Categorisation to protect: Tiered data protection

With malicious cyber attacks on the rise, every organisation needs to act and protect its data. To optimise resources, only critical and vital data must be protected with the highest levels of security and redundancy, while less important data can just be given standard protection. The key is to understand which data is vital and which is merely important. ETH has developed a protection strategy based on four data tiers, with Tier 1 at the top and Tier 4 at the bottom of the «importance pyramid».

Today’s threats to institutional data (both academic and administrative data) are increasing in severity and frequency. Research shows that ransomware attacks and other malicious cyber attacks are affecting many educational institutions around the world. ETH, as a top university, is an obvious potential target, and the risk of reputational damage and functional impairment from such attacks is real and significant.

Protection of the most important ETH data

To mitigate the consequences of such scenarios, we must take action and protect our most important data as best we can. ETH Zurich’s IT Services are running projects aimed at preventing such events and improving resilience if they do occur.

As financial and human resources are limited for all organisations, the focus must be on protecting only the most valuable and critical data with the highest level of security and redundancy, while less important data can get by with fewer resources. In this way, the allocation of resources is optimised.

Improved resilience of data through categorisation in tiers

Improved resilience of data through categorisation in tiers

In IT Services, we have developed a graduated data resilience strategy consisting of four data layers: Level 1 comprises the most critical and valuable data, whereas as level 4 at the bottom contains the least important data. All tiers are protected by geographically separate tape backups. In addition, Tiers 1, 2 and 3 have a special offline tape copy that is logically inaccessible, the so-called «logical air gap». The data in Tiers 1 and 2 is also protected by a redundant storage system that can recognise ongoing malicious attacks in real time. Finally, Tier 1 data naturally receives the highest level of protection, including a physical air-gap system.

How do you correctly categorise data into the four available tiers?

This is the real challenge, because everyone thinks that their data deserves the best possible protection. There are obvious candidates for the upper tiers: all services that form the basis of the university infrastructure and on which all other systems and services depend, personnel and student data, as well as data that can never be recovered (such as seismic, historical data). For other types of data however, categorisation into tiers is much more difficult and requires input from senior management in collaboration and consultation with employees and researchers.

If you have any questions about the categorisation of data into the four tiers, please contact IT Service Continuity Management.

Contact

Group, Storage, ITS INFRA, IT Services

erstellt am
in IT-SEC,News Schlagwörter: ,,,,,

Hinterlassen Sie eine Antwort

Ihre E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahren Sie mehr darüber, wie Ihre Kommentardaten verarbeitet werden .