Module 5

Security of an Information System

Information system security refers to the way the system is defended
against unauthorized access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction.
There are two major aspects of information system security −
 Security of the information technology used − securing the system
from malicious cyber-attacks that tend to break into the system and
to access critical private information or gain control of the internal
systems.
 Security of data − ensuring the integrity of data when critical issues,
arise such as natural disasters, computer/server malfunction,
physical theft etc. Generally an off-site backup of data is kept for
such problems.
Guaranteeing effective information security has the following key aspects
−
 Preventing the unauthorized individuals or systems from accessing
the information.
 Maintaining and assuring the accuracy and consistency of data over
its entire life-cycle.
 Ensuring that the computing systems, the security controls used to
protect it and the communication channels used to access it,
functioning correctly all the time, thus making information available
in all situations.
 Ensuring that the data, transactions, communications or documents
are genuine.
 Ensuring the integrity of a transaction by validating that both parties
involved are genuine, by incorporating authentication features such
as "digital signatures".
 Ensuring that once a transaction takes place, none of the parties can
deny it, either having received a transaction, or having sent a
transaction. This is called 'non-repudiation'.
 Safeguarding data and communications stored and shared in
network systems.
Information Systems and Ethics
Ethics refers to rules of right and wrong that people use to make choices to
guide their behaviours. Ethics in MIS seek to protect and safeguard
individuals and society by using information systems responsibly. Most
professions usually have defined a code of ethics or code of conduct
guidelines that all professionals affiliated with the profession must adhere
to.

Information Communication Technology (ICT)

policy
An ICT policy is a set of guidelines that defines how an organization should
use information technology and information systems responsibly. ICT
policies usually include guidelines on;

 Purchase and usage of hardware equipment and how to safely

dispose them
 Use of licensed software only and ensuring that all software is up to
date with latest patches for security reasons
 Rules on how to create passwords (complexity enforcement),
changing passwords, etc.
 Acceptable use of information technology and information systems
 Training of all users involved in using ICT and MIS

Information systems bring about immense social changes, threatening the

existing distributions of power, money, rights, and obligations. It also
raises new kinds of crimes, like cyber-crimes.
Following organizations promote ethical issues −
 The Association of Information Technology Professionals (AITP)
 The Association of Computing Machinery (ACM)
 The Institute of Electrical and Electronics Engineers (IEEE)
 Computer Professionals for Social Responsibility (CPSR)

The ACM Code of Ethics and Professional Conduct

 Strive to achieve the highest quality, effectiveness, and dignity in
both the process and products of professional work.
 Acquire and maintain professional competence.
 Know and respect existing laws pertaining to professional work.
  Accept and provide appropriate professional review.
 Give comprehensive and thorough evaluations of computer systems
and their impacts, including analysis and possible risks.
 Honor contracts, agreements, and assigned responsibilities.
 Improve public understanding of computing and its consequences.
 Access computing and communication resources only when
authorized to do so.

The IEEE Code of Ethics and Professional Conduct

IEEE code of ethics demands that every professional vouch to commit
themselves to the highest ethical and professional conduct and agree −
 To accept responsibility in making decisions consistent with the
safety, health and welfare of the public, and to disclose promptly
factors that might endanger the public or the environment;
 To avoid real or perceived conflicts of interest whenever possible,
and to disclose them to affected parties when they do exist;
 To be honest and realistic in stating claims or estimates based on
available data;
 To reject bribery in all its forms;
 To improve the understanding of technology, its appropriate
application, and potential consequences;
 To maintain and improve our technical competence and to
undertake technological tasks for others only if qualified by training
or experience, or after full disclosure of pertinent limitations;
 To seek, accept, and offer honest criticism of technical work, to
acknowledge and correct errors, and to credit properly the
contributions of others;
 To treat fairly all persons regardless of such factors as race, religion,
gender, disability, age, or national origin;
 To avoid injuring others, their property, reputation, or employment
by false or malicious action;
 To assist colleagues and co-workers in their professional
development and to support them in following this code of ethics.

Control Issues in Management Information

Systems.
Control is the process through which manager assures that
actual activities are according to standards leading to achieving
of common goals. The control process consists of measurement
 of progress, achieving of common goals and detects the
deviations if any in time and takes corrective action before
things go beyond control. Information systems operate in real
world situations which are always changing and there are lots
of problems. Information systems are vulnerable to various
threats and abuses. Some of the points are memory,
communications links, microwave signal, telephone lines etc.

Security Control

The resources of information systems like hardware, software,

and data, need to be protected preferably by build in control to
assure their quality and security.
Types of Security Control:
 Administrative control
 Information systems control
 Procedural control
 Physical facility control

Administrative Control
Systems analysts are actually responsible for designing and
implementing but these people need the help of the top
management in executing the control measure. Top executives
provide leadership in setting the control policy. Without their
full support, the control system cannot achieve its goal.

Information System Control

Information system control assures the accuracy, validity and
proprietary of information system activities. Control must be
there to ensure proper data entry processing techniques,
storage methods and information output. Accordingly
management information system control are designed to see or
monitor and maintain quality, security of the input process,
output and storage activities of an information system.

Input Control
As we know whatever we give to computer the computer
processes that and returns the result to us. Because of this
 very fact, there is a need to control the data entry process. The
types of input control are:
 Transaction Codes: Before any transaction can be input into
the system, a specific code should be assigned to it. This aids
in its authorization.
 Forms: a source document or screen forms should be used to
input data and such forms must adhere to certain rules.
 Verification: Source document prepared by one clerk can be
verified by another clerk to improve accuracy.
 Control–totals: Data entry and other system activities are
frequently monitored by the use of control-total. For example,
record count is a control-total that consist of counting the total
number of source documents or other input records and
compare them at other stage of data entry. If totals do not
match, then a mistake is indicated.
 Check digit: These are used for checking important codes
such as customer number to verify the correctness.
 Labels: It contains data such as file name, and date of
creation so that a check can be made that correct file is used
for processing.
 Character and field checking: Characters are checked for
proper mode – numeric, alphabetic, alphanumeric fields – to
see if they are filled in properly.

Processing Control
Input and processing data are so interrelated that we can
take them as first line of defence. Once data is fed into
the computer, controls are embedded in various computer
programs to help, detect not only input errors but also
processing errors. Processing – controls are included to
check arithmetic calculations and logical operations. They
are also used to ensure that data are not lost or do not go
unprocessed. Processing control is further divided into
hardware and software control.

Output Control
These are developed to ensure that processed information
is correct, complete and is transmitted to authorized user
in a timely manner. The output control are mostly of same
kind as input control e.g. Output documents and reports
 are thoroughly and visually verified by computer
personnel and they are properly logged and identified with
rout slips

Storage Control
Control responsibility of files of computer programs and
databases is given to librarian or database administrator.
They are responsible for maintaining and controlling
access to the information. The databases and files are
protected from unauthorized users as accidental users.
This can be achieved with the help of security monitor.
The method includes assigning the account code,
password and other identification codes. A list of
authorized users is provided to computer system with
details such as type of information they are authorized to
retrieve or receive from it.

Procedural Control
These methods provide maximum security to operation of
the information system. Standard procedures are
developed and maintained manually and built in software
help display so that everyone knows what to do. It
promotes uniformity and minimize the chance of error and
fraud. It should be kept up-to-date so that correct
processing of each activity is made possible.

Physical Facility Control

Physical facility control is methods that protect physical
facilities and their contents from loss and destruction.
Computer centres are prone to many hazards such as
accidents, thefts, fire, natural disasters, destructions etc.
Therefore physical safeguards and various control
procedures are required to protect the hardware, software
and vital data resources of computer using organizations.

Physical Protection Control

Many type of controlling techniques such as one in which
only authorized personnel are allowed to access to the
computer centre exist today. Such techniques include
identification badges of information services, electronic
 door locks, security alarm, security policy, closed circuit
TV and dust control etc., are installed to protect the
computer centre.

Telecommunication Controls
The telecommunication processor and control software
play a vital role in the control of data communication
activity. Data can be transmitted in coded from and it is
decoded in the computer centre itself. The process is
called as encryption.

Computer Failure Controls

Computers can fail for several reasons like power failures,
electronic circuitry malfunctions, mechanical malfunctions
of peripheral equipment and hidden programming errors.
To protect from these failure precaution, any measure
with automatic and remote maintenance capabilities may
be required.

Security Hazards
1. Unauthorized Access (Hacker and Cracker): One of the most common
security risks in relation to computerized information systems is the
danger of unauthorized access to confidential data. The main concern
comes from unwanted intruders, or hackers, who use the latest technology
and their skills to break into supposedly secure computers or to disable
them. A person who gains access to information system for malicious
reason is often termed of cracker rather than a hacker.

2. Computer Viruses: Computer virus is a kind of nasty software written

deliberately to enter a computer without the user’s permission or
knowledge, with an ability to duplicate itself, thus continuing to spread.
Some viruses do little but duplicate others can cause severe harm or
adversely affect program and performance of the system. Virus program
may still cause crashes and data loss. In many cases, the damages caused
 by computer virus might be accidental, arising merely as the result of poor
programming. Type of viruses, for example, worms and Trojan horses.

3. Theft: The loss of important hardware, software or data can have

significant effects on an organization’s effectiveness. Theft can be divided
into three basic categories: physical theft, data theft, and identity theft.

4. Sabotage: With regard to information systems, damage may be on

purpose or accidental and carried out an individual basis or as an act of
industrial sabotage. Insiders have knowledge that provide them with
capability to cause maximum interruption to an agency by sabotaging
information systems. Examples include destroying hardware and
infrastructure, changing data, entering incorrect data, deleting software,
planting logic bombs, deleting data, planting a virus etc.

5. Vandalism: Deliberate damage cause to hardware, software and data is

considered a serious threat to information system security. The threat
from vandalism lies in the fact that the organization is temporarily denied
access to someone of its resources. Even relatively minor damage to parts
of a system can have a significant effect on the organization as a whole.

6. Accidents: Major of damage caused to information systems or corporate

data arises as a result of human error. Accidental misuse or damage will
be affected over time by the attitude and disposition of the staff in
addition to the environment. Human errors have a greater impact on
information system security than do man-made threats caused by
purposeful attacks. But most accidents that are serious threats to the
security of information systems can be mitigated.
 How these Threats affect Information
Systems

1. Unauthorized Access (Hacker and Cracker)

Hackers and crackers gain unauthorized access by finding weaknesses in
the security protections employed by Web sites and computer systems,
often taking advantage of various features of the Internet that make it an
open system that is easy to use.

1. Spoofing and Sniffing: Hackers attempting to hide their true identity

often spoof, or misrepresent themselves by using fake e-mail addresses
or masquerading as someone else. Spoofing redirecting a Web link to an
address different from the intended one, with the site masquerading as
the intended destination. Links that are designed to lead to one side can
be reset to send users to a totally unrelated site, one that benefits the
hacker. For example, if hackers redirect customers to a fake Web site that
looks almost exactly like the true site, they can collect and process orders
effectively stealing business as well as sensitive customer information from
the true site. While a sniffer is a type of eavesdropping program that
monitors information travelling over a network. When used legitimately,
sniffers can help identify potential network trouble-spots or criminal
activity on network, but when used for criminal purposes, they can be
damaging and very difficult to detect. Sniffer enable hackers to steal
proprietary information from anywhere on a network, including e-mail
messages, company files, and confidential reports.

2. Denial of Service Attacks (DOS): The main aim of this attack is to bring
down the targeted network and make it to deny the service for legitimate
users. Hackers flood a network server or Web server with many thousands
of false communications or requests for services to crash the network.
They will install a small program called zombies on some computers those
are in intermediate level in the networks, whenever they want to attack,
 they will run those programs remotely and will make the intermediate
computers to launch the attacks simultaneously.

2. Computer Viruses
1. Worms: A variation of virus that is targeted at networks, take advantage
of security holes in operating systems and other software to replicate
endlessly across the Internet, thus causing servers to crash, which denies
service to Internet users. Worms can destroy data and programs as well as
disrupt or even halt the operation of computer networks. A worm is
similarly constructed to get into data-processing programmes and to
modify or destroy the data, but it differs from a virus in that it does not
have the ability to duplicate itself. The consequences of worm attack can
be as serious as those of the virus attack. For example, a bank computer
can be instructed, by a worm program me that consequently destroys
itself, to continually transfer money to an illegal account.

2. Trojan Horses: A Trojan appears as a legitimate in order to gain access to

computer. The use of Trojans to disrupt company activities or gain access
to confidential information has grown sharply in the past few years.
Typically, a Trojan will incorporate a key logging facility, which also called
a ‘keystroke recorder’ to capture all keyboard input from a given
computer. Capturing keyboard data allows the owner of the Trojan to
gather a great deal of information, such as passwords and the contents of
all outgoing e-mail messages. Trojans are often used as delivering systems
for spyware and other forms of malware. When a Trojan horse is being as
spyware, it monitors someone computer activities. It is designed to give
owners control over the target computer system. Effectively, the Trojan act
as a remote control application, allowing the owner to carry out actions
on the target computer as if they were sitting in front of it. Sometimes, the
owner of the Trojan will make no effort to conceal their activities, for
example, the victim’s sees actions being carried out but is unable to
intervene, short of switching off the computer. More often, however, the
Trojan operates silently and the victim is unaware that their computer is
running programs, deleting files, sending e-mail, and so on. Trojan horses
 can destroy files and data, but commonly contain spyware, and an even
backdoor program. Trojans is usually contained in software downloads
from unknown or entrusted source.

3. Theft
1. Physical Theft: Physical theft, as the term implies, involves the theft of
hardware and software. It is worth nothing than physical theft is not
restricted to computer systems alone, components are often targeted by
criminals because of their small size and relatively high value. Physical
theft results in the loss of confidentially and availability and make the
integrity of the data stored on the disk suspect.

2. Data Theft: Data theft normally involves making copies of important files
without causing any harm to the originals. This can involve stealing
sensitive information and confidential data or making unauthorized
changes to computer records. Such data can include passwords activation
keys to software, sensitive correspondence, and any other information
that is stored on a victim’s computer. However, if the original files are
destroyed or damaged, then the value of the copied data is automatically
increased. Service organizations are particularly vulnerable to data theft
since their activities tend to rely heavily upon access to corporate
databases. The impact is if a competitor gaining access to a customer list
belonging to a sales organization cannot be imagined. The immediate
effect of such an event would be to place both organizations on an
essentially even footing. However, in the long term, the first organization
would no longer enjoy a competitive edge and might, ultimately, cease to
exist.

3. Identity Theft: Identity theft is a crime in which an imposter obtains key

pieces of personal information, such as social security identification
numbers, driver’s license numbers, or credit card numbers, to impersonate
 someone else. The information may be used to obtain credit, merchandise,
or service in the name of the victim or provide the thief with false
credentials. The Internet has made it easy for identity thieves to use stolen
information because goods can be purchased online without any personal
interaction. Credit card files are a major target Website hackers. Moreover,
e-commerce sites are wonderful sources of costumer’s personal
information-name, address, and phone numbers. Armed with this
information, criminals can assume a new identity and establish new credit
for their own purposes. A serious problem related to identity theft is spam.
Spam electronic junk mail or junk newsgroup postings, usually for the
purpose advertising for some product and / or service. Spammers
commonly use zombie computers to send out millions of e-mail
messages, unbeknown to the computer users.

4. Sabotage
1. Individual Sabotage: Individual sabotage is typically carried out by a
disgruntled employee who wishes to do some form of revenge upon their
employer. The logic bomb, is a destructive computer program that
activates at a certain or in reaction to a specific event, which is a well-
known example of haw an employee may cause deliberate damage to the
organization’s information systems. In most cases, the logic bomb is
activated some months after the employee has left the organization. This
tends to have the effect of drawing suspicion away from the employee.
Another well-known example is known as a back door which is a section
of program code that allows a user to circumvent security procedures in
order to gain full access to an information system. Although back doors
have legitimate uses, such as for program testing, they can also be used
as an instrument of sabotage. If should be noted, however, that individual
sabotage is becoming more infrequent due to various legislation’s.

2. Industrial Sabotage: Industrial sabotage is considered rare, although

there have been a number of well publicized cases over the past few years.
Industrial sabotage tends to be carried out for some kind of competitive
or financial gain. The actions of those involved tend to be highly
 organized, targeted at specific areas of a rival organization’s activities, and
supported by access to a substantial resource base.

3. Unintentional Sabotage: An intent to cause loss or damage need not be

present for sabotage to occur. Imagine the case of an organization
introducing a new information system at short notice and without proper
consultation. Employees may feel threatened by the new system and may
wish to avoid making use of it. A typical reaction might be to enter data
incorrectly in an attempt to discredit the new system. Alternatively, the
employee might continue to carry out tasks manually, claiming that this is
a more efficient way of working. In such cases, the employee’s primary
motivation is to safeguard their position-the damage or loss caused to the
organization’s information systems is incidental to this goal.

5. Vandalism
In a small network system, for example, damage to server or share storage
device might effectively halt the work of all those connected to the
network. In larger systems, a reduced flow of work through one part of the
organization can create bottlenecks, reducing the overall productivity of
the entire organization.

Damage or loss of data can have more severe effects since the
organization cannot make use of the data until they have been replaced.
The expense involved in replacing damaged or lost data can far exceed
any losses arising from damage to hardware or software. As an example,
the delays caused by the need to replace hardware or data might result in
an organization’s being unable to compete for new business, harming the
overall profitability of the company.

6. Accidents
Some examples of the ways in which human errors can occur included:
1. Inaccurate Data Entry: As an example, consider a typical relational
database management system, where update queries are used to change
records, table’s reports. If the contents of the query are incorrect, errors
might be produced within all of the data manipulated by the query.
Although extreme, significant problems might be caused by adding or
removing even a single character to a query.

2. Attempts to carry out tasks beyond the ability of the employee: In

smaller computer-based information systems, a common cause of
accidental damage involves users attempting to install new hardware
items or software applications, existing data may be lost when the
program is installed or the program may fail to operate as expected.

Technological solutions for privacy

protection
What Is Data Protection and Why Is It Important?
Data protection is a set of strategies and processes you can
use to secure the privacy, availability, and integrity of your data.
It is sometimes also called data security.

A data protection strategy is vital for any organization that

collects, handles, or stores sensitive data. A successful
strategy can help prevent data loss, theft, or corruption and can
help minimize damage caused in the event of a breach or
disaster.

Data Protection vs Data Privacy

Although both data protection and privacy are important and
the two often come together, these terms do not represent the
same thing.
One addresses policies, the other mechanisms

Data privacy is focused on defining who has access to data

while data protection focuses on applying those restrictions.
Data privacy defines the policies that data protection tools and
processes employ.

Creating data privacy guidelines does not ensure that

unauthorized users don’t have access. Likewise, you can
restrict access with data protections while still leaving sensitive
data vulnerable. Both are needed to ensure that data remains
secure.

Users control privacy, companies ensure protection

Another important distinction between privacy and protection is

who is typically in control. For privacy, users can often control
how much of their data is shared and with whom. For
protection, it is up to the companies handling data to ensure
that it remains private. Compliance regulations reflect this
difference and are created to help ensure that users’ privacy
requests are enacted by companies.

12 Data Protection Technologies and Practices to

Protect Your Data
When it comes to protecting your data, there are many storage and
management options you can choose from. Solutions can help you
restrict access, monitor activity, and respond to threats. Here are some
of the most commonly used practices and technologies:

1. Data discovery—a first step in data protection, this involves

discovering which data sets exist in the organization, which of
them are business critical and which contains sensitive data that
might be subject to compliance regulations.

2. Data loss prevention (DLP)—a set of strategies and tools that

you can use to prevent data from being stolen, lost, or accidentally
 deleted. Data loss prevention solutions often include several tools
to protect against and recover from data loss.

3. Storage with built-in data protection—modern storage

equipment provides built-in disk clustering and redundancy.

4. Backup—creates copies of data and stores them separately,

making it possible to restore the data later in case of loss or
modification. Backups are a critical strategy for ensuring business
continuity when original data is lost, destroyed, or damaged, either
accidentally or maliciously.

5. Snapshots—a snapshot is similar to a backup, but it is a complete

image of a protected system, including data and system files. A
snapshot can be used to restore an entire system to a specific
point in time.

6. Replication—a technique for copying data on an ongoing basis

from a protected system to another location. This provides a living,
up-to-date copy of the data, allowing not only recovery but also
immediate failover to the copy if the primary system goes down.

7. Firewalls—utilities that enable you to monitor and filter network

traffic. You can use firewalls to ensure that only authorized users
are allowed to access or transfer data

8. Authentication and authorization—controls that help you verify

credentials and assure that user privileges are applied correctly.
These measures are typically used as part of an identity and
access management (IAM) solution and in combination with role-
based access controls (RBAC).
 9. Encryption—alters data content according to an algorithm that
can only be reversed with the right encryption key. Encryption
protects your data from unauthorized access even if data is stolen
by making it unreadable

10.Endpoint protection—protects gateways to your network,

including ports, routers, and connected devices. Endpoint
protection software typically enables you to monitor your network
perimeter and to filter traffic as needed.

11.Data erasure—limits liability by deleting data that is no longer

needed. This can be done after data is processed and analyzed or
periodically when data is no longer relevant

12.Disaster recovery—a set of practices and technologies that

determine how an organization deals with a disaster, such as a
cyber attack, natural disaster, or large-scale equipment failure. The
disaster recovery process typically involves setting up a remote
disaster recovery site with copies of protected systems, and
switching operations to those systems in case of disaster.

Critical Best Practices for Ensuring Data Privacy

Creating policies for data privacy can be challenging but it’s not impossible.
The following best practices can help you ensure that the policies you
create are as effective as possible.

Inventory Your Data

Part of ensuring data privacy is understanding what data you have, how it
is handled, and where it is stored. Your policies should define how this
information is collected and acted upon. For example, you need to define
how frequently data is scanned for and how it is classified once located.

Your privacy policies should clearly outline what protections are needed for
your various data privacy levels. Policies should also include processes for
auditing protections to ensure that solutions are applied correctly.
Minimize Data Collection

Ensure that your policies dictate that only necessary data is collected. If
you collect more than what you need, you increase your liability and can
create an undue burden on your security teams. Minimizing your data
collection can also help you save on bandwidth and storage.

One way of achieving this is to use “verify not store” frameworks. These
systems use third-party data to verify users and eliminate the need to store
or transfer user data to your systems.

Be Open with Your Users

Many users are aware of privacy concerns and are likely to appreciate
transparency when it comes to how you’re using and storing data.
Reflecting this, GDPR has made user consent a key aspect of data use
and collection.

You can be sure to include users and their consent in your processes by
designing privacy concerns into your interfaces. For example, having clear
user notifications outlining when data is collected and why. You should also
include options for users to modify or opt-out of data collection.

Data Protection Trends

Here are some important trends driving the evolution of data protection.

Data Portability and Data Sovereignty

Data portability is an important requirement for many modern IT

organizations. It means the ability to move data between different
environments and software applications. Very often, data portability means
the ability to move data between on-premises data centers and the public
cloud, and between different cloud providers.

Data portability also has legal implications—when data is stored in different

countries, it is subject to different laws and regulations. This is known as
data sovereignty.

Mobile Data Protection

Mobile device protection refers to measures designed to protect sensitive

information stored on laptops, smartphones, tablets, wearables and other
portable devices. A fundamental aspect of mobile device security is
 preventing unauthorized users from accessing your corporate network. In
the modern IT environment, this is a critical aspect of network security.

There are many mobile data security tools, designed to protect mobile
devices and data by identifying threats, creating backups, and preventing
threats on the endpoint from reaching the corporate network. IT staff use
mobile data security software to enable secure mobile access to networks
and systems.

Common capabilities of mobile data security solutions include:

 Enforcing communication via secure channels

 Performing strong identity verification to ensure devices are not
compromised
 Limiting the use of third-party software and browsing to unsafe websites
 Encrypting data on the device to protect against device compromise and
theft
 Perform regular audits of endpoints to discover threats and security issues
 Monitoring for threats on the device
 Setting up secure gateways that can allow remote devices to connect
securely to the network

Ransomware

Ransomware is a rising cybersecurity threat, which is a top security priority

for almost all organizations. Ransomware is a type of malware that
encrypts user data and demands a ransom in order to release it. New types
of ransomware send the data to attackers before encrypting it, allowing the
attackers to extort the organization, threatening to make its sensitive
information public.

Copy Data Management (CDM)

Large organizations have multiple datasets stored in different locations,

and many of them may duplicate data between them.

Duplicate data creates multiple problems—it increases storage costs,

creates inconsistencies and operational issues, and can also result in
security and compliance challenges. Typically, not all copies of the data will
be secured in the same way. It is no use securing a dataset and ensuring it
is compliant, when the data is duplicated in another unknown location.
CDM is a type of solution that detects duplicate data and helps manage it,
comparing similar data and allowing administrators to delete unused
copies.

Disaster Recovery as a Service

Disaster recovery as a service (DRaaS) is a managed service that gives an

organization a cloud-based remote disaster recovery site.

Traditionally, setting up a secondary data center was extremely complex

and involved massive costs, and was only relevant for large enterprises.
With DRaaS, any size organization can replicate its local systems to the
cloud, and easily restore operations in case of a disaster.

DRaaS services leverage public cloud infrastructure, making it possible to

store multiple copies of infrastructure and data across multiple
geographical locations, to increase resiliency.