Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Revising Your Backup Strategy in 2023

Published 01/13/2023

Revising Your Backup Strategy in 2023

By Alex Vakulov

Data protection is an important task for any organization. Backups can protect not only from the loss of information but also from the suspension of the company's activities. What are the specifics of good backup strategies? What backup algorithms should you follow?

For every company, data is the most valuable asset. However, it can be lost for a variety of reasons. For example, data can be lost due to:

  • Human factor (accidental or intentional deletion).
  • Ransomware attack.
  • Hard drive failures.
  • Natural disasters.
  • Accidents at the organization's site (data center) or the inaccessibility of the entire site, including if it is located in another country.

At the same time, the data can be anywhere: “in the cloud” and “on the ground.” Data location does not guarantee protection against accidental deletion or other harmful factors.

Why backup data?

If you do not back up or do it untimely, then the main risk is the complete or partial loss of data or its inaccessibility for an indefinite period. When we talk about cloud security and various SaaS platforms, it should be noted that service providers offer the functionality of the software and guarantee the operability and security of the platform, but not the data itself (with rare exceptions). Therefore, any information may be accidentally or intentionally lost. It should also be noted that some providers offer a limited data retention period, so it is recommended to carefully study the relevant policy of the cloud solution provider in advance.

Even if your organization uses the services of a cloud provider, it still needs to carry out backups on its own. One option is Backup-as-a-Service (BaaS). In some cases, such a solution may have limited functionality – back up only to the cloud of the same provider that provides this service or provide insufficient backup granularity.

In any case, even when using the BaaS service for direct and prompt access to copies of protected data, it is recommended to have additional backups stored locally. A local backup guarantees data safety in the event of a physical failure of the equipment and its more rapid recovery.

How to choose backup storage?

The 3-2-1 backup rule explains the benefits of three copies of data or applications. Two copies are stored locally on the same site but on different media. The third copy is separated from the previous two, for example, kept in the cloud. Accordingly, if something happens to the first storage, then the data still remains in another storage in the data center. If access to the entire data center is lost, a backup copy remains in the cloud. In such a scenario, we can talk about the guaranteed safety of critical data.

When choosing local storage, it is worth considering the storage period and the speed of working with data. Depending on the company's internal regulations or local legislation, some data classes must remain in the organization for five or more years. In this case, enterprises often choose tape libraries for archiving since such data is rarely accessed.

If from time to time, it is necessary to access some data quickly, then higher-speed storage is needed. For example, in the event of incident analysis, the information security department must be able to quickly access the contents of the mailbox of a remote employee who was fired several years ago.

Peculiarities of the construction and operation of a backup system

There are two fundamental backup indicators: Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which must be taken into account while creating of a backup system.

The RPO indicator characterizes the maximum timeframe for which the company is ready to lose data. This means that in the event of an incident, data accumulated during the selected period can be lost. So, the backup frequency is adjusted based on this period.

The RTO indicator represents the time during which data or an information system will be unavailable. After an incident, data, an application, a virtual machine, or an OS needs to be restored. RTO is the time required for this process.

The RPO and RTO parameters are calculated individually depending on the category of data in terms of its importance to the business and the cost of restoring it, and whether it is a virtual machine, an application or an array, etc.

The most common mistake made in the operation of a backup system is the untimely updating of its regulations and tasks. As the company's IT infrastructure develops, the number of internal services, data, applications, etc., grows. However, the backup policies that were written several months or even years ago do not change. In this case, you may face data loss risks, problems with data integrity, or unacceptable downtime of a critical information system.

The second issue is the lack of data recovery testing. To ensure full recovery in the event of a disaster, tests must be carried out periodically, following all regulations.

Possible algorithm for building a backup system

  1. Analyze. It is recommended to analyze your infrastructure and determine what data, systems, and files need to be backed up. It is also desirable to build dependencies for information systems that will be subject to backup. Next - set the requirements for RTO and RPO.
  2. Register results. At this stage, there should already be complete analytics for each information system and its requirements. It is best if the results are presented in the form of a table. Based on this info, a backup strategy is developed.
  3. Select a backup vendor and solution. Once you have a complete understanding of all IS components to be backed up, it is recommended to determine the functionality of the future backup system. It must comply with the requirements formed at the previous stages and the developed strategy.
  4. Determine hardware requirements. After strategy development, the requirements for the hardware should be formed that include storage systems, tape libraries, servers, and other infrastructure elements. They are created based on a compiled list of information systems to be backed up, time and place of storage, as well as the number of backups and their type.
  5. Deployment of a backup system. When all elements are included in the infrastructure, the backup system software is installed, policies and tasks are created, the backup process starts, and troubleshooting is performed if any problems occur. This stage should prove that the backup process is working correctly and that everything is properly configured and comply with the regulations.

Do not forget that as the infrastructure grows, the backup system must also grow and develop.

Conclusion

Backing up critical data is a must for any company. It is advised to back up to several types of storage according to the “3-2-1” model: two copies on the local site but on different media, and the third copy goes to the cloud.

When building a backup system, two indicators should be taken into account: RTO and RPO, which are calculated individually depending on the category of data in terms of its importance to the business and the cost of its restoration. It is also recommended not to forget about the timely updating of regulations and backup system testing.

The algorithm for building a backup system consists of five points: infrastructure analysis, registration of audit results, backup vendor selection, formation of requirements for hardware, and the actual deployment of the system.


About the Author

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.

Share this content on your favorite social network today!