Professional Documents
Culture Documents
DR Data Center Services VX XX
DR Data Center Services VX XX
Directive
Content
1. Purpose...................................................................................................................................................... 4
2. Area of application ..................................................................................................................................... 4
3. Definition of terms & abbreviations ............................................................................................................ 4
4. Content of the directive .............................................................................................................................. 4
4.1 Data and Backup Management ............................................................................................................. 4
4.1.1 Area of application ............................................................................................................................. 4
4.1.2 Data Backup Strategy ........................................................................................................................ 6
4.1.4 Quarterly Backups ............................................................................................................................. 7
4.1.5 Monthly Backups ............................................................................................................................... 8
4.1.6 Locations with automatic tape libraries .............................................................................................. 8
4.1.7 Locations with simple tape drives ...................................................................................................... 8
4.1.8 Locations with Backup deduplication Appliance ................................................................................ 8
4.1.9 Database Backup (others than Oracle or SQL Server) ..................................................................... 8
4.1.10 Backup of Oracle Databases ............................................................................................................. 8
4.1.11 Backup of SQL Server Databases ..................................................................................................... 9
4.1.12 Hypervisor-based Backups ................................................................................................................ 9
4.2 Networking ........................................................................................................................................... 10
4.2.1 Hardware environment for data network ......................................................................................... 10
4.2.2 Passive data network ....................................................................................................................... 10
4.2.3 Configuration and Backup Management ......................................................................................... 10
4.2.4 External Partner Networks / Internet ............................................................................................... 10
4.2.5 Network Protocols ............................................................................................................................ 11
4.2.6 IP addressing ................................................................................................................................... 11
4.2.7 Network Management ...................................................................................................................... 11
4.2.8 Network Monitoring .......................................................................................................................... 11
4.2.9 Redundant WAN Connections ......................................................................................................... 11
4.2.10 High Available LAN .......................................................................................................................... 11
4.2.11 Stand-by equipments ....................................................................................................................... 11
4.3 Servers................................................................................................................................................. 11
4.3.1 Compute .......................................................................................................................................... 11
4.3.2 Server Roles .................................................................................................................................... 12
4.3.3 Environments ................................................................................................................................... 12
4.3.4 Naming Convention ......................................................................................................................... 12
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 2 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
Overview
Short description DRÄXLMAIER Group (DRX) Information Technology
Function provides centralized and decentralized storage,
backup, networking, database services to all the functions
across the group. The services are provided from Server
Rooms (SR) located at the company HQ and also in
company locations across the world.
Area of application This directive is a guideline to describe and standardize
the infrastructure requirements in the Data Center
Services area for storage, backup, networking, compute
and database services. It is mandatory to all IT staff who
is involved in planning, building and operating these
services.
Related to process evaluate IT infrastructure solution, develop IT
Infrastructure solution, manage IT changes, manage IT
security
Information class Internal
Translated No
document
Control data
Author/reviewer Ghita Victor
Creation/revision 13.03.2020
date
Verifier Ciuca PetruDoru
Verification date 13.03.2020
Approver Moeller Gernot
Approval date 16.03.2020
Version 4
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 3 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
1. Purpose
This directive defines the services provided by the SR, responsibilities in the operation and technical
framework for Datacenter Services; and it ensures that the SR remains secure by having in place directives
and procedures.
2. Area of application
This directive is a guideline to describe and standardize the infrastructure requirements in the Data Center
Services area for storage, backup, networking, compute and database services. It is mandatory to all IT staff
who is involved in planning, building and operating these services.
Term Definition
Retention Policy set of guidelines that describes which data will be archived, how long it will
be kept, archival rules, data formats, and the permissible means of storage,
access, and encryption.
Direct Attached Storage dedicated storage attached directly to the server unit
(DAS)
Synchronous Replication writes the data in the same time on both storage units
Asynchronous Replication writes the data to the primary storage unit than it commits the data to the
memory to be replicated or to a disk-based journal to be replicated latter on.
Abbreviations All relevant abbreviations you can find in the D-World abbreviations list
Access to the backup systems and the storage media has to be documented.
For deleting the data from the backup media special software must be used.
When deleting the media special data protection containers has to be used, if the containers aren't available
is the responsibility of the competent security administrator as specified by the site management, the OEMs
or the law. Lengthy retention periods required by local regulations are to be adhered to.
The backup system or at least the physical storage system should be set up at a place that is separate from
the main data center; if this is not possible for technical reasons (single data center on premise) the backup
media MUST be stored as early as possible at a place that is sufficiently remote to protect it from disasters.
The data has to be stored in a fire-resistant data protection safe or a data protection cabinet. This includes
features such as protection against the penetration of fire, water, gas and against burglary and theft. The
applied resistance class must be DIS90 or equivalent.
Backup data is stored as required by legal, statutory or contractual stipulations according to their individual
time limits and necessary safety levels.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 4 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
The „DRÄXLMAIER Group backup directive applies to all systems which use the
DRÄXLMAIER Group backup infrastructure.
For any software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS),
managed service:
If a backup or data protection is required, the available possibilities of the vendor have to be preferred.
This has to be always a case by case decision.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 5 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
Definition:
It regulates the protection and restoration of data on all production servers, all storage devices in all sites of
DRÄXLMAIER Group.
It is designed to protect data in the organization, to be sure it is not lost and can be recovered in the event of
an equipment failure, intentional destruction of data, or disaster and it should be able to:
− Recover from data loss in all circumstances like hard drive failure, virus attacks, theft, accidental
deletes or data entry errors, sabotage, fire, flood, earth quakes and other natural disasters.
− Recover to an earlier state if necessary like due to data entry errors or accidental deletes.
− Recover as quickly as possible with minimum effort, cost and data loss.
− Require minimum ongoing human interaction and maintenance after the initial setup - able to run
automated or semi-automated.
Classification:
Dependent of the data to backup, DRÄXLMAIER Group offer the following backup classes:
Bronze 30 days no
Silver 90 days no
Backup classes are defined on a per-server basis. The default class is defined as “Bronze”.
Application / data owner have to decide the required backup class, during the request process.
This have to be done during the project, when a new share, server or infrastructure is implemented.
The assignment has to be documented in the document “Backup Classes - Server Matrix.xlsx”.
Changes of the backup class have always to be aligned between application/data owner and backup team.
The change has to be documented in the document “Backup Classes - Server Matrix.xlsx”.
The new backup classes are introduced in 2018. Older existing systems remain in “Gold” class until it will be
changed.
Strategy:
The data has to be available in monthly updates (monthly backup) one year prior
to this time period. Furthermore, tapes have to be kept for long-term data
backup in quarterly intervals for a period of 20 years (quarterly backup: beginning of January, April, July and
October). The full backups which are to be retained are to be carried out on separate media on the first
weekend of the month, preferably on Fridays. It must be pointed out here, however, that this is not a certified
compliance-conform archiving solution.
The backup type may vary due to different hardware and software equipment used at the individual
subsidiaries.
Before backup is started, the data set should be available in closed consistent state at the start of the backup
and backup job must finish before data is accessed again.
IT in each site is responsible for the backup / restore process. For next level support the Incident
Management process should be followed.
An assessment of whether certain systems and data records should be backed up has to be made by each
subsidiary IT in agreement with the subsidiary head.
LTO uses an automatic verify-after-write technology to immediate check the data as it is being written. A full
verify is made through the clone job of the monthly full backup.
Furthermore, an adequate supply of backup and cleaning tapes is to be assured and defective tapes should
be replaced immediately.
The head of SO-IT is responsible for permanent adherence to the directives according to specifications.
As mentioned before, implementation of the DRX backup strategy largely depends on the hardware and
software equipment used at each of the subsidiaries.
All Quarter backups have to be performed and monitored locally. Incident Management process has to be
used if any issues are encountered.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 7 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
In doing so, tapes always have to be used at full capacity and if necessary, additional capacity has to be
provided. After the Thursday backup is finished the tape media has to be stored in a fireproof data backup
safe. At the same time, the tapes are to be appropriately and clearly labeled.
The first backup Friday in the month is to be marked as the monthly backup. The monthly backups at the
beginning of each quarter are declared as being quarterly backups and are then filed for long-term backup.
Once the retention policy of the weekly (full + incr.) backup tapes has expired, they can be returned to the
backup circuit. The same applies to the monthly backup tapes, which can be reused once the calendar year
has come to an end.
In the central location a copy of the quarter backup is made to tape. The tapes have to be stored accordingly
to the ruling directive. Backup server is the server in the central site; therefore a backup server locally is not
necessary.
Backups based on hypervisor level are used for disaster recovery purposes.
These backups are limited to backup class “Bronze” or “Silver”.
If there are any long term retention requirements of the data within the VM, backup of the data must be done
by backup agents on guest level.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 9 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
4.2 Networking
Secured communication between all the subsidiaries of the DRÄXLMAIER Group has become essential in
the course of expanding the DRÄXLMAIER Group into a globally active systems supplier and at the same
time for the purpose of tapping new business areas.
The aim is to create an integrated, uniform structure of communication as a basis for the entire
communication among all the sites, both within the group of companies and to the external partners.
The following guidelines apply to this set-up:
− Adherence to general standards and avoidance of installation of proprietary mechanisms
− The extensibility of the entire system in every direction (open system)
− The provision of standby units for all the components used within the scope of the Provider contracts
− Ensuring communication between all the DRX subsidiaries
− Ensuring communication to all the customers and partners
− Applying hardware that is defined as standard.
The current network structure is shown in the Applicable Document (APD): "WAN_GLOBAL"
All the process details for installing, backing up and recovery are listed in the Applicable Documents
"NETWORK_PROCESSES" The responsibility for all steps are listed in the RACI Matrix "NETWORK_RACI"
Any new installations of access to the company network for a DRX employee require prior approval by the
line manager. An application form is available in DFM
Access options for partner companies are granted to trustworthy companies only. Responsibility for the
partner companies is assumed by the internal DRX applicant and also requires approval by a director.
All access to external networks, particularly to the Internet, has to be approved by CISO and safeguarded
according to the given specifications. Due to the high degree of risk, use of unapproved, not appropriately
safeguarded access is strictly prohibited.
Access to internet is allowed either centrally trough the main firewall in the HQ either with local internet
breakouts. In both situations internet access is monitored and protected against malware and viruses the
same way, access policies are defined and managed central.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 10 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
Unsecure Internet access with 3/4G modems or any other devices except ones
described above is strictly forbidden.
4.2.6 IP addressing
A global IP addressing schema is defined and maintained central in the file "NETWORKS". The management
and documentation of the local IP addresses in the subsidiaries is the responsibility of the local IT.
.
4.3 Servers
This section describes the server deployments in DRÄXLMAIER Group in order to ensure required
availability of services, as well as the safety and efficiency of their operation.
4.3.1 Compute
Server infrastructure, except the mainframe located in headquarters, is standardized on Intel’s x86
architecture. On this hardware platform operating systems are installed either natively or virtualized. In the
central data centers it is preferred to virtualize operating systems for efficiency, flexibility and manageability.
In local SR's data centers operating systems are installed natively or virtualized dependent on cost
effectiveness.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 11 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
4.3.3 Environments
Server roles are divided into different environments which describe the importance of the role. As an
example an application server role could be in once instance be a test instance and in another productive.
This means that there is a distinct difference to the operative importance the server plays in the different
environments. For example loss of data or service in the test environment is acceptable, whereby in
production this can lead to financial and/or image loss to the DRÄXLMAIER Group.
The rule applies that only persons who need access to a server in their capacity as an administrator of the
server or of a hosted application is permitted to logon to the server. The persons who have the right to
access the server, must be divided in roles which define the rights that person has on the server. The rights
assigned to a role must cover all the aspects of those users responsibilities and no more. Examples of this
are that the highest level system administrator has full control over all aspects of the server and a user who
administrates an hosted application must have all the rights to the application being administrated, but no
further rights to the operating system.
4.3.6 Storage
Servers provide storage for service to store or to serve data from. This storage can be locally attached to the
server inform of internal hard disks or consumed via SAN/NAS depending on the nature of the architecture,
location and service provided.
4.3.7 Backup
The services provided by the server inherently produce data, some of which is important to backup and other
that are not. Backup are to be made firstly to prevent loss of important data and to enable a speedy recovery
of service in the event that a service needs recovery. It is be ensured that servers that provided service that
can lead to financial and/or image loss to the DRÄXLMAIER Group are backed-up with our approved backup
solution.
4.3.8 Monitoring
As with backup monitoring is to be implemented, to reduce the implications of financial and/or image loss to
the DRÄXLMAIER Group, on system in this importance category. By detecting system health and
performance issues before they become problems and allowing administrators to react in a timely fashion to
proactively resolve detected issues.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 12 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
4.4 Database
This section describes the database operation in DRÄXLMAIER Group in order to ensure required
availability of services, security and efficiency in operation.
Cloud Databases
A cloud database service represent a database that runs on a cloud computing platform. The cloud
database service can requested as PaaS/DBaaS (Platform as a Service,/Database as a Service) or
IaaS (Infrastructure as a Service). The DBaaS model is a based subscription service in which the
database runs on the service provider's physical infrastructure.
For IaaS, database delivery team support all the versions that exist on premise deployment (see
chapter 4.4.1.1). For PaaS, deployments database delivery team offer support for all database
technologies present in the agreed cloud vendors, for both database types: SQL and NoSQL.
A SQL or relational database is composed of a set of interrelated tables that are organized into rows
and columns. The relationship between tables and columns (fields) is specified in a schema.
NoSQL is a non-relational database management system that does not require a fixed schema and has
a different way of storage the data. The purpose of using a NoSQL database is for distributed data
stores with humongous data storage needs. NoSQL is used for Big data and real-time web apps.
NoSQL database stands for "Not Only SQL" or "Not SQL.". Some types of NoSQL databases: Key-
Value, Document store, Column based, Graph based.
A catalog of preferred database architecture deployments is maintained by the Database Architect in the
APD "Database Approved Architectures"
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 13 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
− Audit
Database audit and logging is implemented and maintained by the DBA Team in a unified way using scripts.
For Oracle databases the audit level is for SYSDBA connections. The audit trail is stored on disk in a specific
directory for each database instance. The audit trails is kept on disk for the last day only.
All audit trails are backed up on tape according to the effective backup procedure for file-system backups.
The database and listener logs and trace files are archived automatically using scheduled scripts. The
archive directory is backed up on tape according to the effective backup procedure for file-system backups.
On all Oracle productive databases the DDL (Data Definition Language) statements are audited via
AUDIT_DDL trigger. The audit records provide information about the operation that was audited, the user
who performed the operation and the time of the operation. Audit records are stored in a table, accessible
only by DBAs.
For SQL Server databases the audit and logs are recorded in Windows Event Logs. The logs are archived
and backup up according with the Windows File system backup policy implemented at server level.
− Patching
As a result of security scans database patches and specific database configurations are installed in order to
mitigate the identified security bugs.
As a result of incident analysis database software bugs are discovered. Depending on the criticality and type
of issue, patches are installed on specific database instances or on all database instances.
Patching activity takes place following the general change management procedure.
The procedure of updating the Oracle database is to create a new Oracle Home with the identified patches
applied and start to deploy it to the database servers. Whenever the downtime for databases is obtained,
configuration database file can be moved from the old home to the new one. In case of issues, rollback can
be performed meaning moving back the database files.
The plan is too apply patches according below steps:
1. Evaluate security fixes and bug fixes;
2. Check for patch conflicts;
3. Apply patch on test environment. Create a new patched Oracle Home;
4. Deploy the patched Oracle Home on QUAL and DEV environment;
5. Rollout on productive environment;
The full procedure of applying security patch is maintained by DBA in APD “Database Security Patch
Procedure".
The alerts are notifying the DBA team for Warning and Critical metrics and the ITCC team for critical metrics.
The detailed procedure for Database Monitoring is described in APD "Database Monitoring Procedure"
document.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 14 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
In DRX two concepts are used for storing data: DAS (Direct Attached Storage) and dedicated central storage
units.
DAS is used in direct relation to Servers so will be defined and described in the server section.
Enterprise Storage Systems are dedicated storage systems which provide storage through a SAN (Storage
Area Network).
The DRÄXLMAIER Group standards and requirements for planning and implementing a Enterprise Storage
System are defined in Applicable Document "IT-Applicable Document Enterprise Storage Vx_xx"
A SAN (Storage Area Network) is used to provide LUN´s (logical unit numbers) to one or more servers
system.
To add security and simplify management, a fibre channel zoning is used to restrict access based on devices
or ports. There are two zoning models, WWN (World Wide Name) and port zoning.
DRÄXLMAIER Group uses the WWN (World Wide Name) zoning model in his Data Center in Vilsbiburg.
This provides the most flexible infrastructure. A cable can be moved from one port to another without
reconfiguring zones.
The DRÄXLMAIER standards and requirements for planning and implementing a Storage Area Network are
defined in Applicable Document "IT-Applicable Document SAN Vx_xx"
The protocols NFS or SMB/CIFS are used to access the storage through the Ethernet network infrastructure.
Security is provided through ACL´s on the file and share level.
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 16 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.
Directive IT - Data Center Services
5. Applicable documents
Name Description
WAN_GLOBAL Network Map
STANDARDARTIKEL Standard article list
PASSIVE_DATA_NETWORK Spefications for the passive LAN
NETWORK_PROCESSES Definition of network processes
NETWORK_RACI Responsibilities for operating the data network
NETWORKS Allocation of IP networks
MONITORING_RACI Describes how the network is monitored
Database Approved Architectures Description of database architectures approved
Database Monitoring Procedure Procedure which details the monitoring of databases
Database Security Patch Procedure Procedure which details the applying of database
security patches
IT-Applicable Document Enterprise Storage Vx_xx Description of the enterprise storage
IT-Applicable Document SAN Vx_xx Description of the enterprise SAN
6. Change history
Internal: All rights reserved. Distribution within DRÄXLMAIER Group, customer and partners.
Version 2 page 17 of 17
Printouts are only valid at the date of printing and are not covered by document control.
In case of misunderstandings with translated versions of this document, refer always to the original document.