Adaptive backup as a security enhancer

Computer Technology Review, June, 2004 by Daniel Hardman

Electronic parasites are spreading through the computing fabric at an alarming rate; new vulnerabilities are constantly unearthed, and they morph into threats with ever-shrinking lag time. Yet security-related issues are not the only worries for IT. Systems management and integration tasks are a continuing challenge--and what technician doesn't get a little queasy when the CEO calls in a panic needing a backup restored before the board meeting in fifteen minutes?

Diverging Disciplines

What's interesting is that all these issues are handled by a single team in most organizations, but they're mapped to separate disciplines: a network/security administrator configures firewalls, network intrusion detection systems, and antivirus software; a deployment and configuration guru runs the systems management framework; and the storage and backup technician thinks about disaster recovery so everyone else can sleep at night. Sometimes one person wears several hats--but that's an artifact of compressed IT budgets more than philosophy or inclination.

The full potential of network, systems, and storage management depends on powerful synergies that each discipline brings to the others.

In Search of Synergy

Backup is a case in point. Today's carefully implemented backup systems chug away, continually adding layers of protection as old backups become obsolete or join the federally-mandated compliance archive in a vault somewhere. For example, if you're taking daily backups of your Exchange server when a vulnerability in Exchange is announced, the same daily pattern continues unchanged through threat, attack, infection, patch remediation, or whatever else occurs. This is what we expect, given the separation of disciplines within IT and the software industry. Is this what we want?

Backups exist to enable recovery, of course, and security events are one cause of recovery; that alone should tell us that the disciplines are synergistic. But like human health care workers, backups don't just help the sick recover--they're vital to preventing further spread and secondary infection. No battle is complete without them. Wouldn't it be nice to give our backup systems an early warning of relevant threats, and trigger by configurable policy a corresponding adjustment to the rate or retention of backups? Wouldn't it help to certify the health of backups before a restore, so we don't re-release the same virus we just finished purging? Wouldn't we be better off if backup systems could cooperate with systems management and patch remediation frameworks to decide which machines are most at risk and therefore get highest priority in our backup storage pool until a threat subsides? What if, upon restore, our backup software automatically reapplied patches that occurred after the backup date?

From Wishes to Reality

If such notions sound like a utopian daydream, you are half right. Until recently, a number of factors prevented the kind of adaptive, intelligent integration that such a system would require. The good news is that the technological landscape now includes some key enablers that could make adaptive backup a reality. Of course, what is possible and what is available today are two different things--but perhaps not for long!

The advent of cheap disk-to-disk backup is one enabler. While tape continues to have an important place in an overall strategy, it is now possible to use disk snapshot and imaging products such as Symantec's V2i Protector to capture backup data (both full and incremental) without interrupting the system, and to stream it quickly to a secondary location. It's also possible to access individual files and folders within a backup in a straightforward manner (e.g., by mounting an image as a volume), which dramatically alters the supportable scenarios during recovery. You can restore an uninfected PowerPoint out of an infected operating system image, for example. You can also scan the contents of a backup with traditional antivirus technology.

Another enabler--detailed and automated warning of security threats--is available through systems like Symantec's DeepSight, which monitors data from thousands of sensors on the Internet and publishes sophisticated threat descriptions to subscribers. Of course, warnings can be collected in simpler ways as well. The press releases of vendors and industry watchers and the BugTraq mailing list at www.securityfocus.net/ are good places to start.

Couple these tools with a sophisticated patch remediation technology that works hand-in-hand with systems management frameworks, and you could create a true boon for harried IT staff. Here's how such a system might work.

Adaptive Backup in Practice

First, network and backup administrators collaborate to create a definition of low- and high-exposure states for a machine. The low-exposure state is hopefully the default; high exposure is tied to various conditions such as a known vulnerability that applies to the specific software on a machine, a virus or worm that exploits that vulnerability circulating in the proximate environment, ongoing deployment of new software by systems management tools, hardware aging, or other factors. Of course, the definitions of state are not necessarily binary; perhaps a particular organization wants to evaluate exposure on a scale of one to ten. It is also important to recognize states that are "beyond" potential problems--"known to be infected" is an obvious one.
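The exposure definition described above, combined with the policy-driven adjustment of backup rate and retention raised earlier, can be sketched as follows. This is an added example, not code from the article or from any product it names; the condition names, weights, threshold and policy values are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed weights on a one-to-ten exposure scale (assumed values).
WEIGHTS = {
    "vulnerable_software": 4,     # a warning matches software on this machine
    "exploit_circulating": 3,     # virus or worm for that flaw seen nearby
    "deployment_in_progress": 2,  # systems management is pushing new software
    "hardware_aging": 1,
}
HIGH_THRESHOLD = 5  # assumed cut-off between low and high exposure

@dataclass
class Machine:
    name: str
    software: set
    conditions: set = field(default_factory=set)
    infected: bool = False  # "known to be infected" sits outside the scale

def apply_warning(machine, affected_software, exploit_seen):
    """Record a threat warning only if it applies to software on this machine."""
    if machine.software & affected_software:
        machine.conditions.add("vulnerable_software")
        if exploit_seen:
            machine.conditions.add("exploit_circulating")

def exposure(machine):
    """Return (state, score); score starts at 1 and is capped at 10."""
    score = min(10, 1 + sum(WEIGHTS[c] for c in machine.conditions))
    if machine.infected:
        return "infected", score
    return ("high" if score >= HIGH_THRESHOLD else "low"), score

def backup_policy(machine):
    """Map exposure state to backup rate, retention and restore checks."""
    state, _ = exposure(machine)
    if state == "infected":
        # Assumed choice: keep older backups from expiring, scan before restore.
        return {"interval_hours": 24, "retention_days": 90,
                "hold_expiry": True, "scan_before_restore": True}
    if state == "high":
        return {"interval_hours": 4, "retention_days": 30,
                "hold_expiry": False, "scan_before_restore": True}
    return {"interval_hours": 24, "retention_days": 14,
            "hold_expiry": False, "scan_before_restore": False}

def storage_priority(machines):
    """Order machines for the backup storage pool, most exposed first."""
    return [m.name for m in sorted(machines, key=lambda m: -exposure(m)[1])]

if __name__ == "__main__":
    mail = Machine("mail01", {"exchange"})  # constructed sample host
    apply_warning(mail, {"exchange"}, exploit_seen=True)
    print(exposure(mail), backup_policy(mail))
```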

 


Content provided in partnership with Thomson Gale