Although enterprise data and applications may be backed up, users and IT administrators should understand the need for desktop backups. There are a few steps you can take to ensure that the right data is backed up as needed.
It has been said that experience is something you get just after you need it. While this saying holds true for many aspects of IT, it applies especially well to data backups. At one point or another, we've all assumed that we have a good backup of critical files and then found out that we didn't. Losing the past year's (or decade's) worth of work can be a real bummer. Interestingly, I've noticed that enterprises often make a conscious decision to not require desktop backups. I'm not convinced that's the best approach.
Here's what happens: IT tells users to store everything on the network so it can get backed up that way. Or, users are told to back up their own systems to the network or the cloud. All's well until a hard drive fails, data gets corrupted during an unexpected shutdown or a system is lost or stolen, and now a developer, sales rep or, worse, an executive has lost everything that was stored locally.
The elephant in the room is that data is really being stored locally. Users could be intentionally saving files only on their desktops or unintentionally saving files locally, not realizing where files should be kept safely. Unless you're running a total virtual desktop infrastructure, data is being stored locally and is thus harder to restore.
It isn't enough to tell users not to store data locally or to run their own desktop backups. Relying on users to do anything regarding data confidentiality, integrity or availability is a slippery slope. Sure, there's always a group of responsible users who get it. But what about all the others who forget, don't have the technical skills, are never in the office or are just downright careless? Desktop backups go out the window.
You've got to set your users -- and your enterprise -- up for success in this area. Here's what you can do to ensure that desktop backups include all the right data in all the right areas:
- See what's being stored locally. Take a sampling of your desktop systems, and manually peruse local files to see what's stored. A tool such as Identity Finder is great for not only automating the search for important business data, but also for realizing that personally identifiable information (PII) is being stored unprotected on systems that are not running full disk encryption.
- Come up with a plan to back up critical data. I've found that an initial full backup combined with ongoing incremental or differential backups works best. If you back up only the Windows Documents and Settings folder, you run the risk of not backing up everything when users (or programs) save files outside the protected area. For mobile workers who rarely report in to the office, consider standardizing your organization on a cloud backup setup. If you don't, certain users may select their own cloud backups beyond your control, which can create bigger problems.
- Update your desktop backup policies and standards. Underlying causes of data backup problems include a lack of security policies and standards as well as miscommunication of those documents among IT staffers and users. Policies and standards can't exist in a vacuum to merely please the auditors.
- Check in periodically to make sure everything is working. Perform random tests to ensure that data is actually being backed up. You might have a technical issue or a user who has done something to their system to prevent backups from taking place. Also, perform periodic tests to ensure that the backups are readable and intact.
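The random test in the last step, combined with the "saved outside the protected area" check from the second, can be scripted. The following is an added example, not part of the original article; it assumes the backup has been restored or mounted as a plain mirror of the source tree, and the function names, folder names and sample files are all constructed for illustration.

```python
import hashlib
import random
import tempfile
from pathlib import Path

def sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB at a time
            digest.update(chunk)
    return digest.hexdigest()

def spot_check(source_root, backup_root, protected, sample_size=25, seed=None):
    """List files outside the backed-up folders, then verify a random sample."""
    source_root, backup_root = Path(source_root), Path(backup_root)
    scopes = [Path(p).parts for p in protected]
    def covered(rel):  # True when rel lies under one of the backed-up folders
        return any(rel.parts[:len(s)] == s for s in scopes)
    rels = sorted(p.relative_to(source_root) for p in source_root.rglob("*") if p.is_file())
    in_scope = [r for r in rels if covered(r)]
    report = {"unprotected": [r.as_posix() for r in rels if not covered(r)],
              "missing": [], "mismatch": [], "unreadable": [], "ok": []}
    picks = random.Random(seed).sample(in_scope, min(sample_size, len(in_scope)))
    for rel in sorted(picks):
        copy = backup_root / rel
        try:
            if not copy.is_file():
                status = "missing"
            else:  # a mismatch is either a file changed since the last run or damage
                status = "ok" if sha256(copy) == sha256(source_root / rel) else "mismatch"
        except OSError:
            status = "unreadable"  # one of the two copies could not be read
        report[status].append(rel.as_posix())
    return report

def demo():
    """Constructed sample: a user profile and a restored backup of Documents."""
    files = {"profile/Documents/plan.docx": b"v2", "restore/Documents/plan.docx": b"v1",
             "profile/Documents/q1.xlsx": b"a", "restore/Documents/q1.xlsx": b"a",
             "profile/Documents/notes.txt": b"n", "profile/Desktop/customers.csv": b"x"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(data)
        return spot_check(Path(tmp, "profile"), Path(tmp, "restore"), ["Documents"], 10, seed=1)

if __name__ == "__main__":
    print(demo())
```

Run it right after a backup completes so that a "mismatch" points to damage rather than to a file the user edited in the meantime.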
These points may seem old-school and trite -- even oversimplified for the enterprise. But you need to do these basic tasks to avoid desktop backup problems. Many regulations require enterprises to properly back up PII, so that should give you some good ammunition to get rolling. The important thing is to acknowledge that this is an area of risk and start thinking about ways you can get around this challenge.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, and professional speaker at Atlanta-based Principle Logic LLC. With over 23 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go.
This was first published in April 2012