Procedures for Data Back-up
The UIA Team will utilize a multi-tiered structure for protecting
critical data. This structure is depicted in Figure C17.7-1 and is
specifically designed to provide:
- Maximum protection against the corruption of critical data
- Maximum confidence in the ability never to drop or lose a single
real-time transaction (especially important in an environment that is
processing a hundred thousand real-time transactions every minute)
- Ability to quickly restore data in the event of a major disaster
Figure C17.7-1: Five-Tiered Data Protection Model
The five-tiered structure starts with maximum protection of the primary
On-Line Transaction Processing (OLTP) database. As already noted, this is
certainly the most important element of any registry provisioning
function. At Tier-1, EMC Symmetrix technology will be used to ensure the
performance and integrity of the .org registry database. Each disk drive
in the EMC Symmetrix frame will be fully mirrored, with significant automated
checking for physical corruption and failover. Additionally, periodic
Business Continuation Volumes (BCVs) will be created from the primary database
that provide the ability to quickly restore the primary database in the
event of an emergency, as well as the ability to perform various
administrative batch activities (e.g., reports and back-ups) without
impacting the performance of the primary OLTP database. This architecture
is critically important to maintaining SLAs in an environment with high
transaction volumes and significant transaction peaks. In addition to BCVs,
a Critical Data Archive (CDA) is employed within Tier-1. The purpose of
the CDA will be to move older data out of the primary OLTP database, both to
maintain the performance of the primary OLTP database and to make
recovery of critical registration functions faster and easier.
At Tier-2, tape back-ups of both the OLTP and CDA databases will be
generated from the BCVs created in Tier-1 and stored in a tape library
located at the primary data center facility. Each day, copies of these
tapes will be created
and stored at a short-term offsite tape storage facility. These tapes will
be accessible within 10 minutes to operations personnel. The data on these
tapes includes database transaction logs.
At Tier-3, each real-time operation against the primary OLTP database
will be synchronized to another EMC Symmetrix frame located at the secondary
data center facility. This occurs in real time and facilitates the quick
recovery of the latest database transaction in the event of a major
disaster at the primary data center facility.
At Tier-4, daily full backup tapes are transported each week from the
short-term offsite tape storage facility to a secure long-term offsite
tape storage facility operated by Iron Mountain. These tapes are
retrievable in hours at the request of specifically named and authorized
individuals.
In addition to these extensive data storage and protection procedures,
at the fifth and final tier, a third-party data escrow company, DSI
Technology Escrow Service (DSI), has been contracted for data escrow
services. Under this arrangement, .org database transaction logs are
electronically and securely delivered in their entirety on a weekly basis,
with incremental updates delivered on a daily basis. DSI receives the data,
conducts verification testing for completeness and integrity, and finally
stores the data onto DVD. This process ensures that current registration
data is always available to ICANN. The terms of the Escrow Agreement,
already approved by ICANN, specify the conditions under which the data
would be released to ICANN. A positive working relationship currently
exists with DSI and is envisioned to continue in the future.
Should a situation occur that requires data recovery, the severity of
the event determines the specific procedures to be employed. In the event
of a failure of the primary EMC Symmetrix data storage device, the
database would be recovered on a secondary EMC Symmetrix data storage
device within the primary data center. Since this second device is being
kept up-to-date with real data mirroring from the primary OLTP database,
the recovery time is minimal and the confidence in data integrity is high.
Should the primary data center be rendered completely offline,
registration functions would be recovered at the secondary data center.
There again, a dedicated EMC Symmetrix data storage device has been kept
up-to-date in real time, ensuring a speedy and reliable recovery.
With all of this data protection, redundancy, and reliability in place,
it is difficult to envision a scenario in which data recovery from tape
would be necessary. However, this contingency has been planned for as
well. There are five EMC Symmetrix frames located in various data center
facilities that could be used to restore data in the event of an
emergency. In a worst-case scenario where all online copies of the .org
registration database are completely destroyed, and the primary data
center facility is offline, full recovery of .org registration functions
could be accomplished in less than 48 hours. DNS functions, the most
critical functions for the stability of the Internet, would not be
impacted.