled starts with establishing policies and procedures based on time-tested standards and industry-leading best practices, such as IT Infrastructure Library (ITIL ). However, first and foremost, IBM policy is to handle your data per your requirements, which set the parameters for the handling and protection of your data. As part of those requirements IBM works to ensure that the right levels of access and authentication are maintained, whether to a network, server or physical data center. Striking the right combination of user-based privileges and conservative data access control provides the capability to perform backup and restore tasks with optimal efficiency and flexibility without sacrificing data security. Access and authentication Remote and on-site data protection services can provide three levels of authentication and access control. The first level is designed to authenticate user or administrator access to the system. Although most enterprise backup and restore systems operate around a model of authenticating only a machine and not the human user, remote data protection works on the concept that both, hosts and users, must be authenticated. Registration establishes an identity for each client with the server. Once the server identifies the client, it assigns a unique client ID, which is passed back to the client for activation. Client activation passes the client ID back to the client, where it is stored in an encrypted file on the file system, effectively closing the loop. Whenever remote client operations are performed, this ID is used to validate the client with a challenge/ response mechanism. In addition to client activation, each user is provided with a unique account and password that must be individually authenticated before he or she can restore data from the system. Specifically, remote data protection defines what activities the user or administrator can perform at initial system implementation. As the client systems are defined and registered, user accounts are assigned to these systems with each account being allotted a set of defined privileges. Remote data protection also determines what data the user or administrator can view or perform other activities against. Once granted the ability to perform web restores, users can view and operate the privileged activity only for data that belongs to them. This is managed through the ACLs. Files with singleowner ACLs are restorable only to the originating user account. Files with global or world ACLs are restorable to all users assigned to the client system where the file originated. Files with group ACLs (a list of users on a system) are not restorable by any user and must be restored by an administrator. With on-site data protection using Tivoli Storage Manager, support staff access is granted based on RSA SecurID authentication. Each user must have a valid log in on the 5

6 Tivoli Storage Manager server, a registered token, and a validated and registered SecureID password. IBM follows a strict ITCS104 security policy for each backup server. The IBM security scan runs once a month to validate compliancy, and a compliancy script is run on the server daily to help ensure adherence to the security policy. Physical access to data Stringent security controls and mechanisms also control access to physical data centers, and support personnel are trained, certified and routinely audited to help ensure that data handling is in compliance with these procedures. Access to IBM data centers follows IDC best practices and grants individual access requests only to support personnel authorized to access each specific backup infrastructure. Access can be granted on an as-needed basis by support personnel for anyone else requiring access. IBM personnel in IBM data centers are bound by policies including ITCS104 for physical security requirements, IBM Business Conduct Guidelines and other legal and corporate mandates. If the IBM SmartCloud Managed Backup infrastructure is hosted in the IBM Cloud and housed in our world-class IBM Business Continuity and Resiliency Services (BCRS) data center, then certain physical conditions may apply. IBM SmartCloud Managed Backup backup infrastructures can consist of either a locked rack on the data center floor or a dedicated data center locked cage with one or more racks within. Installed biometrics can further restrict access to raised-floor areas or areas where client data might be present, and personnel do not have the necessary login to the vault, nor is administrative access to vault data permitted. IBM can also restrict access by: Overwriting client recovery device operating systems between events to remove access to operating system image, existing logins, application layer and all middleware that could be used to view, transmit or interpret data Prescribing a dual-control approach of executing and observing when executing scripts on the client s behalf Reinforcing adherence to cleanup checklist by executing another tool to perform a low-level delete of the desk to change the geometry of the device Utilizing numbered containers, digital container photos and scanned barcodes for media handling and in accordance with the capabilities and policies of the local courier service provider Performing frequent unannounced audits and daily site readiness meetings to enforce adherence to processes Note: If the IBM backup cloud infrastructure is deployed on your premises instead of an IBM data center, then you are responsible for the physical security of the data. In addition, safeguards are in place after data has reached the end of the retention period. If a backup set is deleted for example, overwriting the data during daily maintenance or if test data has been generated during a recovery test in the provisional data center, we can erase the old data and in many cases, deliver the log from the erase job. Fastprotect online for your laptops and desktops Similar to remote and on-site data protection services, fastprotect online can provide a security-rich solution with continuous data protection specifically for laptops and desktops that can include the following: Encryption keys Users designate data to be protected with a private encryption key. Users must keep track of their own encryption keys, as IBM does not manage this for them, and the encryption file does not get stored on the server unless it is explicitly backed up by the end user. There is a process in the FPO service to transfer service from the machine with the drive failure to another machine, where all the remote files from the failed machine will be available for restore. 6

7 Protection for data in flight Data can be encrypted during transfer using a 128-bit SSL format. Web restores can be accessed via SSL connections. Protection for data at rest Data is stored on disk in an encrypted format using 128-bit Advanced Encryption Standard (AES), making it unreadable. Networking security Firewalls are installed for remote VPN access. No in-bound internet traffic is permitted. Clients are provisioned on separate VLANs with ACLs applied to each interface. Analyzing your risks with data protection analysis As part of the IBM SmarCloud Managed Backup portfolio, the data protection analysis can provide an objective review of your current backup and restore environment. IBM experts can use a nonintrusive data gathering process to analyze a representative set of metadata from your backup environment and to help you identify potential risks of exposure and alert you to any infrastructure or backup problems. Our detailed analysis includes tailored, actionable suggestions to help you increase your IT efficiency and optimize spending in focal areas such as server location and IP address, operating (OS) level, total data on server, amount of data to be backed up, backup window, retention period, recovery time objective (RTO) and largest backups (GB). Comprehensive centralized reporting covers identified locations, devices, servers, clients and backup network. In addition, our data protection analysis tool is completely transparent to and accessible by a simple laptop with the software tool. You can remove the laptop and uninstall the backup agents at any time. Although you have visibility of all the metadata that is being collected, your data will not be readable because no there is no available authentication information. Moreover, the node will be deleted from the laptop after completion of the analysis. During the analysis, all data is handled by the qualified IBM Tier 2 SmartCloud Managed Backup Global Service Delivery team. Summary With the changing nature of the workplace and explosion in data volumes, managing data risk has become vital, and security is a top priority for backup and restore policies. As a large enterprise that deals with the above challenges on a daily basis, IBM can understand and relate to your concerns. With decades of experience maintaining continuous operations for our company and for businesses in practically every industry and in every part of the world we can team with you to help map the road ahead for your data risk strategy. IBM SmartCloud Managed Backup offers a choice of targeted data protection solutions backed by security-rich data centers, time-tested technologies and standards-based processes to help protect your critical business data. And with experience managing over 3,400 information protection clients with more than 138 petabytes of data, you can be confident knowing that IBM has the expertise and resources to help safeguard your information. For more information To learn more about IBM SmartCloud Managed Backup, please contact your IBM marketing representative or IBM Business Partner, or visit the following website: ibm.com/services/continuity Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energyefficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing 7

8 Copyright IBM Corporation 2011 Produced in the United States of America All Rights Reserved IBM, the IBM logo, Tivoli and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml Other company, product or service names may be trademarks or service marks of others. Please Recycle BUW03021-USEN-01