Data Protection Policy of the Institute

Overview

  • Important: When you accidentally remove something, please tell IT immediately via the ticket system—_even on weekends_! The earlier we know, the better. However, the actual protection mechanisms may sometimes exceed guarantees given here.
  • Important: Every user of the institute is responsible for their data. Everyone has to ensure that their data is located at a storage location which is suitable for the value of the data. The protection policy for data storage locations of the institute is described on this page.
  • Depending on the location of the data, IT gives certain guarantees about its safety. These guarantees are grouped into numeric protection "levels".
  • This page is about protection against data loss not about security against attackers or data leaks.
  • To find out how well data is protected against data loss in a given location, have a look at the Locations table.
  • To find out where to store your data, have a look at the Where_to_put table.

Different protection levels for different classes of data

The value of data varies greatly. RAW data from MRI machines are subject to an archiving procedure as soon as they leave the machine. Since the data is "RAW", no changes have to be taken into account later. A backup is not necessary—just the preservation of one original state.

On the other hand, personal data in users' home directories changes a lot. Accidental removal or unwanted changes are very common there. These data are protected by a revision based backup system. A system like that is able to restore the state of a file or directory tree from a given point in time, e.g. from two weeks ago.

There are several protection levels, ranging from "no backup" (level 0) to "revision based backup" (level 3), and they vary greatly in cost. In practice this means that only a small subset of the data can be protected at the highest level. Data that an easily reproducible job can regenerate gets less or no protection.

Since IT's resources (manpower, hardware, even server rooms) are limited, it is impossible to protect all or even most of the data at levels above 1. You'll have to decide carefully where to put your data.

Protection levels and threats to your files

Level -1 - No data should be put here (nouserdata)

No data should be put into this location. This is just mentioned since it might be shown by the STORAGEPOLICY script.

Level 0 - No protection, just a simple harddisk (nobackup)

Data on regular disks is lost when the respective disk fails. The storage devices of Linux computers are automatically checked for signs of problems. However, those checks only reduce the likelihood of predictable failure; unpredictable failures happen as well.

Protected against:
  • Minor sudden changes on the hard disk. Error correcting checksums protect your data within certain limits, several flipped bits on the disk can be compensated.
  • Nothing else!

Level 1 - Protection against disk failure (diskprotect)

Disk arrays are collections of hard disks containing redundancy information. It is assumed that a multiple disk failure is far less likely than a single disk failing. Broken disks in the collection are replaced by new disks, and after a while the collection can tolerate the next disk failure. Storage like this is always built into servers which are locked away in server rooms. IT always uses disk failure protection that can tolerate at least two disks of the array failing completely.

Protected against:
  • All the problems covered by protection level 0.
  • Simple theft. All servers are under lock and key in server rooms.
  • Failure of up to two hard disks on the server.
    Fun fact: There has never been a three-disk failure in the institute (as of March 2023).
  • Minor problems in the server's main memory. Level 1 storage and higher always resides on servers equipped with memory error correction.
    FYI: There has never been a memory problem in the institute that would have exceeded this protection.
  • Sudden power failure: All file servers are connected to redundant power supplies.
  • Power surges (e.g. lightning strikes): All file servers are attached to professional power-surge protection.
  • "Bit rot". All disk arrays are tested for integrity on a regular basis (currently once a month). Broken or suspicious disks are replaced by IT without users noticing.
  • Flooding with at least 20cm of water on the floor. If the server is on the ground floor or below, it will tolerate a water level of at least 50cm.
  • Nothing else!

Level 2 - Daily synchronisation (dailysync)

Data is synchronized to another server every night. If you remove or overwrite data, the synchronizing process will remove or overwrite the data from/on the mirror every night as well. The mirror target server is always located in a different part of a building or in a different building which means a fire or even a small plane crash will not destroy both of them.

Protected against:
  • All the problems covered by protection level 0 and 1.
  • Massive hardware problems on the server (failing computer mainboards, disk controller cards, disk backplanes, memory, ...).
  • Fire in a server room
  • Structural failure of a building
  • When reported immediately during the day, accidental data removal or change can be reverted. However, there's no guarantee.
  • Only for StorageUnified storage blocks: Massive failures during the synchronization process on either the productive system or the backup system. If e.g. the productive system is destroyed while copying data to the backup system, you are still guaranteed a consistent backup.
  • Nothing else!

Level 3 - Revision based backup (backup)

A revision based backup creates snapshots of the protected data every night. This way, data accidentally removed/changed several days or weeks ago can be restored.

The backups are stored on magnetic tapes or hard disks and will be kept for at least two months. When storage runs out, the backup system removes snapshots starting with the oldest ones. A backup system can therefore never replace an archive.

Protection against:
  • All the problems covered by protection level 0, 1 and 2.
  • Accidental removal or change of data by users, if the missing data resided on the storage system for at least 24h.
    Example: You created a file on Monday morning but accidentally removed it in the afternoon. The backup does its job in the evening—no protection in this case. If you had removed the file on Tuesday, it could be restored.
  • Intentional removal or change of data by attackers acting as a user having permissions. This is possible e.g. after an account password was shared with others.
  • Nothing else!

The file archive system (hsm)

This special level is only suitable for long term storage and only relevant for the data archive.

Protected against:
  • Minor changes on tapes are compensated by error correction mechanisms.
  • Single media (tape) failure. All data is written to two independent storage media.
  • All kinds of electrical problems (e.g. voltage spikes or direct lightning strike) since tapes don't have a connection to any kind of conductor.
  • Nothing else!

At this time explicitly not protected against:
  • Fire
  • Structural failure of building C

FAQ

Where to put which kind of data?

The following table recommends where you should put the different kinds of data. Please check whether the recommended location has the protection level (PL) you expect.
| Data | Location | Protection Level |
| Research results, scripts, notes | protected study storage ( /data/p_... ) | 2 |
| Storage for computational working sets (high data rate, low latency) | fast study storage ( /data/pt_... ) | 1 |
| Research results, scripts & notes associated with older research projects | /afs/cbs.mpg.de/projects/... | 2 |
| Self-written research papers | protected study storage ( /data/p_... ) | 2 |
| Your thesis | /data/u_[username]_thesis (This storage can be created here.) | 2 |
| Custom software (e.g. Python environment, customized FSL) | /data/u_[username]_software (This storage can be created here.) | 2 |
| Downloaded research papers | /data/tu_[username] (This storage can be requested here.) | 1 |
| To share data within your group | /data/p_gr_[grouphead]_share (This storage needs to be requested via ticket.) | 2 |
| RAW MRI/EEG/... data | protected study storage ( /data/p_... ) | 2 |
| RAW MRI/EEG/... data | Archive (HSM) | 1 |

Which protection level is required for which kind risk/damage?


The following table lists possible threats to your data and the minimum protection level that avoids data loss in each case.
| Danger | Minimum Protection Level |
| Crash of one disk | 1 |
| Crash of two disks | 1 |
| Theft of a single computer | 2 |
| Overwriting good data with bad data | 3 (2, if you act quickly and write a ticket immediately.) |
| Errors in a server's hardware component (disk controller, processor, memory, ...) | 2 |
| Erroneous removal/overwriting of data and recognizing the error before night | 2 |
| Erroneous removal/overwriting of data and recognizing the error after night | 3 |
| Changing/removing data that was just created | Not possible |
| Having removed/overwritten a file in the past | 3 |
| Placing data outside the scope of the protection service | Not possible |
| Fire, water damage, crashes of small airplanes | 2 |

How can I see the safety of my files while I'm working?


The STORAGEPOLICY environment (started by the command of the same name) shows the storage policy in real time: the shell prompt displays the storage policy of the current working directory. The script modifies your shell environment slightly.

Each folder is assigned a storage policy which includes the following properties:
| Property | A question you might ask | Description |
| protection level | "How well is the folder secured against data loss?" | |
| auto remove (-delay) | "How many days after the last change will my files be removed automatically?" | This property is set only for a very small number of temporary folders. An example is /tmp . It is explicitly not set on folders under /afs/cbs.mpg.de/projects . Folders in /data marked with a d-flag (e.g. dt_transfer ) are subject to regular cleaning. |
| namespace stability | "Will this path name ever change?" | For some folders, IT guarantees that the folder will never be renamed until it is removed for good. |

Which storage paths are protected how well?


Use this table to find out how well your data is protected in a certain location. The numerical protection levels used in the "Protection level" column are described above. Data in /afs (drive letter Z: in Windows) always resides on disk arrays in file servers, which means protection level 1.
| Description | Path in Linux | Path in Windows | Protection level | Quota | Removal Policy | Stable Namespace |
| Home directories | /data/hu_... | M: | 3 | 10GB | Data will be removed on account timeout. | yes |
| Personal storage (personal software, theses, ...) | /data/u_... | X:\u_... | 2 | 50GB | Data will be removed on account timeout. | yes |
| Personal storage (cloud sync folders, temporary data, ...) | /data/tu_... | X:\tu_... | 1 | as requested | Data will be removed on account timeout. | yes |
| Study storage ("Fast storage"; request storage) | /data/pt_... | X:\pt_... | 1 | as requested | Data will be removed when the last person having access permissions has left the institute. | yes |
| Study storage ("Protected storage"; request storage) | /data/p_... | X:\p_... | 2 | as requested | Data will be removed when the last person having access permissions has left the institute. | yes |
| Legacy study storage | /afs/cbs.mpg.de/projects | - | 2 | as requested | Data will be removed when the last person having access permissions has left the institute. | yes |
| Group share/exchange folders (request group folder via ticket) | /data/gt_... , /data/pt_gr_..._share | X:\gt_..._share , pt_gr_..._share | 1 | as requested, max 100GB | Data will be removed when the research group no longer exists. | yes |
| Exchange directory | /data/dt_transfer | X:\dt_transfer | 1 | - | Data older than 7 days is removed automatically. | no |
| Worldwide exchange directory | /afs/cbs.mpg.de/tmp/internet | - | 1 | - | Data older than 60 days is removed automatically. | yes |
| Local hard disks on workstation computers | /nobackup/[Computer]{[Disknumber]} , /NOBACKUP | - | 0 | - | After account timeout, data will be removed upon request of other users. | no |
| Local hard disks on servers | /LOCAL | - | 0 | - | Data handling is up to the data manager of the group owning the server. | |
| Institute Archive (HSM) | Server grauserv | | HSM | - | (No policy set, yet) | no |
| Temporary data | /tmp | - | 0 | - | Folder is cleared when the computer reboots. Data older than 2 days is removed. | yes |
Hints:
  • Higher protection level = lower speed = more restrictive storage assignment = better protection against failure and accidental removal
  • Storage block protection level rules in /data : (refer to DataProtectionPolicy for information on guarantees associated with protection levels)
    • t before the first _ : Protection level 1
    • h before the first _ : Protection level 3
    • None of the above: Protection level 2
  • d before the first _ means "Automatic data removal is to be expected in this storage block"
  • u before the first _ means: Only one user is granted access. No Exceptions! When the user leaves the institute, the data is removed since no one has access anymore.
  • Almost all research data is stored in p_ and pt_ storage.
  • The command 'mydata' will show you all storage blocks you have access to.
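As an added illustration of the naming rules above (this is example code written for this page, not the institute's STORAGEPOLICY or mydata tool), the following POSIX shell functions read the letters before the first underscore of a storage block below /data, derive the protection level and the d/u flags from them, and compare the result with the minimum level a kind of data needs according to the "Where to put" table. The levels for /tmp, /nobackup, /NOBACKUP, /LOCAL and the two /afs paths are taken from the locations table; a prefix containing both h and t is treated as level 3 (an assumption, the page lists no such block); all user and study names in the demonstration are made up.

```shell
#!/bin/sh
# Added example, not the institute's STORAGEPOLICY script: derive the
# protection level of a path from the storage-block naming rules in the
# Hints list, then check it against the minimum a kind of data needs.
#
# Rules taken from the page (for blocks directly below /data):
#   letter t before the first _  -> protection level 1
#   letter h before the first _  -> protection level 3
#   neither                      -> protection level 2
#   letter d before the first _  -> automatic data removal is to be expected
#   letter u before the first _  -> single-user block, removed when the user leaves
# Assumption: a prefix containing both h and t does not occur on the page;
# here h (the higher level) wins if it ever did.

# Print the storage block name (first component below /data); fail if the
# path is not under /data.
storage_block() {
    case "$1" in
        /data/?*) ;;
        *) return 1 ;;
    esac
    _rest=${1#/data/}
    printf '%s\n' "${_rest%%/*}"
}

# Print the numeric protection level of a path. Locations outside /data
# are taken from the locations table; anything undocumented prints "?".
protection_level() {
    case "$1" in
        /tmp|/tmp/*|/nobackup|/nobackup/*|/NOBACKUP|/NOBACKUP/*|/LOCAL|/LOCAL/*)
            echo 0; return 0 ;;
        /afs/cbs.mpg.de/projects|/afs/cbs.mpg.de/projects/*)
            echo 2; return 0 ;;
        /afs/cbs.mpg.de/tmp/internet|/afs/cbs.mpg.de/tmp/internet/*)
            echo 1; return 0 ;;
    esac
    _block=$(storage_block "$1") || { echo '?'; return 0; }
    _prefix=${_block%%_*}          # letters before the first underscore
    case "$_prefix" in
        *h*) echo 3 ;;
        *t*) echo 1 ;;
        *)   echo 2 ;;
    esac
}

# Print the flags encoded in the prefix: "autoremove" for d, "singleuser" for u.
block_flags() {
    _block=$(storage_block "$1") || return 0
    _prefix=${_block%%_*}
    _flags=""
    case "$_prefix" in *d*) _flags="autoremove" ;; esac
    case "$_prefix" in *u*) _flags="${_flags:+$_flags }singleuser" ;; esac
    printf '%s\n' "$_flags"
}

# Report whether a path provides at least the required level ($2, taken from
# the "Where to put" table). Exit status: 0 ok, 1 too low, 2 undocumented.
check_placement() {
    _level=$(protection_level "$1")
    if [ "$_level" = '?' ]; then
        echo "UNKNOWN  $1 is not a documented storage location"
        return 2
    fi
    if [ "$_level" -ge "$2" ]; then
        echo "OK       $1 has level $_level (needs $2)"
    else
        echo "TOO LOW  $1 has level $_level (needs $2)"
        return 1
    fi
}

# Demonstration over constructed paths (user and study names are made up):
for _p in /data/hu_alice/notes.txt /data/pt_study42/raw /data/p_study42/results \
          /data/dt_transfer/out.zip /data/tu_alice/papers /tmp/scratch /home/alice; do
    printf '%-28s level=%s flags=%s\n' "$_p" "$(protection_level "$_p")" "$(block_flags "$_p")"
done
check_placement /data/p_study42/results 2            # research results need level 2
check_placement /data/pt_study42/results 2 || true   # fast storage is only level 1
```

The check is deliberately conservative: a path that none of the documented rules cover is reported as unknown rather than given a guessed level, which is the safe answer when deciding whether data sits where the policy expects it.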

What are the reasons for hard disks failing?


These classes of hard disk failures have already happened in the institute:
  • Mechanical shocks from the user. This is why laptops are now equipped with non-mechanical storage (SSDs).
  • Manufacturing errors which cause the magnetic surface not to store data as reliably as necessary.
  • Power surges that destroy the disk's controller electronics.
  • Head crash: The disk's read-write head collides with the magnetic surface, e.g. when an office chair collides with the computer's chassis. Debris from the collision then starts moving around on the rotating disk and destroys it when it gets in contact with the read-write head.
  • Spindle motor failure
  • The disk's semiconductor based memory breaks.
  • A piece of metal dust breaks from inner surface of the hard disk's chassis and starts moving on the rotating disk. The result is comparable to that of a head crash.

Here is an even longer list of reasons for hard disk failure.

BTW: Using solid state disks is no solution. Apart from being way more expensive, they have a limited lifespan. We do use SSDs for some storage block types, though.

This topic: EDV/FuerUser > WebHome > DataProtectionPolicy
Topic revision: 30 Jul 2024, wherbst