Storage Navigator - Tips, Advice & Insights from Storage Pros


What is Wrong with Today's Perimeter Security Model?


Author: Kushal Patel, Senior Consultant

For the last 15 years, port-blocking (stateful inspection) firewalls have been the cornerstone of network security. It’s no secret, however, that modern applications and threats easily circumvent the traditional network firewall. Attempts by security teams to bolt application awareness and control onto existing firewall products, or to consolidate “firewall helpers” with a Unified Threat Management (UTM) device, have fallen short of the mark or failed altogether. Applications and threats are still making their way around these fragmented solutions, frustrating IT groups that have only managed to incur additional cost and complexity without fixing the problem.

The old model for network security was simple because everything was black and white. Business applications constituted good, low-risk traffic that should be allowed, while threats – and pretty much everything else – constituted bad traffic that should be stopped. The problems with this approach today are basically threefold:

  • Applications have become increasingly gray – classifying types of applications as good or bad is not a straightforward exercise (e.g. Facebook, Gmail, Skype).
  • Applications have become increasingly evasive (e.g. Instant Messengers, Proxy Avoidance).
  • Applications have become the predominant target of today’s threat developers (e.g. SQL Injection, Cross Site Scripting).

To help mitigate these evolving risks, enterprises and vendors have tried to compensate for their firewall’s deficiencies by implementing a range of supplementary security solutions, often in the form of standalone appliances. A few common examples are intrusion prevention systems, antivirus gateways, web filtering products, and application-specific solutions – such as a dedicated platform for instant messaging security. The bottom line is that network security in most enterprises is fragmented and broken, exposing them to unwanted business risks and ever-rising costs. Traditional network security solutions have simply failed to keep pace with changes to applications, threats, users, and the network security landscape in general.

Enter Palo Alto Networks and Next Generation Firewalls

Next-generation firewalls are re-inventing network security by focusing on Applications (App-ID®), Active Directory Users (User-ID®), and Content (Content-ID®) – not just ports and protocols – as the key elements to deliver visibility and control. Next-generation firewalls allow enterprises to safely enable modern applications without taking on the unnecessary risks that accompany them, all the while delivering a substantial reduction in cost and complexity by eliminating the need for enterprises to deploy a wide variety of additional network security products.

Palo Alto Networks set out to restore the firewall as the cornerstone of enterprise network security infrastructure by “fixing the problem at its core.” Starting with a blank slate, its world-class engineering team took an application-centric approach to traffic classification in order to enable full visibility and control of all types of applications running on enterprise networks – new-age and legacy ones alike. The result of this effort is the Palo Alto Networks family of next-generation firewalls – the only solution that fully delivers on the essential functional requirements for a truly effective, modern firewall:

  • The ability to identify applications regardless of port, protocol, evasive tactics or SSL encryption.
  • The ability to provide extensive visibility of and granular, policy-based control over applications, including individual functions.
  • The ability to accurately identify users and subsequently use identity information as an attribute for policy control.
  • The ability to provide real-time protection against a wide array of threats, including those operating at the application layer.
  • The ability to support multi-gigabit, in-line deployments with negligible performance degradation.

With the introduction of its family of next-generation firewalls, Palo Alto Networks began the process of re-inventing network security, of restoring effectiveness and simplifying security infrastructure. The result is a market-leading solution that allows CIOs to tackle a broad range of increasingly substantial challenges by:

  • Enabling user-based visibility and control for all applications across all ports.
  • Stopping malware and application vulnerability exploits in real time.
  • Reducing the complexity of security infrastructure and its administration.
  • Providing a high-speed solution capable of protecting modern applications without impacting their performance.
  • Helping to prevent data leaks.

Considering matters from a business perspective, the Palo Alto Networks next-generation firewall also helps organizations:

  • Better and more thoroughly manage risks and achieve compliance – by providing unmatched awareness and control over network traffic.
  • Enable growth – by providing a means to securely take advantage of the latest generation of applications and new-age technologies.
  • Reduce costs – by facilitating device consolidation, infrastructure simplification, and greater operational efficiency.

The net result is that Palo Alto Networks is providing today’s enterprises with precisely what they need to take back control of their networks, to stop making compromises when it comes to information security, to put an end to costly appliance sprawl, and to get back to the business of making money. By delivering unmatched visibility and control over applications and the threats that seek to exploit them, network security solutions from Palo Alto Networks are substantially raising the bar for effectiveness and efficiency while establishing a new foundation for enterprise security.

CX4 Line Getting Some Well-needed Attention in FLARE 30


Author: Matt Trottier, Principal Consultant

EMC World 2010 stormed through Boston this year, where EMC made its case on why it should be the storage architecture driving your private cloud initiative.  EMC released many new products and new feature sets to their existing product lines to further prove its case. During my time at EMC World, I had the chance to attend many of the technical breakout sessions. One I found particularly interesting was on the enhancements coming to the CX4 line in the upcoming months.

Thanks to the new 64-bit architecture of the CX4 line, EMC is able to bring some well-needed feature updates to the CLARiiON via the upcoming release of FLARE 30. FLARE 30 will expand on its storage pool technology and virtual provisioning, reintroduce its FAST technology, give us our first common interface for CX, NAS and RecoverPoint SE, and find more useful ways to improve performance with Solid State Drives (SSDs).

Virtual Provisioning came out in FLARE 28 with EMC's initial attempt to bring thin provisioning into the CX4 product line. In a nutshell, they allowed you to build storage pools from either FC or SATA disks to present Thin LUNs and overprovision storage. Under the covers, it was making a bunch of meta-LUNs spread across hidden RAID groups that made up the storage pool. What it did well was break the "brick and mortar" approach that had dominated EMC's way of thinking in terms of allocating and provisioning storage for years, and bring some sense of virtualization to the CLARiiON line. But it was severely limited since it could only support RAID 5 or RAID 6 and EMC did not recommend it for mixing high workloads across different host machines.

In FLARE 30, EMC has revamped the virtual provisioning feature to become the new way to provision storage on the CLARiiON going forward. Here are some of the highlights:

  • Pool size and drive count restrictions have been updated to support all drives in the CX4 minus the 5 FLARE drives. Essentially, this means you can build a 955 drive storage pool on a CX4-960 if you want.
  • All drive types are now supported in the same storage pool including solid state disks (needed for FAST as explained below).
  • RAID 10 can now be used for storage pools to allow for pools to accommodate higher write workloads.
  • Thin provisioned LUNs will now be able to be expanded or shrunk in a single step without having to build a meta-LUN.
  • When provisioning LUNs from a storage pool, LUNs can be created as "thick," meaning all space is reserved for the size of the LUN in a contiguous address space.

You will still be able to use traditional RAID groups if you want for specific use cases, but in order to get the most out of your CX4, virtual provisioning storage pools are the way to go. Why? Because it is a great way of spreading I/O workloads across as many spindles as possible to get the most bang for your storage buck. Other storage vendors have been doing this for years in one form or another (NetApp, HP EVA, 3PAR to name a few).  It only seems natural for EMC to finally start moving to virtual storage pools as that is what the market is asking for.

The other good reason for using storage pools is that EMC engineering is going to start building new features that take advantage of their storage pool technology.

One such feature is Fully Automated Storage Tiering, or FAST.  This will build upon virtual storage pools and allow data to be automatically placed into the proper storage tier (or disk type) at the sub-LUN level. The CLARiiON will move the 1 GB chunks of the thin LUNs to the proper storage type in the pool as those chunks "heat up" or "cool down."

To show how this works, consider the following scenario: Say I have a CX4-240 with a storage pool consisting of (5) 72 GB SSDs, (30) 450 GB FC drives and (20) 1 TB SATA drives. I then provision a 500 GB Thin LUN to a host for a SQL database from that pool. As the SQL server uses that LUN, the hot chunks of the most used SQL tables will be moved to the SSDs for high performance while untouched portions of the database will be moved to slower disk in the pool, either the FC or SATA drives. Over the life of the LUN, FAST will continually tune the LUN and move 1 GB chunks to the appropriate disk type based on its "temperature."

FLARE 30 is also introducing compression for Thin LUNs in a storage pool. Traditional RAID group LUNs will be migrated into storage pools in order to support compression. Data compression will be a background process. EMC did state that this is intended to be used for "relatively inactive LUNs," such as archive volumes, backup copies or static data repositories.

The last really interesting feature coming out in FLARE 30 is FAST Cache. In simple terms, EMC will use SSD drives as an extension to SP cache to help with overall storage performance. This will provide a much larger, scalable cache that can be turned on/off on a per-LUN basis. Unlike the PAM card that NetApp uses in its filers to speed up read cache, FAST Cache can be used as either read/write cache, via RAID 1 or 10, or read cache via RAID 0. Depending on the CX4 model, FAST Cache will scale up to 2 TB of extended cache on the CX4-960. FAST Cache will support both traditional RAID group LUNs and storage pool LUNs.

FAST Cache is going to give EMC an excellent way of making the high price of SSDs more palatable for the mid-tier market. Rather than trying to find that small table of an Oracle database that requires 6000+ IOPS to move specifically to SSDs, FAST Cache has the potential to have an immediate impact on any customer's environment that needs a performance boost to extend the life of their current CX4.

Last, but certainly not least, EMC will be introducing a new unified management framework called Unisphere. Unisphere will be able to manage CLARiiONs, Celerras, and RecoverPoint/SE from the same management interface.  Unfortunately, only Celerras with the new DART 6.0 will be supported for management in Unisphere. On the other hand, CLARiiONs with FLARE 19 and above will be supported. From what I have seen, EMC has taken great steps to make Unisphere more intuitive and easier to use than Navisphere or Celerra Manager.  Going forward, as the product matures EMC will introduce additional management capabilities into Unisphere to manage additional EMC products.

Daymark Named "Best Place to Work"


Author: Tim Donovan, President

On April 30, we received some great news: Daymark has been honored by the Boston Business Journal as one of the "Best Places to Work" for 2010! We are delighted, because this speaks volumes about who we are as a team, and as a company.

In order to be considered, the company needed to be nominated by an employee or an "outside supporter." Then, an independent company (Quantum Workplace) conducted and tabulated surveys of employees. In order to be considered, 85% of full-time employees needed to participate. No individual information from the survey was shared with Daymark, so employees were able to be completely candid, and no input from Daymark's management team was considered.

When the results were tabulated, Daymark was one of 20 companies to be named in the Small Company category. This really is validation that what we do here works, for our customers and our employees. Our team is comprised of local consultants and experts who will do what it takes for our customers. Our "whiteboard to keyboard" approach means that the person who designs the solution will continue to be actively involved with its implementation. This boosts customer satisfaction and allows our employees to take ownership of their projects. We trust them to deliver their best, and they do.

We'll continue to do all that we can to ensure that Daymark meets the needs of its customers and its employees. We are far from perfect, but completely committed to getting it right - for our customers and employees... Nice job, Team Daymark!

PS. If you are looking for a great place to work, drop us a note! We are always on the lookout for talented experts to add to our growing team.

More Food for Thought on Cloud Computing


Author: Sean Gilbride, Director of Professional Services Operations

As promised in my last post, here are a couple of additional articles related to cloud computing that contain some great food for thought. I'd also like to hear what your thoughts are on this subject.
 
Cyberattack on Google Said to Hit Password System
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

These new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google's that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as "cloud" computing, a single breach can lead to disastrous losses.

Spam Suspect Uses Google Docs; FBI Happy
FBI agents targeting alleged criminal spammers last year obtained a trove of incriminating documents from a suspect's Google Docs account, in what appears to be the first publicly acknowledged search warrant benefiting from a suspect's reliance on cloud computing.

The warrant, issued August 21 in the Western District of New York, targeted Levi Beers and Chris de Diego, the alleged operators of a firm called Pulse Marketing, which was suspected of launching a deceptive e-mail campaign touting a diet supplement called Acai Pure. The warrant demanded the e-mail and "all Google Apps content" belonging to the men, according to a summary in court records.

Google provided the files 10 days later. From Beers' account, the FBI got a spreadsheet titled "Pulse_weekly_Report Q-3 2008" that showed the firm spammed 3,082,097 e-mail addresses in a single five-hour spree. Another spreadsheet, "Yahoo_Hotmail_Gmail - IDs," listed 8,000 Yahoo webmail accounts the suspects allegedly created to push out their spam. The Yahoo accounts were established using false information, allegedly in violation of the CAN SPAM Act.

Privacy advocates have long warned that law enforcement agencies can access sensitive files stored on services like Google Docs with greater ease than files stored on a target's hard drive. In particular, the 1986 Stored Communications Act allows the government to access a customer's data whenever there are "reasonable grounds" to believe the information would be relevant in a criminal investigation - a much lower legal standard than the "probable cause" required for a search warrant.

Is your company moving toward, or considering, implementing a public cloud solution? I'd like to hear from you.

Cloud Computing: Potential Risks Associated with Embracing the Public Cloud


Author: Sean Gilbride, Director of Professional Services Operations

Cloud computing is one of the hottest topics in the IT industry today and for good reason; it is fundamentally changing the way that many companies think about delivering information technology to their client base. Two of the main promises behind the adoption of cloud computing are the ability to increase responsiveness and reduce costs. This is an attractive proposition because, let's face it, these two things are tough to achieve simultaneously in IT. Couple these benefits with the desire to provide a more flexible and scalable infrastructure and it is easy to see why cloud computing is making an impact.

While there are many strategic advantages, there are also risks associated with embracing the cloud. There have been a number of recent articles which discuss some of these risks, ranging from management of data in the public cloud to locality and security of data. While many of us are embracing the cloud on one level or another (e.g. Salesforce.com), it is more important than ever to exercise caution when moving business applications outside of the datacenter and into the cloud.

I've been doing a lot of reading about this topic, and thought I'd share some of the more interesting items I've come across. Below is an excerpt from a recent article and link to a recent study targeted at IT professionals which provides insights into the impact these issues have had on the perception of the cloud. As with any disruptive technology there will always be growing pains and they are certain to continue while the vision of the cloud and how it can impact your business evolves. I'll post more articles in an upcoming post.

Survey: Cloud computing risks outweigh reward
Though cloud computing is often touted as a cost-saver for companies, IT pros still have lingering doubts about the safety and security of working in the cloud.

Around 45 percent of 1,800 IT professionals recently surveyed by the ISACA (formerly known as the Information Systems Audit and Control Association) said the risks involved in cloud computing outshine any benefits. Only 10 percent plan to use cloud computing for mission-critical IT services, 15 percent will use it only for low-risk services, and 26 percent don't expect to tap into the cloud at all.

Yale ITS delays switch to Gmail
Information Technology Services at Yale recently decided to postpone the University's move from the Horde Webmail service to Google Apps for Education, a suite of communication and collaboration tools for universities, pending a University-wide review process to seek input from faculty and students.

Concerns about the switch to Gmail fell into three main categories: problems with cloud computing, technological risks and downsides, and ideological issues.

Google stores every piece of data in three centers randomly chosen from the many it operates worldwide in order to guard the company's ability to recover lost information - but that also makes the data subject to the vagaries of foreign laws and governments, according to a Yale computer science professor.  He added that Google was not willing to provide ITS with a list of countries to which the University's data could be sent, but only a list of about 15 countries to which the data would not be sent.

What's your position on cloud computing? Join the discussion by sharing your comments.

Is Exchange 2010 Archiving for You?


Author: Joseph Correia, Principal Consultant

In early 2009 it was announced that Exchange 2010 now had "built-in" archiving.  This generated a lot of interest and excitement. Based on the information from Microsoft, it would appear that your archiving needs will be addressed by Exchange 2010, so why not put your plans on hold until you can upgrade or migrate to 2010?

Some of the benefits expected to be provided by Exchange 2010 archiving are elimination of PSTs across the organization, integrated user search of both active mailbox and archive mailbox, simple archival and deletion policies from Microsoft Records Management, multi-mailbox search for e-discovery, roles-based access control, and drag & drop access to your personal archive.

At first pass, it appears that most of the basic features you need in an archiving solution have been covered in Microsoft's first attempt with 2010, and I expect that they will improve the offering going forward. However, with only these features available, Exchange 2010 is probably only a good fit for small to mid-size businesses - those primarily concerned with archiving to eliminate PSTs and enable some form of search without implementing any additional software.

A deeper look at the native Exchange 2010 archiving functionality shows some significant issues that you should think about before proceeding. With Exchange 2010 archiving, mailbox database sizes are dramatically increased due to archived data being stored in the same database as the mailbox itself and the elimination of single instance storage (SIS). Other shortcomings include: 

  • Outlook 2010 is required to enable archiving
  • eDiscovery searches are limited to the Exchange Organization
  • There is no legal hold for Public Folders
  • Archive access is not extended to cache mode
  • There is no stubbing of messages.

Expanding on these points a little more, storing archive data in the same mailbox database as the user's mailbox means that your Exchange Server storage is not being reduced. The elimination of SIS further increases the likelihood that database sizes will  increase going forward.

In addition, moving to Outlook 2010 is no simple task, as anyone who has been through an application rollout realizes. Furthermore, eDiscovery searches are limited to the Exchange organization and cannot be performed across multiple organizations thus rendering the search incomplete and somewhat indefensible in a courtroom.

So IMHO, Exchange 2010 archiving in its current iteration will likely not fit the needs and requirements of many companies that have even moderate amounts of messaging data. Mid-size to large customers will want to archive other data types (file system, Instant Messages, SharePoint) along with e-mail and require strong eDiscovery capabilities across those realms, let alone require a reduction of storage use at the archive.

Some questions you should be asking yourself before implementing archiving:

1. Why are you going to implement archiving? Is it for storage management, eDiscovery, compliance, all of the above?
2. How long will you be required to retain data within the archive?
3. How does the archiving solution scale?
4. If you currently have a 3rd party archiving solution how will it integrate or coexist?
5. What does the proposed solution give me? (For instance, storage reduction, eDiscovery capabilities, enhanced mobility, improved backups, improved DR, etc.)

Backup Data Encryption and the Massachusetts Encryption Law


Author: Brenden Doyle, Senior Consultant 

As of March 1st 2010 all companies that have electronic information that is classified as personal information for a Massachusetts resident must protect that information from a possible data loss situation per 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. What does this mean for corporations?

Unlike Sarbanes Oxley, which forces corporate entities to take specific actions to ensure compliance with stated regulations, the Massachusetts Data Protection Regulation (MA 201 CMR 17) requires a corporation's "best effort" to ensure certain types of data are protected to the best of your ability.

This subtle change in wording places the burden squarely on the corporate entity for protecting personal information, but leaves much up to interpretation. While non-compliance with Sarbanes Oxley is potentially defensible in court by corporations who say the requirements are financially burdensome, the new 201 CMR-17 law centers on the answer to the question "Did you do everything within your power to protect this information?" This can lead to uncomfortable questions about cost per technical feature, such as "Is $50,000 too much of a financial burden for a company that had XX amount of profits last year to protect a customer's personal information?" This is not a line of questioning any corporate attorney wants to face, and certainly not following a public data breach.

Many incidents of backup tapes being lost are well documented. The size of a data breach from the loss of a set of backups can be astronomical. With the high capacity tape media available today, an LTO 4 drive can realistically hold over a terabyte worth of data. Just one tape could contain the entire HR database or sales and customer information for a whole quarter. With so much data contained on a single piece of media, the loss of a box of tapes could mean the loss of corporate records for an entire week, month, quarter, or year, depending on the backups lost.

This is why everyone is scrambling to ensure that any backup tape stored offsite is encrypted. The burden of proof will be squarely on the holder of the personal data to ensure everything reasonably possible was done to prevent that data from being compromised.

Backup tapes are routinely shipped offsite with a third party vendor to provide a level of protection from potential disasters. But without some form of encryption, there is no way to ensure that the backups cannot be compromised once they are no longer in your custody. There are a couple of options for accomplishing this today. NetBackup, for example, has both a client-side and a media server encryption option which allows the IT administrator to choose where and when to encrypt data. If all of the personal information that would require encryption is local to a single server, then encrypting at the client may be sufficient. If there are multiple servers containing personal information, the media server encryption may be more efficient.

Another popular method of encrypting backup data is to use an appliance or an LTO4 encryption-capable tape drive. Both client-side and media server encryption methods have a direct performance impact on the server doing the encryption. The appliance model removes the performance impact from the servers and maintains the proper compression ratios, offering the best of both worlds for a premium price.

With all of the encryption solutions available today, key management is the biggest concern. The encryption keys used to encrypt the data need to be protected even more securely than the data once encrypted. Maintaining the keys is a specific challenge requiring both protection of the keys and a secure method of recovering the keys in the case of a disaster. Most of the key management software solutions available provide a method of regenerating the encryption keys through the use of a passphrase. This allows the exact same set of encryption keys to be regenerated by entering the passphrase into the utility.

Daymark recommends a dual method to protect the encryption keys. As keys are not changed very often, we recommend the actual database pieces containing the keys in the key management software be burned to a CD and stored separately from the encrypted backups. A disaster recovery container stored with the offsite host vendor is highly recommended. This container should hold operating system CDs, the DR plan, the emergency contact list and the encryption key CD as well as the passphrase in case the keys need to be regenerated. This will provide a way to protect the data in an encrypted format without storing the keys with the backup tapes.   And, importantly, this allows you to successfully answer questions about Mass 201 CMR -17 compliance!
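The passphrase-based regeneration described above can be sketched as follows. This is an added example, not code from the original post or from any backup product: PBKDF2-HMAC-SHA256 stands in for whatever derivation a given key manager uses, and the salt, iteration count, key labels, passphrase and function names are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed KDF parameters (constructed for this example, not from any product).
# They are part of the recovery material: with a different salt or iteration
# count, the correct passphrase regenerates different keys.
KDF_SALT = b"example-site-salt-constructed"
KDF_ITERATIONS = 200_000


def derive_master_key(passphrase: str) -> bytes:
    """Stretch the passphrase into a 256-bit master key."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), KDF_SALT, KDF_ITERATIONS, dklen=32
    )


def derive_backup_key(master_key: bytes, key_label: str) -> bytes:
    """Derive one named backup key, so a single passphrase regenerates
    the whole key set deterministically."""
    message = b"backup-key:" + key_label.encode("utf-8")
    return hmac.new(master_key, message, hashlib.sha256).digest()


def key_check_value(key: bytes) -> str:
    """Short keyed fingerprint that identifies a key without revealing it.
    It can be recorded in the DR plan next to the tape set it belongs to."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).hexdigest()[:16]


def regenerate_key(passphrase: str, key_label: str, recorded_check: str) -> bytes:
    """Rebuild a backup key at the DR site and refuse to return it unless it
    matches the fingerprint recorded when the backups were written."""
    key = derive_backup_key(derive_master_key(passphrase), key_label)
    if not hmac.compare_digest(key_check_value(key), recorded_check):
        raise ValueError(
            f"regenerated key for {key_label!r} does not match the recorded "
            "check value: wrong passphrase or wrong KDF parameters"
        )
    return key


if __name__ == "__main__":
    # Constructed sample values.
    passphrase = "correct horse battery staple"
    original = derive_backup_key(derive_master_key(passphrase), "2010-Q1")
    recorded = key_check_value(original)  # written down at backup time

    # At the DR site: same passphrase and parameters give the same key.
    assert regenerate_key(passphrase, "2010-Q1", recorded) == original

    # A mistyped passphrase is caught before any restore is attempted.
    try:
        regenerate_key("correct horse battery stapel", "2010-Q1", recorded)
    except ValueError as err:
        print("rejected:", err)
```

Because the keys are a pure function of the passphrase and the KDF parameters, anyone holding both can rebuild every key, which is why the passphrase belongs in the DR container and not with the tapes.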

You'll find more useful information here:

201 CMR - 17
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

201 CMR - 17 Frequently asked Questions
http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf

Reminder notification
http://www.mass.gov/?pageID=ocamodulechunk&L=4&L0=Home&L1=Government&L2=Our+Agencies+and+Divisions&L3=Division+of+Insurance&sid=Eoca&b=terminalcontent&f=doi_Bulletins_bulletins_10_02&csid=Eoca

Using VSS Framework to Integrate Mission Critical Apps


Exchange, MSSQL, File Services, SharePoint and AD...Microsoft applications play major roles in most IT environments these days. It's not accidental that the major storage vendors are making great effort to easily integrate with these applications. VSS Framework seems to be the prevailing wind.

VSS (Volume Shadow Copy Service) provides the system infrastructure for running VSS applications on Windows-based systems. VSS enables the creation of point-in-time cache-consistent snapshots of primary data volumes and provides the low-level driver functionality required for a VSS application to manage those consistent snapshots. VSS API integration is now commonplace and available with backup applications such as EMC NetWorker, Symantec NetBackup, CommVault SIMPANA  and with storage manufacturers like EMC, NetApp and HDS to name a few.

It makes a lot of sense to be able to tightly integrate your mission-critical applications like messaging, database and document management with your data management infrastructure. For Windows systems, VSS looks like a solid enabling solution.

VSS is a service and device-level component available in the Windows kernel. Microsoft provides a set of communication APIs that create a consistent interface between the writers and requesters during snapshot creation activity. The writer is an application that coordinates its I/O operations with the VSS operation so that data on the shadow copy or snapshot is in a consistent state. The requester is an application, such as backup, archive or storage array snapshot software, that requests that a snapshot be created. The detail in this process has likely already been taken care of through a VSS agent available from your favorite storage management application provider.

If you have not already tried using this technology in your environment, I suggest you pick one of your Microsoft applications and give it a run through its paces - I think you'll like the results.

Dedupe Architecture Considerations

As with any new target device you might be incorporating into your backup environment, you are usually doing it for one of the following reasons: to increase capacity and/or throughput, or to improve manageability. The basic connectivity considerations that you would apply to any backup device such as tape, disk or optical still hold true for deduplication targets. Because of some of the unique benefits deduplication solutions offer, it is very important that you don't overlook critical architectural components in the quest to best leverage this technology.

For those who still question the maturity of the technology, I would remind you that its underpinnings are loosely based on journal file system concepts, which I was first exposed to in the open systems world in the early 1990s through the Digital UNIX ADVFS file system. (Remember those guys?) This type of file system abstracts the address level of the file system from the data level, creating pointers from the address level to common data sets at the data level. First used for pointer-based snapshots, this concept has since been leveraged for deduplication, storing only unique data blocks at the data level and using the address level as a reference.

There are two predominant deployment configurations commonly being used across the industry today: source based and target based. Source-based deduplication occurs on the client side and deduplicates data on the host before it sends the information across the TCP/IP layer. This can make it a good candidate for servers at a remote office that might not have an optimal WAN connection to the final data storage location. Most source-based deduplication products started off as standalone backup applications with proprietary agent code that makes it difficult, if not impossible, to integrate with heterogeneous backup environments. Where backup application integration exists, it is usually through an acquisition of the code by one of the big storage manufacturers and only with that manufacturer's applications.

Target-based deduplication, on the other hand, is typically appliance based and designed to plug into the backend of the existing backup infrastructure, similar to a classic backup device such as an automated tape library. Target-based appliances are designed to fit into the existing backup solution paradigm and can usually be presented as both a VTL (virtual tape library) or a disk backup target. Unlike source-based solutions, target deduplication occurs at the device level after normal backup data is sent to the backup server; this provides no reduction in data at the TCP/IP level, making it a better choice for data center deduplication where LAN bandwidth is not an issue.

Both source- and target-based solutions can reduce or eliminate physical tape from a backup environment by leveraging the same deduplication mechanism at the replication layer. If you can replicate data offsite to a second appliance, then you can eliminate the need to create a physical tape for offsite storage. If only the deduplication delta has to be replicated to make a complete offsite copy, you will contain your site-to-site network connectivity costs.
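The address-level/data-level split and the replication delta described above can be seen in a small model. This is an added example, not code from any deduplication product; the fixed 4 KB block size, the SHA-256 block index and the names `DedupeStore` and `replicate_to` are assumptions made for the illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed fixed block size; products may chunk differently


class DedupeStore:
    """Keeps per-backup pointer lists (address level) apart from unique blocks (data level)."""

    def __init__(self):
        self.blocks = {}    # data level: SHA-256 digest -> block bytes, stored once
        self.backups = {}   # address level: backup name -> ordered list of digests

    def write_backup(self, name, data):
        pointers = []
        for off in range(0, len(data), BLOCK_SIZE):
            block = data[off:off + BLOCK_SIZE]
            digest = hashlib.sha256(block).hexdigest()
            self.blocks.setdefault(digest, block)  # only unseen blocks consume space
            pointers.append(digest)
        self.backups[name] = pointers

    def read_backup(self, name):
        return b"".join(self.blocks[d] for d in self.backups[name])

    def stored_bytes(self):
        return sum(len(b) for b in self.blocks.values())

    def replicate_to(self, remote):
        """Copy to the remote site only the blocks it lacks, plus the pointer lists.
        Returns the number of block bytes that had to cross the link."""
        missing = {d: b for d, b in self.blocks.items() if d not in remote.blocks}
        remote.blocks.update(missing)
        remote.backups.update({n: list(p) for n, p in self.backups.items()})
        return sum(len(b) for b in missing.values())


def demo():
    # Constructed sample data: 8 distinct blocks, then a second night with one block changed.
    monday = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
    tuesday = monday[:3 * BLOCK_SIZE] + b"\xff" * BLOCK_SIZE + monday[4 * BLOCK_SIZE:]
    local, offsite = DedupeStore(), DedupeStore()
    local.write_backup("monday", monday)
    first_sync = local.replicate_to(offsite)
    local.write_backup("tuesday", tuesday)
    second_sync = local.replicate_to(offsite)
    return {"logical": len(monday) + len(tuesday), "stored": local.stored_bytes(),
            "first_sync": first_sync, "second_sync": second_sync,
            "restore_ok": offsite.read_backup("tuesday") == tuesday}


if __name__ == "__main__":
    print(demo())
```

Two nights of backups occupy little more than one night of unique blocks, and the second replication pass moves only the single changed block while the offsite copy still restores in full.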

Remember, the amount of data you manage in a deduplicated environment is greatly affected by the retention period of the backup data. Long-term retentions can have a significant cost on the overall solution. Managing daily, weekly and even monthly data on deduplicated storage is common; for longer retention periods, hybrid tape/de-dupe solutions may be the best answer. Always consider any additional licensing cost for integration into an existing backup infrastructure and support for your client base (e.g. unique operating systems or database agent support).

How Does That Really Work, Anyway?

You are tasked with solving your company's latest IT challenge; you decide to set up a meeting with your favorite and not-so-favorite technology manufacturers. Oh yeah, you also remind yourself to include a meeting with your local VAR who always comes through in a pinch when you actually have to deploy something. In your meetings you hear about solutions that will move, manipulate, protect, and organize your data while getting 35 mpg, running on alternative fuel and going from 0-60 in five seconds. After many hours of technology overload and resetting your focus on the initial task at hand, you run into your boss in the hallway. Your boss asks how the project is moving along, and you reply "Great. We will be able to get the entire IT staff to and from the office for a month while carrying a cord of wood, towing the company bulldozer, all on a single tank of gas. Wait a minute, do we even have a company bulldozer?"

It's not difficult to get sidetracked when selecting technology solutions to solve your data management problems. You want to make sure you do your due diligence and understand all the potential options for solving your IT challenge, and you would not want to accidentally leave out the best solution in your investigation. This can easily create an opportunity for the manufacturers to talk about all the cool stuff their companies have been recently developing, whether or not it has anything to do with your current project. Perhaps they can even uncover another sales opportunity even though they may have been removed from the details of your environment for over a year.

This is the perfect time to engage your local VAR who has probably been at your facility supporting you 10 times over the past year, or probably even occupied a guest cube at times. They have likely had their hands in the mix at your site and deployed similar technology at other clients. They will likely know the caveats to successful interoperability with your infrastructure. At this point you have probably reviewed a ton of marketing material and made some directional choices; now it's time to talk to the folks in the field, review an admin guide or two and flip through some release notes.
