Despite organisations becoming increasingly data-driven, attitudes towards backup have not necessarily kept pace.
Even in the age of big data, real-time operations keep the focus on processing data now, rather than its long-term value. Everything is captured, but not everything is properly protected against loss or corruption.
Indeed, 40% of organisations currently have inadequate backup, or are unable to meet their SLA obligations¹. Clearly this is a significant problem that has major implications– but just 33% have a plan to improve security risk and governance². A system outage will cost them dearly, in terms of lost productivity, reduced client satisfaction and large fines if the outage results in unauthorised data exposure or theft.
This guide will help you understand the principles of data protection. We also explain some of the terminology you will encounter when speaking to vendors, so you are better able to understand their solutions.
So where do you start?
Backup is not just a “nice-to-have” function. Nor should it be a bolt-on afterthought. Backup needs to be a critical aspect of your strategy, allowing you to maintain or resume operations in the event of a system outage or similar. It’s likely that you’ll have some provision in place, but when was the last time you reviewed your backup and data protection strategy?
Given the statistics we looked at earlier, and the widespread move to hybrid and remote working, is the strategy still fit for purpose? A good starting point could be a backup health check to determine your current state of affairs. It will help you identify all your workloads and progress you naturally to the next step.
Some datasets and applications are more important than others to your operations. In a disaster recovery scenario, you will need to prioritise recovery so that line-of-business operations can resume as quickly as possible.
The fact that not all data is equally valuable means that backup strategies are becoming increasingly granular, so you need backup solutions to support that granularity, rather than trying to determine a single target to cover the entire IT estate.
And don’t forget to consider the data stored in the various cloud-based SaaS services that your organisation uses. Easily overlooked details such as emails and files held in Microsoft 365 need to be protected against loss too. It’s a common misconception that Microsoft 365 backup is built-in to the product, but sadly that’s not the case, with Microsoft merely guaranteeing the availability of the service, not retention of your data. It’s a concern that a recent survey found that 67% of users are completely reliant on the built-in Microsoft 365 backup mechanisms – even though they know this feature does not provide the granularity and control they need³.
When looking at prioritisation, there are some key factors to consider, Recovery Point Objectives and Recovery Time Objectives. These will affect where backups will be stored and be influenced by how long they need to be kept for.
Recovery Point Objective (RPO)
The RPO defines how much data your organisation is prepared to lose in the event of a failure. If you take one backup every day, your business stands to lose up to 24 hours’ worth of data. Mission-critical applications may need to be set to replicate in real-time, reducing the RPO to a matter of seconds.
Recovery Time Objective (RTO)
The RTO is the amount of time your organisation is prepared to allow to get systems back up and running after a failure. For example, for mission-critical systems, the RTO likely needs to be quite short so that operations are restored quickly.
43% of businesses reported they had suffered unrecoverable data loss at least once in the
The most common reasons for this loss were gaps between backups and corrupted data caused by malware and ransomware. Regardless of the cause, any loss is concerning in the age of data-driven operations and ever stronger privacy laws.
Some other key terms that it would help to be familiar with, if you're not already:
Despite being essential to many mission-critical processes, the Internet also poses one of the most significant risks to your operations. Any system – including backups – that is connected to the Internet is a potential attack surface for cybercriminals.
An air gap recovery strategy is designed to keep a backup copy of your data that is stored completely offline so that it cannot be stolen, accessed or tampered with in any way. It is worth noting that a true air gapped system is completely separate from not only the Internet, but also the internal network too.
Historically, backup tapes provide a physical air gap; the data cannot be accessed without putting the tape into a drive – and the tape is typically stored off-site too. These days it is possible to achieve virtual air gap equivalent using cloud services (data is stored offsite, physically separate from your network) and immutability.
Replication in real-time carries the very real risk of copying more than just your data. Ransomware is designed to encrypt the files it touches; replicating malware could potentially compromise your backup sets.
Immutable backups are a read-only copy of your data that cannot be overwritten or altered. Ransomware cannot encrypt files, nor can they be accidentally altered or deleted. This means that your backup set will always be accurate and unchanged from the moment it is copied.
Modern data protection solutions go a step further. Instead of using standard protocols like NFS and SMB, they operate a zero-trust cluster – the only way to read or write data is through authenticated APIs. Unauthorised parties simply cannot access the data in any way.
Some backup products offer a ‘retention lock’ feature. The retention lock is a software policy that sets your backups to be immutable for a specified period – or indefinitely. This feature can help with governance and compliance, providing extra peace of mind that you’re adhering to your industry and organisational requirements.
What's the plan?
Principles are helpful – but they need to be put into practice. With priority data and workloads identified, and an undersanding of what the key terms mean, you must now begin mapping out your backup and recovery plan.
Despite its mission-critical status, data protection is still subject to budgetary constraints. It’s not financially viable – or necessarily desirable – to place all your backup sets on high-performance platforms targeted at your most important workloads.
Instead, you should choose the most appropriate backup medium for your RTOs. Lowest priority, archive data can be backed up to a slower, cheaper medium like tape or a cold-storage cloud service. Higher priority workloads need to be saved on an appropriate medium such as SAS or SSD to provide the recovery time required.
It’s also vital to consider how your data protection plan will protect the data captured. Threats like ransomware can propagate into your replicated data, rendering it similarly unusable. Storing backups on medium that can be made immutable is a key part to planning. Once the backups have been written, they cannot be overwritten nor appended to, keeping them safe from attacks and complying to your organisation’s retention requirements.
Retention typically defines how long you keep your backup sets. Historically, backup tapes would be recirculated weekly, with a complete backup set archived in cold storage on a regular basis, such as once per month.
Although the cost of storage continues to fall, retention is increasing in importance once again. The pay-as-you-use model means that every gigabyte of cloud storage used will be billed, even if the data is rarely/never accessed. This raise questions - do you really need to keep everything? Or can you really afford to keep increasing on-premises data centre capacity to retain archived data indefinitely?
There are also questions relating to personal data protection - you are not legally permitted to retain information for any longer than is necessary. Even records held on forgotten archives in cold storage must be removed at the individual’s request.
But backup is just half of the data protection story...
As well as planning your backups, you also need to define the mechanisms for recovering systems in the event of an incident. Your recovery plan will need to address several factors, including:
Answering these questions will help you to develop a workable recovery plan. But a little bit of extra help never hurts...
What can you automate?
While drawing up the recovery plan, you will quickly realise just how many moving parts there are. Even with the best recovery plan, your IT team will likely be stretched beyond their limits to ensure everything proceeds as expected.
Modern data protection solutions typically offer the ability to automate recovery workflows and automation. This will allow your team to initiate a recovery protocol that performs at least some of the low-level administration tasks automatically. This frees internal resources to deal with other issues, such as legacy applications that require greater manual intervention.
Similar functionality should also be available to automate backup tasks from within your systems management tools to help simplify and accelerate administration.
Where is your data stored?
Proper data protection relies on ensuring you always have an RTO-compliant copy of your data available for recovery. For many years businesses have followed the 3-2-1 rule:
The number of copies of data you need; the production copy and two additional versions for backup.
Each backup copy should be stored on a different media to ensure you are still protected in the event that the production copy and one of the backups is corrupted or fails.
At least one of the backup copies should be taken offsite so you can recover your systems in the event of a localised disaster that physically damages the other two copies.
Cloud backup services
Cloud backup services can help to simplify the 3-2-1 rule by being one of the two different media and storing data offsite. But, however you choose to proceed, this rule provides a useful guide for how to plan where your data is stored.
Many organisations are already using cloud extensively for backup purposes. Online backup and recovery claims the largest proportion of hosted spend, accounting for 13% of total cloud budgets².
Does the plan work?
Ideally, you never want to have to execute the disaster recovery element of your data protection plan. But you do need to be sure that the plan works as expected. You should run regular tests to confirm:
Testing the plan provides an opportunity to identify shortcomings and blind spots in advance. Discovering issues during a real data recovery incident will delay recovery and stretch resources even further, potentially jeopardising the entire operation.
Can you improve?
Your data protection strategy is not a one-off, checkbox exercise. Your IT environment is constantly evolving and changing, so you will need to review and revise your plans periodically to ensure that systems are properly protected against loss at all times.
Once fundamental backup and recovery functions are sorted, you should be constantly looking for ways to optimise and improve.
Data protection will always be a vital aspect of your corporate strategy. From managing your localised disaster response to better defending against cybercrime, technology continues to develop and evolve to meet your changing needs.
At the same time, attitudes and approaches to backup and recovery need to change. Legislation like the General Data Protection Act (GDPR) place a heavy responsibility on organisations to better protect their data assets against loss, theft or accidental exposure. This should serve as a warning that backup cannot be regarded as a ‘nice-to-have’ function – it is actually crucial to protecting your organisation and your customers.
Hosted services and cloud platforms offer new ways to accelerate and enhance your data protection provisions. From simplifying the process of storing data offsite, to powerful new tools that prevent backed up data from being compromised, it has never been easier to replicate data – or to quickly recover from a significant system outage.
On a positive note, just 8.6% of respondents to a recent survey said they have no intention of modernising their data protection provisions4 – which means that the vast majority are on the road to a more secure, reliable computing future.
If you’re looking to kickstart your backup modernisation programme, or simply want to get an idea of areas you might need to improve, take advantage of our free backup health check. You can get impartial advice from seasoned experts and delve into some of the areas we’ve covered in this eBook in more detail. Find out more and book a free, half day workshop today.