Published: 12 Sep 2002
The further data gets from the data center, the harder it is to manage. When employees work on the road or remotely - which IDC estimates 47 million corporate users will do this year - IT has little choice but to create an effective policy for managing far-flung storage. And that includes not only laptops and PDAs on the road, but also home office computers. Roughly 30 million employees last year engaged in some sort of telework during the workweek, according to a Cahners In-Stat survey.
The stakes for IT are high. The Computer Security Institute estimates that when a single laptop is lost or stolen, it costs $32,000 on average to replace data and proprietary information. And PDAs - although they may seem cheap and unassuming - were pegged with a hefty replacement cost of $2,500 in a recent Gartner study. "There's so much more mission-critical corporate data on mobile devices now," says Stephen Drake, an IDC analyst. "IT is forced to take them seriously - and to think about things like management, administration and security because of the growing mobile workforce."
Ensuring the security of mobile or at-home data is a complex job for security professionals. But when it comes to preventing data loss and preparing for disaster recovery due to disappearing equipment, imploding hardware or user fumbles, the buck stops with IT storage managers. Laptops and home office computers require backup schemes that - like good enterprise desktop procedures - require as little user intervention as possible (see "Local backup for laptops"). PDAs need workable backup and synchronization procedures - or read-only applications that minimize the impact of loss or theft.
Like it or not, enterprise data will keep circulating in a wider and wider orbit around the heart of the enterprise. Halfhearted attempts at managing data at the outer edge invite disaster, and even concerted efforts can run amok. Lesson by lesson, IT is learning how to cope.
Corralling far-flung hard drives
Any worthwhile IT department implements regular network backups and has a plan for disaster recovery. But managing remote laptops or home computers is a different kettle of fish. No one is there to crack the whip in person, so a mature, automated backup process is mandatory; studies show only one out of 10 employees performs manual backups. Also, unless remote users connect via a VPN, encryption during remote network backup is a must, and even over a VPN the staged copy on the laptop and the stored copy on the backup server still need protecting in their own right. And with connections often sporadic and/or dial-up-based, backup software needs to minimize connect time.
At Deluxe Corp., Shoreview, MN, one of the world's largest check printers, Tina Reilly, senior technical analyst, manages storage for a 300-person international sales force that never comes to the office. "We work with financial institutions ... so if our sales reps lose that information, it's very critical," Reilly says. To serve these home-based, traveling sales people, Reilly recently outfitted all of them with identical new Dell laptops loaded with Mobiliti's Network/Unplugged, a mobile synchronization and backup solution.
Because laptop hard drives aren't interchangeable, Reilly needed the homogeneous Dell hardware, so IT could stock identical replacement drives preloaded with a standard mix of OS and apps in preparation for bare metal recovery. She also required a complete backup of current user data - a challenge with non-technical, permanently dispersed users, many of whom rely on dial-up connections. What to do? "We went to their sales convention and did the first initial backup for them via LAN," says Reilly. "So when they got their laptops, all they had to do was keep up with the incrementals."
|Local backup for laptops|
When dial-up is the only connection available, it's sometimes harder to convince remote users to perform network backups than to back up to a local device. As usual, the quicker and easier the backup, the better. The range of backup devices includes:
Zip drives. Iomega has an entire line of removable magnetic media drives, including models that slip into the expansion bay of Compaq, Dell, IBM, and Toshiba laptops. A six-pack of 250MB cartridges costs $80.
CompactFlash cards. You can't back up a whole hard disk with one. But in conjunction with automatic backup software, a $150 256MB card plugged into a free Type II PC Card slot can do incrementals without the user being the wiser.
Microdrives. Like CompactFlash memory cards, these slip into a Type II PC Card slot, but they provide cheaper storage by the megabyte. A 1GB microdrive in a PC Card adapter sells for less than $300. IBM and Kingston are leading vendors.
CD-RW. Buy your laptops with a CD-RW drive already installed, and you can simply leave a disc in there for periodic backups. To ensure problem-free incrementals, the disc needs to be in packet-write format, which reduces capacity to 540MB. Be forewarned: Users can't do much else while the CD-RW records.
External hard drives. User intervention is required, but you can easily find a unit with enough capacity to back up a laptop full of data. Choose a model based on a 2 1/2-inch laptop hard drive, because - although laptop models are slower than desktop drives - they're far more resistant to shock.
If you opt for an external device, a word about connections. Laptops and drives equipped with FireWire or USB 2.0 ports will increase the likelihood that users will actually back up data, because USB 1.0/1.1 devices are pretty slow. If the laptop has only a USB port, you might consider connecting an external device to a PC Card adapter.
For automatic external backups, CMS Peripherals sells a line of devices preloaded with backup software that kick in as soon as a connection is made. Finally, the Amacom Flipdisk boasts the greatest versatility of any external drive, with PC Card, FireWire, USB 1.0/1.1 and Parallel interfaces in one device.
Mobiliti's Network/Unplugged speeds up those incrementals in a couple of ways. Like other remote packages - such as Computer Associates' BrightStor Mobile Backup, Legato's NetWorker Laptop, NovaStor's NovaNet-Web, Novell's iFolder, and Storactive's LiveBackup - Network/Unplugged takes a store-and-forward approach. The software aggregates and compresses incremental file backups on local drives and automatically starts backing up when a connection is available. A 40-bit encryption algorithm protects data in transit; bear in mind that 40-bit keys are export-grade strength and had been brute-forced in public demonstrations years before this article, so where a product offers a longer key (128-bit, as in the NetBackup deployment described below), insist on it for financial data. Delta transfer technology synchronizes files between host and client systems, uploading only the portions of files that have changed instead of the whole file. Reilly, who says she's impressed by the quick backup times, paid $43,000 for the 300-client license and dedicates a single server to remote sales force backup.
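The delta-transfer and store-and-forward ideas described above, as an added example that is not Mobiliti's or any other vendor's code: a hypothetical block-level sync in Python, in which the server keeps per-block hashes of the last version it holds, the client uploads only the blocks the server lacks, and a client-side queue holds deltas until a link is available. The 64-byte block size, the 4-byte cost of a copy reference and the sample contacts file are assumptions for illustration; real products and rsync add a rolling checksum so that an insertion does not shift every later block.

```python
# Added example (hypothetical, not Mobiliti's code): block-level delta transfer
# with a store-and-forward queue, the two tricks the article credits for fast
# incrementals over slow links.
import hashlib
from typing import Dict, List, Tuple, Union

BLOCK = 64          # assumed block size; real tools use a few KB per block
COPY_REF_BYTES = 4  # assumed cost of telling the server "reuse your block N"

# A delta is a list of ops: ("copy", server_block_index) or ("data", literal_bytes)
Op = Tuple[str, Union[int, bytes]]


def block_signatures(data: bytes) -> List[str]:
    """SHA-256 of each fixed-size block; the server keeps these for the version it holds."""
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest()
            for i in range(0, len(data), BLOCK)]


def build_delta(new: bytes, server_sigs: List[str]) -> List[Op]:
    """Client side: express `new` as server blocks to reuse plus literal bytes."""
    known: Dict[str, int] = {sig: idx for idx, sig in enumerate(server_sigs)}
    ops: List[Op] = []
    for i in range(0, len(new), BLOCK):
        chunk = new[i:i + BLOCK]
        sig = hashlib.sha256(chunk).hexdigest()
        ops.append(("copy", known[sig]) if sig in known else ("data", chunk))
    return ops


def apply_delta(old: bytes, ops: List[Op]) -> bytes:
    """Server side: rebuild the new version from the stored copy and the delta."""
    out = bytearray()
    for kind, val in ops:
        out += old[val * BLOCK:(val + 1) * BLOCK] if kind == "copy" else val
    return bytes(out)


def wire_size(ops: List[Op]) -> int:
    """Bytes that would cross the link: literals in full, copies as a short reference."""
    return sum(len(val) if kind == "data" else COPY_REF_BYTES for kind, val in ops)


class BackupServer:
    """Holds the last version of each file; a missing file means 'never backed up'."""
    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def signatures_for(self, name: str) -> List[str]:
        return block_signatures(self.files.get(name, b""))

    def receive(self, name: str, ops: List[Op]) -> None:
        self.files[name] = apply_delta(self.files.get(name, b""), ops)


class StoreAndForwardQueue:
    """Client side: deltas pile up while offline and are flushed when a link is up."""
    def __init__(self) -> None:
        self.pending: List[Tuple[str, List[Op]]] = []

    def enqueue(self, name: str, ops: List[Op]) -> None:
        self.pending.append((name, ops))

    def flush(self, server: BackupServer, online: bool) -> int:
        """Returns how many queued deltas were delivered (0 while offline)."""
        if not online:
            return 0
        sent = 0
        while self.pending:
            server.receive(*self.pending.pop(0))
            sent += 1
        return sent


def demo() -> Tuple[int, int, int, int, bool]:
    """Constructed sample: a 16-record contacts file, then one record edited and one appended."""
    def record(n: int, fill: bytes) -> bytes:
        return b"rec%03d:%s\n" % (n, fill * 56)              # exactly 64 bytes each
    v1 = b"".join(record(n, b"x") for n in range(16))        # 1024 bytes
    v2 = v1[:5 * BLOCK] + record(5, b"y") + v1[6 * BLOCK:] + record(16, b"x")  # 1088 bytes

    server = BackupServer()
    queue = StoreAndForwardQueue()

    # Initial full backup (the "first initial backup via LAN" in the article).
    full = build_delta(v1, server.signatures_for("contacts"))
    queue.enqueue("contacts", full)
    queue.flush(server, online=True)

    # User edits offline; the incremental waits in the queue until dial-up comes back.
    incremental = build_delta(v2, server.signatures_for("contacts"))
    queue.enqueue("contacts", incremental)
    sent_offline = queue.flush(server, online=False)   # 0: nothing goes out
    sent_online = queue.flush(server, online=True)     # 1: delta delivered
    restored_ok = server.files["contacts"] == v2

    return (wire_size(full), wire_size(incremental), sent_offline, sent_online, restored_ok)


if __name__ == "__main__":
    print(demo())   # -> (1024, 188, 0, 1, True)
```

The incremental costs 188 bytes on the wire instead of 1088 because only the edited record and the appended record travel as literals; the other fifteen blocks go as references. Note that the client must fetch the server's signatures before going offline and that nothing else may change the server copy in between, which is why real products version the signature set.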
Of course, not all IT departments back up their laptops with specialized mobile packages. Bucknell University, Lewisburg, PA, deployed a single product, Veritas' NetBackup Professional, across roughly 500 faculty and staff, around 150 of whom use laptops. Initially, the main reason was the lack of a viable tape backup solution for laptop users.
Gene Spencer, associate vice president of information systems for Bucknell, was surprised by the immediate benefits of NetBackup Pro's self-service features. "Having users be much more self-sufficient in terms of getting files back from the system when they need to restore a file ... changes our support model and allows us to provide users with solutions that are actually much easier for them." NetBackup Pro lets users choose between two backup profiles, one for remote and one for local use. Remote users get the benefit of store-and-forward, delta transfer and 128-bit encryption. And data compression increases automatically with slower connections.
Spencer dedicates two backup servers to support his 500 users. Laptop users that roam the campus tend to connect via wireless LAN; backup over dial-up is "not totally unreasonable," but not especially fun, either. A major drawback of NetBackup Pro is that it doesn't support Mac or Linux users, who are obliged to copy files to a server by hand. But after messing with tape backups and other manual solutions, Spencer says NetBackup Pro has provided Bucknell with its first effective solution spanning both local and remote users.
Getting serious about PDAs
Laptops are merely desktop PCs with legs. With tiny storage and a much higher risk of loss, PDAs require an altogether different approach. But according to W. Curtis Preston, founder of The Storage Group consultancy, Oceanside, CA, many companies still make PDAs the user's responsibility. Often, the sum total of IT's storage management policy is to admonish users to plug into a desktop cradle once a day. The basic attitude is, "either you synch or you don't," says Preston.
"There are two types of organizations," says Jeff Warner, product manager for Extended Systems, Boise, ID, a provider of mobile infrastructure, "organizations that look at mobile devices as a strategic tool and have an estimated cost of ownership - and organizations that are just reacting and kind of sweeping it under the rug." The risks of turning a blind eye can be political as well as financial, Warner says, because spiffy PDAs typically fall into executive hands first.
Among IT departments that have developed a real plan, ensuring the integrity of handheld data comes down to two basic strategies: flash backup and server-based synchronization.
Flash backup is a cheap and simple way of guarding against the main enemy of PDA data: dead batteries. All users do is pop a $50 flash memory module loaded with auto-backup software into a PDA expansion slot. "When you're doing mission-critical stuff and you're in the field, these things can fail," says Alex Hinds, CEO of BlueNomad, Redwood City, CA, developer of the BackupBuddy program for Palm devices. "So if you don't have access to a desktop, laptop or modem, it's convenient to have a backup available to you on a card." Lose the PDA, however, and you're out of luck.
Managing data on PDAs gets serious when you start connecting them directly to a server and begin synchronizing, downloading or backing up data. Most often, companies choose the server option for simple group scheduling or contact management. "The application already exists on the device - a Palm, a Pocket PC, a Symbian, a RIM - all of them already have e-mail, a calendar and a contact manager," says Warner. "And obviously, groupware systems like Lotus Notes and Microsoft Exchange are already there, so no one has to create an application or a database on the back end."
Pushing PDAs to the edge
A few bold businesses, however, have begun deploying mobile versions of real enterprise applications on PDAs. Naturally, the notion of tiny, easily misplaced devices carrying valuable enterprise data - or worse, providing remote access to enterprise applications - gives IT nightmares (see "Seven ways to secure a PDA"). To support sales or field forces, however, some companies see real benefits in forging ahead.
Steve Allocco, a project manager for Pyxis Consulting, Wellesley, MA, chose Synchrologic's Mobile Suite of synchronization and management software to deploy a CRM application on PDAs for a major financial institution in the northeastern U.S. A full client version of the app was already on laptops, but less than a third of the 60 mutual fund wholesalers for whom it was intended were using it. "They were sending out a lot of data, which was taking a long time to transfer," Allocco says. Worse, the wholesalers found the laptops too bulky and the app too complex to use in the field.
Pyxis proposed a simple alternative: Push a small quantity of targeted sales information about the accounts wholesalers regularly deal with and display that data, such as spouse's names, sales data, etc., in a simple custom application running on a Palm handheld. Pyxis used Synchrologic's data and file synchronization servers to extract updated information from the CRM database every night and downloaded it to wholesalers when they synched up every morning.
|Seven ways to secure a PDA|
Last year, an estimated 250,000 cell phones and PDAs were lost in airports, according to the Gartner Group. The consequence of misplacing most of those devices was no worse than losing a day planner. But some small, unknown percentage contained critical data and access to enterprise applications.
Securing PDAs with sensitive data - or access to it - should be taken seriously. Basically, you need to apply the same rigor to PDA security that you would to any other enterprise-class device, with a clear security policy and a uniform suite of security software. Consider the following:
1. Password protection. Enforce alphanumeric passwords of no fewer than seven characters. Adding gestures, supported by some security software, makes guessing attacks considerably harder. Several products - such as Trust Digital's Policy Editor or IS/Complete's PDA Restrictor Enterprise - enable you to manage password policies for groups of PDAs or reset individual passwords remotely.
2. Asset tagging. Slap on non-removable labels and bring PDAs into your asset numbering system. You'll avoid confusion when storing, distributing and repairing devices as well as discourage theft. You'll also be far more likely to get PDAs back when employees leave the company.
3. Lost and found. Just as with laptops, it never hurts to display contact information when a device boots. Alternatively, for those who want to remain anonymous, IDstrip.com prints stickers that have a toll-free phone number and a unique numeric identifier.
4. Encryption. PDA file encryption packages such as Trust Digital's PDA Secure abound. Vendors advertise algorithms "ranging from MD5 to 512-bit Blowfish," but read such lists with care: MD5 is a hash function, not a cipher, and Blowfish's key length tops out at 448 bits. What matters is a well-reviewed block cipher (Triple DES, Blowfish or AES) with a key derived from the device password rather than stored alongside the data.
5. The bomb. With some software, such as Asynchrony Software's PDA Defense, a destruct sequence can wipe the PDA clean - if the device isn't synched in 48 hours or in the event of too many password attempts in a row. A wipe only helps if the thief powers up the device and trips it; data already copied from a backup card is beyond its reach, so pair it with encryption (item 4).
6. Biometrics. Fingerprint identification is available for PDAs - Applied Biometrics' PINprint Pilot will do the trick, among others. Signature recognition is less accurate, but Communication Intelligence's Sign-On provides an inexpensive solution for Pocket PCs and Palm devices.
7. VPN connection. Better combine top-notch password/encryption with this one. Microsoft Pocket PC 2002 comes with VPN capability built in; Palm devices require an add-on client such as Certicom's movianVPN.
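Items 1 and 5 above, the password policy and the self-destruct rules, as an added example that is not code from Trust Digital, PDA Defense or any other product named in the sidebar: a hypothetical Python device guard that enforces the seven-character alphanumeric rule, stores only a salted PBKDF2 hash of the password, compares it in constant time, and wipes after ten consecutive failures or when the device is unlocked more than 48 hours after its last sync. The ten-attempt limit, the check-the-deadline-at-unlock design, the PBKDF2 round count and the sample timestamps are assumptions.

```python
# Added example (hypothetical, not any vendor's code): password policy plus the
# two "bomb" triggers from the sidebar, failed attempts and a missed sync deadline.
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List

MIN_LENGTH = 7                         # sidebar: no fewer than seven characters
MAX_FAILED_ATTEMPTS = 10               # assumed limit before the wipe fires
SYNC_DEADLINE = timedelta(hours=48)    # sidebar: wipe if not synched in 48 hours
PBKDF2_ROUNDS = 20_000                 # assumed; tune to the device's CPU budget


def password_meets_policy(pw: str) -> bool:
    """'Alphanumeric' here means at least one letter and one digit, seven characters minimum."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


class DeviceGuard:
    """Lock-screen logic for a PDA: verify passwords, count failures, enforce the sync deadline."""

    def __init__(self, password: str, last_sync: datetime) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.salt = os.urandom(16)
        self.digest = self._derive(password)   # never store the password itself
        self.failures = 0
        self.last_sync = last_sync
        self.wiped = False

    def _derive(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), self.salt, PBKDF2_ROUNDS)

    def wipe(self) -> None:
        """On a real device this erases the user data store; here we just drop the secret."""
        self.wiped = True
        self.digest = b""

    def record_sync(self, now: datetime) -> None:
        self.last_sync = now

    def unlock(self, attempt: str, now: datetime) -> str:
        """Returns 'ok', 'denied' or 'wiped'. The sync deadline is checked at every unlock."""
        if self.wiped:
            return "wiped"
        if now - self.last_sync > SYNC_DEADLINE:
            self.wipe()
            return "wiped"
        if hmac.compare_digest(self._derive(attempt), self.digest):
            self.failures = 0               # a good password clears the counter
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return "wiped" if self.wiped else "denied"


def demo() -> Dict[str, object]:
    """Constructed scenarios; timestamps are assumed."""
    t0 = datetime(2002, 9, 12, 9, 0)
    results: Dict[str, object] = {}

    # Too short, no digit, no letter: all rejected.
    results["weak_rejected"] = [password_meets_policy(p) for p in ("abc12", "abcdefgh", "1234567")]

    g = DeviceGuard("fleet2002", t0)
    results["wrong_then_right"] = [g.unlock("fleet2001", t0 + timedelta(hours=1)),
                                   g.unlock("fleet2002", t0 + timedelta(hours=1))]
    results["failures_reset"] = g.failures

    # Guessing: the tenth consecutive failure triggers the wipe.
    g = DeviceGuard("fleet2002", t0)
    outcomes: List[str] = [g.unlock("guess", t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    results["brute_force"] = (outcomes[-2], outcomes[-1])

    # Deadline: a device that has not synched in 48 hours wipes even on the right password.
    g = DeviceGuard("fleet2002", t0)
    results["stale_device"] = g.unlock("fleet2002", t0 + SYNC_DEADLINE + timedelta(minutes=1))
    g = DeviceGuard("fleet2002", t0)
    g.record_sync(t0 + timedelta(hours=47))
    results["synced_device"] = g.unlock("fleet2002", t0 + timedelta(hours=49))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter more than the thresholds: the password is verified against a salted, iterated hash rather than a stored copy, so a dump of the device's memory does not hand over the password; and the deadline is evaluated from a recorded last-sync time rather than a countdown the user could pause by keeping the device asleep.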
Rather than pay for PDA modems, the client opted to use the modems on the wholesalers' existing laptops to transfer data between the server and PDA client. This provided transport security at no extra cost, since the laptops were already connected to the home office via VPN. And the Synchrologic suite offered another security benefit: the ability to change passwords from the server management console in the event a PDA was lost or stolen.
But the nagging problem of dead PDA batteries was an even more pressing issue than security. "When they're dead too long, you lose all the data," says Allocco. "We were sending down databases that were about 1.5MB. How do we get that back out to them?" Rather than deploy flash modules to back up read-only data, Allocco's solution was to create the PDA version of a bare metal recovery disk on the server that, in the event a user's storage got wiped out, would send out the application first - and then a refresh of the entire database.
Allocco solved another common difficulty with handhelds: People load them with games until they run out of memory and call the help desk. Worse, users tend to be dishonest about what they've installed. The Mobile Suite's management module not only let Allocco see a PDA's contents when the user synched with the host, but he could also delete stuff. "Next time they synched," says Allocco, "they would be looking for Tiger Woods Golf for a very long time."
The wireless workhorse
Enterprise applications running on handhelds are still the exception. But handhelds that serve field service workers have been around for decades. When those devices are used for data collection, the integrity of that data has a direct impact on the bottom line.
Last year, Saul Cohen, vice president of information technology, oversaw the development of a new field service application for U.S. Fleet Services in Horsham, PA. The company has 60 branch offices in 28 states and provides on-site, truck-to-truck fueling services to such companies as FedEx, Coca-Cola, and Nabisco. Cohen's project was to automate the process of recording the details of truck refuels, a paper affair subject to errors by truckers and whoever keyed in the data.
Cohen came up with a wireless handheld application that required zero manual data input. The hardware of choice was a Pocket PC equipped with an 802.11 network card and a barcode scanner. For each delivery, all the driver had to do was scan the barcode that had been pasted on the customer truck and then download data from the truck's fuel gauge, which was also 802.11-enabled. When the truck rolled back into the garage, it communicated with an 802.11b access point installed there that hooked the handheld to the corporate WAN and uploaded the data for the day.
Along the route, delivery data was collected in a SQL Server CE 2000 database on the Pocket PCs. Cohen used XTNDConnect Server from Extended Systems to send out daily route information, push new application versions and configure devices remotely. Storing everything on 128MB CompactFlash cards meant a dead battery could not take the day's deliveries with it. Moreover, every time a driver completed a delivery, they needed to print a receipt before the transaction was complete. Each driver had an extra battery, and the Pocket PC rode in a recharging cradle in the truck when it wasn't being used.
Getting control and keeping it
Despite Cohen's best efforts at making the application easy, he discovered that the biggest problem was training. At one point, he even rode shotgun and coached drivers en route. There's a lesson to be learned from that: Outside the office, more responsibility for making things work inevitably devolves to the user, because you have reduced power of enforcement and less ability to help. To ensure data integrity, explicit policies and procedures for remote users - and in some cases training - are absolute necessities.
That fact shouldn't discourage your efforts to make everything as automated as possible for far-flung users. But particularly in lean times, you need to choose management, synchronization and backup solutions that cause the least IT disruption possible. As Pyxis' Allocco puts it: "You keep your central organization. We're not trying to decentralize IT. We're just trying to extend information that makes sense."
Fortunately, off-the-shelf solutions abound. The market leaders in backup and groupware generally supply just enough remote options to make setting up a specialized package seem like more of a hassle. On the other hand - particularly with PDA applications - only specialized or custom-written software provides exactly what you need, and integrating it with your existing system makes the most sense. Either way, remote data demands to be taken seriously. As Jeff Warner from Extended Systems says: "The device is always much more disposable than the data that's on it."