White Paper on Enterprise Level Client Backup Program

 

FastBIT Backups

With a FastBIT backup, it is only necessary to back up the changed bytes after the initial backup. These changes may represent additions, deletions and/or modifications. Furthermore, the process can be used to back up any type of file: database, text and executable files. This is possible because the process utilizes an intelligent binary comparison algorithm designed to work on any type of file. By incorporating the concept of a FastBIT backup, incremental backups are reduced by 85 to 99 percent. This translates into a significant reduction in transmission time.

 

In order for the software to create a FastBIT backup, it must be able to compare a changed file to the previous version of the file. This is achieved by allocating a small amount of additional disk space (disk cache) to store current versions of files. Storing additional copies of data on the local disk may be a concern at first, but further understanding of the process should help eliminate this concern. Since the local disk cache only contains copies of "active" data files, those files that change on a regular basis, the cache will remain a reasonable size (estimated to be 3 to 5 MB). Files in the local cache that have been inactive for a specified number of backups are removed from the cache, making room for new files. Extensive error checking is performed at the time the FastBIT backup is constructed, and also when it is applied on the server. This ensures the integrity of the transmitted backup. In certain cases, such as when a new file is created, or a modified file does not have a previous version to compare against, the file is simply compressed and backed up in a conventional incremental manner.
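The following added example, which is not the product's code, walks through the flow described above: a delta built against the cached previous version, an integrity check when the delta is constructed and again when it is applied, and the compressed full backup used when no previous version exists. It assumes Python's difflib matcher in place of the undisclosed FastBIT comparison algorithm and SHA-256 in place of the unspecified error checks; all function names and the sample data are hypothetical.

```python
import difflib
import hashlib
import zlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_backup(new, cached=None):
    """Client side: delta against the cached previous version, else full backup."""
    if cached is None:
        # New file or nothing in the local cache: conventional compressed backup.
        return {"kind": "full", "data": zlib.compress(new), "new_sha": sha256(new)}
    ops = []
    matcher = difflib.SequenceMatcher(None, cached, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))      # bytes the server already holds
        elif j2 > j1:
            ops.append(("data", new[j1:j2]))  # added or modified bytes
        # a pure deletion emits nothing: the range is simply never copied
    patch = {"kind": "delta", "ops": ops,
             "base_sha": sha256(cached), "new_sha": sha256(new)}
    apply_backup(patch, cached)  # error check at construction time
    return patch


def apply_backup(patch, stored=None):
    """Server side: rebuild the new version and verify it before accepting it."""
    if patch["kind"] == "full":
        out = zlib.decompress(patch["data"])
    else:
        if stored is None or sha256(stored) != patch["base_sha"]:
            raise ValueError("server copy differs from the client's cached base")
        out = b"".join(stored[op[1]:op[2]] if op[0] == "copy" else op[1]
                       for op in patch["ops"])
    if sha256(out) != patch["new_sha"]:
        raise ValueError("reconstructed file failed the integrity check")
    return out


def payload_size(patch):
    """Bytes of file content that actually travel in a delta."""
    return sum(len(op[1]) for op in patch["ops"] if op[0] == "data")


# Constructed sample data: a small ledger, then one edit and one appended record.
OLD = b"".join(b"record %04d: balance=%d\n" % (i, i * 7) for i in range(60))
NEW = OLD.replace(b"record 0010", b"record 0010 (amended)") + b"record 0060: balance=420\n"

if __name__ == "__main__":
    patch = build_backup(NEW, OLD)
    print(len(NEW), "bytes in file,", payload_size(patch), "bytes in delta")
    assert apply_backup(patch, OLD) == NEW
```

The base hash check matters because a delta is only meaningful against the exact bytes the client compared with; if the cache and the server copy have diverged, the server must reject the delta rather than produce a corrupt file.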

 

Encryption

In order to ensure that the transfer and storage of data is secure, an encryption scheme is negotiated between the client and the server. The encryption scheme is used to encrypt/decrypt the proprietary protocols that are used to facilitate communication between the client and the server, as well as the files themselves. The backup files are encrypted during the transfer and remain encrypted as they are stored on the server.

 

Encryption algorithm

There are three encryption algorithms available. All three algorithms have different key lengths and provide different levels of security.

Secure Blowfish

The Blowfish algorithm uses a 448-bit encryption key and is the most secure of the available algorithms because of the long key length. This strength is comparable to military-grade encryption.

Triple-DES

This algorithm uses a 192-bit key length and provides very strong protection. The DES algorithm was the encryption standard for the government for 20 years. This is stronger than the encryption used at banks.

DES

This algorithm uses a 128-bit key length and provides strong encryption. The DES algorithm was the encryption standard for the government for 20 years. This is typically the encryption strength used at banks.

 

 NOTE: The encryption algorithm can be changed on the Backup Client at any time in between backups and restores.

 

Encryption is used to provide the Backup Client with a secure means of communicating with the Backup Server. In addition, it is used to encrypt files for secure storage on the Backup Server. All files are also completely encrypted when they are restored. Once the restored files are received by the Backup Client, the files are decrypted automatically.

 

Encryption Types

User data and the protocol messages used to facilitate client/server communication are always encrypted during transmission, and files are stored on the server in an encrypted manner. File and protocol encryption is based on one of three encryption algorithms: Blowfish, Triple-DES, or DES (Triple-DES not available in International version). The encryption type is configured by the user in the Backup Client software.

Setting a Secret Key

The user can supply a "secret key" in addition to the authentication password, which is sent to the Backup Server every time the client connects and is used for encryption. The Backup Server authenticates the user and then validates the secret key before access to the account is allowed. The user can change the encryption type and/or secret key at any time and the server will record a history of the change. The secret key mechanism also allows multiple computers to back up separate volumes using separate secret keys to the same user account. This prevents users from being able to view data belonging to other users who are backing up to the same account. It should be noted that if the master decryption key option is not being used, or if master key access for a particular account is disabled, and the user forgets or loses their secret key, the data cannot be recovered.

 

 

 

User Authentication

Since the Backup Server is highly integrated with the Windows security model, it performs client authentication through Windows 2000/2003/XP, a Microsoft Site Server Membership Directory or a standard LDAP database (including Windows Active Directory). For Windows Authentication, users can be authenticated on the local Windows system (workstation or stand-alone server) or the Windows Primary Domain Controller for the domain specified in the Windows server installation. Windows authentication is achieved using the challenge/response method (commonly referred to as NTLM), which is the most secure method of authenticating users.

 

The user can “lock-out” the administrator, thus preventing anyone from looking at the files under a false restore. This is what makes this backup 100% HIPAA. No one can hack into the backup without the user/client say-so permissions.

 

Secret key to encrypt all files

Use my logon password as the secret key

This option will cause the Backup Server logon password to be used to encrypt all files.

Specify my own secret key for encryption

This option will allow a private secret key to be specified for file encryption. If the secret key is forgotten or lost, the Backup Server administrator may not be able to recover the data residing on the server.

The secret key options can be configured by pressing the "Set secret key" button. The encryption algorithm can be changed at any time in between backups and restores.

 

 

Guaranteed Secure Client

In order to provide a guaranteed secure client in situations where this is desirable, the Backup Client includes an option "Block the backup if the administrator can recover my data". If this option is set, when the client connects to the server, the server will inform the client whether or not master key access has been enabled for the particular account. If it is enabled, the Backup Client will not back up any data. Since these options are mutually exclusive, either the user or the server administrator needs to change the relevant setting before files can be backed up.

 

Auto Upgrade

The Backup Server can automatically upgrade a client that connects to it by sending any available upgrade for the software. When an upgrade is available for the client software, it should be placed in the specified "Upgrades" directory. Multiple upgrade files can and should be placed in this directory if they are available. The next time a client connects, the Backup Server is prepared to transmit any upgrades to the client software if they are requested. The client will notify the server of its current version and the server will determine which upgrades, if any, need to be transmitted. The server will not upgrade a client to a version that is more current than its own version.

 

Backup Client Features

Run Backup Client as a Service

In previous releases, it was necessary to run either the backup executable and/or the Tray Control in order to run scheduled backups. The new service feature eliminates that requirement. Scheduled backups can run as a service, which utilizes one of two methods: "Run as an actual service" or "Run as a standalone executable process".

Spanish Language Support

The Backup Client application (including help files) is supported in the Spanish language. When the product is installed, the user can choose Spanish, in addition to English, German, Dutch and French, as the language for the interface. All language versions of the Client can connect and back up to the same Backup Server.

 

 

 

Restorable Media Sets

The Backup Server offers the capability to create restorable media sets that can be written to CD-ROMs or other media. The Backup Server includes a "Data Restore Wizard", which allows the server administrator to prepare an account's data so it can be immediately restored by the user from local media. The wizard also divides the data into multiple pieces of a specific size if the user's data will not fit on a single piece of media. The user's data is kept encrypted on the media as well, and can only be restored if the proper secret encryption key is known.

Restore-only Client

In order to restore the data contained on the media, a "Restore-only" backup client program is included on the media. The media also contains an autorun.inf file to allow autorun media (CD-ROM) to automatically start the "Restore-only" client. If the user authentication is successful, the "Get Volume List from Server" and "Get File List from Server" options in the Restore Tab can be used to display the volumes and files that are available for restoring. Files can then be selected and retrieved from the server.

 

Setting the Restore Window

The Backup Server has the capability of storing multiple versions of the same files. These older versions are available to the user as long as they are within the configured "Restorable window" for that user account. Once old versions are no longer within the restore window, they are deleted from the server. The "Restorable window" is set for a particular account in the User Properties window. The default restore window is 1 month. If it is not desirable to save previous versions of files on the server, the window should be set to the minimum of 1 day. We are set from 1 month to 12 months depending on the subscription type and drive space size. At the very least, a single version of each file will always be kept on the server even if it was not backed up recently. This applies to files that have not been deleted from the user's backup set. If a file is deleted from the backup set, then any old versions within the current restore window will still be available. However, once the last version is no longer within the current restore window, it will be deleted from the server.
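The retention rules above, including the two edge cases (a file still in the backup set always keeps one version; a file removed from the backup set loses everything once its last version ages out), can be expressed as follows. This is an added example, not the Backup Server's code: it assumes a version is "within the restore window" when its backup timestamp is no older than the window, takes 1 month as 30 days, and uses hypothetical names and constructed timestamps.

```python
from datetime import datetime, timedelta

MIN_WINDOW_DAYS = 1  # the page's stated minimum restore window


def prune(versions, in_backup_set, window_days, now):
    """Split one file's stored versions into (kept, deleted) timestamp lists."""
    if window_days < MIN_WINDOW_DAYS:
        raise ValueError("restore window cannot be shorter than 1 day")
    cutoff = now - timedelta(days=window_days)
    # Assumption: a version is inside the window if it was backed up after cutoff.
    kept = sorted(v for v in versions if v >= cutoff)
    if not kept and versions and in_backup_set:
        # Still selected for backup: the newest version survives however old it is.
        kept = [max(versions)]
    deleted = sorted(v for v in versions if v not in kept)
    return kept, deleted


# Constructed timeline: one actively changing file and one that stopped changing.
NOW = datetime(2024, 6, 1)
REPORT = [datetime(2024, 1, 5), datetime(2024, 5, 10), datetime(2024, 5, 28)]
ARCHIVE = [datetime(2024, 2, 1)]

if __name__ == "__main__":
    print("active file, 30-day window:  ", prune(REPORT, True, 30, NOW))
    print("idle file, still in set:     ", prune(ARCHIVE, True, 30, NOW))
    print("idle file, removed from set: ", prune(ARCHIVE, False, 30, NOW))
    print("removed from set, 12 months: ", prune(ARCHIVE, False, 365, NOW))
```

The third case is the one to plan around: removing a file from the backup set starts a countdown after which no copy remains on the server.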

 

Quota Limits Client Delete Feature

When a quota condition is encountered, the backup user now has the ability to remove files immediately from the server storage (See Removal of Server Files from Client). In this way, the quota condition can be remedied. The ability for users to delete files directly is configurable by the server administrator in the "Client-blocking settings".

 

General Client Features

The client has the ability to immediately remove specific files and directories from the server. This file removal capability deletes files from the server quickly and permanently. In addition, the file removal functionality can be controlled by the administrator and disabled if necessary (i.e. blocked-client settings).

 

 

 

Getting Started Wizard

The Getting Started Wizard is used to set up the software for first time use. It will step you through the configuration of the following options:

The Backup Server location.
The username and password on the Backup Server.
The method of connecting to the Backup Server.
The backup set name.
Whether a backup schedule should be created.
The secret key to keep your data private.

Once the Getting Started Wizard is complete, files can be selected for backup.

Backup server location

Server Name or IP Address

This field is used to specify the IP address or the host name of the Backup Server. If this value is unknown, it can be obtained from the network administrator or backup service provider. Note: This option is kept encrypted in the Windows registry for security purposes.

Backup Server Port

This field is the port that is used for communication between the client and server. The default on the server is Port 308. This value should not be changed unless instructed by the backup administrator.

 

Backup Server Authentication

There are two methods of authenticating to the Backup Server. The first is entering a custom username and password supplied by the Backup Server administrator. The second uses the existing logged-in credentials on your local system. To use the second method successfully, the local system must already be logged into the Windows Domain where the Backup Server is authenticating users.

I have a username and password

This is the most common method of authentication. Choose this option if there is a special username and password for access to the Backup Server.

 

Connecting to the Backup Server

Connect using my existing network connection

This option should be used if no manual intervention is required to establish a connection to the Backup Server, the Backup Server is located on the LAN, or you need to set up a connection to a SOCKS compatible firewall or proxy for connection to the Backup Server.

 

Connect using my phone line

This option is used if Dial-Up Networking is configured to connect to the Backup Server. Dial-Up Networking can connect to the Backup Server over a direct phone line or over the Internet.

Use the following Dial-Up Networking connection

The desired Dial-Up Networking connection should be chosen from the list of configured Dial-Up Networking profiles. To find out more about how to configure Dial-Up Networking, the backup administrator should provide assistance.

Close connection when operation has completed

This option is used to disconnect the Dial-Up Networking connection once the backup has been completed. This is important for minimizing the connection time of unattended dial-up backups.

Only close connection if originally opened by backup program

This option is used to disconnect the Dial-Up Networking connection only if the connection was originally opened by the backup program. If this option is unchecked, the client will attempt to close the connection regardless of how it was originally opened.

Test Connection to the Backup Server

Now that connection specific options have been entered, the connection to the Backup Server can be tested. Press the Test Connection to the Backup Server button when ready.

 

Server location

This field displays the server name or IP address where the Backup Server is running.

Port

This field displays the port on which the Backup Server is listening. The default port is 308.

Username

This field displays the username used for authentication on the Backup Server.

Connection type

This field displays how the connection to the Backup Server will be established. It will either show the configured modem entry, or Local Area Network.

If the connection failed, an error will be displayed describing why the connection failed. If the server couldn't be found or the username and password were incorrect, use the Back button to view the previous pages of the wizard and change the options. Once the options have been changed, use the Test Connection to the Backup Server button again to try the new connection settings.

 

Backup Sets

This wizard page will either display the option to set the backup set name, or a button to configure the available backup sets.

Backup set name

The backup set name can be anything, but it should describe the types of files that are contained in the backup set. An example of a backup set name might be "Accounting files" or "My Documents."

Setup Backup Sets button

Press this button to configure the available backup sets.

Schedules allow backup sets to get backed up on a regular basis. This wizard page will either display a button to launch the Add Schedule Wizard or a button to configure the available schedules.

 

Secret Encryption Key

Use my password to encrypt my files

This option will cause the Backup Server logon password to be used to encrypt all files.

Set a special secret key to encrypt my files

This option will allow a private secret key to be specified for file encryption. If the secret key is forgotten or lost, the Backup Server administrator may not be able to recover the data residing on the server.

 

Set Encryption Key

The secret key is a special text string used to encrypt all data that is stored on the server. The secret key can be changed at any time in between backups or restores. If the secret key is forgotten or lost, the Backup Server administrator may not be able to recover the data on the server.

Secret encryption key

This field is the secret key. The text can be any length and is case-sensitive. The secret key should be written down and kept in a safe place so that it is not forgotten.

Secret encryption key verification

This field is where the secret key should be re-typed. It is used for verification only.

 

Optional hint for secret encryption key

This field is where a text phrase can be entered to allow the secret key to be remembered. If it is necessary to restore files to a fresh system and the secret key is forgotten or lost, the text phrase will be displayed so that the secret key can be recalled more easily. This field is optional. If security is a concern because somebody may be able to use the hint to guess the secret key, this field should probably be left empty.