Backup Strategy and Solutions

Backing up your business data is a critical foundation of any business continuity plan, cyber security strategy and contributes significantly to overall business resilience. Consider it your last line of defence in terms of mitigating risks to your organisations associated with data loss.

We have seen over recent years the impacts of WannaCry and other ransomware has had on businesses. From the most severe (business closure and failure) to bottom line (financial) impacts in the event a ransom is paid to retrieve encrypted data. Globally it was a significant earn with some suggesting it costs some 4 Billion USD globally in 2017.

Data loss events be it internal or externally driven can be prevented or the most risks mitigated with a complete backup regime. However backup strategies are not a one size fits all across businesses.

How do I develop a Backup Strategy?

Not all data within an organisation is the same, but it is all important in one way or another. To develop a Backup Strategy an organisation needs understand their data and the criticality of this data.

The priority of this data will then drive your organisations policies (risk acknowledgment and mitigating factors) around recovery times and acceptable data loss.

Once information is categorised an organisation is then able to determine the backup and continuity requirements around this data.

Questions that should be asked and answered:

What would be the impact on our business if we lost this data?
How long could our business continue to operate without this data?
In the event data a system went down and data was corrupted, what would be the longest acceptable time in which that data would be restored?
What would be the impact on our customers if this data was lost?
What are our compliance requirements in relation to data retention, archiving and loss?

Business Considerations

What is critical when reviewing your Backup or DR requirements?

Once information is categorised and prioritised, a business will often need to be able to answer two questions when considering backup planning and disaster recovery efforts.

How much data can the organisation afford to lose (I.e. None, 15 minutes, 30 Minutes a Day etc.)?

This is referred to as Recovery Point Objective or RPO

…”A recovery point objective, or “RPO”, is defined by business continuity planning. It is the maximum tolerable period in which data might be lost from an IT service due to a major incident.[1] The RPO gives systems designers a limit to work to.”…

/wiki/Recovery_point_objective

How quickly must systems and information be back up and running?

This is referred to as the Recovery Time Objective or RTO.

…”The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.”…

/wiki/Recovery_time_objective

When looking at both of these, there is a trade-off between the timeframe and the investment required to meet each of the metrics. (I.e. if your RPO is 0, then the Investment is significantly more then and RPO of 1 week for instance).

Once an organisation has categorised and assigned RPO and RTO to their data, solutions need to be architected to meet these requirements.

When architecting a solution ask yourself:

Where does our information need to get backed up to?
How quickly can we restore from these locations? (Primary vs Secondary sites and Tiered storage – Fast restore times vs Slower restore times for older data)
How many copies of this data should be available? (Again we add to a business’s resiliency within the backup infrastructure to ensure that data is available within two separate locations);
Data Retention… How much data do I need to retain for restoration purposes.
What compliance requirements MUST be met in relation to data retention and archival;

Considerations in sourcing a backup solution

There are a plethora of backup solutions within the marketplace. Each with their strengths and weaknesses that deliver against particular use cases and meet data recovery objectives. When evaluation a backup solution, consider the Total Cost of ownership (TCO) and consider:

Software and licensing outlays;
Storage Costs (associated with onsite and offsite components) and the requirements around restore times (Tiered storage often assists with the investment costs at this point)
Consider the costs associated with maintenance, testing and restoration activities.

These are often hidden overheads not considered during the purchasing phase. Company budgets will also play a part in.

Do I need to backup my Cloud Data (IaaS, PaaS and SaaS)?

We often get asked this question and in most cases, we would recommend that all data regardless of where it resides be backed up (to one extent or another). Most “as a service” providers will backup data to meet their SLAs to you, but often these do not meet an organisations requirements. This is often overlooked when evaluating a cloud strategy.

How can Secure-ISS help?

Secure-ISS can assist business with backup planning and strategy sessions, solution design, consultancy, overall business continuity planning or through fundamental risk assessment. We can also assist with testing of both Backup Strategies and Business Continuity planning to ensure that systems and solutions are effective when/ if they are needed.

As part of a larger (turn-key) offering or as a once off engagement our professionals are able assist your business build resiliency.