How to Create and Implement a Data Recovery Plan
I was 13 years old when I learned why it was important to have good backups. It was 2008 and the new World of Warcraft expansion, Wrath of the Lich King, had just launched and the rest of my friends were already waiting in the game for me. I was playing on the family computer so my installation took a bit longer than everyone else’s. We also used some modifications in the game to track spells and damage, which needed to be updated to work with the new expansion. Without paying attention to what I was doing, I clicked what I thought was the update button. This prompted a download of something rather quickly, which I thought was odd, but I didn’t overthink it as I just wanted to get in the game. As soon as I launched the game and before I could even hop into the TeamSpeak channel, the computer crashed. I was left staring at a bright blue screen. Flash forward 2 days and $750 later, we had a new family computer that I had to buy with my own money and was grounded from using it for 3 months. Considering the pictures, tax forms, business expense reports, and other important documents that I had lost, that seemed like a more than fair punishment.
While my childhood family computer was easy enough to replace, your district’s data is not. Every district should have good backups as well as a data recovery plan or process. Data Recovery is the process of restoring lost, corrupted, accidentally deleted, or otherwise inaccessible data to its server, computer, mobile device, or storage device. This may be needed in the aftermath of a natural disaster, like a tornado or hurricane or the case of a cybersecurity incident, like ransomware or a user deleting the wrong folder. While these may seem like extreme examples, we must be prepared for the worst at all times. In fact, over the last couple of years, there has been a rising trend of worst-case scenarios occurring and school districts all over the country have been the target of ransomware operations. Along with this increase in targeted attacks, we have also seen an equally steady rise in school districts being caught unprepared and left scrambling when faced with disaster. Some of these schools have closed for days or weeks while they get everything sorted out, with one college completely shutting down and closing its doors for good after being hit with ransomware in May of 2022. With all this in mind, we must be as prepared as we can be for any worst-case scenario.
The best place to start is with a Disaster Recovery Plan that spells out exactly who is in charge and what needs to be done to return services to pre-disaster levels. This can be used for all areas of the district, not just technology. For technology-specific items, a data recovery plan should be included in the disaster recovery plan or a separate document altogether. A data recovery plan should be a formalized process that is documented, reviewed and updated annually, or when significant enterprise changes occur. This document should cover the scope of the data recovery activities, recovery prioritization, and the security of backup data. The goal of this document is to specifically map out what data can and will be recovered, the order the data should be recovered in to allow for the most secure and complete recovery, and what security controls are implemented to secure all backup data to ensure recovery data will be available and accessible if needed. By quickly and correctly restoring data we can minimize the recovery time and any potentially lost data.
Having good and Reliable Backups is a critical part of any data recovery plan. To ensure the most reliable and up-to-date backups are created, an automated process should be in place to backup data over a specified timeframe. This timeframe can be whatever works best for your environment but should be no more than a maximum of one week. These backups should include:
- Active Directory or Microsoft Azure configurations and data
- Switch and routing configurations
- Secure firewall configurations
- Additional server backups like file servers and print server
- Access control configurations and data
- Any stored student or employee data
- Any other business-critical data or infrastructure configurations
Once the data is backed up, it is critically important to Test those backups to ensure that the backups are working as intended and that no data is missing or corrupted. While you don’t have to test every backup made, testing each backup once a quarter is recommended.
After all backups are made and tested they need to be stored safely and securely. To do this, all backups should follow the 3-2-1 Rule. The 3-2-1 rule states that there should be a minimum of 3 copies of data, 2 of those copies should be on different media, and 1 of those copies should be located off-site and air gapped. A basic implementation of the 3-2-1 backup solution would be production data (Copy 1, Media 1), Backup data on an onsite repository (Copy 2, Media 2), and an off-site disaster recovery backup (Copy 3, Media 3). While this particular implementation may not be the best for your district, there are many different configurations for the 3-2-1 rule implementation making it flexible enough to accommodate most situations. One popular misconception with the 3-2-1 rule is that the off-site copy has to be a hard drive with all your information, stored in a hollowed-out mountain for safekeeping. While this can be helpful for top-secret sensitive data, it is incredibly impractical for most organizations. Thankfully with the advent of cloud computing and storage, we can now safely store an off-site copy of our data securely in a cloud environment, that can be easily accessible in case of an emergency. Storing backups in the cloud also allows for an air gap, isolating a device or private local area network (LAN) from other devices and networks, including the public internet, to be created. Air gaps can help protect backups from being compromised or encrypted by attackers that may be already on your network.
Additionally, all backup and recovery data should have all the same protections as your production data in your environment. This means backups should be encrypted at all three states (At rest, in transit, and use) and they should be subject to access control lists and restricted permissions. Just because the data is a “backup” or “recovery data” doesn’t mean that this data is any less important than production data and should be treated as such. Taking this approach allows for the integrity of the recovery data to remain high and have an overall smaller attack surface.
Having a data recovery plan and good backups, while not flashy or new, is critically important to the success of any data recovery operation. If your district does not have one or both of these controls formalized and implemented, now is the time to do so. Remember, attackers aren’t waiting for when your district is completely protected to attack. As soon as they find an easy target, they strike. When they attack, don’t be caught unprepared.