How do you choose the best backup strategy for your data?

Some ways to get started: - Start with Business impact assessment to have critical list of asset, RPO and RTO - Define Backup solution - Define Backup Strategy and method(full, incremental, differential) according to RTO and RPO provided by Asset owner - Regular review backup report to check the failed backup - Regular do restore test to ensure the backup success

Instead of stating best backup strategy plan, let's say affordable and key considerations for Choosing the backup strategy for data depends on various factors, including the type of data, importance, budget, and compliance. Considering the following factors, it can decide the backup strategy that fits to organization, 1. Identify Critical Data in line with Business strategy 2. Backup Frequency, Backup Locations, Automate Backups & Redundancy 3. Versioning & Security Measures 4. Testing and Validation 5. Scalability, User Accessibility & Cost Considerations 6. Compliance Requirements 7. DR Plan, Monitor and Update As I always recommend that, chose the solution by performing DEMO or Free trail, that will provide visibility to Organization.

Classify your data based on importance and sensitivity. Prioritize critical information, ensuring it receives more frequent and secure backups. This approach helps allocate resources efficiently.

Objectifs de la sauvegarde : Assurer la disponibilité des données. Prévenir la perte de données en cas de sinistre. Faciliter la récupération rapide en cas de défaillance. Exigences en matière de sauvegarde : Plan de sauvegarde régulier. Stockage sécurisé des copies de sauvegarde. Test périodique de la restauration pour garantir l'intégrité des données. Conformité aux politiques de confidentialité et de sécurité.

Back in the EMC days our first question when consulting clients was: What is your desired recovery point objective (RPO)? And what is your desired recovery time objective (RTO)? And translating this in understandable word: 1) What amount of data can you lose and still sustain your business? 2) And how long can your business sustain until recovery must have happened? Those two above are business questions and must be discussed with /given by the business owners. Another overall topic that needs to be considered is: 3) What do I need to ensure to be compliant? (Depending on my industry and market operating in). Everything else derives from these business requirements.

Selecting the optimal backup types and methods involves a careful evaluation of your data retention requirements, recovery objectives, and resource constraints. By aligning backup strategies with the specific needs of your organization, you can strike a balance between data protection, operational efficiency, and recovery readiness. Regularly reviewing and testing your backup processes ensures the resilience and reliability of your data backup and recovery capabilities in the face of potential disruptions or data loss events. understanding the nuances of full, incremental, and differential backups empowers organizations to tailor their backup strategies to effectively safeguard data assets, mitigate risks, and expedite recovery processes.

Types de sauvegarde : Sauvegarde complète : Copie de l'ensemble des données. Sauvegarde incrémentielle : Copie des données modifiées depuis la dernière sauvegarde. Sauvegarde différentielle : Copie des données modifiées depuis la dernière sauvegarde complète. Méthodes de sauvegarde : Sauvegarde locale : Stockage sur un support physique sur place. Sauvegarde distante : Stockage des données hors site, souvent via le cloud. Sauvegarde automatisée : Planification automatisée des sauvegardes à intervalles réguliers. Sauvegarde miroir : Réplication en temps réel des données sur un autre emplacement.

As ferramentas de backup estão bem robustas atualmente no quesito de backup incremental, mas ainda considero importante realizar backups completos pelo menos a cada 3 ou 6 meses, dependendo da criticidade dos dados.

Technology has vast options: Full backup, incremental, virtual full backup, break in media or not. Air-Gap-Solutions.... But it really goes back to what RTO (and RPO) is needed? If RTO must be really low, Recovery from a full backup from different media (let say tape), is not the most fitting solution. If compliance demands a media break and RTO is not a major issue, tape is a very cost-efficient solution.

The subsequent step in selecting a backup strategy involves choosing backup types and methods that align with your backup goals and requirements. One classification method distinguishes between full, incremental, and differential backups. A full backup duplicates all data from source to destination, regardless of changes, requiring the most time and storage space. Incremental backups copy only changed data since the last backup, decreasing time and space requirements but increasing complexity and restoration risk. Conversely, a differential backup copies only changed data since the last full backup, offering a compromise between full and incremental backups, reducing time and space requirements, and simplifying the restoration process.

The 3-2-1 backup strategy is a fundamental approach to data protection, ensuring you have multiple copies of your data to prevent loss. It involves having at least 3 total copies of your data, 2 of which are local but on different devices (e.g., an external hard drive and a network-attached storage device), and 1 copy offsite, such as in the cloud or at a remote location. This method combines the benefits of local, remote, and cloud backups, mitigating risks like data corruption, hardware failure, and catastrophic events. By diversifying storage media and locations, the 3-2-1 strategy provides a robust defense against data loss, aligning with various backup types and methods to suit individual or organizational needs.

Escolher o local do backup pode ser uma tarefa difícil e exige conhecimento do negócio. Existem três opções: local, remoto e na nuvem. Cada um tem vantagens e desvantagens, principalmente na latência, custo e segurança. O local permite rapidez na restauração; o remoto propicia segurança e redundância; e a nuvem, mais escalabilidade, porém aumenta o custo. Latência demasiada pode ser um problema para uma empresa de e-commerce, por exemplo. Se o problema é complexo, vale a pena realizar um projeto piloto e testá-lo antes. Uma forma híbrida pode ser a solução. Nunca esquecer quais os planos de médio e longo prazos da empresa: eles podem impactar em aumento de capacidade de armazenamento (escalabilidade).

Devido a modalidade de ransomware, o melhor cenário é possuir backup local, remoto e na nuvem, sendo um deles obrigatoriamente imutável (preferencialmente o remoto).

The choice of media and backup-destination is, besides technological preference and commercial viability, a choice driven by compliance. Ensure to meet your needed compliance criteria if you want to choose cloud backup. And on the commercial side - As a rule-of-thumb: Backup to the cloud can be financially attractive if RTO is non of your problems and you have small amounts of data to recover. As usually Data-Ingress is inexpensive, while Data-Egress is much higher in cost than Data-Ingress. If no idea where to start, use the 3-2-1 rule: 3 copies of the data 2 different medias used 1 remote located copy of the data, at least

The third step in selecting a backup strategy is deciding on the backup media and location. Options include local, remote, and cloud backups. Local backups involve storing data on a physical device near the source, providing quick access but exposing data to risks like theft. Remote backups use a device in a different location, offering security but introducing latency. Cloud backups store data on a virtual device by a third-party provider, offering scalability but raising concerns about cost and privacy. Each option has trade-offs, requiring careful consideration of factors such as data security, accessibility, and compliance obligations.

Define backup frequency based on data volatility. Critical systems may require daily backups, while less volatile data can be backed up less frequently. Establish retention policies to balance storage costs with recovery needs.

This is driven by RTO and RPO, too. When both points are defined, it is a reverse calculation. Which technology can fulfill the criteria? What can we effort? And then balance criteria and commercial constraints.

Possuir um backup e não saber os tempos de restauração e se ele realmente funciona, é quase a mesma coisa que não possuir um backup. Testes de recuperação semanais aleatórios são indispensáveis, além dos testes do Plano de Recuperação de Desastres onde o backup é fundamental.

One of the points that we joke about in the industry: "It is a 'backup'-strategy, not a 'recovery'-strategy". But on a serious note: Without verifying backup, I do not see a way to comply with NIST SP 800-209, e.g. The choice of technology can partially help here. Some backup-solutions offer things like automatic verification of data stored on the backup-target.

Testar a efetividade do backup é primordial. Além de verificar se as expectativas serão atendidas (tempo de retomada do negócio, compliance dos dados, dados que, eventualmente, serão perdidos e outros aspectos) é uma excelente oportunidade para se testar o Plano de Gerenciamento de Crises e verificar se todos entendem seu papel diante de um incidente cibernético.

Regularly test backup restoration processes to verify data integrity and accessibility. Periodic drills help identify and address potential issues before a crisis occurs.

To optimize and improve your backup strategy: - Adhere to the 3-2-1 rule. - Automate backup processes to ensure consistency and minimize human error, aligning with your Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for timely data recovery. - Utilize storage optimization techniques like deduplication and compression to maximize efficiency and reduce storage costs. - Regularly test backup and recovery processes to validate their effectiveness and identify any weaknesses, ensuring they meet your RPO and RTO goals. - Stay updated on advancements in backup technologies and adjust your strategy accordingly to meet evolving business needs and technological trends.

Having backup is important, protecting the backup is equally importance to protect the back up from infected by malware ... Offline and Air-Gapped Backups: Store backups offline or on air-gapped systems that are physically isolated from the network. This prevents malware from accessing or infecting the backup data. Immutable Backups: Use technologies such as write-once read-many (WORM) storage or immutable storage solutions to create immutable backups that cannot be modified or deleted by malware. Backup Segregation: Segregate backup networks and infrastructure from production environments to minimize the risk of malware spreading from production systems to backup systems.

Prioritize data security by encrypting backups both in transit and at rest. Implement robust access controls to ensure that only authorized personnel can manage and restore backups.

Dentre os obstáculos para se implementar uma estratégia de backup está o convencimento da alta direção. Muitas vezes, sequer existe uma política de segurança da informação (PSI) que apoie essa iniciativa. É importante não se esquecer de sistemas legados que podem conter dados valiosos para a empresa. Devem ser mantidos guardados e segregados a fim de manter a confidencialidade e a privacidade desses dados. Assim, um bom argumento para convencer a alta direção são as sugestões da ISO 27000 quando se trata de backup e manutenção da confidencialidade, integridade e disponibilidade dos dados pessoais de acordo com a Lei Geral de Proteção de Dados (LGPD). O fato é que uma boa política de backup propicia boa resiliência e reputação ao negócio.

Manythings to be considered. Starting with the business needs, the criticallity of the data, and the capacity of your storage. Some data needs to have mirrored backup such as financial transactions, some data needs to have daily backup, and some not very critical needs weekly or monthly backup. It's good to use to type of backups to optimize the storage capacity (Incrimentail backup, and fullabckup) Set with stakeholders, define the needs then draft the backup policy get it approved, then publish the backup scheduel and procedure.