Backups and Disaster Recovery " Two out of every five enterprises that experience a disaster go out of business within five years." (Gartner, Disaster Recovery Plans and Systems are Essential, Robert Witty, Donna Scott, September 2001)‏ Having a Plan B Business Continuity Planning and Disaster Recovery Individual User Requirements How, What and When to Backup ? Restoring Data from Backups Confidentiality of offsite Backup Data Backing up over a Network Some Automated Backup Scripts

Backing up, security and Plan B When we don't back up, we have no security. Plan B is what we will do when what we normally do fails. Keeping some candles and a lighter is a backup for an electricity cut. The same goes for food you can eat if the refrigerator fails and there are no food shops nearby. This is all common sense. BUT, computer backup requirements are complex and while the same common sense applies, knowledge of more complex requirements has to be kept updated for us to be able to implement backup procedures and recovery plans. Having a computer backup often just means having another copy of the data in a safe place.

Business Continuity Planning andDisaster Recovery Backing up can also be about having up to date copies of entire systems and having alternative hardware ready to run these backups and alternative office space. A routine of planning, training and preparing for the BCP plan to swing into action may be needed and the BCP will need testing and maintenance. The degree of attention to "Plan B" will depend upon the nature of the security threats you are protecting against. If your interest is in air-traffic control you will probably want your disaster-recovery system, plan and staff are all kept operational and ready to switch over when needed at a moment's notice.

Hotsites, Warmsites and Coldsites A dedicated off-site DR site ready to switch in at short notice is called a "hotsite". A site which is cabled, has furniture and systems on which software can be installed and backups recovered is called a "warmsite". Time to restore operations might be a few hours. A coldsite needs more preparation in the event of a disaster. Organisations paying for use of disaster recovery facilities will want to share the cost with organisations assumed unlikely to suffer disasters at the same time, but the time needed for business systems to become operational again is greater.

Individual PC Users If you only use a computer for wordprocessed letters and small spreadsheets which are printed out, photocopied and snail mailed then you have little reason to take backups of the files, as your paper copies are the backups. As the computer and data it accesses become more central to your work and communications, the costs of losing data and systems availability will increase.

PC User Threats Protected Against Mistakes, e.g. in deleting things you shouldn't. Loss of work through hardware or software failure. Data destroyed through malicious software. Theft of the PC - so long as the backups are not stolen at the same time. Fire - backup media needs to be elsewhere or in a fireproof safe.

Why don't we do it consistently ? Obtaining security through constant vigilance is seen as a waste of time when everything works as it should. Taking daily backups and locking these in a safe can take many hours over a year if done manually. A security trade off has to be made between the risks and costs of losing and having to recreate work, and the cost and time spent taking backups.

Automated Backups Taking backups of parts of a system can be automated, and more easily over a network than using removeable media. BUT: due to a shortage of programming skills, few computer users ever learn how to write simple scripts and schedule routine jobs.

What to backup ? 1. Source documents you have created. 2. Program configurations which have taken time to learn and research. 3. Original software media. How easily could this be re-obtained ? 4. Or the whole system ? Businesses were advised regularly to backup the entire system, including the operating system, device drivers, applications and data but this is now unrealistic.

Why not backup the full system ? After hardware failure or theft you would be unlikely to obtain an exact replica of the working hardware. You would need different drivers and configurations. Disk drives are larger than removable media backup devices. As of Oct 2008 a tape drive capable of backing up a 400GByte hard disk cost typically 7-10 times as much. In many cases reinstalling a working system only requires the data to be backed up. Keep backup copies of original installation media for all software and a per-system index. When an application or OS is upgraded, older configurations can often be reused or merged.

When and how often ? Relevant questions include: "How often do files, software and configurations change ?" and "What is the cost and how much time is needed to recover lost work if the system fails just before it was due to be backed up ?" For an individual, ing a copy of work in progress whenever it has changed more than trivially as an attachment to the user's own webmail account might be adequate. Have a backup of important source documents on media lodged less frequently at another trusted address also. Backup software configurations if configuring software involves much work.

Full and incremental backups Because a full backup may involve multiple backup volumes (tape cassettes or DVD-Rs), traditionally full backups are taken less frequently intervals than incremental backups. E.G. a full backup might be taken every week over the weekend, and nightly incremental backups might be taken of changes made after each working day. Restoring this system will require the full backup, and up to 5 incremental backups depending upon how far into the working week the state of the restored system will be updated.

Backup Generations Normally the backup media will be managed such that a minimum number of generations of the data are stored at any one time. For example, if weekly full backups are kept and nightly incremental backups, the same tapes might be recycled every 4 weeks. If a system fails while the weekly backup is being performed, it can still be restored to its status 24 hours previously. Having at least 3 full generations available is considered good practice. This approach helps to protect against data loss which goes undetected for some time.

Which directories need backup ? On Unix user data is typically in /home/$USER. All user configurations are stored in hidden files and directories with names starting with "." in the /home/$USER directory. System- wide configurations are stored in /etc. Some applications may keep configurations and data elsewhere -.e.g. Mailman on Debian uses /var/lib/mailman. Local software is often kept in /usr/local. On Windows the My Documents folder is used for user data - but most Windows installations give every user administrator rights. The Windows registry configuration database needs special software to backup.

Data Restoration If you have suffered a data loss, backed up data need to be handled and restored carefully. BUT, those likely to be responsible for getting the system back online will be under pressure to act quickly. There is a danger that if the original data was lost due to a mistake or bug, that the same mistake or bug will recur in connection with backup media. If the device used to read the backup media has not been used for a long time, its correct operation must be carefully tested and confirmed first.

Data Restoration slide 2 If the operating system driving the backup device, or the device itself are not both in a fully confirmed working state, the only remaining most-recent copy of the backup data should not be put at risk. Use hardware “write protect” mechanisms on media if available. Duplicate the backup media on a more trusted system prior to restoration.

Backup System Planning For a data and systems dependant business, a well organised backup system and a considered recovery plan will be needed. A systems review is needed, and decisions made about data needing regular backup, and what the backup intervals (e.g. weekly, nightly etc.) should be. Staff will need training in appropriate procedures, e.g. to store all data belonging to the organisation on a network file server instead of on local PC hard disks. All applications required for the organisation to function must be identified, and copies of installation media catalogued and kept in fire-proof storage.

Will Recovery Work ? You won't be certain until you've tried. To be confident that the backups are valid you need periodically to attempt to restore samples. Backups and procedures may be tested more comprehensively if you can afford to test the disaster recovery plan. This is comparable to having fire evacuation practices. These procedures are costly because they displace normal work, but the cost is small compared to something going wrong in a real emergency.

Confidentiality of Data in Backup Files and Media The difficulty is that the requirement not to compromise confidentiality has to be traded off against the requirement to hold the backup as independently as possible from the working data. If you want more security than a fireproof safe at the system location, e.g. because the safe could be wheeled off by well equipped attackers, or broken into, or because the fire resistance is not total, you will need to keep off-site backups. This risks data compromise, e.g. in a security van, and in the off-site storage location. The level of protection needed depends upon how valuable this data is to a potential attacker.

Backing up using a Network Taking off-site backups can be automated if the system to be backed up and the system storing the backups are networked. To prevent loss of confidentiality, the connection should be encrypted, e.g. using a VPN or a secure shell connection. Instead of transferring full copies regularly, the 2 sites can be synchronised, so that only the changes are transferred. The RSYNC protocol is used for this purpose. Multiple generations of data should be kept on the backup site. The authentication and encryption keys used should only be used for the backup subsystem, which should be isolated from the system on which it operates as much as possible.

Further Reading At the end of the HTML version of these notes are some shell scripts which implement a fully automated network backup system using RSYNC over SSH to backup a set of directories on a hosted server, to the system administrator's home network. Wikipedia Business Continuity Planning article: