The Defense Acquisition University has more than 200,000 customers — federal acquisition, technology and logistics officials who turn to DAU to learn the latest procurement practices.
Although professionalism certainly accounts for part of the school’s customer satisfaction equation, effective and comprehensive data and application backup is the technological counterpart, says Chris Lawless, systems engineer in the Network and Security Operations Center, located at DAU’s headquarters at Fort Belvoir, Va. “We need to make sure that we have the technology in place to be totally protected — from organizationwide data and applications like human resources, financial and administrative, to coursework preparation and exam grading at the instructor level,” says Lawless, who has worked for DAU under contract for the past eight years.
The school’s approach — a combination of two storage technologies that together provide the comprehensive backup the organization needs — is one that can work for many agencies, says Mike Karp, a senior analyst at Enterprise Management Associates of Boulder, Colo.
For the administrative side, DAU uses snapshot technology, which lets it take an image of data three times a day; on the instructional side, continuous data protection (CDP) backs up entire devices. Using both technologies makes a lot of sense because together they can protect agencies under most circumstances, Karp explains. “What you employ and how you employ it depends on the types of applications you use, the relative importance of various applications and data sets, and how frequently information changes,” he says.
If a user wants to be able to recover an entire volume — let’s say the C drive crashes — a snapshot will recover everything quickly. A snapshot, as its name implies, is like a photograph, capturing data at a specific moment in time.
CDP, by contrast, is event-based. That means that every time someone makes a change to data, the change is captured. With true CDP, captures take place in real time. For near-CDP, changes are captured every time a changed document, record or file is saved.
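The difference between the two recovery models described above, shown as an added example that is not part of the original article: it replays a constructed change log against a three-a-day snapshot schedule and against a CDP journal. The file names, change times and snapshot hours are assumptions made for illustration.

```python
from bisect import bisect_right

# Constructed sample: (minute of day, file, version) saves on one share, in time order.
CHANGES = [
    (8 * 60 + 5, "grades.xlsx", "v1"),
    (9 * 60 + 40, "syllabus.doc", "v1"),
    (11 * 60 + 15, "grades.xlsx", "v2"),
    (13 * 60 + 30, "exam.doc", "v1"),
    (15 * 60 + 50, "grades.xlsx", "v3"),
]
# Assumed schedule: three snapshots a day, at 06:00, 12:00 and 18:00.
SNAPSHOT_TIMES = [6 * 60, 12 * 60, 18 * 60]


def state_at(changes, t):
    """Replay the time-ordered change log up to and including minute t."""
    state = {}
    for when, name, version in changes:
        if when > t:
            break
        state[name] = version
    return state


def snapshot_restore(changes, snapshot_times, failure_t):
    """Return (snapshot time, data) for the last snapshot at or before failure_t."""
    i = bisect_right(snapshot_times, failure_t)
    if i == 0:
        return None, {}  # failure happened before any snapshot existed
    taken = snapshot_times[i - 1]
    return taken, state_at(changes, taken)


def cdp_restore(changes, target_t):
    """CDP journals every change, so any point in time can be rebuilt."""
    return state_at(changes, target_t)


def lost_changes(changes, restored_from, failure_t):
    """Changes made after the restore point and before the failure."""
    start = -1 if restored_from is None else restored_from
    return [c for c in changes if start < c[0] <= failure_t]


if __name__ == "__main__":
    failure = 16 * 60  # the volume fails at 16:00
    taken, data = snapshot_restore(CHANGES, SNAPSHOT_TIMES, failure)
    print("snapshot from minute", taken, "->", data)
    print("lost since snapshot:", lost_changes(CHANGES, taken, failure))
    print("CDP at failure:", cdp_restore(CHANGES, failure))
    # CDP can also roll back to just before an unwanted change (15:50 here).
    print("CDP at 15:49:", cdp_restore(CHANGES, 15 * 60 + 49))
```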
CDP systems work in two basic ways: block-level and file-level. The method an agency chooses will depend in large part on the storage system in use. Block-level is preferred for storage area networks and file-level for network-attached storage.
Although CDP and related technologies are still gaining steam in federal circles, adoption has come a long way, says William Clark, public-sector chief technology officer at Computer Associates. In part, he attributes the growing use of such tools to how disasters — events such as the Sept. 11 terrorist attacks; the flooding of federal buildings near the National Mall in downtown Washington; and hurricanes Katrina and Rita along the Gulf Coast — pointed out that agencies need stable backup and disaster recovery mechanisms.
The Supreme Court of Louisiana’s use of CDP technology is directly attributable to Katrina. Before the hurricane, the state court relied on tape backups, but immediately after the disaster, the IT team made implementing new backup and disaster recovery systems a priority.
“We knew we had to have something that protected the data, that was real-time, and that we could quickly enact,” says Peter Haas, director of technology for the Supreme Court of Louisiana in New Orleans. “The concept of a warm or cold site, or just tape, wasn’t going to do it.”
Fact: Snapshots require storage equal to 10% to 20% of the primary volume. (Source: Forrester Research)
Haas and his team settled on CDP technology after testing several products. The court implemented XOSoft CDP in May 2006 and now replicates the e-mail system, databases and all other data on its servers for about 160 users.
The app has been called into service a few times. “We had a problem with an e-mail server that began to degrade, so we failed over and got the system up and running within about 10 minutes. Nobody on the staff even noticed,” Haas says.
For DAU, the journey started about six years ago, when it installed snapshot technology for regular backup of faculty and staff data. The university implemented a NetApp FAS940 filer, an enterprise storage appliance. Now that the FAS940 has reached its end of life, DAU is replacing it with a FAS3000.
The filer contains multidisk arrays, creating raw storage space that can be assigned to various mapped drives and sized appropriately for each department. The FAS3000 runs NetApp’s Data ONTAP 7G operating system, which lets DAU restore entire volumes or single data files and flexibly provision storage.
Users save documents to network shares so an entire department can access them, Lawless says. Three times each day, the system takes a snapshot of the drives to enable recovery if necessary.
Along with the filer, DAU uses NetApp SnapManager for Microsoft Exchange to grab images of e-mail databases and mailboxes twice daily. For disaster recovery, the snapshots reside at an alternate site.
Although the snapshot technology works well, it became clear that it was not enough. Increasingly, instructors and staff began relying on notebook computers they were using outside of the office, making it difficult to connect to the network often enough to back up crucial data. And because DAU policy prohibits backing up to personal systems, the potential for data loss became a real problem. DAU opted to combine CDP with its snapshots and deployed Atempo Live Backup for the approximately 400 notebook and 300 desktop PCs spread out between headquarters at Fort Belvoir and seven regional divisions throughout the United States.
The software runs on two identical dual-processor servers — with 8 gigabytes of RAM each — that host Microsoft Windows 2003 Enterprise and Microsoft SQL 2005 Enterprise Edition. One server, at Fort Belvoir, supports about 400 notebooks and desktops; the other supports users in the seven regions.
Live Backup uses push technology; a small client, installed on each desktop and notebook, initiates a connection back to the server each time a user makes a change. If a user isn’t connected to the network, the system caches changes and transmits them the next time the user is online.
The system is working so well, Lawless says, that DAU plans to expand it. Currently, users in the university’s seven U.S.-based regions send data to headquarters for backup, which can lengthen recovery time. To solve the problem, DAU will install a server in each region.