Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Revising Your Backup Strategy in 2023

Home
Industry Insights
Revising Your Backup Strategy in 2023

Blog Article Published: 01/13/2023

By Alex Vakulov

Data protection is an important task for any organization. Backups can protect not only from the loss of information but also from the suspension of the company's activities. What are the specifics of good backup strategies? What backup algorithms should you follow?

For every company, data is the most valuable asset. However, it can be lost for a variety of reasons. For example, data can be lost due to:

  • Human factor (accidental or intentional deletion).
  • Ransomware attack.
  • Hard drive failures.
  • Natural disasters.
  • Accidents at the organization's site (data center) or the inaccessibility of the entire site, including if it is located in another country.

At the same time, the data can be anywhere: “in the cloud” and “on the ground.” Data location does not guarantee protection against accidental deletion or other harmful factors.

Why backup data?

If you do not back up or do it untimely, then the main risk is the complete or partial loss of data or its inaccessibility for an indefinite period. When we talk about cloud security and various SaaS platforms, it should be noted that service providers offer the functionality of the software and guarantee the operability and security of the platform, but not the data itself (with rare exceptions). Therefore, any information may be accidentally or intentionally lost. It should also be noted that some providers offer a limited data retention period, so it is recommended to carefully study the relevant policy of the cloud solution provider in advance.

Even if your organization uses the services of a cloud provider, it still needs to carry out backups on its own. One option is Backup-as-a-Service (BaaS). In some cases, such a solution may have limited functionality – back up only to the cloud of the same provider that provides this service or provide insufficient backup granularity.

In any case, even when using the BaaS service for direct and prompt access to copies of protected data, it is recommended to have additional backups stored locally. A local backup guarantees data safety in the event of a physical failure of the equipment and its more rapid recovery.

How to choose backup storage?

The 3-2-1 backup rule explains the benefits of three copies of data or applications. Two copies are stored locally on the same site but on different media. The third copy is separated from the previous two, for example, kept in the cloud. Accordingly, if something happens to the first storage, then the data still remains in another storage in the data center. If access to the entire data center is lost, a backup copy remains in the cloud. In such a scenario, we can talk about the guaranteed safety of critical data.

When choosing local storage, it is worth considering the storage period and the speed of working with data. Depending on the company's internal regulations or local legislation, some data classes must remain in the organization for five or more years. In this case, enterprises often choose tape libraries for archiving since such data is rarely accessed.

If from time to time, it is necessary to access some data quickly, then higher-speed storage is needed. For example, in the event of incident analysis, the information security department must be able to quickly access the contents of the mailbox of a remote employee who was fired several years ago.

Peculiarities of the construction and operation of a backup system

There are two fundamental backup indicators: Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which must be taken into account while creating of a backup system.

The RPO indicator characterizes the maximum timeframe for which the company is ready to lose data. This means that in the event of an incident, data accumulated during the selected period can be lost. So, the backup frequency is adjusted based on this period.

The RTO indicator represents the time during which data or an information system will be unavailable. After an incident, data, an application, a virtual machine, or an OS needs to be restored. RTO is the time required for this process.

The RPO and RTO parameters are calculated individually depending on the category of data in terms of its importance to the business and the cost of restoring it, and whether it is a virtual machine, an application or an array, etc.

The most common mistake made in the operation of a backup system is the untimely updating of its regulations and tasks. As the company's IT infrastructure develops, the number of internal services, data, applications, etc., grows. However, the backup policies that were written several months or even years ago do not change. In this case, you may face data loss risks, problems with data integrity, or unacceptable downtime of a critical information system.

The second issue is the lack of data recovery testing. To ensure full recovery in the event of a disaster, tests must be carried out periodically, following all regulations.

Possible algorithm for building a backup system

  1. Analyze. It is recommended to analyze your infrastructure and determine what data, systems, and files need to be backed up. It is also desirable to build dependencies for information systems that will be subject to backup. Next - set the requirements for RTO and RPO.
  2. Register results. At this stage, there should already be complete analytics for each information system and its requirements. It is best if the results are presented in the form of a table. Based on this info, a backup strategy is developed.
  3. Select a backup vendor and solution. Once you have a complete understanding of all IS components to be backed up, it is recommended to determine the functionality of the future backup system. It must comply with the requirements formed at the previous stages and the developed strategy.
  4. Determine hardware requirements. After strategy development, the requirements for the hardware should be formed that include storage systems, tape libraries, servers, and other infrastructure elements. They are created based on a compiled list of information systems to be backed up, time and place of storage, as well as the number of backups and their type.
  5. Deployment of a backup system. When all elements are included in the infrastructure, the backup system software is installed, policies and tasks are created, the backup process starts, and troubleshooting is performed if any problems occur. This stage should prove that the backup process is working correctly and that everything is properly configured and comply with the regulations.

Do not forget that as the infrastructure grows, the backup system must also grow and develop.

Conclusion

Backing up critical data is a must for any company. It is advised to back up to several types of storage according to the “3-2-1” model: two copies on the local site but on different media, and the third copy goes to the cloud.

When building a backup system, two indicators should be taken into account: RTO and RPO, which are calculated individually depending on the category of data in terms of its importance to the business and the cost of its restoration. It is also recommended not to forget about the timely updating of regulations and backup system testing.

The algorithm for building a backup system consists of five points: infrastructure analysis, registration of audit results, backup vendor selection, formation of requirements for hardware, and the actual deployment of the system.

About the Author

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.
Enhancing cloud security strategy

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.
Related Articles:
10 Tips to Guide Your Cloud Email Security Strategy

Published: 04/17/2024

The Widening Overlap Between Cloud Workloads and Cybersecurity

Published: 04/17/2024

How to Audit Your Outdated Security Processes

Published: 04/16/2024

Sealing Pandora's Box - The Urgent Need for Responsible AI Governance

Published: 04/12/2024