Data Resilience 101
What is data resilience?
You know when your car breaks down or when the fuses blow, and the lights go out at your house? Often both of those things are problems, but you can work around them: You can call breakdown recovery or grab a taxi, and if the lights go off, sometimes the power is still on elsewhere, or you have a torch. Both of those situations and the workarounds supply a level of resilience – when there is a problem or something breaks, you can still walk around the house at night and see where you are going, or make it to work or the airport on time.
Data resilience is your ability to take a hit on your data availability or integrity and keep your organization running.
Why do you need data resilience?
Let’s get this out there: All organizations rely on their data; they always have. That accountancy firm from a hundred years ago had loads of data – it was just on paper. Architects, mechanics, the hospital, manufacturers, software developers, those of us who write blogs – everything we do has data at its core or associated with it. Many organizations even have data about their data – how much there is, where it is, who has access to it, how long they should hold it – the list goes on.
Let’s take an example – an oil pipeline. How much data is associated with pumping oil through a pipe? Probably quite a bit: flow rates, volumes pumped, pressure, leaks, maintenance records, valves, staff, locations, emails, diagrams, bills, wages, security information, etc.
What happens if all that data is lost or modified? No oil. No bills are issued, or revenue paid. Maybe a massive environmental disaster.
So – data. How about that – it’s critical to your organisation.
How to make data resilient
Data resilience requires planning. All organizations have some of the same types of data (like finance or HR) – but its value is different depending on the organisation.
Step 1: Collect the business requirements for data resilience – these will inform what to protect, how often to protect it, and how quickly it may need restoring after a data resilience event:
- Know what data is essential to your organization. Work with department heads and those who use the data to perform their jobs. Categorise the data into high, medium and low based on the sensitivity of data (such as HR or medical) and how it would affect your organization if it were changed or unavailable.
- Know where the data is – if you can’t find the data, you can’t control it and protect it.
- Know who needs access to the data and how often.
- Work out how long each area of your organization could function without access to its data. This will allow you to work out the maximum time you could be without access to data, known as the RTO or ‘Recovery Time Objective.’
- Work out how much data you can afford to lose – this is known as the RPO or ‘Recovery Point Objective’.
For some organizations – those last two will be zero. As in, the data needs to be ‘always available’ with ‘no loss’. Ouch – those are some tough asks – but not impossible. There will always be some risk of data loss due to Murphy’s Law – (if something can happen, it will) – but we can do our best to minimize the likelihood.
Step 2: Data resilience design
Data resilience design requires answers to the previous questions, but it also needs to consider the systems you are using. Is all of your CRM in Salesforce? Staff using Dropbox for corporate data without permission? Email and finance data in Microsoft 365?
Here are some pointers for design:
- Control where the data is and where it can go
- Secure those locations – understand who can access the data
- Make those systems and locations as available as they need to be. This is key as the budget likely won’t stretch to allow every system to have 99.999% uptime. The payroll server only needs to run once a month, for example. That real-time ambulance tracking system – that one needs those five-nines of availability.
- Despite all that resilience – you do need to take a backup.
For me – the cloud offers a cost-effective way of achieving a high level of availability at an affordable price, as those expensive infrastructure and maintenance costs are shared across many organisations.
Step 3: Back up the data
This is probably the number one thing on the list of data resilience must-haves. Backups. Back up your data somewhere that lives separately from your primary data (for example, consider AWS instead of Azure if your primary data is hosted in Microsoft, and vice-versa).
All the security and outsourced hosting won’t protect you from every incident – in fact, most cloud service providers bury it in their terms of agreement that they are not responsible for your data loss. When looking at your resilience plan, it’s important to ask - are you hosting your data in the cloud? In someone else’s cloud platform?
There is a backup for that as well – often called cloud-to-cloud backup or SaaS backup.
Backups provide you with a point-in-time recovery option. Between those points in time, however, there could be some data loss (most enterprises back up systems every hour, for example).
Step 4: Archive or backup? You may need both.
Need to make sure there is as close to zero loss on those legal emails or conversations about patients? For that, you need a real-time copy of everything that happens. This can be in the form of replication to an offsite location for virtual systems or an information archive for cloud systems to capture real-time data, like emails or Teams conversations.
Even if you have backups in place, if you work in an industry with any level of compliance requirement, having an archive can be the fastest and easiest way to source a copy of your communications. A backup takes you a step further: it can back up files, images, projects and other data in addition to your communications. When it comes to legal requirements, it’s crucial to practice as much due diligence as possible. You can read more about the difference between archive and backup here.
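To make Steps 1, 3 and 4 concrete, here is an added example (not from the original article) that checks a system inventory against its RPO and RTO, flags backups stored with the primary data, and treats a real-time copy as zero loss. The inventory, field names and finding codes are constructed for illustration, and the restore estimate is assumed to be your own figure.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional

@dataclass
class System:
    name: str
    rpo: timedelta                 # Step 1: how much data you can afford to lose
    rto: timedelta                 # Step 1: how long you can function without it
    primary_host: str              # where the live data is
    backup_host: Optional[str]     # where backups are stored (None = no backup)
    backup_interval: Optional[timedelta] = None
    restore_estimate: Optional[timedelta] = None  # assumed: your own estimate
    realtime_copy: bool = False    # Step 4: replication or information archive

def audit(s: System) -> List[str]:
    """Return the gaps between one system's requirements and its protection."""
    if s.backup_host is None or s.backup_interval is None:
        return ["NO_BACKUP"]
    findings = []
    if s.backup_host.lower() == s.primary_host.lower():
        findings.append("BACKUP_WITH_PRIMARY")
    # Between two points in time, up to a full interval of data can be lost.
    # A real-time copy is treated as zero loss here (a simplification).
    worst_loss = timedelta(0) if s.realtime_copy else s.backup_interval
    if worst_loss > s.rpo:
        findings.append("RPO_MISSED")
    # An unknown restore time counts as a miss: it cannot be shown to fit the RTO.
    if s.restore_estimate is None or s.restore_estimate > s.rto:
        findings.append("RTO_MISSED")
    return findings

H = timedelta(hours=1)
INVENTORY = [  # constructed sample data
    System("payroll", 24 * H, 72 * H, "Microsoft 365", "AWS", H, 4 * H),
    System("legal-email", timedelta(0), 8 * H, "Microsoft 365", "Microsoft 365", H, 2 * H),
    System("patient-records", timedelta(0), 4 * H, "Azure", "AWS", H, 2 * H, realtime_copy=True),
    System("crm", 4 * H, 8 * H, "Salesforce", None),
]

def report(inventory=INVENTORY):
    return {s.name: audit(s) for s in inventory}

if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {', '.join(findings) or 'meets requirements'}")
```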
Summary – data resilience
The first rule of data resilience is to ensure you implement backup. The second rule of data resilience is to always have a backup. You can hone your data resilience approach by taking input from your organization. Likely nobody will be comfortable with data loss, but they may be able to operate without some data for a period of time (RPO vs RTO).
Follow the steps and plan your approach. Not only will this enable you to concentrate your efforts and budget in the right areas, but it will also enable you to show the board or the regulator what you are doing and why.
And don’t forget the third rule of data resilience – always have a backup, and make sure it is stored away from where the primary system is. Run all of your environment inside Microsoft 365? An excellent choice – but don’t keep the backups there as well, just in case.
Todd Gifford, BEng, CISSP, has 22 years of cybersecurity experience and is the CTO of Optimising IT, a UK-based Managed Service Provider whose goal is to help you pragmatically manage risk. Connect with Todd on LinkedIn or visit Optimising IT to learn more about how they can help you choose and implement the best cloud-to-cloud backup solution for your business.