MODUS ESI WORKSHOP FOR LEGAL PROFESSIONALS
WELCOME
Thanks
Great content
Interactive
About Modus – 1 slide, promise
Fun quiz contests
Continuing education / opportunities
Feedback
ABOUT MODUS
Who we are: Modus is a data management company that helps organizations assess, strategize and leverage critical business intelligence obtained from people, processes and data to optimize legal and enterprise-wide business results
What we do: We provide law firms and corporations with the discovery intelligence (i.e. business intelligence) they need to optimize individual matters and their legal enterprises
AGENDA
Morning
– Intro: 9:00-9:15
– Elements of the IT Infrastructure: 9:15-10:15
– Break: 10:15-10:45
– Cloud Computing: 10:45-11:15
– Microsoft Exchange, Part 1: 11:15-12:00
– Lunch: 12:00-1:00
Afternoon
– Microsoft Exchange, Part 2: 1:00-1:45
– File Servers: 1:45-2:00
– Break: 2:00-2:15
– SharePoint: 2:15-3:00
– Office 365: 3:00-3:15
– Break: 3:15-3:30
– Google Apps: 3:30-4:00
– ERP / SAP: 4:00-4:15
– Group exercise: 4:15-5:00
INSTRUCTORS
John Collins – Director of eDiscovery Services
– Extensive expertise (15 years)
  o ESI data mapping
  o Information Governance
  o Litigation preparedness
– 3 disciplinary “pillars” underlying Information Governance and ESI
  o Law
  o Records and Information Management (RIM)
  o Information Technology (IT)
– Extensive experience
  o International corporations
  o Large non-profits
  o AMLAW 200 firms
INSTRUCTORS
Andreas Mueller – Director of eDiscovery
– Extensive eDiscovery experience / knowledge (14 years)
  o Technology
  o Processes
  o Communication
  o Consulting
  o Forensics
– Dual knowledge in paper and eDiscovery
– Multiple major law firms, vendors and corporations
CLASSMATES
Bob to insert list of names and companies
Hand off to John to go around the room to have classmates introduce themselves
ELEMENTS OF THE IT STRUCTURE
9:15-10:00
PROGRAM GOALS
Demystify the corporate IT infrastructure
Enable and empower attendees to have more productive interaction with IT
Provide a foundation for understanding the IT infrastructure as the framework for housing data/ESI
Provide useful details about key IT systems from a discovery and RIM perspective
WHY ARE WE TEACHING THIS CLASS?
“As an attorney you must know how to communicate effectively with clients to implement preservation plans; when and how to retain consultants and how to speak “consultant-talk” with them; how to depose experts using their specialized language; how to go “information shopping” in a Rule 26(f) conference for the parties; and how to produce, receive, review, and use electronically stored information (ESI) in connection with litigation.” Managing E-Discovery and ESI, Berman, Barton, Grimm
WHY ARE WE TEACHING THIS CLASS?
Where is the documentary evidence?
– It’s no longer (or at all) in file cabinets, desktop drawers, or storage boxes
– It’s in the computers, tablets, servers, backup systems, and cloud services that are as ubiquitous as cars on the road
Lawyers and paralegals responsible for doing discovery, or supervising discovery, and ultimately certifying discovery by and large don’t have the technical knowledge needed to meet their ethical and professional obligations
Effective electronic discovery requires lawyers who can apply their legal knowledge, reasoning, and judgment to the technical questions and issues that will arise in virtually every case
OUR FOCUS TODAY: IT SYSTEMS LANDSCAPE OF THE FORTUNE 500
The program is designed around the applications, platforms, and systems for which we have been identifying, mapping, collecting, and preserving ESI for the past eight years
The policies, procedures, and practices observed and documented via dozens of ESI data mapping projects and hundreds of electronic discovery engagements
ESI FROM THE IT PERSPECTIVE
Support the business in its primary activity to return a profit
Provide users high availability: minimize downtime
Security
Performance
New systems testing and deployment
Backup and disaster recovery
Day to day administration
NOT thinking of data as evidence?
TRADITIONAL IT OPERATIONS
Service Operation: Service Desk, Operations Management, Facilities Management, Technical Management, Application Lifecycle Management, Event Management, Incident Management, Request Management, Problem Management, Access Management
Service Strategy: Business Service Requirements; Market, IT Policies & Strategies; Service Portfolio; Demand Management; Financial Management
Service Transition: Change Management, Asset Management, Configuration Management, Knowledge Management, Release Management, Deployment Management
Continual Service Improvement: Improvement Process, Deming Cycle
Service Design: Service Level Management, Supplier Management, Availability Management, Service Continuity Management, Capacity Management, Information Security Management, Service Catalog Management
Diagram labels: Grow & Transform; Run
ESI FROM THE LEGAL PERSPECTIVE
Right off the bat: we have a term (ESI) with certain connotations and meaning
It’s potential evidence!
The sources of ESI are largely a black box!
It’s overwhelming: we have 10,000 employees and 20,000 computers and 700 applications
Our (their) IT team is awesome! They know where everything is and how it’s being managed so I will just rely on them
Myopia: just not interested in IT and technical stuff
– Losey quote: do you have to know how to change a carburetor to drive a car? No—but you have to know how to fill up the gas tank
– Young kids know all this stuff (they DON’T)
IT INFRASTRUCTURE
WHAT IS A COMPUTER NETWORK
“A group of computers and associated devices that are connected by communications facilities. A network can involve permanent connections, such as cables, or temporary connections made through telephone or other communication links. A network can be as small as a LAN (local area network) consisting of a few computers, printers, and other devices, or it can consist of many small and large computers distributed over a vast geographic area (WAN, or wide area network).” Microsoft Computer Dictionary, Fifth Edition
PURPOSE OF COMPUTER NETWORKS
To access resources, share data, communicate
– File servers
– Printers
– “Enterprise” systems
  o Enterprise Resource Planning (ERP)
  o Business systems
– Applications
  o E-mail, Instant Messaging
– Internet
Conduct business
ELEMENTS OF COMPUTER NETWORKS
Hardware
– “Servers”
– “Clients” (sometimes called “workstations”)
– Network Interface Card (NIC): serves as the interface between the PC and the network
– Communications medium
– Networking devices
Software
– Operating System (“OS”) (Windows XP, 7, Mac, etc. Windows Server 2008, etc.)
– Network operating system (built into the OS)
– Application software
  o Microsoft Exchange, SAP, Microsoft Office, etc.
Protocols
– TCP/IP
– Packets & Frames
Users
IT Staff
COMPUTERS
[Diagram labels. Hardware: hard drive, RAM, NIC, other stuff. Software: operating system; application software (Microsoft Office, Internet Explorer, Firefox, Norton anti-virus, AutoCAD, SAP, iTunes, ?). Users: laptops, desktops. Servers: towers, blade servers, rack servers.]
ELEMENTS OF COMPUTER NETWORKS: “SERVERS”
More powerful PC
Typically special purpose built such as “blade” or “rack” servers
More powerful and resilient
– Larger RAM than desktop or laptop PC
– More durable electrical components to guard against failure
– More sophisticated storage/hard drive
Server operating system (OS) such as Windows Server 2008
ELEMENTS OF COMPUTER NETWORKS: “CLIENTS”
On a local area network (LAN) or the Internet, a computer that accesses shared network resources provided by another computer (called a server)
Client computers are sometimes referred to as “workstations”
NOTE! Client can also refer to software applications that are installed on a user’s desktop or laptop PC or mobile device
– For example, Microsoft Outlook or Lotus Notes are “clients” for e-mail
ELEMENTS OF COMPUTER NETWORKS: NETWORK INTERFACE CARD (NIC)
A device used to provide network access to a computer or other device, such as a printer. Network interface cards mediate between the computer and the physical media, such as cabling, over which transmissions travel. Acronym: NIC. Also called: network adapter, network card.
– EVERY NIC has its own, unique “Media Access Control” (MAC) address.
ELEMENTS OF COMPUTER NETWORKS: NETWORKING DEVICES
Routers, switches, repeaters, bridges, hubs
– Network plumbing that facilitates data moving from Point A to Point B
ELEMENTS OF COMPUTER NETWORKS: COMMUNICATIONS MEDIUM
Wired
– Network cable types
  o Twisted pair
  o Coaxial (coax)
  o Fiber-optic
Wireless
COMMUNICATION METHODS
Telephone lines (POTS)
Internet
Wireless
DSL
Cable
High speed Digital Networks
– T1, T3
Satellite
Cellular
Copper carriers
Fiber carriers
ELEMENTS OF COMPUTER NETWORKS: PROTOCOLS
Protocol
– An agreement that governs the procedures used to exchange information between cooperating entities
  o How much information is to be sent?
  o How often is it sent?
  o How to recover from transmission errors?
  o Who is to receive the information
TCP/IP: protocol which “powers” the internet and most corporate networks
ENTERPRISE STORAGE: DIRECT ATTACHED STORAGE (DAS)
The traditional method of providing storage for servers, where the disks used by the server are directly attached to the server.
The disks are either built into the server chassis, or are housed in external expansion bays that are plugged in to the server using a RAID controller.
ENTERPRISE STORAGE: STORAGE AREA NETWORK (SAN)
A specialized network used to connect servers (such as application and file servers) with high capacity, high speed, and high volume storage devices (such as hard drives)
SANs are built using sophisticated “Fibre” Channel equipment
SANs in a backup environment enable shorter backup windows
Backup hardware such as tape drives are shared more efficiently
Data is kept off the production LAN
– Data can be backed up directly to tape, bypassing application servers and further reducing impact on production systems performance
– Can reduce backup windows dramatically (for example, from 19 hours to 8 hours)
More expensive and complex than “DAS” storage
ENTERPRISE STORAGE: NETWORK ATTACHED STORAGE (NAS)
“A data storage mechanism that uses special devices connected directly to the network media. These devices are assigned an IP address and can then be accessed by clients via a server that acts as a gateway to the data, or in some cases, allows the device to be accessed directly by the clients without an intermediary.” Network Dictionary, Javvin Technologies
Sole purpose is to provide file sharing
Frequently sold as a “pre-built” system running Linux with SAMBA and/or NFS
Operates via a regular NIC card and TCP/IP (UNLIKE a SAN, which requires different hardware and protocols)
SAN VERSUS NAS
ENTERPRISE STORAGE: RAID
“…A type of disk drive with two or more drives in combination for increasing data integrity, fault tolerance, throughput or capacity and performance. RAID provides several methods of writing data across/to multiple disks at once.
RAID is one of many ways to combine multiple hard drives into one single logical unit. Thus, instead of seeing several different hard drives, the operating system sees only one. RAID is typically used on server computers, and is usually implemented with identically-sized disk drives.
With decreases in hard drive prices and wider availability of RAID options built into motherboard chipsets, RAID is also being found and offered as an option in higher-end end user computers, especially computers dedicated to storage-intensive tasks, such as video and audio editing.”
Network Dictionary, Javvin Technologies
HOW DOES ESI MOVE FROM ONE COMPUTER TO ANOTHER?
Packet switching: now-dominant communications paradigm in which packets (units of information carriage) are routed between nodes over data links shared with other traffic.
– Packet switching optimizes bandwidth utilization
– Minimizes transmission latency (i.e. the time it takes for data to pass across the network)
Contrast with the other principal paradigm, circuit switching
– Circuit switching sets up a dedicated connection between the two nodes for their exclusive use for the duration of the communication.
IT STAFF
Rarely is there a single IT professional who has detailed knowledge of everything
Except in smaller organizations, IT is broken down into disciplines and specialization
– Network Engineers
– Systems Engineers
  o Windows
  o Linux
  o Mainframe
  o SAP Basis
– Database Administrators
– Programmers
– Architects
BACKUP
PURPOSE OF BACKUP SYSTEMS
The purpose of backup systems: to restore data if something happens to an organization’s systems which process and house data.
– Disaster recovery (DR): natural disasters
– Hardware failure protection: a disk or server fails
– Protection from application failure: corruption in database
– Protection from user error: accidental deletion
WHAT ARE SOME THINGS BACKUP SYSTEMS ARE NOT DESIGNED TO DO?
Records Management
Archiving
Discovery
Address data/ESI retention requirements: while backup systems are NOT designed to address legal retention requirements, many organizations nevertheless use backups for archiving and compliance
o Many organizations are “trapped” in the backup tape as archive method
Tivoli Storage Manager vs. rudimentary backup programs and processes
TRADITIONAL BACKUPS
ELEMENTS OF BACKUP SYSTEMS
Data/ESI requiring backup
Backup system software (NetBackup, CommVault, Legato, ArcServe)
Backup system hardware
Organization’s backup objectives: results of a Business Impact Analysis
Backup objectives translated into policies implemented via the backup system software
Infrastructure that supports backup system (LAN/WAN)
ELEMENTS OF THE BACKUP SYSTEM SOFTWARE—MASTER SERVER
This is the NetBackup server that provides:
– Administration and control for backups AND restores for all clients and servers
– Contains all the catalog information for the backup domain
Responsible for:
– What databases, applications, systems are backed up
– Backup type (full, incremental, differential)
– Schedule: when do the backups run?
– Where backups are stored
– Keeping track of the status and use of the tape devices
– Tracking all active and available media
– Other backup policy specifics
ELEMENTS OF THE BACKUP SYSTEM SOFTWARE - MEDIA SERVER
Any system that has physically connected storage devices to be used for backups
– Could be a “stand-alone” server/computer
– Could be a server running other applications (such as an Exchange server)
Storage devices include:
– Tape libraries:
  o Robotic devices
  o Stand-alone tape drives
  o Auto-loaders
– Optical storage devices
– Disk (hard drives)
Responsible for:
– Managing all the physical media and all the devices
– Configuration of the physical tape libraries and drives is done via Media Manager
– Volume database population
– Inventory of all the volumes (tapes)
TAPE MEDIA PRIMER
Tape is a “sequential access” medium (versus disk/hard drive which is a random access medium)
Durable: lasts up to 30 years
High capacity tapes are usually ½” in width
Two primary recording methods:
– Linear: Writes each data track the entire length of the tape, back and forth, until tape is filled up
– Helical scan: Tape wraps around a rotating drum containing read/write heads
TAPE MEDIA PRIMER: CONSIDERATIONS REGARDING TAPE MEDIA
Capacity
– Early tapes held megabytes of data (1985, DLT=94 meg; 1989=2.6 gig; 1994=20 gig; SDLT, 2002=160 gig)
– Succeeding generations of tapes hold larger volumes of data
– Current tape capacity: TERABYTES! 2.5 uncompressed and up to 6.25 with compression
Durability
– Tapes typically recycled, or re-used, hundreds of times
– Lifespan ranges up to 30 years (material)
Compatibility
– Backwards compatibility ensures newer, higher capacity tapes work in existing tape drives
– Forward compatibility ensures older tapes work in newer drives
BACKUP TYPES
Incremental
Differential
Full
FULL BACKUP
A full backup backs up all files specified in the backup selections list for the policy
Backs up all files regardless of when the files were last modified or backed up
Full backups occur automatically according to schedule
To perform a complete restore, full backup is required if organization performs incremental backups
Full backup takes the longest amount of time to complete and requires the most media
Many organizations run full backups during off-hours, such as evenings and weekends
Full backups are generally easier to manage and make restoration simple
– Last full backup is all that is required for restore
– With other backup methods, multiple tapes required (full backups can span multiple tapes as well if too large for single tape)
CUMULATIVE INCREMENTAL BACKUP
Backs up all files in the backup selections list that have changed since the last successful full backup
Occur automatically according to schedule criteria
Complete restore requires the last full backup AND the last cumulative incremental backup
DIFFERENTIAL INCREMENTAL BACKUP
Backs up all files in the backup selections list for the policy that have changed since the last successful incremental (differential or cumulative) or full backup
Occur automatically according to schedule criteria
Complete restore requires the last full backup, the last cumulative incremental, and all differential incrementals that have occurred since the last full backup
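The restore requirements on the three slides above can be worked through against a backup catalog. The following is an added example, not part of the original workshop material or any backup product's code: the catalog entries, tape labels and function names are constructed for illustration. It returns the minimal chain (the last full, the last cumulative incremental after it, and only the differential incrementals taken after that cumulative), skips failed jobs, and reports which required tapes are no longer available.

```python
from dataclasses import dataclass
from datetime import date

FULL, CUMULATIVE, DIFFERENTIAL = "full", "cumulative", "differential"


@dataclass(frozen=True)
class Backup:
    day: date
    kind: str               # FULL, CUMULATIVE or DIFFERENTIAL
    tape: str               # media label (constructed for this example)
    ok: bool = True         # False: the job failed, so it cannot be restored from
    available: bool = True  # False: tape overwritten, lost or unreadable


def restore_chain(catalog, target):
    """Backups needed, in restore order, to rebuild the data as of `target`."""
    # Only successful backups taken on or before the target date count.
    usable = sorted((b for b in catalog if b.ok and b.day <= target),
                    key=lambda b: b.day)
    full_idx = [i for i, b in enumerate(usable) if b.kind == FULL]
    if not full_idx:
        raise LookupError("no successful full backup on or before target date")
    chain = [usable[full_idx[-1]]]
    later = usable[full_idx[-1] + 1:]
    # A cumulative incremental holds every change since the last full, so
    # differentials taken before the most recent cumulative are redundant.
    cum_idx = [i for i, b in enumerate(later) if b.kind == CUMULATIVE]
    if cum_idx:
        chain.append(later[cum_idx[-1]])
        later = later[cum_idx[-1] + 1:]
    chain.extend(b for b in later if b.kind == DIFFERENTIAL)
    return chain


def tapes(chain):
    """Media labels to pull, in the order they must be restored."""
    return [b.tape for b in chain]


def missing_media(chain):
    """Tapes the restore depends on that can no longer be read."""
    return [b.tape for b in chain if not b.available]


# Constructed sample catalog: one week of a hypothetical schedule.
SAMPLE_CATALOG = [
    Backup(date(2011, 9, 4), FULL, "F-0904"),
    Backup(date(2011, 9, 5), DIFFERENTIAL, "D-0905"),
    Backup(date(2011, 9, 6), DIFFERENTIAL, "D-0906"),
    Backup(date(2011, 9, 7), CUMULATIVE, "C-0907"),
    Backup(date(2011, 9, 8), DIFFERENTIAL, "D-0908", ok=False),
    Backup(date(2011, 9, 9), DIFFERENTIAL, "D-0909"),
    Backup(date(2011, 9, 10), DIFFERENTIAL, "D-0910", available=False),
    Backup(date(2011, 9, 11), FULL, "F-0911"),
]

if __name__ == "__main__":
    for day in (6, 9, 10, 12):
        chain = restore_chain(SAMPLE_CATALOG, date(2011, 9, day))
        print(f"2011-09-{day:02d}: restore {tapes(chain)}, "
              f"missing {missing_media(chain)}")
```

A non-empty result from `missing_media` means the data as of that date cannot be fully rebuilt from this backup set, even though most of the chain still exists.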
BACKUP TAPE ROTATION
Once a backup is completed it is typically retained for a set period of time AND in a particular location:
– Daily backups are retained for 3 weeks on-site THEN sent offsite for 3 weeks
  o After retrieval from offsite storage tape is placed back in storage pool and data is eventually overwritten
– Monthly backups are retained for 1 year offsite
– Annual backups are retained 7 years off-site
Rotation period applies to tape and disk media
– If disk backups are used, data is retained for same period of time then overwritten
Policies and procedures vary widely from one company to another
BACKUP SYSTEM TECHNICAL DETAILS
BACKUP SYSTEM TECHNOLOGIES: MULTIPLEXING
Multiplexing means data from multiple data sources (Exchange, SQL, file server, etc.) is sent to a single tape
VERITAS NetBackup software can run multiple backups simultaneously and stream the data to one or more devices.
Backing up multiple data streams to a single tape drive is defined as “multiplexing,” or “data interleaving.”
Sites can tune the configuration to the level of multiplexing desired on each device and for each schedule.
Multiplexing can dramatically increase performance and allow implementation of a few fast devices, instead of many slow devices.
This optimizes the use of high-speed tape devices and improves overall performance and data availability.
In conjunction with multiplexed backups, NetBackup software also restores multiplexed tape images in parallel.
Diagram labels: Acme Corp File Server; Acme Corp’s SQL Server; Acme Corp’s Exchange Server
BACKUP SYSTEM TECHNOLOGIES: MULTI-STREAMING
Backing up data to more than one tape device
Backup streams can be from locally attached disks or from multiple clients over the network
BACKUP SYSTEM TECHNOLOGIES: “SPANNING”
When a backup image is too large to fit on a single tape
– Each tape is filled to capacity
– Automatically spans the image to another volume
Makes the most efficient use of media
Especially useful when backing up large images that are commonly encountered with databases
If spanning not desired, the administrator can disable this feature if necessary
Discovery complexity: the file sought may only be recoverable by restoring from multiple tapes
Acme Corp’s Exchange Server
BACKUP SYSTEM TECHNOLOGIES: “SNAPSHOTS”
Snapshot: A read-only, point-in-time copy of the entire volume. A snapshot captures file modifications without duplicating file contents.
May also hear referred to as “Frozen Image Backup”
The first step in the frozen image or snapshot creation process is to pause the application or database briefly by placing the client machine into backup mode.
Snapshots are a point-in-time view of a source volume. NetBackup uses snapshots to access busy or active files during a backup job. Without a snapshot provider, active files are not accessible for backup.
Copy-on-Write Snapshot: a copy-on-write snapshot is a detailed account of data as it existed at a certain moment. Unlike a mirror, which we discuss next, it is not really a copy of the data, but a particular “record” of it.
Mirror is a complete data copy on a separate disk, physically independent of the source
– Every change or write to the source data on the primary disk is also made to the copy on the secondary disk, thus creating a “mirror image” of the original data
BACKUP SYSTEM TECHNOLOGIES: DISK-TO-DISK-TO-TAPE BACKUP
Data moves from the application servers to “secondary” disks
Data then flows from the secondary disks to tape
Information on disks is erased after data is copied to tapes; process repeats
BACKUP POLICIES AND PROCEDURES CASE STUDY
Health care company
– 25k employees
– Outsourced IT
BACKUP POLICIES AND PROCEDURES CASE STUDY
“Legacy” backup (e-mail)
– 2001 to July 2011 (Legacy Backups)
  o 100% tape based
  o Keep EVERY tape written for 7 years
    – EXCEPT for a 53 week period where tapes are not recoverable due to a catalog error
  o Multiplexing (Exchange and non-Exchange data on same tapes)
BACKUP POLICIES AND PROCEDURES CASE STUDY
Current backup (e-mail)
– August 2011 to present
– Weekly
  o 3 differentials and 3 full
    – Retain 60 days then overwrite (Exagrid, not tape)
– Monthly
  o Copy from Exagrid to tape once per month a full backup
  o Retain for three years offsite at Iron Mountain
– Annual
  o Retain the December monthly tape backup for seven years offsite at Iron Mountain
BACKUP POLICIES AND PROCEDURES CASE STUDY
CLOUD BASED BACKUP
Many products on the market, enterprise (business) and consumer oriented
Enterprise services may offer
– Local cache: on-premise storage
Versioning and/or time-based retention
– Keep ____ versions of files
– Keep data for ______ period of time
Encryption
Compression
Scalable
WHY ARE BACKUP TAPES RELEVANT TO ELECTRONIC DISCOVERY?
Often the only “complete” set of data
Often only repository with historical data
Captures a “moment in time”/snapshot of data… can be compared with data from active systems to identify deleted/missing data
– Find e-mail no longer resident in e-mail repository
Lack of ECM solutions fully deployed
Limitations of deployed ECM solutions
BACKUP TAPE PROCESSING
Native Restoration
– Requires “precision” in environment in order to restore data
  o Not generally a problem in DR/Backup scenarios because of time proximity
  o Problematic the older the data on tapes
Non-native restoration
– Does NOT require precision to restore data
– Typically done where native restoration is not successful or practical
– Increases cost of restoration because of necessity of third party
QUESTIONS TO ASK
What type of tapes?
How many tapes?
What is the capacity of the tapes?
Are the tapes compressed? (usually yes)
Are the tapes encrypted?
– If yes, using what method and software?
What type of data (ESI) is on the tapes?
– E-mail
– Database (SQL, Oracle, DB2, etc.)
– Files (Word, Excel, PowerPoint, PDF, etc.)
– Operating System
– Application
– Other
QUESTIONS TO ASK
What is the frequency of backups?
– Daily, weekly, monthly, annual
What types of backups are represented?
– Full, incremental, differential
What time period do the backup tapes represent?
– Specific dates, such as November 2003 through November 2006
What type of backup software is used to create the backups?
– What version(s)?
– What options for the software
  o Vaulting
  o Advanced Client
  o Agents: Exchange, Oracle, SQL, etc.
Is multiplexing enabled in the backup system?
Is multi-streaming enabled in the backup system?
Is spanning enabled in the backup system?
Are catalogs or some type of inventory created which details the data stored on the backups?
QUESTIONS TO ASK
Is the backup procedure and policy documented?
Who was responsible for drafting the policy?
Who is responsible for updating the policy?
Who is responsible for enforcement of the policy?
How is the policy enforced?
How often is the policy audited?
Identify policies and procedures for retention, rotation, and destruction of backup and archival data and storage media
Are backup tapes recycled or rotated?
– If yes, what is the company’s recycling or rotation policy?
Where are backup tapes stored?
– On-site?
– Offsite?
– Random locations (desk drawer, file cabinet, storage closet, etc.)
Are there paper or computerized logs of tapes?
– Where are the logs located?
– What kind of information do they contain?
QUESTIONS TO ASK
Who is the operator/system administrator of the backup system software?
Is there a policy or procedure or habit of conducting “one-off” or special backups prior to upgrades, patch installation, system maintenance, or any unique or infrequent situations?
If no such special backups occur, how does the organization ensure such backups do not occur?
May users backup their own data and programs?
– If yes, how?
Are “snapshot,” “frozen image,” and/or any intermediate storage technologies employed in your backup system, prior to putting data onto tape?
Identify all media used for backup and archival storage, including types of media, manufacturer, brand, capacity, physical size, and other specifications
BACKUP SYSTEMS AND EDISCOVERY CONSIDERATIONS
Off-site storage (vaulting)
Multiplexing
Multistreaming
Compression
Type of backup performed
– Full
– Differential
– Cumulative Incremental
Tape catalogs
Tape labeling
NEXT TOPIC
BREAK, THEN CLOUD COMPUTING