For many schools, a few errant keystrokes may be all that stands between them and digital doom.
James O'Hagan, director of technology for The Cove School in Northbrook, Ill., narrowly escaped such a fate last June after a well-meaning employee accidentally deleted the school's library database. Worse, because the mistake happened after the end of the academic year, it wasn't discovered until the fall – rendering useless all of the daily backups that had been done in the interim.
"Our media center director, who would have had to recatalog the entire database manually, was discouraged over the idea of closing the library for weeks while school was in session," O'Hagan says. "Luckily, we were able to find a copy of the file that was two years old and rebuild it. But this made us realize how porous our backups really were."
At the time, the school had three different servers running Windows, Novell and Mac OS software, which were backed up daily to tape or to an external storage device. But it lacked offsite storage of backup sets, a disaster recovery plan and an easy way to access data remotely if the primary site went down. "It was a very simplistic system with the potential for disaster," O'Hagan says.
That's when the IT team at Cove, a private school for 140 students with special needs, decided to upgrade to Barracuda Backup Server. Now, O'Hagan and his staff oversee a single system that can handle data from all three servers. What's more, the amount of data they're able to retain is no longer limited by the capacity of their tapes or external devices, which means they can go back a year in time to grab a file, if needed. By storing mission-critical data in secure, redundant, cloud-based data centers, they've also greatly enhanced the school's disaster recovery capabilities.
O'Hagan appreciates Barracuda's simplicity, noting that the system took about 90 minutes to install and configure. After setting up the appliance in a closet and plugging it in, he simply used the device's web-based interface to identify which data to back up locally and which data to store in the cloud. He then established a backup schedule.
Although nearly losing the entire school's card catalog was bad, O'Hagan says, it could have been far worse. "We're a private, not-for-profit operation that relies heavily on donations," he explains. "If we had lost our donor database, that would have been a major disaster. Investments in backup systems can save you huge amounts [of money and trouble] down the road."
Similar practices protect Midway Independent School District's valuable data, says Adam Feind, executive director of technology for the 10-school district based in Woodway, Texas. "Data loss prevention is a multipronged fork that means different things to different people," he explains. "For us, it means disaster recovery and protecting our student and financial data – the most important data we have. But our first priority is ensuring business continuity."
Midway ISD is in a unique position, however, because it owns a light-speed fiber network that connects its two data centers in Hewitt and Waco. This configuration allows Feind and his team to fully replicate data from the primary site to the backup facility four to six times a day. It also allows the district, which serves roughly 7,200 students, to roll back the calendar up to 21 days to restore corrupted or missing data. Furthermore, Midway ISD captures an annual snapshot of all financial and student records, which it then exports to DVDs and stores in a fireproof vault.
According to Feind, the district used to perform regular tape backups. But when it looked at the long-term cost of replacing tapes and storing backup sets offline, replicating data between the centers turned out to be more cost-effective and a more reliable way to recover from system failures. "For us," Feind says, "owning fiber between the two sites was a no-brainer. It's very easy to make sure we get our data replicated to a secure location."
Protecting student and financial records is a top priority for Greg Taylor as well. As shared services technology coordinator for the Delsea Regional School District in Franklinville, N.J., Taylor oversees a department that provides technical services to Delsea's two schools and to those in the nearby Franklin Township Public Schools and Elk Township School District systems. "Student records and business data are mission-critical and need to be protected at all costs," he says. "If that's lost, we could be sued, fined by our governing agencies or shut down."
Taylor's team uses Symantec Backup Exec to back up data locally to tape every night. The district also takes a snapshot of its data every three hours, which it stores on a local server, and backs up data online each night to a third-party service provider.
Taylor believes a comprehensive disaster recovery plan is key to helping school districts avoid worst-case scenarios that could cripple operations. "I wrote our disaster recovery plan," he says. "It's a 100-page document that details what to do in different scenarios and outlines teams, contacts, where items are and so on for 10 possible disasters."
The Full DLP
For most organizations, data loss prevention encompasses a lot more than data backup and disaster recovery, says Paul Proctor, vice president and distinguished analyst at Gartner Research. DLP typically involves a full suite of solutions, ranging from data encryption on mobile devices to the filtering of incoming and outgoing communications to ensure that sensitive or confidential data doesn't leak. There's no simple, one-size-fits-all solution, he adds.
"We see organizations all the time that tell us, 'We need DLP,' and then ask us what product they should buy," Proctor says. "That's the wrong way to go about it. The right way is to ask, 'What sensitive data are we trying to protect, and under what circumstances?' Once you know the use cases, you can write requirements to match them to the right tools."
More important, a successful data loss prevention program requires cultural and behavioral change at the highest levels. "It's not like a firewall – you can't just drop it in," Proctor explains. "It's a nontransparent control that's specifically designed to give you visibility about how people within your school or district treat sensitive data, and then go change that. If you give a DLP solution to your traditional security people and they try to implement it like a firewall, you're wasting your investment."
If you want to ensure your data is safe, incorporate the following tools and techniques into your IT strategy:
Hard drives die, systems crash and people accidentally delete files. You can't prevent any of these events. But a reliable backup system can minimize the amount of data that's lost when they do happen.
Consider nightly backups the bare minimum. Real-time data replication using offsite or cloud-based services is a more effective solution.
Sensitive data frequently is spilled when district-owned notebook computers, smartphones and storage devices are lost or stolen. The IT department can minimize this threat by requiring that data on any device be fully encrypted before it's allowed to leave the premises. Backup sets on tape or disk also should be encrypted.
Content-aware data loss prevention
Many large districts deploy systems to monitor all incoming and outgoing communications (including e-mail, chat and instant messaging). Look for certain keywords and other types of sensitive information within these messages and then block potentially damaging content from going out.
Some DLP systems also monitor internal access to data, allowing, for example, only authorized human resources employees to access certain personnel records.
Every district needs to establish and enforce policies that define what constitutes sensitive data, who has access to it and how it will be protected. In many cases, this isn't a best practice, but rather a mandatory component of complying with state and federal regulations.
Even a minor setback, such as a flood or power outage, can turn into a major disaster if you don't have a comprehensive contingency plan in place. Assemble a crisis management team and designate someone to take the lead when disaster strikes; establish how to reach every stakeholder – from staff and faculty to students and parents; determine your mission-critical data and applications; and ensure that your backup data is accessible and that there are systems you can use if the data center is down.
It's also a good idea to identify and secure a location that could serve as an alternate workspace for school stakeholders (possibly for weeks) until your primary site is accessible again.