Remote offices, branch offices (ROBO), small offices, and home offices (SOHO) have become ever more dominant characteristics of business organizations. SOHOs have grown rapidly, as more organizations permit their employees to work from home. Government organizations have not been immune to this trend , as they have become more geographically dispersed than ever before. Mobile dispersed work forces frequently means dispersed data assets. These are data assets having tremendous value with potentially dire consequences if lost or compromised. They have to be protected. They have to be easily recoverable in the event of a disaster, outage, malware, theft, or accident. IT professionals will typically say that’s common sense.
Regrettably, Voltaire was correct in his assertion that common sense is not so common. There are two crucial responsibilities here. The first is to protect the applications and their data. The second is more difficult in making both easily recoverable. Data protection and recovery processes for data centers are well known with decades of experience. Professionals utilize that which they know best and therefore apply these data protection and recovery procedures to ROBOs and SOHOs. Applying those processes to ROBO and SOHO is the root of way too frequent “gotchas”. There are several reasons why.
- IT professionals are numerous and generally experienced in the data center. It is rare indeed to have any trained IT pros in a ROBO. They are a non-factor in SOHOS. In fact ROBO IT tends to be a secondary responsibility of some other position. This means there is a dearth of data protection and recovery knowledge, expertise, as well as experience at both ROBO and SOHO locations.
- Most of the effort for ROBOs and SOHOs is on protecting not recovering. This is understandable since protection is minimally a daily process whereas recovery is a once in a while process. However, as important as the protection process is, the recovery process is always one of urgency.
- ROBO and SOHO primary IT compute devices utilized are laptops, tablets, combos, phablets, and smartphones. These are known as mobile “endpoints”. Physical (a.k.a. physical machines or PM), virtual servers (a.k.a. virtual machines or VM), and desktops have become a bit more rare and found primarily in the larger ROBOs. Data protection and recovery for PMs, VMs, and desktop workstations are a definite but well understood problem. But for those mobile endpoint devices it is generally a misguided after-thought. Data center IT too often labors under the false assumption that the vast majority of the organization’s mission critical data resides on its servers. That assumption keeps proving to be a major mistake. Users keep creating valuable organizational data assets on their mobile endpoints that never make it to the data center. Proposals, presentations, spreadsheet analysis, data analytics, market research, software development, and more.
- Unlike PMs, VMs, and desktops, those mobile endpoints are more vulnerable to being compromised, lost, or stolen. When a mobile end point such as a laptop is lost or stolen so too are the credentials on that laptop. As recent news stories have noted, it is not very difficult to bypass the simple end point security if there is any at all. A lot of mischief can be accomplished in a short period of time (data theft, malware insertion, Trojan horses, Ransomware, etc.) before those credentials can be cut off. The aftermath can take months of extensive IT manually labor-intensive effort to clean up.
The common workarounds to many of these problems mostly come up short or fail out right. They depend too much on ignoring normal human behavior. Here are some of the most pernicious examples:
- Implement virtual desktop infrastructure (VDI) to the endpoints. In theory this should automatically keep all applications and data in the data center. In practice, not so much. Users often become highly dissatisfied with VDI because of poor response times from high Internet latency, high VPN latency, and VDI resource under provisioning (costly storage, servers, memory, and bandwidth). That dissatisfaction displays itself with local virtualization and utilizing that local image as their primary. Defeats the purpose of VDI.
- Require users to manually copy their data to data center servers or storage. No matter how stringent the policy, and how diligently enforced, this methodology is simply an unsustainable “no-op”. In other words, it just does not work. And still does nothing in the event of an endpoint theft.
- Utilize private and or public file sync and share technology to keep all user data available local as well as in the data center or to the data center. This workaround enables data copies in the data center but fails to lock down the data or device credentials in the event of a theft.
What then are the best practices to protect and recover data in ROBOs and SOHOs? It starts with recognizing that ROBO requirements are different from the data center. It requires a thorough data threat analysis. But most importantly, there should be a reliable, repeatable, simple process for recoveries with minimal to no local expertise in the ROBO.
Beginning with the remote servers, it is essential to start with the essentials. Determine the required recovery point objectives (RPO) or how much data loss can be tolerated for each PM and VM workload. Then determine the recovery time objectives (RTO) or how long it will take to recover and be up and running in production again for each PM and VM workload. RPOs and RTOs often determine the methodology required to both protect and recover data. For example, if some of the VMs require a RPO and RTO at zero or near zero then some form of VM replication will likely be required. Low RTOs require local oriented recoveries, VM mounting, or VM turn-up. The key to ROBO recoveries is simplicity. One-pass recoveries. No expertise required at the ROBO. Or all recoveries managed by the data center or a managed service provider.
The bigger protection and recovery problems are the endpoints that have become the staple of ROBOs and SOHOs. As previously discussed, endpoints are mobile. Endpoint protection and recoveries have to be both self-contained as well as centralized to an internal data center, third party data center typically managed by a managed service provider (MDP). Those endpoints typically require relatively low RPOs and RTOs. That requires relatively frequent automated backups of changed blocks, which utilize minimum endpoint resources to the internal drive and a copy of those backups to the data center or cloud based MSP. The internal drive for fast local recoveries of files and centrally for bigger recoveries when a disaster occurs such as a Ransomware attack.
But protection for mobile endpoints has to go further. It has to protect against lost or stolen endpoints. That requires geo-location of the endpoints and remote wipe. The geo-locate is to find lost units. The remote wipe is to remove any or all of the valuable data to prevent it from being used, leveraged for other nefarious purposes, or sold from stolen or unrecoverable units. That issue is specific to laptops and combo units. It is less so for tablets and smartphones, which tend to have those capabilities built-in.
Asigra delivers complete ROBO and SOHO data protection and recoveries required today via its software and hundreds of managed service providers.; For more information go to: https://www.asigra.com/enterprise or check out how we help the makers of Absolut Vodka (Pernod Ricard case study) protect their data across 42 territories with a centralized data protection strategy. That strategy empowers them to perform recoveries of individual files, databases, and emails easily, quickly, and reliably.