The Next Normal of Data Protection

Auteur : Pash Hrnic, Field Solution Architect

Data is a precious resource for any organization. Although data protection is only a small facet of an effective data management program, it is one of the most crucial. A company’s ability to provision, classify, govern, process and store their data plays an important role in how well they are protected. This article will explore the next normal of data protection and demonstrate that with improved data management comes stronger means of protecting it.  

Les jetons déconnectés sont les types de jetons les plus courants. Ils nécessitent une authentification à deux facteurs, généralement un code PIN, avant d’autoriser l’accès. Bien que les jetons déconnectés n’aient pas besoin d’être branchés à l’appareil prévu, l’authentification est saisie manuellement via un petit écran sur le jeton lui-même. 

In traditional data protection models, structured and unstructured filesystems were protected with disk to tape or disk to disk solutions. If data was lost or service failed due to disaster, corruption or general hardware failure, the data would be rebuilt and recovered to where it needed to be.

As more business-critical applications were adopted and the impact of downtime costs assessed, recovery time objectives1 (RTO) needed to improve to become manageable. Organizations faced challenges – such as database and application consistency – and application pools needed to be backed up in synchronicity to maintain consistency and integrity of data. Array-based snapshots2, storage-integrated replication technologies3 and 10G networks4 paved the way for rapid-restores and the next-generation of data protection solutions. Through this transition, the push for backup applications to integrate with storage systems had a positive impact on recovery point objectives5 (RPO) as snapshots can now be taken of an application and its data down to the minute. As organizations began to adopt cloud services,6 this forced them to look for data protection solutions that could span across on-premises and cloud environments, while maintaining similar (or better) RPOs and RTOs.

Modern workloads require an updated data protection solution. This is evident as the CDW Cloud report indicates that 56 percent of IT leaders have committed to a hybrid cloud strategy for business systems. Just ten years ago it was normal for organizations to run a good portion of their Tier 1 applications7 from bare metal servers8 (monolithic architecture)9. Fast forward to 2021 and the shift in business systems has accelerated exponentially. Virtual, hybrid, all cloud and multicloud infrastructure such as Infrastructure as a Service10 (IaaS), are becoming the norm in today’s world and more organizations’ databases are being deployed on dedicated platform offerings like Platform as a Service11 (PaaS). Similarly, email, office communications, IT service management, HR and customer relationship tools are moving to Software as a Service12 (SaaS)-based models. Endpoints and mobile devices are surging in numbers and organizations are decoupling their applications from monolithic server architecture in favour of containerization13. This is critical in order to identify the right solutions that can span across the various architectures to protect services and data assets.

The pace of IT and business technology moves at warp speed, and this results in important opportunities for organizations to become more agile and efficient. One advantage of this evolution is operating at cloud speeds, which allows new features and improvements to existing data protection products to be rolled out on a regular basis with a service pack and version updates. The adaptability of tools to leverage new and existing cloud application programming interfaces14 (API) for integrations with SaaS, PaaS and IaaS is driving the rapid evolution to keep up with modern IT workloads.

To fully appreciate the modern approach and evolution of data protection, it is worth understanding how backup targets have evolved. Traditionally, the 3-2-1 Rule has been considered best practice for organizations to make copies of their data. The rule states that three copies of the data (the production data and two backup copies) should be stored on two different types of media, with one copy offsite. For example, a full backup would see an initial copy to disk, then a second copy written to tape, or a secondary storage appliance. Ideally, that tape and/or secondary storage appliance would be deployed offsite. This rule still holds true today, though the targets and media may look a little different.

Modern data protection tools have incorporated flexibility on storage targets into their design. For instance, on-premises disk and tape libraries are still viable options, as is object storage15, whether it be a public cloud offering or a service deployed on-premises.

At a high level, the advantages of using object storage for backup data include:

1. Speed – In contrast to hierarchical architectures, file objects are stored in a flat address space which makes access time considerably faster.
2. Scalability – The flat address space facilitates scalability, as organizations or their cloud object store provider can simply add extra nodes to increase capacity.16

As organizations look to replace legacy tape and disk technologies with more affordable and reliable solutions, finding options that offer the ability to write to object storage targets is a desired feature in data protection products. For those using cloud-based workloads, it makes sense to keep the backup copies on a storage location that is close to the application workload, in order to maintain rapid restores and keep a low RTO. The architecture for modern day cloud applications allows them to reside in one availability zone while the data can be backed up to a geographically diverse location. For example, data can be stored in another cloud zone or region, with a different cloud provider or even on-premises.

The ultimate goal of the 3-2-1 Rule is to ensure reliable data protection by keeping a certain amount of backup copies near-line to facilitate rapid restores, as well as an offsite copy of data that can be recalled in the event of complete site or systems failure.

Data protection applications had to evolve to mitigate a new wave of risks. In addition to power outages and natural disasters, organizations are more likely to suffer a data loss from a systems failure, ransomware attack, human error or insider threat today. In the battle against ransomware, backup solutions have become the last line of defence against bad actors.

Modern day backup suites have introduced technologies such as air-gapping17 and ‘write once read many’18 (WORM) copies. While WORM copies have existed for years, integrated and automated air-gapping is a relatively new concept that came about with the upsurge in ransomware attacks. Early air-gapping solutions wrote copies to removable media and kept them offline. More modern air-gapping solutions are integrated into backup applications and involve removing network accessibility to a dataset that is backed up. WORM copies completely deny changes to backup sets for a definable or infinite period, which is done at the device and application level.

Both WORM copies and air-gapping function to make backup copies inaccessible and immutable, consequently rendering them impervious to ransomware and similar types of cyberthreats.

Another solution to counter both ransomware and insider threats is anomalous behaviour detection.19 This solution functions by leveraging artificial intelligence and machine learning to identify patterns in users’ interactions with files. If the pattern is unusual and deviates from normal operations carried out by that user, automated actions can be executed to either alert system administrators or bar access to data.

Data protection applications have evolved to support a wider array of features and have become much simpler than legacy tools in the process. Data protection infrastructure elements can now be installed across physical and virtual appliances, on-premises and across cloud provider IaaS or marketplace instances to protect cloud-based workloads.

When it comes to authoring protection and data lifecycle policies, a simple approach is best. Historically, the imperative approach would be to write a policy that contained all the steps required to complete a backup, such as data source, storage target and schedule. However, a declarative and more simple approach defines what the end state of the backup should be and then has the end user decide which SLA the data should be assigned. Thus, in a declarative policy, elements of the backups are defined once, and data assets are associated with policies based on their required SLA.

Data is the crown jewel for most organizations today. Like a precious stone, data can be cut down and processed, broken down into smaller gems and reconstructed to form a larger adornment. Each piece of that jewel always needs to be accounted for and should be protected from counterfeit and theft. It is only through effective management and protection that an organization can truly benefit and realize the value of its most important asset – its data. The next normal and continued evolution of IT workloads and rapid data growth is just one more step in the journey toward effective data protection and management.