The traditional backup approach poses a couple of challenges for organizations dealing with simultaneous security threats. Continuous data protection (CDP) addresses traditional backup challenges. It protects backups from unwanted changes and enables granular recovery of files, databases, or an entire storage device. Let’s analyse the role of CDP, how it works, and the right way to implement it.
Recovering from a business continuity event often requires data restoration to return critical business functions to full operation. Further, business function recovery must be completed before the business suffers irreparable damage. Traditional backups may not be sufficient, especially in today’s ransomware threat environment. Continuous data protection helps to achieve recovery well before the maximum tolerable downtime is reached, regardless of the cause of the interruption.
Business Continuity Event Recovery
A business continuity event, or BCE, is any incident that interrupts one or more business functions. A BCE can be caused by human and non-human factors, including
- Ransomware attack
- System breach
- Weather event
- Power outage
The five components of BCE recovery are mean time before failure (MTBF), recovery point objective (RPO), recovery time objective (RTO), work recovery time (WRT), and maximum tolerable downtime (MTD). Figure 1, from the video Business Continuity Planning, shows how these elements affect recovery.
Figure 1: BCE Recovery
MTBF represents how long we expect a business function to continue operation, given the underlying technology. MTD is the length of time a business function can be down before the business suffers irreparable damage. Whether an organization can recover before the MTD is reached depends on the RTO, RPO, and WRT.
The RPO is the point in time to which the organization can recover data by restoring backups; it is determined by backup frequency and reliability. The RTO is the time it takes to retrieve and restore the needed backups.
When using traditional backup approaches, backups miss the transactions and other data created or modified after the last backup. Also, if the last backup is damaged in some way or made unavailable by an attack, the recovery will miss the RPO. In either case, the organization must re-enter data and make the needed changes to existing data to achieve full business functionality within the WRT.
If an organization cannot recover on-premises within the MTD, the disaster recovery plan (DRP) is executed. The DRP is a sub-plan of the business continuity plan (BCP).
Challenges of Traditional Backups
Traditional backup processes are challenging to manage when trying to achieve recovery within the MTD. This is due to
- Decreasing backup window size: To back up production databases, the databases cannot be in use. Consequently, backups must take place during an established window in which no related business functions are operating. Global, internet-based business operations can make finding frequent windows difficult. This increases the length of the WRT.
- Reliability of backups: Backups are not always usable when needed. Unless organizations regularly verify backups with test restores, the most recent backup may be corrupted without anyone noticing.
- Restoration time: Depending on the type of backup and the media used, restoring a backup for one or more business functions can extend beyond the RTO.
- Failure of 3-2-1: The commonly used 3-2-1 rule stipulates that there should be three backup copies, a backup should reside on two different media (e.g., disk and tape), and at least one online copy of a backup should be kept offsite. However, this rule falls short as ransomware threat actors are increasingly able to locate and encrypt online backups. Quick recovery is often hampered, even if a copy of a backup is kept offline.
The Role of Continuous Data Protection
Continuous data protection (CDP) addresses traditional backup challenges. It protects backups from unwanted changes and enables granular recovery of files, databases, or an entire storage device.
How it works
Anil K. Y. Ommi writes that CDP usually consists of a journal volume, a CDP appliance, and a write splitter. A journal volume stores each change made to a protected volume. This is a continuous process with little to no lag between the production change and the creation of the journal entry. Each journal entry includes the information needed to restore data quickly to a specific point in time, often just moments before a BCE.
Based on Ommi’s article, Figure 2 shows one example of how continuous data protection works when using a cloud service.
Figure 2: CDP Example
- When an application writes data, it is divided into two write streams by a splitter. One stream is sent to the production storage device, and one is sent to a CDP appliance.
- The CDP appliance writes the data to on-premises journal storage. It also sends the data to a remote CDP appliance. In this example, the remote appliance is hosted by a cloud service provider; an organization could also place it in a leased secondary data center.
- Both the on-premises and cloud journals are replicated to a journal backup device.
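To make the three steps above concrete, here is an added example (not code from the article, from Ommi, or from any CDP product) that models the write splitter, the CDP appliance with its local and remote journals, and point-in-time recovery by replaying the journal up to a chosen timestamp. All class names, the journal-entry layout and the sample writes are assumptions constructed for illustration; a real appliance journals block-level writes rather than whole files.

```python
# Added example (not code from the article or from any CDP product): a toy
# model of the write splitter / CDP appliance / journal volume described above,
# with point-in-time recovery by replaying the journal. All names and the
# sample writes below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class JournalEntry:
    seq: int                # monotonic sequence number, the replay order
    ts: float               # time of the production write (seconds, constructed)
    path: str               # file or block that changed
    data: Optional[bytes]   # new contents; None records a deletion


class ProductionVolume:
    """The primary storage that applications read and write."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def apply(self, entry: JournalEntry) -> None:
        if entry.data is None:
            self.files.pop(entry.path, None)
        else:
            self.files[entry.path] = entry.data


class CdpAppliance:
    """Receives the second write stream, appends every change to the
    on-premises journal and forwards a copy to the remote (cloud) journal."""

    def __init__(self) -> None:
        self.local_journal: List[JournalEntry] = []
        self.remote_journal: List[JournalEntry] = []

    def record(self, entry: JournalEntry) -> None:
        self.local_journal.append(entry)
        self.remote_journal.append(entry)


class WriteSplitter:
    """Sits in the write path: each application write goes to production
    storage and, as a journal entry, to the CDP appliance."""

    def __init__(self, production: ProductionVolume, appliance: CdpAppliance) -> None:
        self.production = production
        self.appliance = appliance
        self._seq = 0

    def write(self, ts: float, path: str, data: Optional[bytes]) -> JournalEntry:
        entry = JournalEntry(self._seq, ts, path, data)
        self._seq += 1
        self.production.apply(entry)
        self.appliance.record(entry)
        return entry


def restore_to_point(journal: List[JournalEntry], ts: float) -> Dict[str, bytes]:
    """Rebuild the volume as it was at time ts by replaying, in sequence order,
    every journal entry made at or before ts. Because each write is journaled
    as it happens, the recovery point can sit just before the unwanted change."""
    volume = ProductionVolume()
    for entry in sorted(journal, key=lambda e: e.seq):
        if entry.ts <= ts:
            volume.apply(entry)
    return dict(volume.files)


def simulate_recovery() -> Dict[str, Dict[str, bytes]]:
    """Constructed scenario: normal writes, then an unwanted bulk overwrite
    (what a ransomware run or a bad deployment does to production), then
    recovery from the remote journal to the moment before the overwrite."""
    production = ProductionVolume()
    appliance = CdpAppliance()
    splitter = WriteSplitter(production, appliance)

    splitter.write(1.0, "orders.db", b"order-1")
    splitter.write(2.0, "orders.db", b"order-1,order-2")
    splitter.write(3.0, "notes.txt", b"hello")
    splitter.write(4.0, "notes.txt", None)          # legitimate deletion
    # t=10: the remaining file is overwritten with unusable content
    splitter.write(10.0, "orders.db", b"<unusable>")

    return {
        "production_after_event": dict(production.files),
        "recovered": restore_to_point(appliance.remote_journal, ts=9.999),
    }


if __name__ == "__main__":
    result = simulate_recovery()
    print(result["production_after_event"])   # {'orders.db': b'<unusable>'}
    print(result["recovered"])                # {'orders.db': b'order-1,order-2'}
```

The point the model makes is the one the article makes about the RPO: because every write is journaled as it happens, the recovery point is chosen at restore time (here `ts=9.999`) rather than fixed by the last backup window, and the legitimate deletion at t=4 is honoured while the unwanted overwrite at t=10 is not replayed.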
Things to consider before implementing CDP
As with all security controls, implementation is unique to each operating environment and the related risks. Behzad Behtash provides a starting list of things to consider. The first is not to assume that all data must be protected with CDP. At a minimum, however, organizations should use CDP to protect data used for critical business functions. Interruption of a critical business function can cause irreparable harm to an organization. It also results in compliance violations.
Aligned with protecting critical business functions, organizations must also determine the MTD for each function. This always includes setting an acceptable RPO, RTO, and WRT. These objectives will help determine how to back up each data set, including user-created documents.
There is often more than one solution for CDP. For example, Behtash writes that Exchange “includes built-in replication and disaster recovery features for email.” Cloud SaaS solutions might also provide CDP as add-on services.
Finally, organizations must address how the backups are accessed. Access control and infrastructure design must include the protection of backup devices. Two ways we can do this are with immutability and microsegmentation.
Restricted access to replicated information is needed to protect against threats like ransomware. One way to do this while complying with the 3-2-1 rule is to store one copy of replicated data on offline media. However, this is not easy when there are continuous updates.
A newer rule, 3-2-1-1, addresses CDP requirements. The added “1” represents immutable storage. As I wrote in a previous article, data on immutable backups cannot be changed once written. Encryption by ransomware threat actors is not possible, and no security incident can adversely affect data integrity.
In the example in Figure 2, immutability should exist on at least the replicated journal storage. An organization should use immutable storage for at least one of the two needed copies of a journal.
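As an added example (not from the article, and not how any particular product implements immutability), the following models the immutable journal copy from the 3-2-1-1 rule as an append-only, hash-chained log and shows the two integrity checks a restore should run before trusting it. Real immutable storage enforces write-once at the storage layer; this class only models that property and verifies it. The entry payloads, the out-of-band "anchored" head hash and the two tampering scenarios are constructed assumptions.

```python
# Added example (not from the article): a hash-chained, append-only journal
# replica standing in for the "immutable" copy in the 3-2-1-1 rule, plus the
# integrity checks a restore should run before trusting it. Payloads and the
# tampering scenarios are constructed; real immutable storage enforces
# write-once at the storage layer, this class only models and verifies it.
import hashlib
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # chain hash before the first entry


def _chain_hash(prev_hash: str, payload: bytes) -> str:
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class ImmutableJournal:
    """Append-only: there is deliberately no update or delete method.
    Each entry's hash covers the previous hash, so changing or removing any
    earlier entry invalidates every hash after it."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, str]] = []   # (payload, chain hash)

    def append(self, payload: bytes) -> str:
        prev = self._entries[-1][1] if self._entries else GENESIS
        h = _chain_hash(prev, payload)
        self._entries.append((payload, h))
        return h

    def head(self) -> str:
        return self._entries[-1][1] if self._entries else GENESIS

    def payloads(self) -> List[bytes]:
        return [p for p, _ in self._entries]

    def verify(self, expected_head: Optional[str] = None) -> bool:
        """Recompute the chain. expected_head is the latest hash recorded
        somewhere the journal's own storage cannot reach (e.g. an offline
        record); without it, silently truncating the tail goes unnoticed."""
        prev = GENESIS
        for payload, h in self._entries:
            if _chain_hash(prev, payload) != h:
                return False
            prev = h
        return expected_head is None or prev == expected_head


def tamper_scenarios() -> Dict[str, bool]:
    """Constructed: replicate three journal entries, record the head hash
    out of band, then show what each integrity check catches."""
    journal = ImmutableJournal()
    for payload in (b"write orders.db v1", b"write orders.db v2", b"delete notes.txt"):
        journal.append(payload)
    anchored_head = journal.head()

    # Scenario 1: an old entry in the backing store is rewritten in place
    # (what a storage-level compromise would do to a copy that is not truly WORM).
    rewritten = ImmutableJournal()
    rewritten._entries = list(journal._entries)
    rewritten._entries[1] = (b"<unusable>", rewritten._entries[1][1])

    # Scenario 2: the most recent entry is dropped; the chain stays consistent.
    truncated = ImmutableJournal()
    truncated._entries = journal._entries[:-1]

    return {
        "intact": journal.verify(anchored_head),
        "rewritten_detected": not rewritten.verify(),
        "truncated_passes_chain_only": truncated.verify(),
        "truncated_detected_with_anchor": not truncated.verify(anchored_head),
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        print(f"{name}: {outcome}")
```

The caveat worth carrying into a real design is the second scenario: a hash chain alone detects modified or missing entries in the middle, but not a copy that simply stops early, so the latest chain hash needs to live somewhere the journal's own storage path cannot overwrite, and the restore procedure should compare against it.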
Organizations that have moved to a zero-trust network design, or are planning the move, can also consider microsegmentation to protect backup copies. Figure 3 shows how engineers might integrate this into our example. Backup copies are isolated on dedicated network segments that only the CDP appliance and an admin workstation can access.
Direct access to the backups in this example is limited to a data center workstation with no access to the internet. It is also kept disconnected from the network except when needed to manage or restore the backups. The workstation is hardened and requires strong privileged access management.
Figure 3: Microsegmentation of Backups
Backups are the primary safeguard against many BCEs. They must enable recovery within the MTDs of all affected critical business functions. This is difficult to achieve with traditional backups, even when tape is no longer used.
Further, ransomware attacks often include making online backups unusable. This makes paying the ransom a requirement for returning to business operation.
CDP addresses these issues by providing quick (and sometimes user self-service) recovery of needed information. The addition of immutability protects backups from ransomware attacks. These two characteristics of CDP enable quick recovery from ransomware attacks and other BCEs.