How much data does the federal government hold? No one truly knows. It is unclear exactly how much data the federal government generates, but it’s likely in the single-digit petabytes. (A petabyte is equivalent to a million gigabytes.)
In 2013, Informatica estimated that U.S. federal agencies alone “currently store an average of 1.61 petabytes of data, a figure projected to rise to 2.63 petabytes by 2015.” Writing in Nextgov in 2018, Dan Tucker, vice president overseeing Booz Allen Hamilton’s digital solutions team, and George Young, the vice president of U.S. public sector at Elastic, noted that the “the petabytes-on-petabytes of data that agencies generate, collect and retain, is typically scattered across IT silos.”
As World Backup Day 2019 nears on March 31, data security remains a major concern in federal IT. According to a May 2018 Office of Management and Budget report, only 27 percent of agencies reported that they had the ability to “detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually.” Simply put, the report states, “agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years.”
How can federal IT leaders and their staff best protect government data from loss, theft or damage? Follow these best practices to get started.
1. Prioritize Which Data and Systems to Back Up
Disaster recovery and data backup touch every branch of the government. IT leaders must ensure that employees can access critical data as well as communicate with one another at all times.
The first step in any backup plan is performing an inventory of all data and systems and prioritizing those which are most critical to back up (and thus, potentially recover) first.
The Justice Department makes backup, restore and recovery a priority within its IT operations. “Restore point objectives and recovery time objectives are critical for our mission-essential systems,” Justice Department CIO Joseph Klimavicz previously told FedTech.
An RPO is the maximum period that an agency its willing to lose data on its systems because of an event, and an RTO is how quickly an agency can recover — from the moment of a disaster to the moment it returns to normal operations.
“These objectives require discipline and purposeful use of application and data architectures,” he says, adding that the agency selects backup and recovery to achieve its architectural and price point objectives.
Some IT leaders might prioritizes backing up email, or chat and videoconferencing applications, or records management for reporting and analysis. Every agency will have different priorities. What is key is determining which data to back up.
2. Use a Tiered Data Management Strategy
Agencies should be aware that there are a wide range of data backup and recovery solutions available.
As data backup vendor Acronis notes on its website, “there are multiple types of backup solutions and tools available on the market that deliver different” recovery point objectives and recovery time objectives and handle different scopes of data recovery.
Further, as Acronis notes, agencies can use hardware appliances, software solutions, cloud backups or all-in-one hybrid backup solutions, which, it notes, gives users the “freedom to install the software or use it as a cloud service at will.”
And agencies should follow the “3-2-1” rule when it comes to backups. They should have at least three copies of their data: the primary and two backup copies. They should store those copies on at least two different forms of media: their primary data repository and a secondary repository (a backup disk device or tape). And they should also keep at least one backup (cold) copy offsite.
3. Perform Regular Backups of All Critical Information
A data backup plan or system is not that useful if agencies do not actually back up their data. Data backups should be done at regular intervals.
The United States Computer Emergency Readiness Team lists six preventive measures to help protect systems against ransomware attacks; backups are at the top:
“Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process,” CERT says. “Ideally, this data should be kept on a separate device, and backups should be stored offline.”
Regular backups also mitigate the damage that a ransomware attack can do to an agency. As Drew Shanahan, a technical architect of software solutions for CDW, notes in a blog post, “Regularly backing up your data off-premises will prevent ransomware from stealing your data.”
4. Create Offsite Backups for Added Security
As has been noted, agencies should definitely back up data to an offsite location.
These include disaster recovery so that the agency replicates backup data to a remote site, “to enable recovery of data or recovery of application use should disaster strike the local site.”
Another reason is the consolidation of backup operations. Agencies that are spread out geographically may have branch offices perform offsite backup to a central location rather than each branch maintaining backups onsite, Dell EMC notes.
“This would require performing backup over WAN from the branch office to another, typically, central location,” the company notes. “Depending on the scope of backup needs and circumstances in their production facilities, such an approach can make more efficient use of IT resources as well as affording a greater degree of corporate control over backup practices.”
Offsite backup is also more cost effective, according to Dell EMC. “Depending on the scope of their data backup needs and circumstances in their facilities, for some organizations offsite backup in the form of backup over WAN may be more cost effective than backing up data onsite,” the company says.
Shanahan says that a key point of failure is getting data offsite consistently and quickly. “Typically, this is done by storing tapes somewhere else, which could be anywhere from a dedicated storage facility to a shelf at an employee’s home,” he says. “The dedicated offsite option is expensive and requires time to organize and arrange tapes as they rotate offsite. It also takes longer to retrieve tapes and can be very expensive. Having data stored offsite elsewhere is inexpensive, but it is also insecure and doesn’t solve the problem of a quick retrieval.”
5. Use Disaster Recovery as a Service and Cloud-Based Backup
Cloud backup options can help agencies in multiple ways. Cloud backups serve as a reliable, offsite method for storing critical data. “When the data that needs to be recovered is more than a couple weeks old, then the data is usually kept offsite at a storage facility or with a cloud provider,” Shanahan says.
“Cloud services’ pay-as-you-go pricing model is ideal for rarely used disaster-recovery environments,” Mike Chapple, an associate teaching professor of IT, analytics and operations at the University of Notre Dame, writes in FedTech. “Rather than running backup data centers full of equipment that sits idle most of the time, agencies can pay to store data in the cloud and avoid overhead computing costs until the site is activated.”