The pros and cons of tape versus disk and cloud based backups, with tape winning in some areas and disk in others, are weighed up by Tony Dearsley, pictured, of Kroll Ontrack UK.
Tape seems to be favoured for long time archiving solutions and disk and cloud for routine backups. To ensure that there is no confusion; a backup is created so that data, and therefore a business, may be restored in the event of a critical systems’ failure. On the other hand an archive is created for long term storage of corporate communications and documents, often for a period of five to seven years, or longer depending on legal requirements. IT policies vary from one company to the next, so let us consider the issues which arise where everything is tape based.
Structured archiving is not a mature discipline and is often based upon an ad hoc solution, for example, it may consist of retaining a copy of every routine month-end backup, kept at a specialist storage provider or in-house. Alternatively, it may comprise a targeted backup of specific information conducted every week, month, quarter, year (or even all). Whichever approach is taken you will end up with a box of tapes in storage.
Risks associated with tapes
So what are the risks associated with these tapes? The first, is the risk that a company will not be able to access the data on the tapes as quickly as it would like to when it needs to, for example, when a regulator is asking for information. Tapes are very different to structured file storage solutions on disk. At the basic level, disk structures can have three or four main formats – Windows based formats such as FAT32 and NTFS, Unix based formats such as UFS and EXT3, Apple HFS, (overall the list is relatively short) and with the fairly standard equipment the access to the data is relatively straightforward. Tapes on the other hand are far more varied. For example, over a period of the last seven years tape technology has continued to change, particularly in relation to capacity and the latest LTO6 can contain a massive 6.25 terabytes of data. There are at least 20 physical formats of tape still in use, all of which require the appropriate hardware and given the frequency of technology refreshes, it is highly unlikely that tapes from seven years ago can be read in your current solution. To add to this complication there are probably 20 software solutions used to write to the tapes, each with its own format. So whereas you may need six or seven options to recover data from disk, when it comes to tape you may be looking at choosing between 400 combinations. Having the correct equipment and knowledge of the software used is essential (and the latter is often missing due to a fragmented or incomplete approach to retention). Of course, once you have the tapes and before selecting a recovery option, you need to identify which tapes go together as spanned sets.
At Kroll Ontrack, we have seen many variations on archiving over the years and some of the techniques which have been employed, whilst they may have sounded good at the time are no longer practical. Hindsight is a wonderful thing but what would you consider now about the strategy of replacing the contents of a 40 tape library every month and storing those tapes as an archive – a simple solution- until you replace the server and lose all the backup catalogues. In fact this is more common than one would expect. The strategy of preserving the tapes as snapshots at a particular time is commendable, but in 99% of those cases nobody preserves the infrastructure or catalogues, so the task of recovering that data is challenging.
Of course the need to secure personal and financial data is a key consideration and various encryption techniques have been developed for tape technology. The thought of losing a LTO6 tape containing 6.25TB of company and personal data is frankly terrifying so encryption is the solution. Unfortunately along with catalogues and other tape lists, encryption keys and passwords are the other critical components that get mislaid. So you may have a set of tapes which are now completely useless as they cannot be decrypted.
Reviewing the need to keep data
In an ideal situation where you have been archiving and documenting everything and can identify the tapes required and they are in working order, the question is when did you last review the data that you are keeping. The oldest set of data I have ever seen was 32 years old, and it contained microfilm reels as well (they look like tapes). Many companies place their tapes in storage and then fail to review the need to keep them due to the absence of a cogent data retention and destruction policy. Not only can this incur unnecessary storage costs but in the event of a request for ediscovery, this significantly increases the timescales and costs associated with accessing, processing and reviewing the data
Legal demands on stored data
Requests in litigation cases and from regulatory bodies and other investigators can be demanding and have stringent deadlines. So when the request arrives and you have 15 years of tapes to consider, what are you going to do? Hopefully the request will relate to a specific time period, but if you cannot identify the relevant tapes you may have to investigate all of them, causing delay in the response to the regulator and even the impression of non-cooperation.
Let us take a request for email for six data custodians in say 2007 and 2008 for a specific project. There are 24 monthly backups comprising five tapes each month; a potential restore and extraction of 120 tapes. In the case of Exchange server backups you need to know which server each individual was on and what the retention period was for deleted email at that time. Many organisations do not implement email retention policies so the need for mailbox management by the individual is limited, thus there can be a very large amount of duplication of email across the time periods. It may be possible to examine one month’s tapes and from there determine a strategy for restoring others. Certainly when faced with these issues we have in some instances been able to mitigate the restores to three-monthly periods, which is 15 tapes instead of 120.
Questions to ask about your stored data
What does this all boil down to? In simple terms, it has become essential for companies to have an effective and fully documented information retention policy and practice that involves all of the relevant parts of a business. Some key questions need to be addressed. From a legal aspect; how long do records need to be kept? From a security aspect; where should the records be kept? From an IT aspect; how are these records going to be kept and what needs to be done when there is a technology refresh? And finally from an overall business perspective, who is going to maintain all the necessary records and own the review process?
About the writer
Tony Dearsley is a Computer Forensics Manager at KrollOntrack UK; visit – http://www.krollontrack.co.uk/
