Thursday, May 24, 2007

Finish The Job

I'm a big fan of Tom Clancy type spy thriller novels. I just read a book which reminds me of these, and which Clancy himself called "A spy story for the 90's -- and it's all true." The book is called The Cuckoo's Egg by Cliff Stoll. I won't give away any spoilers here, but you can read the collective summary if you want to know what happens.

This is a classic story of what happens when you see something out of place and, instead of just fixing the problem, you really investigate. You start digging and pretty soon you find that there are dozens of things that need to be reworked, and dozens more that need to be done and done right. With no funding for a project, it can be damn near impossible to carve the time out of your paying job to do them, so most go undone. In his book, Cliff doesn't let his main issues fall by the wayside; he sticks with them and sees that things get done as well as they can be.

While the book is nearly 20 years old, the lessons it teaches are true today. Cliff has to overcome sloppy practices, a determined and perseverant adversary, invasion of his personal life, lack of support from those he is trying to help, etc. And in the end, he is essentially unrewarded for his efforts. These are problems that security professionals -- and many others -- face every day. But Cliff won't back down or give up; he is able to look at the problem as an opportunity to learn and explore. His reward comes from the joy of discovery, from seeing the problem to its conclusion, and from making connections with people in the same situation.

It's easy to respect and admire someone like this, but it's not as easy to become like them ourselves. It is much easier to push things off to another day or let things drop by the wayside as we hurtle along through life. But I think that one of the things that makes me happiest is when I pursue the things that Cliff did: truth, discovery, and resolution. It also tends to make the products of my work better because I care about what I am doing, not just trying to get it done so I can move on to something else.

It's hard to be enthusiastic about every aspect of what we all do for a living. In fact, if we really enjoy doing something and decide to make money from it, we will soon find that we enjoy it less. But what would it take to do every task as if we enjoyed it? Probably not that much more effort than we already put into it. That could mean changing the duty enough to make it more interesting, like turning it into a game. Or it could mean trying to learn all you can, from theories to history to other techniques. Or it might just mean that you embrace the unembraceable and focus on being as good as you can.

But you've got to find some way to persevere through the difficult jobs to get to the end. In Information Security, it is absolutely essential to do things right and see them through to completion. It is like that in many other fields and aspects of our lives. If you give up or half-ass it at any point, it diminishes the results of your labor. But working hard through every step gives a great feeling of accomplishment and self-esteem as well as makes for a better end result.

Tuesday, May 22, 2007

Simplify, Simplify, Simplify

I am back from my recent hiatus and have finally gotten caught up enough to write a couple of lines here. While on trips, it always becomes obvious how much better a simple solution is when compared with a complicated one. For example, when trying to back up images from a camera, it was a hassle to try to get them onto the computer and then to a jump drive or a flickr.com account.

A much easier solution would be to use a device to dump the pictures directly to an iPod. The Apple iPod Camera Connector is the descriptively named device made by Apple to do the job. It works pretty well, too. It will even move RAW photos, though the iPod can't display them. This helped out greatly since my friend had dozens of gigs' worth of these large photos and no way to store them to make room for more. While this certainly wasn't the simplest solution, it worked well and stayed within our budget.

With simple solutions, it is easy to see their flaws and compensate. The problems which can occur in a system increase exponentially with complexity. In other words, the more things that are involved, the more likely something is to go wrong and the more difficult they will be to solve. When giving directions to my house, I usually give them a route with very few turns. Because the directions are simple, they can be more precise and are easier to follow.

Also, the more difficult and complex something is to use, the less likely people are to use it. To stay with the example above, I drive a very simple route home from work every day. I could probably shave 5-10% off my trip time by taking alternate routes depending on conditions and using back streets rather than the main ones. However, this adds stress to my drive and introduces frustrations. Using the most direct route, I can sit back and relax on my drive, focusing instead on my music or on what I'll do with my free time.

Reducing the complexity of a system usually increases its security (or decreases its likelihood of failure). If a process requires four easy steps, it is much more likely to be followed closely than a similar process which requires several times more steps. In automated systems, more steps means that there are more places to troubleshoot when a problem arises. More worrisome, the more steps there are, the more likely it is that some step fails silently and/or catastrophically.

So KISS! That Wikipedia link can elaborate for you if you are interested, but repeating what others have written is not keeping it simple. I'd hate to multiply entities beyond necessity, so I'll quit while I'm ahead.

Tuesday, November 07, 2006

How Not to Fix a Problem

I haven't posted in a couple of weeks (oops, I forgot!), so I figured I would put something up quickly that's fairly relevant to the typical blog posts and is somewhat topical. Posting this last week would have given you, dear reader, time to observe more and be a bit more informed about the issues discussed.

If you're in the United States, you had the opportunity to choose the lesser of two evils today and vote for many of your government officials. If you are in the rest of the world, I'm sure you can feel our pain. But maybe not as much pain as many of us actually feel. See, we use these electronic voting machines here which are not very well liked. If you haven't heard about this by now, consider yourself lucky.

Now don't get me wrong, some of these things probably work well. But nobody is ever going to hear about things that work as well as they should. For those unsung heroes who designed these machines, I salute you. For the others, please find a suicide cult and join it soon.

I'm not going to go through and rehash old arguments made by others. If you want to read those, you'll find plenty of links. The basic problems are that the machines are difficult to use, they frequently break, and it's possible to manipulate the votes. And instead of fixing the problems, the companies that make them are fighting people who expose the flaws.

What the companies should be doing is making "bulletproof" devices and inviting people to try and break them. There should be no question whatsoever that things are on the up-and-up when it comes to our freedom. Further, there should be independent code audits and security tests to verify that there are no ways to breach the integrity of the machines. In fact, I'm one of the people who thinks that the code should be opened up for review by everyone. Why not leverage the power of a million or so people looking over the code for any problems? Publish the code! You only have something to lose if it's broken and insecure and you've been hiding that fact.

With these devices, you don't design them so they can work, you design them so they can't fail! Take a look at ATMs -- they do this for the most part. Very few people accidentally pull out stamps when they mean to withdraw money. Diebold, one of the largest manufacturers of voting machines, also makes ATMs. They obviously have the expertise to make touch-screen self-service devices work, so why is it so hard to actually pull it off?

Every system has its advantages and disadvantages when compared to others, but there is almost always a way to design a system that creates fewer disadvantages than the current system, while increasing the advantages. When something works consistently and intuitively, there may still be ways to tweak the system to get greater efficiency. But the electronic voting machines seem to have created a problem just as big as the one that they purport to solve. Votes are still being counted inconsistently, ballot tampering is still possible, and the devices have added unreliability and complexity to the system.

Ideally, a perfect solution will be efficient, simple to understand, intuitive to operate, and will minimize the possibility of mistakes. Which brings us to our lesson for today: A solution should not fix some problems only to create different, bigger ones! That seems too obvious to have to state, but oftentimes people lose sight of the basics and need to be reminded of them. It happens to us all at one time or another, so it's worth pointing out.

Thursday, October 26, 2006

Lock Up Your Valuables

If you're going to keep backups of your important information, it only makes sense to protect those backups. This is doubly true if you're storing your backups off site. If you have your backups on the internet, this is a no-brainer. The best way to do this is to put the data in some kind of container that is locked away digitally. No one can see through the container, and nobody can open it without the key. In the digital world, this is accomplished by encryption.

There are several types of stored data encryption software, from FOSS to Top Secret; from mobile phone software to hardened enterprise appliances; from file-by-file to whole disk. Each of these types has its place in the world of Information Security. I will attempt to treat the most relevant ones here. Hopefully by the end of this post you'll know what encryption is, why it's important to encrypt your valuable data, and what the best method is for you.

Encryption and cryptography are much too broad to cover in depth here, but if you'd like to learn more about their history, their details, and their uses, I recommend you start with the Wikipedia page and with Bruce Schneier's best known books, Applied Cryptography and Practical Cryptography. I haven't read either of these, but I have a decent idea of the principal ideas behind cryptography and encryption. I have neither the aptitude nor the desire to learn more about these fields. Here is a very brief explanation and history of cryptography and encryption, which may or may not be technically accurate (but it's close enough).

Cryptography is the use of codes or ciphers to transmit information between two parties in clear view while keeping the meaning of the message incomprehensible to anyone else. Both parties must have a key to decrypt the code. This can be done by memorizing a substitution pattern, by using a physical device, by using a computer to keep track of the encryption and decryption code, by making use of a one-time pad, etc. Each of these has its advantages and disadvantages. As a general rule, usability comes at the cost of security. All cryptographic techniques can be broken by modern computers given enough time, but some are easier than others due to flawed implementation.

The earliest ciphers were simple letter or word substitution ciphers, such as replacing each character with a number or letter. Julius Caesar used a cipher named after him which relied on both parties having a cylinder of equal size -- a physical decryption key of sorts. Not a whole lot happened until the advent of basic computers -- in the mid 1800s by Charles Babbage! But during World War II, the use of cryptography (and cryptanalysis) really took off. The most famous bits of cryptography during this era were the Enigma machine and the Polish mathematicians' breaking of it (by hand, no less), the American decoding of the Japanese diplomatic and, after Pearl Harbor, tactical encryption, and the American Marines' use of Navajo "Code Talkers" to relay messages to and from the front lines. Modern powerful multipurpose computing machines have ushered in the age of Modern Cryptography and its various methods and techniques for encryption.

Now that the obligatory background information is out of the way, we can start on the meat of the post. I find that it is best to think of encryption software by its functionality. What does the software do and how can that be useful? In this sense, there are three categories of stored data encryption: file level encryption, file vault encryption, and whole disk encryption. Note that I will not be discussing cryptographic protocols, such as SSL/TLS, for securing data as it crosses a network.

File level encryption or filesystem level encryption is a method of encrypting individual files on a disk. Usually this requires the user to manually select a file to encrypt. Some software allows the user to specify that a directory in its entirety is encrypted, including new documents created in or put into this directory. Windows uses the Encrypting File System (EFS), and OS X uses its FileVault. Each of these automates decryption when the user logs into the computer. However, this means that anyone who has access to this login has access to the sensitive files. It also makes transporting the files encrypted a challenge: they are decrypted in transit, but are difficult to copy when encrypted (or rather, they are difficult to decrypt after they have been moved while encrypted). Other programs can be used which overcome the latter difficulty, but which do not solve the first one and may not provide the same ease of use as the integrated products.

What I call "file vault encryption" others call "disk encryption". I think this is easily confused with "full disk encryption" so I will continue to use my terminology, despite the possible confusion with Apple's FileVault. Whatever you want to call it, file vault encryption creates a single file in which all data is stored encrypted. Typically the software will mount this file as an additional hard drive in your computer, making access to the data easy. This type of encryption is very easy to transfer to another computer or to another medium -- you just copy the single file. However, it typically requires entering a secondary password after logging into the computer.

Full disk encryption or whole disk encryption usually refers to encrypting the entire boot device. This ensures that all of the data on the disk will be encrypted, including temporary files, working files like the ones Microsoft Word creates, and the scratch disk or virtual memory. Encrypting all of this data is most appropriate for mobile computers which are likely to be lost or stolen. However, this security costs performance. Also, once the user logs into the computer, all files are copied and transmitted unencrypted. In addition to the fact that transporting the data requires additional encryption, if the hard drive is damaged or if the boot sector is overwritten, the data is essentially irretrievable.

Of these three types, each has its proper use. The least useful type of stored data encryption of the three is the file level encryption. It offers the fewest benefits with the highest risks. In fact, I would argue that it is completely useless in comparison with file vault encryption, which performs many of the same functions with the added bonus of transportability. In addition, the fact that the vault is mounted to a drive letter clearly delineates which data is encrypted and which data is not encrypted. Full disk encryption should be used anywhere the risk of computer theft or loss is moderate, in addition to some high security environments. And some form of encryption should be used on all backed up data.

Of the many dozens of attacks where personal information has been lost, it is unclear how many were preventable by encrypting the data. However, it is a good bet that every lost or stolen laptop or backup tape would have yielded no data if proper encryption methods had been used. And many of the hacking incidents may have been preventable if the sensitive information had been encrypted properly. While it may seem costly for a company to implement, the encryption software and practices cost hardly anything compared to an incident like the one the Department of Veterans Affairs suffered.

The take-away lesson here is to keep your important stuff protected. It's not enough to just keep it in a safe place; you should keep it in a secure place. Whether that is a safety deposit box at your bank, a safe in your home, or a vault at Ft. Knox, you can't afford to let your valuables just sit around unprotected. How much cheaper it would seem in retrospect to have bought a safe than to try replacing a family heirloom after it is stolen.

Thursday, October 19, 2006

Backups

This tip will either be a waste of time or it will save you more grief than you can imagine. Backing up your important information can make the difference between taking 10 minutes to restore your data versus weeks and hundreds of dollars to get anywhere from none to all of it back. I lost my data once and didn't have the money to spend restoring, so I spent over a year and a half trying out different software and techniques before I was finally able to rebuild the data I lost -- a lot of irreplaceable pictures.

So now that you know you should be backing up your data, how do you do that? The first step is to identify what you want to back up. This isn't as easy as it might sound at first. Things tend to get scattered all across your hard drive, floppies, CDs, etc. The only thing worse than not backing up anything is backing up everything but a key document -- by the time you realize you've lost it, it may be too late to recover. Once you've got it all collected, find a spot on your hard drive where you can store everything.

Now that the first step is completed, it's time to look at your backup options. Which backup method you choose is largely a matter of personal preference. The four general ways to back up data are online, nearline, offline, and offsite. There are benefits to each, as well as drawbacks. Here are some brief descriptions.

Online storage backups are not really backups, they are redundancies in the way the data is stored, meaning that a single dead hard drive does not lead to data loss. However, for the purposes of our discussion, it can be considered a method of backup. Typical online storage would be something like an internal RAID with fault tolerance, NAS/SAN, or some other method of keeping data instantly accessible and current in the event of a failure. Also, you don't have to think about performing backups, data is automatically backed up whenever you change or update it. However, in the event of a complete system failure, all information will be lost. This could be due to theft, lightning and other natural disasters, structure failure, fire, etc.

Nearline storage allows you to keep data close at hand, but not fully current or instantly accessible. This would be a true replication of data, so that it exists both on the computer and on another device. Typical nearline storage devices are USB flash drives, external hard drives, secondary internal hard drives, or any other type of storage usually connected to the computer or across a network. The backed up data is quick and easy to access in the event of a primary storage failure. This type of backup is probably most common in home environments.

Offline storage is that which is backed up, usually on removable media such as blank CDs or DVDs (optical media), floppy disks, zip disks, storage tapes, etc. These media are easily stored elsewhere, since they are typically much cheaper and more portable than the other solutions. Offline storage requires that you locate the media and put it in a reader attached to your computer. One of the biggest problems with this type of storage is that sometimes the media goes bad. This is especially true for optical media.

Offsite storage is typically an offline storage system where some or all of the media is kept in another physical location. For example, if you back up your home computer's data to DVD and store the DVD in your desk drawer at work, you have an offsite backup. This may accomplish your goals just fine, or you may want to look at a more secure solution, such as a safety deposit box or a professional service which will pick up and store your media.

Another form of offsite storage is internet-based storage. There are plenty of sites out there that will give you free storage, from free web hosts, to file sharing sites, to dedicated backup sites, to jumbo sized email hosts. Some of these are better than others for keeping backups of sensitive information. For example, the backup sites linked all claim to encrypt your data so that only you can retrieve it. In general, I don't trust proprietary encryption and I don't trust somebody else to encrypt the data for me. So you'll probably want to encrypt it before uploading (that's a topic for another day...).

While any data backup is better than none at all, I recommend keeping a few different backups using different methods. My important data resides in several locations. First, it is on my local hard drive. Once a week or so I copy this to a file server running a RAID. Every once in a while I'll copy the backup to an internet-based offline storage system. This ensures that I can survive several failures without loss of data.

Don't forget how critical your backups are! Don't store the backups where they may get stolen, lost, damaged, or otherwise be useless. Also don't forget to keep this data secured and/or encrypted. And it might be handy to test your backups regularly to make sure you can restore the information. Many businesses learn these lessons the hard way by losing their only copy of data, by having the information leak out because they treated their backups as if they were blank, or by not being able to get their data back when they really needed it. I warned you.
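The "test your backups" advice, as an added example of my own (not code from the original post): the script archives a folder with a SHA-256 manifest embedded in the archive, restores it, and checks every restored file against the manifest, flagging a corrupted file and a missing one. It assumes only the Python standard library, a gzip tarball, and the constructed sample files it creates itself.

```python
# Added example, not from the post. Assumes: stdlib only, a gzip tarball, constructed sample files.
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source_dir):
    """Map each file's forward-slash relative path to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def make_backup(source_dir, archive_path):
    """Archive source_dir under 'data/' and embed the manifest as MANIFEST.json."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(os.fspath(source_dir), arcname="data")
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))

def restore(archive_path, dest_dir):
    """Extract the archive; return (restored data dir, the manifest stored in it)."""
    with tarfile.open(archive_path, "r:gz") as tar:
        manifest = json.load(tar.extractfile("MANIFEST.json"))
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safer extraction where available
        tar.extractall(dest_dir, **kwargs)
    return Path(dest_dir, "data"), manifest

def verify_restore(restored_dir, manifest):
    """Return sorted problem strings; an empty list means every file came back intact."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_dir, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append("missing: " + rel)
        elif sha256_file(path) != expected:
            problems.append("altered: " + rel)
    return problems

def demo():
    """Constructed sample: back up two files, verify the restore, then damage it and re-check."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src")
        (src / "photos").mkdir(parents=True)
        (src / "thesis.txt").write_text("constructed sample thesis text\n")
        (src / "photos" / "xmas.jpg").write_bytes(b"\xff\xd8 constructed bytes, not a real JPEG")
        make_backup(src, Path(work, "backup.tgz"))
        data_dir, manifest = restore(Path(work, "backup.tgz"), Path(work, "restore"))
        clean = verify_restore(data_dir, manifest)
        # Simulate bad media: one restored file corrupted, one gone entirely.
        (data_dir / "photos" / "xmas.jpg").write_bytes(b"\x00")
        (data_dir / "thesis.txt").unlink()
        return clean, verify_restore(data_dir, manifest)
```

Run the same check against a restore from your real media from time to time; a manifest that no longer matches is the warning that the backup has gone bad before you need it.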

Businesses practice "Risk Management," determining an acceptable amount of risk to allow as a tradeoff for cost. But they're only protecting their money; you have to protect much more valuable property. Whether you're backing up your Great Grandmother's cookie recipe, your college thesis paper, or your pictures of your kids' first Christmas, these things are irreplaceable. With the free tools outlined here, the only cost to you is your time.

The final lesson in data backup is trust. Backups are an insurance policy and the most important part of insuring against loss is trust. So don't listen to the lizard or the duck when they tell you that cheap insurance is better. The truth is that if you ever have to cash in one of these things, they'd better pay off. If you don't have 110% confidence that you can recover quickly and easily after a disaster, then it's time to start looking for somebody that you can trust to make that happen.