Principles of Incident Response and Disaster Recovery - PowerPoint PPT Presentation

View by Category
About This Presentation
Title:

Principles of Incident Response and Disaster Recovery

Description:

RAID spreads out data across multiple units, and offers recovery from hard drive ... Used when immediate data recovery is a priority ... – PowerPoint PPT presentation

Number of Views:947
Avg rating:3.0/5.0
Slides: 55
Provided by: polari
Learn more at: http://polaris.umuc.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Principles of Incident Response and Disaster Recovery


1
Principles of Incident Response and Disaster
Recovery
  • Chapter 6
  • Contingency Strategies for Business Resumption
    Planning

2
Objectives
  • Know and understand the relationships between the
    overall use of contingency planning and the
    subordinate elements of incident response,
    business resumption, disaster recovery, and
    business continuity planning
  • Become familiar with the techniques used for data
    and application backup and recovery
  • Know the strategies employed for resumption of
    critical business processes at alternate and
    recovered sites

3
Introduction
  • Contingency planning addresses everything done by
    an organization to prepare for the unexpected
  • IR process focuses on detecting, evaluating, and
    reacting to an incident
  • Later phases focus on keeping the business
    functioning even if the physical plant is
    destroyed or unavailable
  • Business resumption (BR) plan takes over when
    the IR process cannot contain and resolve an
    incident

4
Introduction (continued)
  • Business resumption (BR) plan major elements
  • Disaster recovery (DR) plan lists and describes
    the efforts to resume normal operations at the
    primary places of business
  • Business continuity (BC) plan contains steps for
    implementing critical business functions using
    alternative mechanisms until normal operations
    can be resumed at the primary site or elsewhere
  • Primary site location(s) at which the
    organization executes its functions
  • BR plan operates concurrently with DR plan when
    damage is major or long-term

5
Introduction (continued)
6
Introduction (continued)
7
Introduction (continued)
  • Each component of CP (IRP, DRP, and BCP) comes
    into play at specific times in the life of an
    event
  • 5 key procedural mechanisms for restoring
    critical information and facilitating
    continuation of operations
  • Delayed protection
  • Real-time protection
  • Server recovery
  • Application recovery
  • Site recovery

8
Data and Application Resumption
  • Backup methods must be used according to an
    established policy
  • How often to back up
  • How long to retain the backups
  • What must be backed up
  • Data files and critical system files should be
    backed up daily, with one copy on-site and one
    copy off-site
  • Nonessential files should be backed up weekly
  • Full backups keep at least one copy in a secure
    location off-site

9
Disk-to-Disk-to-Tape Delayed Protection
  • Decreasing costs of storage media, especially
    hard drives and removable drives, precludes the
    time-consuming nature of tape backup
  • Storage area networks provide on-line backups
  • Lack of redundancy if both online and backup
    versions fail or are attacked dictates that tape
    backup is still required periodically
  • Disk-to-disk initial copies are efficient and can
    run simultaneously with other processes
  • Secondary disk-to-tape copies do not affect
    production processing

10
Disk-to-Disk-to-Tape Delayed Protection
(continued)
  • Types of backups
  • Full backup
  • Differential backup
  • Incremental backup
  • Full backup
  • Includes entire system, including applications,
    OS components, and data
  • Pro provides a comprehensive snapshot
  • Con requires large media time consuming

11
Disk-to-Disk-to-Tape Delayed Protection
(continued)
  • Differential backup
  • Includes all files that have changed or been
    added since the last full backup
  • Pro faster and less storage space than full
    backup only 1 backup file needed to restore from
    full backup
  • Con gets larger each day and takes longer one
    corrupt file loses everything
  • Incremental backup
  • Includes only files that were modified that day
  • Pro requires less space and time than the
    differential
  • Con multiple incremental backups are required to
    restore from the last full backup

12
Disk-to-Disk-to-Tape Delayed Protection
(continued)
  • Fastest backup method incremental backups
  • Fastest recovery time differential backups
  • All on-site and off-site storage must be secured
    and must have a controlled environment
    (temperature and humidity)
  • Media should be clearly labeled and
    write-protected
  • Tape media types
  • Digital audio tape (DAT)
  • Quarter-inch cartridge (QIC)
  • 8 mm tape
  • Digital linear tape (DLT)

13
Disk-to-Disk-to-Tape Delayed Protection
(continued)
  • Typical backup scheduling
  • Daily on-site incremental or differential backup
  • Weekly off-site full backup
  • Tape media should be retired and replaced
    periodically
  • Popular strategies for selecting the files to
    back up
  • Six-tape rotation
  • Grandfather-Father-Son
  • Towers of Hanoi

14
Disk-to-Disk-to-Tape Delayed Protection
(continued)
  • Six-tape rotation
  • Uses a rotation of six sets of media
  • Five media sets per week are used with one extra
    labeled Friday2
  • Friday full backup is taken off-site
  • Friday1 and Friday2 are rotated off-site every
    week
  • Provides roughly 2 weeks of recovery capability
  • Variation keep a copy of each off-site Friday
    tape on-site for faster recovery

15
Disk-to-Disk-to-Tape Delayed Protection
(continued)
  • Grandfather-Father-Son (GFS)
  • Uses five media sets per week
  • Allows recovery for previous 3 weeks
  • First week uses first set, second week uses
    second set, third week uses third set
  • Following week starts with first set
  • Every 2nd or 3rd month, a group of media sets are
    taken out of the cycle for permanent storage and
    replaced with a new set

16
Disk-to-Disk-to-Tape Delayed Protection
(continued)
  • Towers of Hanoi
  • More complex approach
  • Based on statistical principles to optimize media
    wear
  • 16-step strategy assumes that 5 media sets are
    used per week on a daily basis
  • First media set is used more often and must be
    monitored for wear

17
Disk-to-Disk-to-Tape Delayed Protection
(continued)
18
Disk-to-Disk-to-Tape Delayed Protection
(continued)
19
Disk-to-Disk-to-Tape Delayed Protection
(continued)
20
Disk-to-Disk-to-Tape Delayed Protection
(continued)
21
Redundancy-Based Backup and Recovery Using RAID
  • Redundant array of independent disks (RAID) uses
    online disk drives for redundancy
  • RAID spreads out data across multiple units, and
    offers recovery from hard drive failure
  • 9 established RAID configurations RAID Level 0
    through 10
  • RAID Level 0 (disk striping without parity)
  • Not redundant
  • Spreads data across several drives in segments
    called stripes
  • Failure of one drive may make all data
    inaccessible

22
Redundancy-Based Backup and Recovery Using RAID
(continued)
  • RAID Level 1 (disk mirroring)
  • Uses twin drives in a system
  • All data written to one drive is written to the
    other simultaneously
  • Is expensive and is an inefficient use of disk
    space
  • Vulnerable to a disk controller failure
  • Disk duplexing mirroring with dual disk
    controllers
  • RAID Level 2
  • Specialized form of disk striping with parity
    that is not widely used
  • Uses the Hamming code for parity
  • No commercial implementations of this

23
Redundancy-Based Backup and Recovery Using RAID
(continued)
  • RAID Levels 3 and 4
  • RAID 3 uses byte-level striping while RAID 4 uses
    block-level striping
  • Parity information is stored on a separate drive
    and provides error recovery
  • RAID Level 5
  • Balances safety and redundancy against costs
  • Stripes data across multiple drives
  • Parity is interleaved with data segments on all
    drives
  • Hot-swappable drives can be replaced without
    shutting down the system

24
Redundancy-Based Backup and Recovery Using RAID
(continued)
  • RAID Level 6
  • Combination of RAID 1 and RAID 5
  • Performs two different parity computations or the
    same computation on overlapping subsets of data
  • RAID Level 7
  • Proprietary variation on RAID 5 in which the
    array works as a single virtual drive
  • May be implemented via software running on RAID 5
    hardware
  • RAID Level 10
  • Combination of RAID 1 and RAID 0

25
Redundancy-Based Backup and Recovery Using RAID
(continued)
26
Database Backups
  • Databases require special considerations when
    planning backup and recovery procedures
  • Are special utilities required to perform
    database backups?
  • Can the database be backed up without
    interrupting its use?
  • Are there additional journal files or database
    system files that are required in order to use
    backup tapes or disk images?

27
Application Backups
  • Some applications use file systems and databases
    in unusual ways
  • Members of the application development and
    support teams should be involved in the planning
    process

28
Backup and Recovery Plans
  • The backup and recovery setting should be
    provided with complete recovery plans
  • Plans need to be developed, tested, and rehearsed
    periodically
  • Plans should include information about
  • How and when backups are created and verified
  • Who is responsible for backup creation and
    verification
  • Storage and retention of backup media
  • Review cycle of the plan
  • Rehearsal of the plan

29
Real-Time Protection, Server Recovery, and
Application Recovery
  • Entire servers can be mirrored to provide
    real-time protection and recovery in a strategy
    of hot, warm, and cold servers
  • Hot server the server in production
  • Warm server backup server that is running and
    may handle overflow work from hot server
  • Cold server offline, test server
  • If hot server goes down, warm and cold servers
    are promoted while the hot server is being
    repaired
  • Bare metal recovery technologies designed to
    replace operating systems and services when they
    fail

30
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Application recovery (or clustering plus
    replication)
  • Applications are installed on multiple servers
  • If one fails, the secondary systems take over the
    role
  • Electronic vaulting
  • Bulk transfer of data in batches to an off-site
    facility
  • Receiving server archives the data
  • Can be more expensive than tape backup and slower
    than data mirroring
  • Data must be encrypted for transfer over public
    infrastructure

31
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
32
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Remote journaling (RJ)
  • Transfer of live transactions to an off-site
    facility
  • Only transactions are transferred in near
    real-time to a remote location
  • Facilitates the recovery of key transactions in
    near real-time

33
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
34
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Database shadowing (or databank shadowing)
  • Storage of duplicate online transaction data and
    duplication of databases at a remote site on a
    redundant server
  • Both databases are updated, but only the primary
    responds to the user
  • Combines electronic vaulting with remote
    journaling
  • Used when immediate data recovery is a priority
  • Also used for data warehousing, data mining,
    batch reporting, complex SQL queries, local
    access at the shadow site, and load balancing

35
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
36
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Network-attached storage (NAS)
  • Usually a single device or server attached to a
    network to provide online storage
  • Not well suited for real-time applications due to
    latency
  • Storage area networks (SANs)
  • Online storage devices connected by fiber-channel
    direct connections between the servers and the
    additional storage

37
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
38
Real-Time Protection, Server Recovery, and
Application Recovery (continued)
39
Site Resumption Strategies
  • If the primary business site is not available,
    alternative processing capability may be needed
  • CPMT can choose from several strategies for
    business resumption planning
  • Exclusive control options
  • Hot sites
  • Warm sites
  • Cold sites
  • Shared-use options
  • Timeshare
  • Service bureaus
  • Mutual agreements

40
Exclusive Site Resumption Strategies
41
Exclusive Site Resumption Strategies (continued)
  • Hot site
  • Fully configured computer facility
  • Duplicates computing resources, peripherals,
    phone systems, applications, and workstations
  • Can be 24/7 if desired
  • Can be a mirrored site that is identical to the
    primary site

42
Exclusive Site Resumption Strategies (continued)
43
Exclusive Site Resumption Strategies (continued)
  • Warm site
  • Provides some of the same services and options as
    a hot site
  • May include computing equipment and peripherals
    but not workstations
  • Has access to data backups or off-site storage
  • Lower cost than a hot site, but takes more time
    to be fully functional

44
Exclusive Site Resumption Strategies (continued)
45
Exclusive Site Resumption Strategies (continued)
  • Cold site
  • Provides only rudimentary services and facilities
  • No computer hardware or software are provided
  • Communications services must be installed when
    the site is occupied
  • Often no quick recovery or data duplication
    functions on site
  • Primary advantage is cost

46
Exclusive Site Resumption Strategies (continued)
47
Exclusive Site Resumption Strategies (continued)
  • Other options
  • Rolling mobile site configured in the payload
    area of a tractor-trailer
  • Rental storage area with duplicate or second
    generation equipment
  • Mobile temporary offices

48
Exclusive Site Resumption Strategies (continued)
49
Shared Site Resumption Strategies
  • Timeshare
  • Leased site shared with other organizations
  • Possibility that more than one organization might
    need the facility simultaneously
  • Service bureaus
  • Service agency that provides physical facilities
    in the event of a disaster
  • May provide off-site data storage

50
Shared Site Resumption Strategies (continued)
  • Mutual agreement
  • Contract between two organizations to provide
    mutual assistance in the event of a disaster
  • Each organization is obligated to provide
    facilities, resources, and services to the other
  • Good for divisions of the same parent company,
    between business partners, or when both parties
    have similar capabilities and capacities
  • A memorandum of agreement (MOA) should be drawn
    up with specific details

51
Service Agreements
  • Service agreement
  • A contractual document guaranteeing certain
    minimum levels of service provided by a vendor
  • Service agreement should specify
  • The parties in the agreement
  • Services to be provided by the vendor
  • Fees and payments for those services
  • Statements of indemnification
  • Nondisclosure agreements and intellectual
    property assurances
  • Noncompetitive agreements

52
Summary
  • Contingency planning includes everything done to
    prepare for the unexpected and recover from it
  • BR plan includes the DR plan for resuming
    operations at the primary site and the BC plan
    for moving to an alternate site if needed
  • 5 procedural mechanisms for restoration of
    critical data delayed protection, real-time
    protection, server recovery, application
    recovery, and site recovery
  • Backup plan is essential
  • Retention period for backups must be specified

53
Summary (continued)
  • 3 types of backups full, differential, and
    incremental
  • RAID systems provide online disk drives for
    redundancy
  • Databases require special considerations for
    backup and recovery planning
  • Mirroring and duplication of server data storage
    provide real-time protection
  • Electronic vaulting, remote journaling, and
    database shadowing store data at remote locations

54
Summary (continued)
  • Business resumption strategies include hot sites,
    warm sites, cold sites, timeshare, service
    bureaus, and mutual agreements
  • Service agreements guarantee certain minimum
    levels of service by the vendor
About PowerShow.com