Hot Spots: Protecting the unprotected

You've been warned: Unprotected laptops may be putting your company's data at risk.

This article can also be found in the Premium Editorial Download: Storage magazine: A look inside Hitachi's TagmaStor high-end arrays:

No question, enterprise organizations are careful about protecting their storage assets. Backing up storage area networks (SANs) and network-attached storage (NAS) is a nightly operation, and storage security is becoming a critical piece of the overall security puzzle. Protecting information assets is so important that much of the storage industry is focused on this space. Larger vendors such as EMC, IBM, StorageTek and Veritas earn...

huge chunks of their revenue with data protection products and services, while data protection startups such as FilesX, Neartek and Revivio are gaining attention in data centers.

While terrorist threats, regulatory compliance and security have ignited the data protection market, there remains a dramatically underserved piece of the information infrastructure: corporate laptops. The Enterprise Strategy Group (ESG) estimates that a mere 20% to 25% of enterprises provide data protection services for these mobile PCs. Many companies that claim to offer laptop data protection simply mandate that users move critical files to corporate servers. That's hardly a 21st century solution.

The dangers are real
Why is laptop exposure so pronounced? Because when it comes to laptop data protection, many firms still don't get it. Storage managers often adopt a "what's the big deal" attitude, assuming that critical corporate data is stored on the back-end Symmetrix, while laptops remain the domain of PowerPoint presentations, rogue applications and MP3 files. That type of thinking isn't only outdated, it's also dangerous. Laptop data protection is paramount for three reasons:

  • Laptops contain critical data. In recent years, laptop computers containing sensitive data from organizations such as the Australian Department of Defense, GMAC Insurance and Wells Fargo Bank have been stolen. While petty thieves probably grabbed these laptops, public exposure of this data could put companies--and potentially countries--at risk. What's more, if companies don't have backup copies of the information stored on their laptops, they'll face additional problems as they try to rebuild lost data based on older versions and human memory.
  • Laptops are always at risk. Unlike SANs that live in locked data centers, laptop computers are mobile and are more likely to be damaged or stolen. According to computer insurance firms, laptop theft is a billion-dollar industry that's growing. Even when laptops are stationary, they're easy to compromise. Disgruntled employees can easily grab a laptop on their way out the door, while a third-shift IT administrator could walk into the CFO's or CEO's office, reformat the hard drive on their laptops and destroy all the system data.
  • Lots of laptops mean lots of data. Suppose a company has 10,000 employees and 25% of them have been issued laptops. If the average laptop has a 40GB hard drive, that's a total of 100TB of unprotected data. Yes, some of this capacity will be unused or contain non-critical data, but much of it will store data that needs to be protected.
As PC prices continue to decline, many companies have opted to provide laptop computers to all employees, thus exacerbating the threat to laptop-resident data.

Clearly, mobile systems can no longer be ignored, but the scope of laptop backup can present a daunting challenge. After all, backup policies, operations and management of thousands of distributed systems are difficult, even under the best of circumstances. Rather than simply delve into the latest versions of available backup tools, smart storage managers should take a project-oriented approach to laptop backup by following these five steps:

  1. Determine the scope and business strategy. The brute force approach to laptop data protection would be to back up all laptops all the time. This would accomplish the goal of protecting critical mobile data, but at a heavy capital and operational cost. A more prudent strategy is to find a solution that meets business, financial and technical goals. How many users should really be covered? What's the actual data that needs protection? Is the data unique or do copies of that data reside on corporate (and protected) assets? Where do the users live? Are they truly remote or do they travel out of the home office? What type of network access do these users have--broadband or dial-up? Answering these questions will determine the real need and give IT architects a blueprint for the appropriate solution design.
  2. Explore your technical options. Some storage managers may immediately default to a familiar Legato or Veritas backup product. This may be the right direction, but these systems were architected for server backup, so it's worthwhile to investigate more PC-centric alternatives such as iFolder from Novell or LiveBackup from Storactive. Because of their PC-friendly architecture, these tools may provide administration, management and reporting benefits for enterprises that want to manage laptop backup independent of back-end systems. Given the cost and administrative effort of backing up numerous distributed systems, it's also worth considering backup services from providers such as Arsenal Digital, Connected and LiveVault. A backup service may look pricey at first glance, but could actually be a bargain on a TCO basis. To do a true comparison, build a model that factors in administrator time, software licensing, maintenance and equipment costs.
  3. Link data protection with laptop security. Backup is critical, but you also want to protect your assets against theft and minimize damages if a laptop gets stolen. To implement best practices, storage managers should engrave laptops with company names and serial numbers, password-protect laptops at the BIOS and system level and encrypt file systems or critical directories. For the most critical-use laptops, consider physical locks and cables from Kensington or Kryptonite as well as alarms and tracing services from companies such as Caveo, Targus and TrackIT.
  4. Train administrators and users. If you decide to administer a solution on your own, make sure that administrators and help desk personnel are well trained and can spot and remedy problems as they arise. This not only involves product training, but also means understanding user requirements, business processes and IT methodologies. Users should monitor backup activities, report problems and help storage managers improve their backup processes through regular feedback. On the security side, it's up to laptop owners to be attentive to security and use common sense to protect their systems and the mission-critical data they contain.
  5. Develop a process for laptop replacement. Inevitably, even the most meticulous data protection can't prevent the occasional laptop theft or damage. What happens when your best salesperson's laptop dies on a key sales call at the end of the quarter? Smart storage managers will anticipate these occurrences by creating a laptop replacement process. Again, the key here is to assess the business need. Keep a few spares on site to overnight to remote users who need immediate replacement and make sure you can rebuild the laptop and files so you can ship a bootable, no-hassle system. For the majority of users who can work on a borrowed laptop for a few days, build a more cost-effective process that's less of a fire drill, but efficiently provides a replacement unit.
Bottom line
Laptops are ubiquitous and important pieces of the overall IT infrastructure, so data protection can be just as important for mobile devices as it's for back-end systems. To adequately protect the potentially massive amounts of data stored on these devices, enterprises must acknowledge the importance--and risks--of mobile computing tools and start building processes to protect their data.

Because laptops adhere to different business processes and technical restrictions, it's best for storage managers to take a ground-up approach. Think outside the box in terms of technical solutions, as well as processes, and don't forget to include overall laptop security in your plan. A comprehensive plan will keep users happy and prevent embarrassing headlines or costly intellectual property theft.

This was first published in September 2004

Dig deeper on Secure data storage

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSolidStateStorage

SearchVirtualStorage

SearchCloudStorage

SearchDisasterRecovery

SearchDataBackup

Close