How do you choose the best backup strategy for your data?
Data is one of the most valuable assets of any organization, and losing it can have serious consequences for business continuity, reputation, and compliance. That's why having a reliable backup strategy is essential for information security management. But how do you choose the best backup strategy for your data? In this article, we'll explore some key factors and options to consider when planning and implementing your data backup and restore process.
- Shady Shaker, CISM, PMP, Prince2 Agile, MSP, ISO27001 Snr lead implementer
- Cristiano Maynart Pereira, CISO - Chief Information Security Officer at APESC/UNISC/Hospital Santa Cruz - Member of the Instituto Brasileiro de…
- Umang Mehta, 25x LinkedIn Top Voice 🏆 | Global Delivery Head | CISO | CISA | Global Thought Leader Top 10 IT Leadership | Global…
When selecting a backup strategy, it is important to define your backup goals and requirements. These may differ based on the type and amount of data, the frequency and speed of modifications, legal and regulatory requirements, and the budget and resources available. Common backup goals and requirements include data availability, data integrity, data security, and data retention. Data availability refers to how quickly and easily you can access and restore your data in case of a disaster, outage, or corruption. Data integrity looks at how accurate and consistent your backup data is compared to the original data. Data security focuses on how well your backup data is protected from unauthorized access, modification, or deletion. Lastly, data retention looks at how long you need to keep your backup data for compliance or audit purposes.
-
Some ways to get started:
- Start with a business impact assessment to have a critical list of assets, RPO and RTO
- Define the backup solution
- Define the backup strategy and method (full, incremental, differential) according to the RTO and RPO provided by the asset owner
- Regularly review the backup report to check for failed backups
- Regularly do restore tests to ensure the backup succeeds
-
Instead of stating the best backup strategy plan, let's say affordable and key considerations. Choosing the backup strategy for data depends on various factors, including the type of data, importance, budget, and compliance. Considering the following factors, you can decide the backup strategy that fits the organization:
1. Identify critical data in line with business strategy
2. Backup frequency, backup locations, automate backups & redundancy
3. Versioning & security measures
4. Testing and validation
5. Scalability, user accessibility & cost considerations
6. Compliance requirements
7. DR plan, monitor and update
As I always recommend, choose the solution by performing a demo or free trial; that will provide visibility to the organization.
-
Classify your data based on importance and sensitivity. Prioritize critical information, ensuring it receives more frequent and secure backups. This approach helps allocate resources efficiently.
-
Backup objectives: ensure data availability. Prevent data loss in the event of a disaster. Facilitate fast recovery in case of failure. Backup requirements: a regular backup plan. Secure storage of backup copies. Periodic restoration testing to guarantee data integrity. Compliance with privacy and security policies.
-
Back in the EMC days our first question when consulting clients was: What is your desired recovery point objective (RPO)? And what is your desired recovery time objective (RTO)? Translating this into understandable words: 1) What amount of data can you lose and still sustain your business? 2) And how long can your business sustain until recovery must have happened? Those two above are business questions and must be discussed with / given by the business owners. Another overall topic that needs to be considered is: 3) What do I need to ensure to be compliant? (Depending on the industry and market I am operating in.) Everything else derives from these business requirements.
The next step in choosing a backup strategy is to select the backup types and methods that best suit your backup goals and requirements. One common classification distinguishes full, incremental, and differential backups. A full backup copies all the data from the source to the destination, whether or not it has changed; it is the simplest to restore from, but it takes the longest and consumes the most storage space. An incremental backup copies only the data changed since the last backup of any type, which reduces backup time and storage, but a restore then depends on the full backup plus every subsequent incremental set in the chain, so one lost or corrupted set breaks the restore. A differential backup copies only the data changed since the last full backup, so each differential grows until the next full backup, but a restore needs only the last full backup and the latest differential, which keeps the restore simpler than an incremental chain while still saving time and space compared with daily full backups.
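To make the trade-off concrete, the following simulation (an added example, not code from the article) runs a daily full, incremental and differential job over a constructed set of file snapshots, counts how much each chain stores, and shows how many backup sets a day-3 restore must read. The `lost` parameter simulates an unreadable set, which is where the incremental chain's restore risk shows up. All file names, contents and the "one storage unit per file" accounting are constructed for illustration.

```python
"""Simulate full, incremental and differential backup chains over daily
snapshots, and show what each restore needs and what a lost set does.

Added example, not code from the article. The snapshots and the "one unit
of storage per file" accounting are constructed for illustration."""

# Constructed daily states of a small file set; day 0 is when the full backup runs.
SNAPSHOTS = [
    {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},                 # day 0
    {"a.txt": "a1", "b.txt": "b0", "c.txt": "c0"},                 # day 1: a changed
    {"a.txt": "a1", "b.txt": "b2", "c.txt": "c0"},                 # day 2: b changed
    {"a.txt": "a1", "b.txt": "b2", "c.txt": "c3", "d.txt": "d3"},  # day 3: c changed, d added
]


def changed_since(current, reference):
    """Files that are new or modified relative to `reference` (deletions ignored)."""
    return {name: data for name, data in current.items() if reference.get(name) != data}


def build_chain(snapshots, mode):
    """Produce the backup sets a daily job would write under the given mode."""
    sets = [{"kind": "full", "files": dict(snapshots[0])}]
    for day in range(1, len(snapshots)):
        if mode == "full":
            files = dict(snapshots[day])                               # everything, every day
        elif mode == "incremental":
            files = changed_since(snapshots[day], snapshots[day - 1])  # since the last backup
        elif mode == "differential":
            files = changed_since(snapshots[day], snapshots[0])        # since the last full
        else:
            raise ValueError(mode)
        sets.append({"kind": mode, "files": files})
    return sets


def restore(sets, day, lost=()):
    """Rebuild the state of `day`. Returns (state, number_of_sets_needed).

    `lost` holds indices of sets that are unreadable (simulated media failure);
    the restore proceeds with what it has, which is how stale data gets restored."""
    kind = sets[day]["kind"]
    if kind == "full":
        needed = [day]                      # one set is enough
    elif kind == "incremental":
        needed = list(range(day + 1))       # full plus every incremental up to `day`
    else:
        needed = [0, day]                   # full plus the latest differential
    state = {}
    for i in needed:
        if i in lost:
            continue
        state.update(sets[i]["files"])
    return state, len(needed)


def storage_units(sets):
    """Total files written across the chain (a proxy for backup storage)."""
    return sum(len(s["files"]) for s in sets)


if __name__ == "__main__":
    for mode in ("full", "incremental", "differential"):
        chain = build_chain(SNAPSHOTS, mode)
        state, needed = restore(chain, 3)
        print(f"{mode:12s} storage={storage_units(chain):2d} "
              f"sets_for_day3_restore={needed} correct={state == SNAPSHOTS[3]}")
    # Lose day 2's set: the incremental restore silently comes back stale,
    # the differential restore is unaffected.
    inc_state, _ = restore(build_chain(SNAPSHOTS, "incremental"), 3, lost={2})
    print("incremental restore with day-2 set lost still correct:", inc_state == SNAPSHOTS[3])
```

On these constructed snapshots the full chain stores 13 units and restores from one set, the incremental chain stores 7 units but needs four sets, and the differential chain stores 10 units and needs two; losing day 2's set leaves the incremental restore with yesterday's `b.txt` and no error, which is the failure mode a restore test is meant to catch.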
-
Selecting the optimal backup types and methods involves a careful evaluation of your data retention requirements, recovery objectives, and resource constraints. By aligning backup strategies with the specific needs of your organization, you can strike a balance between data protection, operational efficiency, and recovery readiness. Regularly reviewing and testing your backup processes ensures the resilience and reliability of your data backup and recovery capabilities in the face of potential disruptions or data loss events. Understanding the nuances of full, incremental, and differential backups empowers organizations to tailor their backup strategies to effectively safeguard data assets, mitigate risks, and expedite recovery processes.
-
Backup types: full backup: a copy of all the data. Incremental backup: a copy of the data modified since the last backup. Differential backup: a copy of the data modified since the last full backup. Backup methods: local backup: storage on a physical medium on site. Remote backup: storage of the data off site, often via the cloud. Automated backup: automated scheduling of backups at regular intervals. Mirror backup: real-time replication of the data to another location.
-
Backup tools are quite robust nowadays when it comes to incremental backups, but I still consider it important to run full backups at least every 3 or 6 months, depending on the criticality of the data.
-
Robert Rolle
Specialized Sales Cybersecurity | Coach for Security in Communication and Emotion
Technology has vast options: full backup, incremental, virtual full backup, break in media or not, air-gap solutions... But it really goes back to what RTO (and RPO) is needed. If RTO must be really low, recovery from a full backup from different media (let's say tape) is not the most fitting solution. If compliance demands a media break and RTO is not a major issue, tape is a very cost-efficient solution.
-
The subsequent step in selecting a backup strategy involves choosing backup types and methods that align with your backup goals and requirements. One classification method distinguishes between full, incremental, and differential backups. A full backup duplicates all data from source to destination, regardless of changes, requiring the most time and storage space. Incremental backups copy only changed data since the last backup, decreasing time and space requirements but increasing complexity and restoration risk. Conversely, a differential backup copies only changed data since the last full backup, offering a compromise between full and incremental backups, reducing time and space requirements, and simplifying the restoration process.
The third step in choosing a backup strategy is to decide on the backup media and location that best suit your backup types and methods. There are various options for backup media and location, but one common distinction is between local, remote, and cloud backups. Local backups store the data on a physical device near the source, providing fast and easy backup and restore but also exposing the data to risks such as theft or power failure. Remote backups store the data on a physical device in a different location, offering more security and redundancy but also introducing more latency and complexity. Cloud backups store the data on a virtual device hosted by a third-party service provider, offering scalability and flexibility but raising issues of cost, privacy, and compliance due to the service level agreement and legal jurisdiction of the provider.
-
The 3-2-1 backup strategy is a fundamental approach to data protection, ensuring you have multiple copies of your data to prevent loss. It involves having at least 3 total copies of your data, 2 of which are local but on different devices (e.g., an external hard drive and a network-attached storage device), and 1 copy offsite, such as in the cloud or at a remote location. This method combines the benefits of local, remote, and cloud backups, mitigating risks like data corruption, hardware failure, and catastrophic events. By diversifying storage media and locations, the 3-2-1 strategy provides a robust defense against data loss, aligning with various backup types and methods to suit individual or organizational needs.
-
Choosing the backup location can be a difficult task and requires knowledge of the business. There are three options: local, remote and cloud. Each has advantages and disadvantages, mainly in latency, cost and security. Local allows fast restoration; remote provides security and redundancy; and the cloud provides more scalability, but increases cost. Excessive latency can be a problem for an e-commerce company, for example. If the problem is complex, it is worth running a pilot project and testing it first. A hybrid approach may be the solution. Never forget the company's medium- and long-term plans: they may lead to an increase in storage capacity (scalability).
-
Because of ransomware, the best scenario is to have local, remote and cloud backups, with one of them mandatorily immutable (preferably the remote one).
-
Robert Rolle
Specialized Sales Cybersecurity | Coach for Security in Communication and Emotion
The choice of media and backup destination is, besides technological preference and commercial viability, a choice driven by compliance. Ensure you meet your needed compliance criteria if you want to choose cloud backup. And on the commercial side, as a rule of thumb: backup to the cloud can be financially attractive if RTO is none of your problems and you have small amounts of data to recover, as usually data ingress is inexpensive, while data egress is much higher in cost than data ingress. If you have no idea where to start, use the 3-2-1 rule:
- 3 copies of the data
- 2 different media used
- 1 remotely located copy of the data, at least
-
The third step in selecting a backup strategy is deciding on the backup media and location. Options include local, remote, and cloud backups. Local backups involve storing data on a physical device near the source, providing quick access but exposing data to risks like theft. Remote backups use a device in a different location, offering security but introducing latency. Cloud backups store data on a virtual device by a third-party provider, offering scalability but raising concerns about cost and privacy. Each option has trade-offs, requiring careful consideration of factors such as data security, accessibility, and compliance obligations.
When selecting a backup strategy, the fourth step is to decide on the frequency and schedule that best meets your backup types and methods. This depends on how often and how much your data changes, as well as your tolerance for data loss. Common frequency and schedule options include daily backups, which are done once every 24 hours, usually at the end of the day or during off-peak hours. This provides a reasonable level of data protection, but it also means you could lose up to one day of data in case of a disaster. Hourly backups are done once every hour, usually at the beginning or end of the hour, offering a higher level of data protection but requiring more resources and bandwidth. Lastly, continuous backups are done as soon as any data changes, often in real-time or near-real-time, providing the highest level of data protection but demanding the most resources and bandwidth.
-
Define backup frequency based on data volatility. Critical systems may require daily backups, while less volatile data can be backed up less frequently. Establish retention policies to balance storage costs with recovery needs.
-
This is driven by RTO and RPO, too. When both points are defined, it is a reverse calculation. Which technology can fulfill the criteria? What can we afford? And then balance criteria and commercial constraints.
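The 3-2-1 rule discussed above and the "reverse calculation" from RPO and RTO can both be expressed as checks over an inventory of copies. The following script is an added example, not code from the article or any product: it takes a constructed inventory (a primary volume, a NAS snapshot, a daily cloud copy and a weekly tape), tests it against 3-2-1, and compares the best achievable recovery point and recovery time with the targets the business owner gave. The 3-2-1 count includes the primary copy, as in the rule quoted above. The measured restore times, the "age of last successful job" figures (what the backup report would show) and the RPO/RTO targets are all constructed.

```python
"""Check a backup inventory against the 3-2-1 rule and against the RPO/RTO
handed over by the business owner. Added example, not from the article; the
inventory, the measured restore times and the thresholds are constructed."""
from dataclasses import dataclass


@dataclass
class Copy:
    name: str
    media: str                          # "disk", "tape", "object-storage", ...
    offsite: bool
    primary: bool = False
    interval_hours: float = 0.0         # backup schedule; 0 for the primary copy
    restore_hours: float = 0.0          # restore time measured in the last restore test
    last_success_age_hours: float = 0.0 # age of the last successful job (backup report)


def check_321(copies):
    """Return the list of 3-2-1 violations (empty means compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(sorted(media))}), need 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def check_objectives(copies, rpo_hours, rto_hours):
    """Compare the best achievable recovery point and time with the targets.

    Worst-case data loss is bounded by the shortest backup interval, but only
    while jobs keep succeeding: a copy whose last success is older than its
    interval widens the window, which is why the backup report is read too."""
    backups = [c for c in copies if not c.primary]
    problems = []
    effective = {}
    for c in backups:
        # real exposure is the larger of the schedule and the actual staleness
        effective[c.name] = max(c.interval_hours, c.last_success_age_hours)
        if c.last_success_age_hours > c.interval_hours:
            problems.append(f"{c.name}: last success {c.last_success_age_hours}h ago, "
                            f"exceeds its {c.interval_hours}h interval")
    best_rpo = min(effective.values())
    best_rto = min(c.restore_hours for c in backups)
    if best_rpo > rpo_hours:
        problems.append(f"best achievable RPO {best_rpo}h exceeds target {rpo_hours}h")
    if best_rto > rto_hours:
        problems.append(f"best achievable RTO {best_rto}h exceeds target {rto_hours}h")
    return best_rpo, best_rto, problems


# Constructed inventory for a hypothetical system whose owner asked for RPO 4h, RTO 2h.
INVENTORY = [
    Copy("production volume", "disk", offsite=False, primary=True),
    Copy("NAS hourly snapshot", "disk", offsite=False, interval_hours=1,
         restore_hours=0.5, last_success_age_hours=0.5),
    Copy("cloud daily", "object-storage", offsite=True, interval_hours=24,
         restore_hours=8, last_success_age_hours=30),   # yesterday's job failed
    Copy("tape weekly", "tape", offsite=True, interval_hours=168,
         restore_hours=24, last_success_age_hours=72),
]

if __name__ == "__main__":
    print("3-2-1:", check_321(INVENTORY) or "ok")
    rpo, rto, issues = check_objectives(INVENTORY, rpo_hours=4, rto_hours=2)
    print(f"best achievable RPO={rpo}h, RTO={rto}h")
    for issue in issues:
        print(" -", issue)
```

Note that the inventory passes 3-2-1 and meets both targets only because of the local NAS copy; the offsite copies alone would give a 24-hour RPO and an 8-hour RTO, and the failed cloud job is flagged from the report data rather than from the schedule, which matches the earlier advice to review backup reports for failed jobs.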
Verifying and testing your backup data is the fifth step in choosing a backup strategy. This involves assessing the integrity, availability, security, and retention of your backup data, as well as simulating different scenarios of data loss and recovery. Backup validation is used to ensure that your backup data is complete, consistent, and accurate compared to the source data. It can be done manually or automatically, with checksums, hashes, or other tools. Backup restoration verifies that your backup data can be accessed and restored in case of a disaster or outage. It can be done partially or fully, with different backup types and methods. Finally, a backup audit checks that your backup data complies with legal and regulatory obligations as well as internal policies and standards. It can be done periodically or randomly using logs, reports, or other evidence.
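Backup validation with hashes, as the paragraph describes it, comes down to recording a digest of every file when the backup is taken and comparing a restored tree against that record. The script below is an added example, not code from the article or any backup product: it builds a SHA-256 manifest of a constructed source tree in a temporary directory, "restores" it with a plain copy, then simulates the three things a restore test should catch (a silently modified file, a file that never made it, and an extra file that was never backed up) and reports each category. File names and contents are constructed.

```python
"""Build a SHA-256 manifest of a backup source and verify a restored copy
against it. Added example, not the article's; the sample files are created
in a temporary directory and the tampering is simulated."""
import hashlib
import pathlib
import shutil
import tempfile


def sha256_file(path, block=65536):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest taken at backup time.

    Returns {"ok": [...], "modified": [...], "missing": [...], "extra": [...]}."""
    current = build_manifest(restored_root)
    report = {"ok": [], "modified": [], "missing": [], "extra": []}
    for name, digest in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["extra"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Create a constructed source, back it up, break the copy in three ways, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp, "source")
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'ok');\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        (src / "notes.txt").write_text("keep me\n")
        manifest = build_manifest(src)                  # stored alongside the backup

        dst = pathlib.Path(tmp, "restored")
        shutil.copytree(src, dst)                       # the "restore"
        (dst / "config.ini").write_text("[app]\nmode=debug\n")  # silent corruption
        (dst / "notes.txt").unlink()                    # file never made it back
        (dst / "stray.tmp").write_text("?")             # present, but never backed up
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {names}")
```

The manifest has to be stored with the backup and, ideally, signed or kept on a separate medium: if it sits only on the same writable share as the data, whatever corrupts or encrypts the data can rewrite the manifest too.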
-
Having a backup and not knowing the restoration times and whether it actually works is almost the same as not having a backup. Random weekly recovery tests are indispensable, in addition to the Disaster Recovery Plan tests in which the backup is fundamental.
-
Robert Rolle
Specialized Sales Cybersecurity | Coach for Security in Communication and Emotion
One of the points that we joke about in the industry: "It is a 'backup' strategy, not a 'recovery' strategy". But on a serious note: without verifying backups, I do not see a way to comply with NIST SP 800-209, e.g. The choice of technology can partially help here. Some backup solutions offer things like automatic verification of data stored on the backup target.
-
Testing the effectiveness of the backup is paramount. Besides verifying whether expectations will be met (time to resume the business, data compliance, data that may eventually be lost, and other aspects), it is an excellent opportunity to test the Crisis Management Plan and verify that everyone understands their role in the face of a cyber incident.
-
Regularly test backup restoration processes to verify data integrity and accessibility. Periodic drills help identify and address potential issues before a crisis occurs.
The sixth step in choosing a backup strategy is to continuously optimize and improve your process to meet changing needs and expectations. This involves monitoring, evaluating, and adjusting your goals and requirements, types and methods, media and location, frequency and schedule, verification and testing, as well as resolving any issues or gaps. Backup performance can be measured using metrics, benchmarks, or feedback to ensure data availability, integrity, security, and retention. Additionally, backup efficiency can be improved by utilizing compression, deduplication, encryption, or other tools to use resources more effectively. Finally, backup innovation should be considered by researching new technologies, trends or opportunities such as cloud computing, artificial intelligence or blockchain.
-
To optimize and improve your backup strategy:
- Adhere to the 3-2-1 rule.
- Automate backup processes to ensure consistency and minimize human error, aligning with your Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for timely data recovery.
- Utilize storage optimization techniques like deduplication and compression to maximize efficiency and reduce storage costs.
- Regularly test backup and recovery processes to validate their effectiveness and identify any weaknesses, ensuring they meet your RPO and RTO goals.
- Stay updated on advancements in backup technologies and adjust your strategy accordingly to meet evolving business needs and technological trends.
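Deduplication, mentioned in the article and in the list above as a storage optimization, is usually content-addressed: data is cut into chunks, each chunk is named by its hash, and a chunk already in the store is never written twice. The following is an added example, not code from the article or any backup product, that implements fixed-size chunking with SHA-256 over two constructed versions of a file, reports the deduplication ratio, and verifies each chunk's digest on restore so a corrupted chunk is detected rather than silently reassembled. The chunk size and the sample data are constructed.

```python
"""Fixed-size chunk deduplication with SHA-256 content addressing, the idea
behind storing only changed blocks. Added example, not from the article or
any product; the chunk size and the sample data are constructed."""
import hashlib

CHUNK = 4096


class ChunkStore:
    """Content-addressed store: identical chunks are written once."""

    def __init__(self):
        self.chunks = {}        # digest -> bytes
        self.ingested = 0       # total bytes handed to put()

    def put(self, data):
        """Store data; return the recipe (ordered digests) needed to rebuild it."""
        recipe = []
        for off in range(0, len(data), CHUNK):
            piece = data[off:off + CHUNK]
            digest = hashlib.sha256(piece).hexdigest()
            self.chunks.setdefault(digest, piece)     # no-op if already present
            recipe.append(digest)
        self.ingested += len(data)
        return recipe

    def get(self, recipe):
        """Rebuild an object from its recipe, re-checking each chunk's digest on read."""
        out = bytearray()
        for digest in recipe:
            piece = self.chunks[digest]
            if hashlib.sha256(piece).hexdigest() != digest:
                raise ValueError(f"chunk {digest[:12]} corrupted in store")
            out += piece
        return bytes(out)

    def stored_bytes(self):
        return sum(len(p) for p in self.chunks.values())

    def ratio(self):
        """Ingested bytes per stored byte; 1.0 means nothing was deduplicated."""
        return self.ingested / self.stored_bytes()


def make_version(tag):
    """Constructed file: three chunks shared by every version plus one that differs."""
    shared = b"".join(bytes([i]) * CHUNK for i in range(3))
    return shared + tag * CHUNK


if __name__ == "__main__":
    store = ChunkStore()
    day1 = store.put(make_version(b"x"))   # first backup: 4 new chunks
    day2 = store.put(make_version(b"y"))   # next day: only the changed chunk is new
    print("stored chunks:", len(store.chunks), "dedup ratio:", store.ratio())
    print("day 2 restores intact:", store.get(day2) == make_version(b"y"))
```

Two points follow from the design: deduplication must run before encryption, because encrypting each backup with a fresh key or IV turns identical chunks into different ciphertexts and the ratio collapses to 1.0; and because every object shares chunks, a single corrupted chunk affects every backup that references it, which is why the read path re-hashes and why the store itself needs its own integrity checks and an immutable or offsite copy.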
-
Having a backup is important; protecting the backup is equally important, so that the backup itself does not get infected by malware.
- Offline and air-gapped backups: store backups offline or on air-gapped systems that are physically isolated from the network. This prevents malware from accessing or infecting the backup data.
- Immutable backups: use technologies such as write-once read-many (WORM) storage or immutable storage solutions to create immutable backups that cannot be modified or deleted by malware.
- Backup segregation: segregate backup networks and infrastructure from production environments to minimize the risk of malware spreading from production systems to backup systems.
-
Prioritize data security by encrypting backups both in transit and at rest. Implement robust access controls to ensure that only authorized personnel can manage and restore backups.
-
Among the obstacles to implementing a backup strategy is convincing senior management. Often there is not even an information security policy (PSI) to support this initiative. It is important not to forget legacy systems that may contain data valuable to the company. They must be kept stored and segregated in order to maintain the confidentiality and privacy of that data. Thus, a good argument for convincing senior management is the guidance of ISO 27000 when it comes to backup and maintaining the confidentiality, integrity and availability of personal data in accordance with the Lei Geral de Proteção de Dados (LGPD). The fact is that a good backup policy gives the business good resilience and a good reputation.
-
Many things need to be considered, starting with the business needs, the criticality of the data, and the capacity of your storage. Some data needs to have a mirrored backup, such as financial transactions; some data needs to have a daily backup; and some, not very critical, needs a weekly or monthly backup. It's good to use two types of backups to optimize the storage capacity (incremental backup and full backup). Sit with stakeholders, define the needs, then draft the backup policy and get it approved, then publish the backup schedule and procedure.