Data Protection: A More Holistic Approach

“Prying eyes, they’re watching you, watching your data move…”

(Sung to the tune of ‘Private Eyes’ by Hall and Oates)

SecurityGood luck getting that out of your head. Well… those of you old enough to remember that song. This post is all about data protection — more importantly, holistic data protection.

When we launched the new Velocity Replication Accelerators (VRX) in February of 2013, it started a yearlong process of travel and talking for me. Initially I focused on replication, which made sense as replication is in the product description. As the year went on and I spoke to customers and partners outside of the U.S., I realized that some terms, like RPO, didn’t resonate. This changed my overall topic and message, and I found myself talking about replication and backup windows. Eventually these two things morphed together, and it was simply “data protection.” Data protection is fairly generic and typically includes replication and backup. As I spent more time thinking about data protection, moving data into and out of the cloud, and what it really means to protect data, it occurred to me that holistic data protection is what we need to think about… but what is holistic data protection?

Holistic data protection involves three key components:

1. Availability

2. Integrity

3. Security

Availability is managed with replication, backup, and redundant systems. This part is fairly straightforward, and is common in most organizations. Non-critical data is backed up to tape or disk, while mission critical data is replicated offsite. Replication helps to meet strict recovery point and time objectives, and helps the business to be resilient against failure. Backup and restore from tape or disk takes much longer, hence its use for non-critical data. The ultimate goal is to have all data replicated to the disaster recovery site, whether in its native format via array or software based replication, or in its backup state via an offsite tape copy or deduplicated backup replica.

Integrity is managed by arrays and disk sub-systems, and involves making sure that the data written to disk (I use disk to mean spinning rust or flash) is the same when it is read as it was when written. Some applications and file systems have their own methods of verifying, and maintaining, data integrity. There are many ways to accomplish this, and I am not going to go into them here. This feature is common on enterprise arrays (big iron), and usually the applications that require big iron. Data integrity checking is also common on object-based storage systems and software, and is moving into midrange systems.

Finally, we get to data security. Security has many meanings when it comes to data, and some context is usually necessary. Security can mean access, making sure that only authorized users, or applications, have access to the data. It can also mean that the data is encrypted at rest or in flight. Encrypting data at rest on disk protects the data if the media is lost or stolen. In this case media could be a tape, drive, laptop, etc. It is important to keep in mind that data encryption at rest probably won’t help if a server or application that has access to the data is compromised. If the drive is mounted, and the encrypted data is readable, a hacker has free access to everything. This is why encryption at rest is best used as protection against media theft.

What is more important is the encryption of data in-flight. Encryption of data in-flight can have several meanings, and what you are getting depends on who is selling you the solution. One option is to encrypt the data that is sent across the SAN, iSCSI or Fibre Channel, to protect against someone gaining access to the fabric and capturing packets/frames. The second issue occurs when the data leaves the four walls of the data center. This is the one we address at Silver Peak, encrypting data protection traffic across the WAN. This could be replication or backup traffic between the primary and disaster recovery sites.

Over the last nine months, data monitoring by the NSA has been getting a lot of attention, creating a renewed interest in encryption. While this is one of the factors that businesses should be concerned about, there is another issue that doesn’t get much attention. The second issue is the relative insecurity of most network connections from bandwidth providers.

Many businesses believe that bandwidth purchased from a national carrier in the United States is relatively secure. Unfortunately this isn’t really true. Even with a private network connection, there are many opportunities for data sent across the WAN to be stolen. When an MPLS, or public, network is used, the problem is more severe. An MPLS network, by its nature, is shared by many subscribers. It can be misleading when purchasing an MPLS connection as some providers refer to this as a “virtual private network.” Most IT people understand a VPN to mean encryption and security, but when this is used with an MPLS circuit, that is not what it means. MPLS networks share bandwidth between many customers, and attempt to only send data between a subscriber’s two sites. If you have an MPLS network, you should imagine that it is the same as sending your data across the Internet.

The cavalier attitude of sending critical data in the clear has come to an end. Encryption is a must.

In my next post I will explore options to encrypt data in flight, and some of the challenges that organizations face when they try to replicate and backup over encrypted connections.