What’s expected from you in your role as a CISO is expanding as companies rely heavily on more complicated information systems. There is a barrage of threats and more reliance on technology as businesses leave pencil and paper behind. The status quo is not an option with so much change occurring within the IT industry, so let’s cover one aspect that is often overlooked: an effective backup system. When all is well, there is nothing to worry about. A poorly configured backup system, however, can make life more than a little tricky when you can’t restore your files effectively or efficiently. Let’s cover just a few aspects that help relieve the worry. We can start with…
Strong Client-Side Encryption
Client-side encryption (CSE) keeps data secure from the moment it leaves your computer and travels to another destination. Its contents can only be decrypted with a key to which only you have access. As an Information Officer, you know how valuable your company’s information is. This added layer of protection ensures that the management of data security stays under your control, at your location. Pairing CSE with procedures to manage the security of the keys themselves is just as important: if the key is lost, so is the backup, and if the key leaks, so does the data. So that’s one side of it — encrypting data on the client side. But data is always on the move, so read on.
Verified and Encrypted Transit
Computers are just things. They don’t know each other, or even that they exist, unless we humans tell them so. When two of them are first introduced (by us), they should constantly check that they are still who they say they are. So when moving data around, the source and destination should always be verified to ensure that the information stays only between them. Adding encryption to this process adds yet another layer of protection. Both clients and servers should use a secure transport like SSL/SSH with host authentication based on public/private key pairs, so that a backup is never sent to a host whose key you have not verified. Using things like SMB or NFS shares for transferring backups is not recommended. Whatever your information is, somebody else wants it. If you effectively patrol the data, you have the upper hand. But things happen. Systems are made up of computers, and computers are vulnerable to many things. So how can you recover when data is lost due to some unforeseen event?
Tested, Well-Documented and Rapid Recovery
There are a lot of things to consider when designing your backup system. What’s your recovery time objective? What’s your budget? What exactly are you going to back up? Should you test it daily, weekly or monthly? The difficult task is finding a balance that works for you, and when you do, test it! There’s nothing worse than having a failsafe measure, well… fail. Document your backup and restore results and tweak your procedures to optimize the solution. This way, a potential catastrophic event can instead be a minor disturbance. Remember, a backup is not a backup until you have tried restoring it!
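To make the client-side encryption point and the restore-test point concrete, here is an added example script. It is not from the original post and not part of zbackup, rzbackup or rsync; it only uses tar, openssl and coreutils. Every path (a scratch root, a "vault" directory standing in for the remote backup target, a keys directory), both keys and the two sample ledger files are constructed for the demo. It encrypts the archive before it leaves the client, tags the ciphertext so a corrupted or altered copy is refused, restores into a scratch directory, checks every restored file against the source checksums, and appends the result to a log so the test is documented. The final step deliberately damages the vault copy to show that the restore test catches it.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt a backup on the client,
# then prove the restore works before trusting it.
# Assumes tar, openssl (1.1.1+ for -pbkdf2), sha256sum and awk are available.
# Every path, key and sample file below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch root for the whole demo
SRC="$WORK/data"               # the client's live data
VAULT="$WORK/vault"            # stands in for the remote backup target
KEYS="$WORK/keys"              # key material: stays on the client, never copied to the vault
LOG="$WORK/restore-test.log"   # the documented record of each restore test

make_sample_data() {
  umask 077                    # keys and scratch dirs readable by this user only
  mkdir -p "$SRC/ledger" "$VAULT" "$KEYS"
  printf 'invoice 1001 paid\n' > "$SRC/ledger/ar.txt"   # constructed sample file
  printf 'vendor 77 net30\n'   > "$SRC/ledger/ap.txt"   # constructed sample file
  # Separate secrets for confidentiality and integrity.
  openssl rand -hex 32 > "$KEYS/enc.key"
  openssl rand -hex 32 > "$KEYS/mac.key"
}

# HMAC-SHA256 over a file, keyed with the client's MAC key.
tag_of() {
  openssl dgst -sha256 -hmac "$(cat "$KEYS/mac.key")" "$1" | awk '{print $NF}'
}

# Client-side encryption: the archive is encrypted before it leaves the client,
# so the vault only ever holds ciphertext plus an integrity tag.
backup() {
  tar -C "$SRC" -cf - . \
    | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$KEYS/enc.key" \
        -out "$VAULT/backup.tar.enc"
  tag_of "$VAULT/backup.tar.enc" > "$VAULT/backup.tar.enc.hmac"
}

# Restore test: verify the tag first, decrypt into a scratch directory (never
# over the live data), and compare every restored file with its source checksum.
# Each outcome is appended to the log so the result is documented.
restore_test() {
  if [ "$(cat "$VAULT/backup.tar.enc.hmac")" != "$(tag_of "$VAULT/backup.tar.enc")" ]; then
    echo "$(date -u +%FT%TZ) FAIL integrity tag mismatch, restore aborted" >> "$LOG"
    return 1
  fi
  scratch="$WORK/restore"
  rm -rf "$scratch" && mkdir -p "$scratch"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$KEYS/enc.key" \
      -in "$VAULT/backup.tar.enc" | tar -C "$scratch" -xf -
  ( cd "$SRC" && find . -type f | sort | xargs sha256sum ) > "$WORK/source.sums"
  if ( cd "$scratch" && sha256sum -c --quiet "$WORK/source.sums" ); then
    echo "$(date -u +%FT%TZ) PASS restored and verified $(wc -l < "$WORK/source.sums") files" >> "$LOG"
    return 0
  fi
  echo "$(date -u +%FT%TZ) FAIL restored files do not match source" >> "$LOG"
  return 1
}

# Simulate a corrupted or altered copy in the vault: the restore test must refuse it.
tamper_test() {
  printf 'X' >> "$VAULT/backup.tar.enc"      # any change to the ciphertext breaks the tag
  if restore_test; then return 1; fi         # a restore that "succeeds" here is the real failure
  return 0
}

make_sample_data
backup
restore_test
tamper_test
cat "$LOG"                                   # one PASS line, then one FAIL line
```

Two design choices worth noting: the integrity tag uses a second key and is checked before anything is decrypted, because `openssl enc` offers no authenticated cipher mode on its own; and the restore always lands in a scratch directory that is compared with the source rather than copied over it. In a real deployment the vault directory would live on a remote host reached over the verified SSH transport described in the previous section, which this offline demo replaces with a local directory.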
And There’s More…
Let’s face it. You have a lot on your plate. The increasing demands on information security make your objectives more challenging and your goals further from reach. Having a well-defined backup solution in place is a facet of data management that cannot be ignored. Consider all of the data that your business relies on — accounts receivable/payable, sales and customer databases, supplier information, so on and so forth. It’s unimaginable to lose any of that important info — and to what…human error? Hardware failure? Software crash? Take a good look at your system, revisit your strategy and make sure the solution is efficacious in restoring your files.
If you are implementing or building your own solution by bundling different tools, you should explore these:
- zbackup http://zbackup.org/
- rzbackup https://github.com/jalli/rzbackup/tree/master/scripts
- rsync https://rsync.samba.org/
Any combination of these tools should serve you well. If you’d like to take a deeper look into revisiting your backup solution, take a look at Jarl’s blog: A Word About Backup Solutions.