isalazyadmin.net

Just a place to braindump my thoughts, talk about IT and other random stuff.

Data separation, a good practice

As most system and network administrators know, data separation is one of many ways to make your network more manageable, reliable and secure. But coming up with a good strategy for data separation can be a time-consuming task, and configuring servers and networks in compliance with your strategy can consume time as well. We all know time is money, so how do we convince upper management that time spent on data separation strategies is really worth it, and what is data separation really?

What is data separation?

Data separation is the process of splitting up data into different categories and storing these data categories on different disks, partitions or RAID volumes. A common strategy is the separation of the Operating System, server applications and day-to-day user data such as user home directories. You can also separate data according to its sensitivity, or use both these strategies at the same time. Many more strategies exist and it is up to you to come up with a solution that best fits your organization.

So now we know what data separation is, but why should we care about it, and how can we convince upper management to give us time to implement this practice in our network environment? Below are some common reasons you can use to justify time spent on data separation strategies and their implementation.

System stability.

The separation of data can improve system stability and performance. If, for example, you separate the Operating System from other installed applications, an application filling up a whole disk, partition or volume will not crash the Operating System, and other services will usually continue to operate, resulting in less network downtime. Good examples of applications that can fill up all available space quickly are mail servers or a server running Windows Server Update Services (WSUS).

If you use a RAID solution as your primary means of storage, you can configure different RAID arrays for different data categories, with the most important data residing on more fault-tolerant volumes such as RAID 5 or RAID 10. This increases availability and/or throughput and results in less downtime in the event of disk failure.

Easier network manageability.

If you implement a good procedure for data separation in your organization, your systems and network as a whole become more manageable, as users and system administrators will know where different categories of data are most likely to reside on the network. This can reduce network complexity and create some peace of mind, resulting in fewer configuration errors.

Easier backups and system recovery.

Backups will be easier on a well-designed network, and because the primary function of backups is to prevent data loss, you might see the benefit of a good data separation strategy. If, for example, you store all user data on a separate volume, you can just back up the whole volume without worrying whether you selected the right folders in your backup schedule.

System recovery will be easier as well. Imagine the Operating System crashes: when you use one drive to store all your applications and user data, you have to reinstall not only your Operating System but also all applications and the data that was on the Operating System volume. If you separate data, you can drastically reduce the time it takes to recover a crashed system, because you only have to reinstall or reconfigure a certain part of it. This keeps downtime and stress levels to a minimum, and makes caffeine poisoning a less likely event during your IT career.

Increased system security.

Separating data on different disks, partitions or volumes can have security benefits. It will be easier to set ACLs on fresh disks instead of modifying permissions on the Operating System volume. You will also mitigate some forms of directory traversal attacks, and worms such as Nimda or CodeRed could have been stopped if, for example, the document root of the web server resided on another partition than the Operating System. Yes, I know that patches were out long before those hit, and I do agree that patching the system is an even better security practice.

In Unix-like operating systems you can set special flags on mount points in ‘/etc/fstab’, such as ‘nosuid’, ‘noexec’ or ‘ro’, increasing the security of a system even more. If you want to implement this kind of security, however, you first have to think about where certain files will be located on a system.
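To make the mount-flag idea checkable, here is an added example (not code from the original post) that audits fstab entries against a per-mount-point policy. The policy, the mount points and the sample fstab are constructed assumptions; only the flags ‘nosuid’, ‘noexec’ and ‘ro’ come from the text above.

```python
# Assumed policy (not from the original post): options each mount point must carry.
POLICY = {
    "/home": {"nosuid"},
    "/tmp": {"nosuid", "noexec"},
    "/var/www": {"nosuid", "noexec", "ro"},  # hypothetical web document root
}

# Constructed sample in /etc/fstab format: device, mount point, type, options, dump, pass.
SAMPLE_FSTAB = """\
# <device>   <mount>    <type>  <options>          <dump> <pass>
/dev/sda1    /          ext4    defaults           0 1
/dev/sda2    /home      ext4    defaults,nosuid    0 2
/dev/sda3    /tmp       ext4    defaults,nosuid    0 2
/dev/sdb1    /var/www   ext4    nosuid,noexec,ro   0 2
"""


def parse_fstab(text):
    """Return {mount_point: set(options)} for every non-comment fstab line."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) < 4:
            continue  # malformed entry: skip rather than guess
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit(text, policy=POLICY):
    """Return {mount_point: [missing options]}. A policy mount point without
    its own fstab entry is reported as 'not separated'."""
    mounts = parse_fstab(text)
    findings = {}
    for mount_point, required in policy.items():
        if mount_point not in mounts:
            findings[mount_point] = ["not separated"]
            continue
        missing = sorted(required - mounts[mount_point])
        if missing:
            findings[mount_point] = missing
    return findings


if __name__ == "__main__":
    for mount_point, problems in audit(SAMPLE_FSTAB).items():
        print(f"{mount_point}: {', '.join(problems)}")
```

A finding of ‘not separated’ means the directory lives on its parent file system, so the flags cannot be applied to it alone, which is why the layout has to be planned first.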

I am sure you can think of many more benefits, but these are roughly some of the more common ones I come up with when the subject comes up during a meeting or discussion.