Data Access, Availability and Recovery
Data: It’s the reason you have a computer—though the data collected and processed is more valuable than the computer itself. Data loss or compromise could mean the end of your business, destroy your company’s reputation, cost you the ability to process credit cards or result in legal penalties. It often represents an irreplaceable asset. Whatever your business, you should understand the issues regarding data access, availability and recovery, and take appropriate measures to secure the confidentiality, integrity and availability of your data.
There is no one-size-fits-all solution. The first place to start is with risk and security assessments. These tools should help you understand your requirements, gaps and possible risk. Every organization faces risks, and you can choose to accept, mitigate or transfer risk. Every organization will have requirements for data access controls, availability and recovery. A formal risk assessment is a guide to help determine reasonable and appropriate policies, procedures and controls.
Data Access Control
Data access controls are the policies, procedures and technologies that restrict data access to those individuals and systems that require it. The governing security principle is least privilege. This form of access is on a need-to-know basis. Data access controls implement confidentiality and include a variety of security measures. Account management, authentication and authorization systems may come to mind. But you also must consider media controls, physical controls, and system and network security. While security and access control are important, be careful to balance them with the criticality of your data and the size of your organization. A SOHO operation isn’t going to use biometrics on the “data center” doors. A bank or co-location data center probably will. The kind of business you are in or the state where you reside or do business may impact your requirements. Various legal requirements, from the Health Insurance Portability and Accountability Act (HIPAA) to the Sarbanes-Oxley Act (SOX), also will impact your decisions.
Based on the assessment of your data access control requirements, there will be a wide range of options. Overprotecting your data can be almost as bad as underprotecting it, so be careful. Protection from reasonably anticipated threats balanced with the value of the data and the cost of security measures (both real and operational/convenience cost) should be considered. Too much security can paralyze an organization, just as too little can place it in jeopardy.
Basic system and network security should apply to any organization. Border firewalls, patching systems, anti-virus software, host firewalls and being aware of intrusions are fundamental from the home office to the large corporation. In addition to references like the System Administration, Networking and Security (SANS) Institute and the National Institute of Standards & Technology (NIST), the Center for Internet Security (www.cisecurity.org) has a wide spectrum of operating system, network device and application security configuration templates and evaluation tools. These tools can help ensure the security of the PCs and servers that process your data. In higher-security environments, additional workstation security is recommended. Consider the use of security templates, encrypted file systems and restricted accounts for end-user PCs. This is of particular concern for laptops that can be lost or stolen. Asset tracking, similar to account management, should be used to ensure the proper issuance, return or disposal of computers that might contain sensitive data. Don’t forget to have a process to sanitize storage media when you reuse or dispose of any computer media.
The next level of data access control is user and system access management. Issue accounts to individuals who need them and ensure their privileges let them access what they are authorized to and prohibit unauthorized access. In a small office, this is a fairly simple task. Everyone may have basically similar access rights, or the accounts and access rights can be reviewed directly by the system administrator who knows what the authorization decisions should be. However, as the size of an organization increases, this quickly becomes unmanageable. A formal process is needed to issue accounts and manage each account’s lifecycle, including:
- An acceptable use policy.
- A record of who authorized the account and access rights, if applicable by system.
- A unique account ID—not shared accounts.
- A mechanism for enforcing password strength and forcing periodic password change.
- A review of access rights and account authorization upon job change.
- A mechanism for revoking access when a user terminates employment.
- A periodic review of accounts and access rights to find orphaned accounts or accounts with excessive access privileges.
- Review of system audit logs for login failures, access violations and other anomalous account activity, such as remote logins.
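The periodic review and log review in the last two items can be scripted. The following is an added example on constructed data, not tooling from the article: the roster, account inventory, role-to-privilege map and audit-log lines are all assumptions made up for the demonstration.

```python
"""Periodic account review: an added example on constructed data, not the article's
own tooling.  It flags orphaned accounts, excess privileges and login failures."""
import re
from collections import Counter
# Constructed HR roster: current employees and their roles.
HR_ROSTER = {
    "alice": {"role": "accounting", "active": True},
    "bob":   {"role": "sysadmin",   "active": True},
    "carol": {"role": "sales",      "active": False},   # terminated last quarter
}
# Constructed account inventory exported from the file server.
ACCOUNTS = [
    {"id": "alice",   "privs": {"read", "admin"}},     # admin never authorized
    {"id": "bob",     "privs": {"read", "admin"}},
    {"id": "carol",   "privs": {"read"}},
    {"id": "scanner", "privs": {"read", "admin"}},     # shared ID, nobody owns it
]
# Hypothetical role-to-privilege map: what least privilege allows each role.
ALLOWED = {"accounting": {"read"}, "sales": {"read"}, "sysadmin": {"read", "admin"}}

def review_accounts(accounts, roster, allowed):
    """Return (account_id, finding) pairs for the reviewer to act on."""
    findings = []
    for acct in accounts:
        uid, person = acct["id"], roster.get(acct["id"])
        if person is None or not person["active"]:
            findings.append((uid, "orphaned: no active employee"))
            continue  # revoke it; grading its privileges is pointless
        excess = acct["privs"] - allowed[person["role"]]
        if excess:
            findings.append((uid, "excessive privilege: " + ",".join(sorted(excess))))
    return findings
# Constructed audit-log lines in an sshd-like format.
AUDIT_LOG = """\
May 2 03:14:07 fs1 sshd: Failed password for alice from 203.0.113.5
May 2 03:14:09 fs1 sshd: Failed password for alice from 203.0.113.5
May 2 09:00:01 fs1 sshd: Accepted password for bob from 192.0.2.10
"""
LINE = re.compile(r"sshd: (Failed|Accepted) password for (\S+) from (\S+)")
def review_logins(log_text, failure_threshold=2):
    """Return users with repeated failures and users who logged in remotely."""
    failures, remote = Counter(), set()
    for m in LINE.finditer(log_text):
        if m.group(1) == "Failed":
            failures[m.group(2)] += 1
        else:
            remote.add(m.group(2))
    flagged = sorted(u for u, n in failures.items() if n >= failure_threshold)
    return flagged, sorted(remote)
```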
To minimize complexity, larger organizations should consider centralized authentication, authorization and logging systems. These systems help ease the burden of account management, but they raise some issues of their own. Organizations with diverse technologies will find that they often end up running several of these authentication, authorization and accounting (AAA) systems, causing synchronization problems. Integration with third-party applications can be problematic. This is becoming less of an issue for larger applications, such as corporate enterprise resource planning (ERP), e-mail and calendaring systems. Vendors of these systems recognize the need for central management and are adopting standards-based AAA systems and directories as optional authentication and authorization references. Smaller application vendors in industry niches are adopting these technologies more slowly. As a result, centralizing AAA to the extent practical will help make data access control manageable.
Availability
Availability is the requirement that authorized persons can access data when they need it. High-availability servers often have redundant disks and power supplies, and can continue to operate with a variety of component hardware failures. Servers and applications ranging from those with failover protocols and hot standby systems to fully redundant load-balanced systems can operate virtually nonstop in the wake of a single system failure and, in some cases, multiple system failures.
Determining requirements is the first step. How long can you function without access to your data? What will the financial, reputation and lost opportunity costs to your organization be? Do you have a way to conduct business at some level in the absence of a critical system? What systems are truly critical to your business? Answering these questions should provide some guidance. Ultimately, availability level is a business-risk-mitigation decision.
Availability is typically measured by the number of nines in the uptime percentage (i.e., three nines is 99.9 percent uptime). Five nines is considered ultra-high availability. There also is a significant cost difference between being down three days, one day, four hours or five minutes a year. The cost curve is not linear—it’s more like an exponential curve as you approach an ultra-high-availability environment. So, be realistic about business continuance options. The important thing is that once you decide your availability requirements, the entire computing environment needs to be updated to achieve the desired results. For example, disks and power supplies have a greater probability of failing than most components, so their redundancy will increase availability, but not to five nines. If the goal is five nines availability then everything that impact
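An added example, not from the article, of the arithmetic behind the paragraph above. It converts a number of nines into allowed downtime per year and goes one step further than the text by composing component availabilities: components that must all work multiply (series), while redundant copies of one component combine as 1 minus the probability that all copies fail. The component figures are constructed assumptions, not measured values.

```python
"""Availability arithmetic: an added example, not from the article.  It turns a
'number of nines' into yearly downtime and shows why redundant disks and power
supplies alone do not reach five nines when other components sit in series."""

MINUTES_PER_YEAR = 365 * 24 * 60

def nines_to_availability(nines):
    """Three nines -> 0.999, five nines -> 0.99999."""
    return 1 - 10 ** (-nines)

def downtime_minutes_per_year(availability):
    """Allowed downtime per year for a given availability fraction."""
    return MINUTES_PER_YEAR * (1 - availability)

def series(*availabilities):
    """Components that must all work: availability is the product."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result

def parallel(availability, copies):
    """Redundant copies where one survivor is enough: 1 - P(all fail)."""
    return 1 - (1 - availability) ** copies

# Constructed component figures (assumptions, not measured values).
DISK, PSU, NETWORK_UPLINK, APP_SERVER = 0.999, 0.999, 0.999, 0.9995

def server_availability(mirror_disks=True, dual_psu=True, redundant_uplink=False):
    """Whole-system availability with the chosen redundancy options."""
    disk = parallel(DISK, 2) if mirror_disks else DISK
    psu = parallel(PSU, 2) if dual_psu else PSU
    uplink = parallel(NETWORK_UPLINK, 2) if redundant_uplink else NETWORK_UPLINK
    return series(disk, psu, uplink, APP_SERVER)
```

With mirrored disks and dual power supplies but a single uplink, the constructed system still falls short of three nines; adding a second uplink leaves it capped by the 0.9995 application server, which is the point of the paragraph: every series element must meet the target.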