You have probably heard the term "defense in-depth" used to refer to various IT security best practices. The basic principle behind defense in-depth is that no security mechanism is perfect, and you should employ many different mechanisms. That way, if a hacker manages to circumvent one of your security mechanisms, there may be 10 or 15 more standing in the would-be intruder's way. One area that can really benefit from this approach...
is data backup and recovery. In fact, I am immediately reminded of a situation that happened a couple of years ago.
There are a lot of different ways that the concept of defense in-depth can be applied to backup and recovery planning. One of the most effective methods that you can use is to take advantage of file virtualization.
What is file virtualization?
At its simplest, file virtualization involves displaying the aggregate contents of multiple file servers in a single location (usually a file share or a volume mount point).
There are a lot of file virtualization products on the market, each with varying capabilities. Probably the best known example is Microsoft's Distributed File System, which is built into Windows Server. Another example is IBM Corp.'s TotalStorage. One feature that is commonly found in file virtualization products is the ability to create replicas of your data. Herein lies the key to using file virtualization as a means for achieving another level of protection for your data. The primary advantage is that you don't have to perform 1:1 replication. You can replicate the contents of multiple file servers to a single replica server. You can also replicate some file servers, but not others.
Using remote replicas in file virtualization
We have all been told it is important to store backup tapes offsite. That way the tapes are protected against possible destruction in the event of fire, flood, hurricane, etc. While I wholeheartedly agree with the importance of protecting your backup tapes, offsite tape storage isn't a perfect solution.
File virtualization allows you to store data offsite without actually having to ship your backup tapes offsite (although it is still a good idea to store tapes that are unlikely to be needed offsite). The basic idea behind this technique is that many file virtualization products (including the DFS feature that is built into Windows) allow you to create replica file servers. These replica servers have traditionally been used for load balancing or for site resilience, but they can be used as a way of protecting your data as well. Placing a replica server in an offsite data center essentially provides you with an offsite backup that is always up to date.
Keep in mind that a remote replica is not a replacement for a traditional tape backup (or other forms of backup). Instead, remote replicas tend to be a defense in-depth solution that is used as a means of augmenting the existing backup strategy. In fact, I have seen organizations make tape backups of both their primary file servers and their remote replica servers. That way, there are two copies of every backup tape; one copy that is stored locally, and another copy that is stored in another data center.
While the idea of having duplicate backup tapes may sound appealing, you may be wondering why you even need to continue to make tape backups if you have replica file servers. Replica servers are more of a resiliency solution than a true backup solution. In other words, if a file server experienced a hardware failure then the workload could be shifted to replica servers so as to prevent the users from experiencing an outage. Once the failed server is brought back online the replica servers update the failed server with any changes that have occurred. This is why so many organizations use create local replicas as well as file server replicas in remote data centers.
What file server replicas can't completely protect against is data corruption. Suppose, for example, that a file on an organization's primary file server became corrupted. In all likelihood, the corrupted file would be replicated to the replica file servers, meaning that eventually none of the replica servers would contain a valid copy of the file.
Some file virtualization products offer a feature that allows you to either delay or rollback the replication process as a way of protecting against this sort of issue. But without this sort of feature, a tape backup may be your only safeguard against file corruption.
Although file virtualization is not a substitute for a tape backup, having replica servers can help you to quickly recover from a disaster, while still allowing you to store a copy of your data offsite. Many organizations also use file server replicas as a way of preventing outages in the event of a file server failure.