Data breach reporting: A job killer or business saver?

There’s quite a brouhaha bubbling up Down Under.

It all stems from a Sydney Morning Herald opinion piece written by the CEO of the Association of Data Driven Marketing and Advertising opposing the mandatory data breach reporting law introduced to the Australian Parliament by federal attorney general Mark Dreyfus.

The CEO, Jodie Sangster, raised some eyebrows (and generated plenty of pro and con internet content) by referring to a mandatory data breach reporting law as “Luddite thinking” that would be “an innovation killer and the extra compliance red tape will strangle technology-related organizations throughout the economy.”

Sangster’s biggest problem with the legislation is the lack of a clear definition of “serious harm,” a term introduced by Dreyfus in his own previous opinion piece. In it, he writes that “(b)usinesses will not be unfairly burdened by the proposed laws because the notification requirement will apply only to serious data breaches that may cause harm to individuals.”

Here’s what Sangster believes is the end result of a law without a clear definition of “serious harm”:

… will likely cause organizations to adopt the most risk-averse internal policy setting. This, in turn, will lead to the over-reporting of relatively minor data errors, as compliance managers act to protect their organization from prosecution.

It will also tend to penalize those with the most sophisticated data management systems, since they are the ones more likely to pick up on data errors. Small to medium businesses will likely take a “see no evil, hear no evil” approach; they will put off investments in data-driven technology for fear it will come back to bite them.

The costs will fall relatively more heavily on smaller entities – the innovators of the Australian digital economy – who don’t have sufficient internal resources dedicated to compliance. They will find themselves spending more time managing the reporting process and less on managing the right outcome for customers.

Interesting points, for sure. But regardless of what an organization is required to do by law, many security experts would still suggest that it notify customers of any data breach itself before somebody else does.

Last month, we wrote a blog post entitled “Experts: Be fast and forthcoming with details of a data breach.” It excerpted a Dallas Morning News story, with these quotes from Javelin Strategy & Research senior analyst Al Pascual:

“Release clear, descriptive, and prompt notifications,” Javelin said. “Notifications that describe in detail how a breach occurred can bolster an organization’s claims that they have corrected the security vulnerability … restoring some degree of confidence among consumers.”

Shutting down about information is the worst thing a business can do in a data breach.

“To avoid having a breach event’s narrative hijacked by the media or by adversarial organizations, prompt disclosure is imperative,” Javelin said. “A loss of control can imperil an organization’s reputation, diminishing the trust of business partners, consumers, and shareholders.”

In the same post, we pointed out an article by Healthcare IT News associate editor Erin McCann that has strikingly similar advice from Gerry Hinkley, a partner at the Pillsbury Winthrop Shaw Pittman law firm who spoke at a HIMSS Media and Healthcare IT News Privacy and Security Forum.

Hinkley’s message: “Don’t give in to individuals who want to sugar coat this. … You do much better really saying what happened up front.” He said proper breach response can help limit cost, avoid litigation and help retain the integrity of the organization.

Let the debate continue.


Sydney Morning Herald: Data breach law a jobs killer

Sydney Morning Herald: Online privacy breaches a concern for us all


Experts: Be fast and forthcoming with details of a data breach

Americans agree government must do more to protect data, but can the government act?

Another U.S. retailer discovers the real cost of card holder data theft: customer loyalty

Posted in HIPAA Compliance, Information Technology Tips, PCI Compliance

The next big retail fraud? Jimmy John’s investigating possible data breach

Unauthorized activity on credit cards recently used at Jimmy John’s locations has led the sandwich chain to work with authorities on an investigation of a potential data breach. first reported on the issue Thursday, stating the chain “did not return calls seeking comment for two days” (not Freaky Fast) before issuing an email statement that it is “investigating the situation” and will provide an update “as soon as we have additional information.”

Financial institutions contacted by witnessed “card-present” fraud that allowed criminals to create copies of credit cards.

Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software. This was the case with mass compromises at previous nationwide retailers including Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and Goodwill Industries.

Jimmy John’s has more than 1,900 stores across the United States.

Sandwich Chain Jimmy John’s Investigating Breach Claims


What took so long? How data breaches can go months without being detected

Data breaches ending careers “right to the top” of C-suite

Posted in Information Technology Tips, PCI Compliance

Potential for undetected breaches is CFOs’ biggest cybersecurity concern

Ever wonder what your company’s CFO is most worried about when it comes to cybersecurity? We may have your answer.

Dig deep down through Grant Thornton LLP’s bi-annual survey of CFOs and other senior financial executives for a pretty good hint. Right there on page 23 of the 28-page report:

What are your business’s top cybersecurity and data privacy concerns?

59% — Potential for undetected breaches
54% — Customer/client data privacy
50% — Unknown and identified risks
42% — Employee and workplace data privacy
32% — Compliance with data security laws

(Respondents were able to select more than one answer.)

More from the report: “Forty-two percent of chief audit executives listed data security/privacy as a risk area that has the potential to impact growth, and 70% include this risk in their internal audit plan. More than 40% of in-house counsel claim that the risk of a cybersecurity/data privacy breach has increased in the past year, but 17% are unsure what was being done to deal with these risks in their organization.”

(Oh, and here’s some good news from that same report: Sixty-eight percent of CFOs expect an increase in the average per-employee salary over the next year!)

Grant Thornton Spring 2014 CFO Survey


What took so long? How data breaches can go months without being detected

Data protection and the cloud

Data is money: Just as money belongs in a bank, data belongs in a data center

Posted in Information Technology Tips

Up your HIPAA IQ with a little HIPAA FAQ

Are you wondering what all the HIPAA fuss is about? Here are a few basics to get you started, along with references to in-depth videos along the way.

What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996 that specifies laws for the protection and use of Personal (or Protected) Health Information (PHI) which is essentially your medical record. HIPAA was intended to ease the sharing of Personal Health Information (PHI) between entities that have a need to know while maintaining an acceptable and reasonable level of privacy to the individual whose information is at stake.

What is HITECH?
In 2010, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in order to update HIPAA rules and to provide federal funds for deploying electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH upgraded HIPAA because medical records were now in digital form, and as a result, they needed new rules for protection and availability.

What does HIPAA cover?

HIPAA covers the Privacy, Security and Enforcement rules of PHI. The Privacy and Security rules contain information on how one must treat PHI (whether it’s electronic or not). The enforcement rules specify what happens if you don’t (the penalties).

The 3 pillars of HIPAA are:

  1. Integrity of information – the medical record must be accurate
  2. Confidentiality – The medical record should only be seen by those with a need to know and all uses of that data should be knowable by the individual.
  3. Availability – The medical record must be available, in essence, no reasonably avoidable downtime.

Who’s the Boss for these rules? Are the HIPAA police real?
The Acts are administered by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). It is the OCR that has the right to enforce, audit, fine and charge companies and individuals for violations of the Act. The OCR interprets the law in the Act and writes the rules and regulations.

What are the rules and regulations?
The rules and regulations are documented in the Code of Federal Regulations (CFR). Parts 160 and 164 of the CFR are the two that pertain to HIPAA. When someone says they adhere to HIPAA rules, it means they adhere to the paragraphs in the Parts. For example, one of the paragraphs says:

Paragraph 164.308(a)(1)(i) Standard: Security Management Practices – Implement policies and procedures to prevent, detect, contain, and correct security violations.

We are then required to do precisely what it says – prevent, detect, contain and correct security violations. At Online Tech, we have such a written policy and in that documented policy we reference this paragraph number. Note that these rules say nothing about how you achieve these objectives – that is what we decide and document in our policies.

What do the rules say we must do (and not do)?

  • Protect the Availability, Integrity and Confidentiality of PHI
  • Have Business Associates Agreements with any vendors that touch protected health information (PHI)
  • Report any violations of PHI misuse to the OCR (yes, we actually must snitch if we see violations to the statutes).

The rules do not specify any particular technology platform or design, just that you must secure the data. There are industry best practices that regulators assume you would use, such as the NIST standards for protecting data; if you don’t, they would likely consider you negligent.

What are all these “safeguards” about?

The requisite safeguards in the HIPAA Privacy and Security rules are divided into three different sections: Administrative, Physical, and Technical.

  • Administrative safeguards are things like security training for all employees, or policies to never access client data.
  • Physical security includes things like requiring two forms of authentication in order to open the doors in our data center. It might be a combination of a badge, fingerprint, PIN code, or key fob – anything that requires at least 2 things to prove you are who you say you are.
  • Technical security includes things like making sure that anti-virus software is on your server or using 2-factor authentication for remote VPN connections to a server.

What are the penalties for violating HIPAA?
The penalties for violating HIPAA rules are severe and range from $100 to $50,000 per violation (or per record) up to a maximum of $1,500,000 per year, and can carry criminal charges which could result in jail time. They are incurred if more than 500 records of PHI (or ePHI, Electronic Personal Health Information) are released to the public in unencrypted form.

Serious stuff. The fines and charges are broken down into 2 major categories: “Reasonable Cause” and “Willful Neglect”.

  • Reasonable Cause ranges from $100 to $50,000 per incident (release of 500 medical records) and does not involve any jail time.
  • Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.

What does it mean to have a HIPAA audit?
A HIPAA audit means that you have performed a diligent risk assessment against the latest OCR HIPAA Audit Protocol. Let’s be honest: none of us can truly, objectively assess ourselves. Get an independent, third-party opinion or if you are working with a Business Associate and sharing protected health information (PHI), make sure to ask them for a copy of their independent assessment report. Then read it! You should see evidence of strong administrative, physical, and technical safeguards that protect patient information.

What is a Business Associate (BA)?
There are three types of entities described in the statute. The first is the patient. That’s easy. The second is the Covered Entity (CE) and the third is the Business Associate (BA). The CE performs medical services on the patient and has the most trusted access of the information. A hospital or an insurance company is a CE.

A BA is someone contracted by a CE for services that involve the exchange of patient information (PHI) in order to perform the contracted service. A traditional BA is a bill processing company that sends medical invoices and processes payments. They have and need access to the patient information (name, address) and the medical record (diagnosis code, charge etc.) to perform the work for the CE.

Is my business considered a Business Associate?
If your company comes into contact with patient information, you are considered a Business Associate. At first, not everyone was convinced that cloud providers were indeed Business Associates, until David S. Holtzman of the Health Information Privacy Division of OCR clarified the point during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute:

“If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service”

Another point OCR makes is that business associates must also adhere to the Breach Notification Rule – including the subcontractors of business associates. Covered entities and business associates should take note – the document also states that “these proposed changes would make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.”

When is a BAA required?

A Business Associate Agreement is required whenever a client is storing, processing or transmitting protected health information (PHI).

Does choosing a HIPAA compliant Business Associate make your business HIPAA compliant?

No. Every company must do its own risk assessment and mitigation planning that is specific to its own processes and procedures. That said, if you are working with a vendor who has performed the same level of due diligence, it saves you from having to spend a lot of time and money researching and detailing their protective practices for patient information. In our case, we provide all of our clients with our complete, independent HIPAA audit report. In turn, they can share this with their auditors to save time and money during their own audit.

What about encryption? Is it required?

Yes and no. Encryption is listed as “addressable” in the technical safeguards, instead of “required”. Why? The healthcare information ecosystem is wildly diverse, and there are many different ways of protecting patient information. The easiest way to prove you meet this requirement is to use AES 256 bit encryption on all data to the NIST standard. If you have adequately encrypted the data, then you are NOT required to report a data breach as long as the encryption keys have not been jeopardized and patient information remains safely encrypted.

If you opt not to use the recommended AES 256 encryption, it’s on you to prove that your method is as good as, or better, than the NIST standard. If you can’t prove that your protections meet or beat the NIST standard, you may be liable for penalties that fall into the expensive “negligent” category.
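As an added illustration of the encryption safe harbor described above (not code from the original post or from Online Tech), the following Go program encrypts a constructed PHI record with AES-256-GCM from the standard library and then applies the FAQ’s reporting rule to hypothetical loss scenarios. The Incident type, its fields and the sample record are this example’s own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext PHI with AES-256-GCM, a NIST-approved
// authenticated mode. A fresh random nonce is generated per call and
// prepended to the ciphertext so the caller stores one blob.
// The key must be 32 bytes (256 bits); anything else is rejected.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Because GCM authenticates the ciphertext,
// a modified blob or a wrong key yields an error, never garbled PHI.
func Decrypt(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Incident is a hypothetical description of what left the organization's
// control; the type and its fields are this example's own, not HIPAA terms.
type Incident struct {
	Records        int  // number of PHI records involved
	Encrypted      bool // the data existed only as Encrypt() output
	KeyCompromised bool // the encryption key was also exposed
}

// Reportable applies the safe-harbor rule as the FAQ states it: PHI that
// was encrypted and whose key was not jeopardized need not be reported
// as a breach; unencrypted PHI, or ciphertext together with its key, must.
// The record count does not change the yes/no answer here.
func Reportable(inc Incident) bool {
	return !(inc.Encrypted && !inc.KeyCompromised)
}

func main() {
	// Constructed sample key; real keys come from a KMS/HSM, never source code.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("patient=Jane Doe;dx=E11.9;charge=120.00") // constructed sample
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes), first bytes: %x\n", len(blob), blob[:8])
	fmt.Println("ciphertext lost, key safe, reportable:", Reportable(Incident{Records: 600, Encrypted: true}))
	fmt.Println("ciphertext and key lost, reportable:", Reportable(Incident{Records: 600, Encrypted: true, KeyCompromised: true}))
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```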

What are some other HIPAA best practices?

There are a few things that clients should do as it will help with their audit:

  • Document data management, security, training and notification plans
  • Enforce a password policy for client access
  • Encrypt PHI data whether it’s in a database or in files on the server
  • Do not use public FTP; use other methods to move files
  • Only use VPN access for remote access
  • Implement login retry protection in the application
  • Document a disaster recovery plan

What other questions do you have about HIPAA? Leave them below, and we’ll answer them in future posts.

Posted in Cloud Computing, HIPAA Compliance

Converge conference in Detroit: Before finding data breach solution, be sure your business is ready to receive it

More from the Converge information security conference in Detroit, this time recapping Enterprise Security Back to Basics presented by Joel Cardella, the director of information security, IT security, governance, risk and compliance at Holcim US.

(Also see a recap of Thursday’s The Challenge of Natural Security Systems.)

Why this back to basics talk? Cardella feels we’re being beguiled by all these large breaches that push people to a solution they aren’t yet ready to receive. He holds that the importance of this talk is getting organizations mature enough to be ready to buy what vendors are selling. It’s about asking if your company is sure you need what is being offered.

The goal is to move security from the normally reactive InfoSec posture to a proactive one. Each single record lost is worth $145 in a data breach. That’s up 15% this year from last year. When breaches affect thousands, or even millions, of records the cost is incredible.

Cardella defines risk as:

Threats x Vulnerabilities x Time = Risk

Threats are not something we can control. Vulnerabilities are things we can control and influence, both directly and indirectly. Time is also in our control. Taking care of something quickly can help drive the risk down. The point: Do what you can to secure your company as quickly as possible to immediately lower risk within your organization.

Cardella’s back-to-basics list:

  • Security requires resources; you must invest in order to get a return.
  • Act/think like an adversary.
  • Find and understand what’s happening in your network. Find your baselines.
  • Document everything. Especially if you deal with audits, you want to have everything written down.
  • Make a plan. Write that plan down. Even if it’s simple, write it down, and then flesh it out over time.
  • Keep your scope small.
  • Go back and do it all again. Verify, and find the things you missed.

Cardella says that in IT, it’s important to understand your business, and how the IT infrastructure supports that business. Knowing how your business uses the infrastructure means you can create and change it to be more effective and secure in the future.

Another really important basic is network segmentation. Not allowing systems to talk to each other freely within a network means that an attacker who has access to one section cannot use it to break into a different section. He admits that this takes a lot of time, and it’s important to seek out an expert who can help with firewall implementation. You also need to test to be sure that your network is actually segmented, not just that it should be.

Managing the accounts that are on your system is incredibly important, and goes back to understanding how your company works, and who needs what access. Restrict access to employees and vendors to a need to know. Set up a classification scheme in order to determine the sensitivity of data, and thus what access is necessary for certain users in order to get to the information they need.

At the end of the day, Cardella explains that there is no magic bullet. InfoSec is multi-layered and multi-disciplinary. It costs time, money and resources. Focus on the implementation, not just the technology – that’s where much of the problem is.

Humans are the weakest link, so you can’t take for granted that a great technology is implemented correctly. Always ask “Are you sure?”, and prove that you’re secure through trials, testing, changing and repeating.


Converge conference in Detroit: InfoSec organizations must learn, modify and adapt like organisms

Online Tech opens its doors to fast-growing tech hub of Metro Detroit

Posted in Information Technology Tips

Want a good job? Study computer or information science

Momma, don’t let your babies grow up to be cowboys. Don’t let ‘em pick guitars and drive them old trucks. Make ‘em be software engineers and network systems analysts and such.

With apologies to Waylon Jennings, it’s true that a recent study by the US Education Department found that more than 95 percent of computer and information science students were employed full-time four years after graduation. Engineering graduates had similar success.

The findings are based on a survey of 17,110 students conducted in 2012, about four years after the students obtained their bachelor’s degrees.

And there’s this: Just 16 percent of the students had STEM (science, technology, engineering, math) degrees, but those who did were paid significantly better than their counterparts.

Speaking of tech jobs, Online Tech is currently looking for senior sales engineers and a data center facilities engineer. Check out our careers page for details.

Associated Press: Survey finds math, science grads earn top dollar

Posted in Information Technology Tips, Online Tech News

Converge conference in Detroit: InfoSec organizations must learn, modify and adapt like organisms

Today is Day 2 of the Converge information security conference at Detroit’s Cobo Center, and it promises to be full of significant insights into IT security within organizations.

Here’s a recap of one of Thursday’s sessions, The Challenge of Natural Security Systems, presented by Rockie Brockaway, the security practice director at Black Box:

Brockaway started with a really important point: Information security is currently viewed as a tactical response within companies, when it should be treated as a function of the business. InfoSec’s role is to prevent the loss of business-critical data, promote innovation within other parts of the company and protect the brand. One of the biggest hurdles in InfoSec, Brockaway explains, is understanding what a company’s critical data is, and where it’s stored. Without that information, there’s no way to fully protect it and vulnerabilities will be created.

Another issue within enterprise InfoSec is the obsession with static models like walls. If a security measure is put into place without learning, modifying and adapting from new information, it will eventually be circumvented and will become useless.

So what should companies do to become more adaptive? Brockaway looks at businesses as similar to animals, with small systems making up a larger organism. Using characteristics of adaptable organisms, he found traits that will help in the business sense.

First, he says, learn from your successes. There is value in understanding mistakes, but analyzing what is working helps give more information about attacks. The next is setting up a company in a semi-autonomous fashion, with little central control. One of the biggest issues with centrality is the issue of a single point of failure. Redundancy is key to the survival of a system, and with no redundancy, one issue could be devastating.

Another trait Brockaway mentions is the ability to use information to mitigate uncertainty. An animal survives by evaluating its surroundings and being aware of potential danger. Understanding a corporate IT environment and continuing to assess the surroundings means being able to see when things are out of the ordinary, and fixing potential vulnerabilities.

Lastly, Brockaway states that in order to be adaptable, organisms have many symbiotic relationships with other organisms. He translates this to having relationships with solution providers that can help open up a company to mutual benefits and stronger security.

There’s more to come about information security, so stay tuned! The Converge conference concludes today and it is followed Saturday by BSides Detroit.

Online Tech opens its doors to fast-growing tech hub of Metro Detroit

Posted in Information Technology Tips

Online Tech opens its doors to fast-growing tech hub of Metro Detroit

The Metro Detroit area has been one of the country’s fastest-growing technology hubs for years, topping that list in 2012 and placing fifth in 2013.

In its 2014 Technology Industry report, Automation Alley says the automotive capital of the world has “quietly become a leader among the nation’s technology economies,” the largest tech hub in the Midwest with a growth rate significantly higher than more traditional technology regions like Silicon Valley.

Online Tech’s Metro Detroit data center.

“Everyone in Michigan knows the exciting story that is emerging, but Detroit has been under the radar nationally,” Online Tech co-CEO Mike Klein said in a press release announcing the company’s new Metro Detroit data center will officially open on August 1. “With smart people like Dan Gilbert making major investments in a wide range of local technology businesses, there is now a vibrant community of startups in Detroit that rivals anywhere in the country.”

As the installation of Henry Ford’s first moving assembly line transformed Detroit’s industrial past, world-class data centers will provide the infrastructure necessary to make today’s Motor City more productive and profitable, and also prepare the burgeoning tech scene for the next several decades.

More than a year ago, Online Tech co-CEO addressed this topic in a video entitled Data Centers Come to Town:

“You can’t have a really successful community with lots of high tech activity if there’s not a single intellectual property lawyer in town or a single accountant that knows how to do depreciation for software. Companies end up leaving those areas because they can’t get important help,” he said. “(Similarly, data centers) are seen as an important piece of the infrastructure. You can’t be a technology corridor if you don’t have at least one or two data center providers.”

Note: Tours of Online Tech’s new Metro Detroit data center are available upon request.


Request a visit of Online Tech’s fourth Great Lakes data center in Metro Detroit

Online Tech ready to meet Metro Detroit’s growing IT infrastructure demand

Smitten with the mitten: Online Tech honored for improving economy in state of Michigan

Celebrating Michigan’s metamorphosis to a digital, science and technology base

Metro Detroit has ‘become a leader among the nation’s technology economies’

Posted in Data Centers, Michigan Data Centers, Online Tech News

Americans agree government must do more to protect data, but can the government act?

The National Consumers League released a study last week based on surveys of identity fraud victims across the United States. It claims that just 28 percent of victims think the government’s requirements for protecting healthcare and financial data are sufficient.

“In this polarized political climate, it’s rare for Americans to express such agreement on any issue,” Al Pascual, a senior analyst at Javelin Strategy & Research, said in a press release. Javelin was a partner in the study. “But when it comes to the security of their personally identifiable information, the respondents said with one voice that the government must do more.”

With that kind of support, government action is assured. Right? Well, not so fast.

Let’s back up a few weeks to a significant political occurrence: Eric Cantor, the Majority Leader in the House, losing his Virginia primary to Dave Brat. In the words of political pundits – which we certainly do not claim to be – voting the No. 2-ranking Republican out of office is a sign of continued political gridlock. (Just Google ‘Cantor loss gridlock’ and read multitude of headlines.)

So what’s the tie-in to data breaches? An article by Eric Chabrow on titled Cantor’s Defeat: Impact on Breach Law.

Chabrow, the executive director of and, had this to say about the election result:

The rout of the No. 2 Republican in the House – Cantor lost by 11 percentage points – makes other lawmakers timid to act on nearly any bipartisan bill, even on what many would consider common-sense legislation. It’s a toxic atmosphere in Congress, which explains why a data breach notification measure and other cybersecurity reforms can’t get passed and sent to the Oval Office for President Obama’s signature. The current Congress is on the way to enact fewer laws than any since the 1940s.

Another obstacle: Getting lawmakers to agree on the bill’s language. There may be widespread agreement on a need for a national data breach notification law, but not necessarily on its provisions. Plus, business lobbyists likely will try to water down data breach legislation provisions to make them less onerous, and in turn help businesses save money. If those lobbyists succeed, support among consumer advocates in Congress for a national law could evaporate.

So if there’s little hope for a national law any time soon, at least state governments are taking action.

Just last month, Kentucky became the latest state to enact a data breach notification law that requires companies to provide notice to Kentucky citizens when a security breach involving personal data occurs. That leaves Alabama, New Mexico and South Dakota as the only states without notification laws. (The District of Columbia, Guam, Puerto Rico and the Virgin Islands are also on board).

Elsewhere, states that already had security breach notification laws are getting tougher. On July 1, a new Information Security Act took effect in Florida that repeals the state’s previous data breach notification law and increases companies’ reporting obligations and liability in the event of a data security breach. (Notable is the fact that Florida has more identification theft complaints per capita than any other state in the nation.)

But back to Chabrow, who argues that different rules in different states aren’t the best solution.

… States, for instance, differ on the number of days before organizations notify consumers their accounts might have been breached. Different rules for different states make it tough for businesses operating nationally because they must adhere to 47 different state statutes.

“The nuances of breach notification laws across the country … further complicate responding to multi-state breaches,” says Joseph Lazzarotti, who heads the privacy, social media and information management practice at the Jackson Lewis law firm in Morristown, N.J. “Companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided.”

Creating uniform national requirements for data breach notification through federal legislation would seem to be a no brainer that business would back. In fact, lawmakers have introduced nine bills in this Congress that address data breach notification, according to a congressional database. But don’t count on Congress to pass any of them. Cantor’s defeat for the Republican nomination for the House seat in his Richmond, Va.-area district exacerbates the situation.

New Javelin Strategy & Research/National Consumers League study: Consumers losing trust in businesses, expect government action on fraud and data breach

Cantor’s defeat: Impact on breach law

Florida overhauls data breach notification law

Commonwealth of Kentucky enacts data breach notification law


OCR audit requirements following a self-reported HIPAA breach



Don’t Strand your Data (Stranded Backups)

Co-CEO, Online Tech

As a sailor, the notion of being stranded is really, really scary. As remote as the possibility (and location) may be, you have to develop a contingency plan for the rare event that you might find yourself in that predicament. The plan has to contemplate extreme isolation for long periods of time and/or risky transit back to society. But the plans can be so onerous to imagine that you put them away once they are developed and don’t bother to remind yourself of them, except to know they are there. Then, if the unexpected happens, you pull out your backup plan. If done right, it can save your life. It’s why sailors say every trip should be two way, there AND back (unless you go all the way around).

Your data’s life is much like that sailor. Your data needs to be backed up from a production environment AND it needs to be able to get back to a production environment in the case of disaster. But most offsite backup solutions leave your data in isolated locations with many barriers creating risky or unreliable transit back to your production environment. That sounds like a stranded backup plan to this sailor.

Traditional Backup-as-a-Service providers back up data from your server or laptop to an undisclosed data center or storage location. Most often, you don’t know the physical location where your backup data resides. If you have no idea where your data lives, how would you know if it was in the path of a pending hurricane or tornado? How could you prepare or react in advance? If you don’t know the physical location of your backup data, you might as well consider it stranded.

Let’s say that you DO know where your data lives, and you have significant volumes of mission-critical data. How do you get all of that data back to a ready-to-go production environment so you can restore normal operations before the health of your business systems is severely compromised?

One class of backup solutions includes cloud-backup providers like Mozy, Carbonite, Duva, VaultLogix etc. There are hundreds of companies that allow you to replicate data from your servers (or laptops etc.) to their storage environment. While this provides “point-and-click” backup, I’ve always been struck by what you must go through if you actually experience data loss and have to recover your backup data. Consider the following scenario.

Let’s say you have 500 GB of data from 4 servers backed up with a backup service provider. Your recovery begins with a search for servers, network, and other infrastructure to which you can restore your data. That can be very time consuming if you haven’t invested in redundant infrastructure and already have it standing by. Whether you are buying it after experiencing a disaster and need everything expedited, or purchasing it in advance, it will be expensive. Next, you have to get the data from that backup silo, wherever that is, onto that new infrastructure, wherever that is. If you have funded redundant equipment, housed somewhere, in various states of readiness to power up, you have a backup service that has your data and, separately, an infrastructure stack sitting somewhere to take that data. This model has even worse IT resource utilization than most physical servers; you’re paying for it, but can’t use any of those resources in the meantime.

This approach ignores the fact that there’s already a ton of infrastructure stood up and available, thanks to the advent of cloud and hosting business models. These business models depend on the ability to turn up new infrastructure quickly, with appropriate incentives for fast deployments: the sooner they can deploy, the sooner they can start billing. This means they already have “at-the-ready” infrastructure. Better yet, you don’t pay for it until you need it. Imagine if your data was backed up to a data center with a complete spectrum of on-demand infrastructure at your disposal that you could contract and pay for only when you need it.

Bottom line? Don’t strand your data in some unknown place that can only send it back to you – at a really slow rate. Back up your data to a location that can immediately begin helping with your restoration and provides local access to your backup data from on-demand infrastructure.

Data is money: Just as money belongs in a bank, data belongs in a data center
Data protection and the cloud
Disaster Recovery white paper
