With cyber incident tactics and environmental threats constantly evolving, your organization needs a backup & disaster recovery strategy in place to ensure ongoing security and business continuity.
When creating your plan, it’s important to consider technology infrastructure, the length of downtime your business can handle, and more.
In this guide, we’ll cover best practices for data backup and disaster recovery and share recommended solutions for optimizing your recovery efforts.
Let’s get started.
What are data backup, retention, and disaster recovery?
Before you can understand how to back up your organization’s data, it’s essential to differentiate between key backup & recovery terms.
Although data backup, disaster recovery, and retention are often used in the same context, they have different meanings and uses.
Data backup occurs when files, systems, and other information are duplicated and stored in another location and can be accessed if the primary system is unavailable or under attack.
On a small scale, you can think of this as plugging an external hard drive into your computer to back up your personal files or having an application back up your files to a cloud service.
Retention for compliance occurs when you have to retain backup data based on strict compliance standards.
Depending on your industry and organization, you may need to retain specific data for a certain number of years. These backups may be required to protect against litigation or financial investigations.
You will frequently see this requirement discussed alongside terms like Data Loss Prevention (DLP) or Information Governance.
Disaster recovery is the process of restoring and regaining access to your data after an environmental event (flood, hurricane, etc.) or cyber event (ransomware, file corruption, etc.) and is documented in a Disaster Recovery Plan (DRP).
Disaster recovery also serves as the stepping stone to business continuity planning.
Business Continuity Plans (BCP) are frequently used with a disaster recovery plan and outline how a business will return to normal operations.
In other words, disaster recovery planning often only refers to your data and gaining access to it again. It is often one part of a larger business continuity plan.
Business continuity planning refers to the organization as a whole and includes other facets of your business operations, not just IT systems.
“To fail to prepare is to prepare to fail”
Disaster recovery and business continuity plans highlight the importance of preparing your business for any situation.
Benjamin Franklin said, “To fail to prepare is to prepare to fail.”
If you don’t take the necessary steps to safeguard your business from emergencies, you leave your company open to disasters, like environmental crises or cyber attacks.
If you don’t have a plan in place before an incident occurs, it will be much harder to restore essential data and get your business back up and running.
For instance, if there were a fire or gas leak in your home, you would want to know exactly which number to call for help and which essential documents to save.
If you had a plan in place beforehand, like a list of emergency numbers and a fireproof bag containing documents like birth certificates and medical information, you would be better equipped to handle the crisis.
The same idea applies to your business.
Creating a plan with core steps and key backup information will streamline the restoration process and improve your business’s ability to continue providing products and services.
What is the 3-2-1 backup rule?
Now that you understand the importance of a backup and disaster recovery plan, consider the 3-2-1 rule: the minimum backup approach that any business needs.
The 3-2-1 backup rule suggests that businesses need 3 different copies of their data, stored on 2 different types of media, with 1 of them being offsite.
In a typical scenario, the 3 separate copies of your data may exist in this way.
1. Data stored on the live server you’re working on every day
2. A backup of your data stored on a backup server
3. A copy of your data stored offsite
However, the 3-2-1 backup rule is often not enough to protect your data, so we passionately advocate for a more thorough approach!
How does Miles approach the 3-2-1 backup rule?
Our team typically advocates for a deeper approach than the 3-2-1 rule.
We recommend that customers follow the 3-2-1 rule and modify the “2” portion for enhanced protection.
We suggest having 3 different copies of your data, stored on 2 different types of media that are not physically connected, with 1 being offsite.
For example, backing up data onto a USB drive attached to the server and then copying it offsite will technically meet the 3-2-1 rule, but will not protect your data sufficiently. If there were an event on the server itself, it would impact the backup on the USB drive, too, most likely rendering it unusable.
Backup files are often targeted by bad actors to be destroyed or encrypted during a cyber incident, so having your backup files adjacent to your main files wouldn’t protect them.
Using a different backup server or appliance is preferred because it keeps your backups physically separate from your central systems.
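The following check is an added example, not part of the original guide or any vendor tool. It evaluates a backup inventory against the classic 3-2-1 rule and against the stricter reading described above, interpreted here as "no backup copy may sit on media physically attached to the primary server". The field names, host names, and both inventories are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    role: str      # "live" for the working data, "backup" for every other copy
    media: str     # media type label, e.g. "server-disk", "usb-disk"
    host: str      # machine the media is physically connected to
    offsite: bool

def check_321(copies, primary_host, require_separation=True):
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies found, 3 required")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if require_separation:
        # Stricter "2": an event on the primary server must not reach a backup.
        for c in copies:
            if c.role == "backup" and c.host == primary_host:
                findings.append(
                    f"backup '{c.name}' is physically attached to {primary_host}")
    return findings

# Constructed inventories: the USB-drive setup from the text, and an appliance setup.
USB_SETUP = [
    BackupCopy("live data", "live", "server-disk", "srv01", False),
    BackupCopy("usb backup", "backup", "usb-disk", "srv01", False),
    BackupCopy("offsite copy", "backup", "cloud-object", "offsite-vault", True),
]
APPLIANCE_SETUP = [
    BackupCopy("live data", "live", "server-disk", "srv01", False),
    BackupCopy("appliance backup", "backup", "backup-appliance", "bkp01", False),
    BackupCopy("offsite copy", "backup", "cloud-object", "offsite-vault", True),
]

if __name__ == "__main__":
    print("USB, classic rule:", check_321(USB_SETUP, "srv01", False))
    print("USB, strict rule: ", check_321(USB_SETUP, "srv01"))
    print("Appliance, strict:", check_321(APPLIANCE_SETUP, "srv01"))
```

The USB setup passes the classic rule and fails only the separation check, which is the gap the modified rule is meant to close.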
Recommended Backup Solutions
Once you understand the fundamentals of backups, you can begin to consider your technology environment and the best solutions.
Although every organization is different, there are several solutions that we generally recommend based on their comprehensive capabilities.
What programs should my organization have in place for backups?
When choosing the right backup solution for your business, it’s important to consider your infrastructure and organizational needs.
Backup recommendations for physical infrastructure
We recommend choosing one of two backup options if your company has local servers and infrastructure.
One is Datto BCDR, which backs data up locally to a hardened appliance and also offloads backups to the Datto Cloud.
The second recommendation consists of various combined approaches, which we call MiBackup.
MiBackup is an all-in-one solution for your business that uses the Veeam Data Platform to back up your data to a hardened appliance and send it offsite.
Either way, our experts provide quality consultation to determine the best approach and can tailor backup solutions to your unique needs.
Backup recommendations for offsite or cloud-based infrastructure
If your business has servers hosted in Azure, AWS, or Google Cloud Platform, you may assume that you don’t need to back up your data.
After all, these solutions will keep your data protected, right?
The cloud is just somebody else’s computer.
In-depth data backups and disaster recovery models aren’t Microsoft, Amazon, or Google’s responsibility. While these services have fantastic reliability numbers, data loss within the platform is still possible.
Even if you think you are safe from the platform’s perspective, you still have users that can make mistakes and bad actors that want to access your data, so protect it!
It’s your job to create a comprehensive plan and quality backup solution in case your data is affected by user error or malicious activity.
If you have servers running in Azure, AWS, or Google Cloud Platform, Veeam is our recommended solution. Veeam builds on the native backup options available on these platforms and takes your backups to the next level.
It provides more protection and significantly faster restoration for the recovery of files and folders (which is ultimately the most frequent use of backup systems!)
How does the 3-2-1 rule apply to cloud backups?
Even if your data is located in Azure, AWS, or Google Cloud, you’ll still want to follow the 3-2-1 backup approach.
If you complete a cloud backup for your data, it will back up your data locally and replicate it to another Azure, AWS, or Google Cloud data center.
Let’s take Azure as an example. Veeam Backup for Azure will first engage Azure Backup to take a snapshot of the servers so that you can quickly revert in the event of a server failure.
Then, it copies the backup data from that snapshot to Azure Blob Storage. These backups in Blob storage are retained locally at that data center and then backed up offsite.
This offsite backup occurs by configuring the Blob as GRS (Geographically Redundant Storage), which copies your backups to another Azure data center.
As a result, you’ll have 3 different copies of your data: the one that you’re running, the local backup, and the offsite backup.
Your backups will also be on two different types of media because one is in another data center.
Creating a Disaster Recovery Plan
Disaster recovery plans differ for every business based on their industry and the unique products and services they provide.
Your plan should align with your RPO & RTO and include an in-depth implementation and testing process to ensure it continues to fit your changing needs.
Step one of this process is to define your objectives clearly.
RPO & RTO are two key metrics that influence the specifics of your disaster recovery plan.
Recovery Point Objective (RPO) refers to the point in time you restore to.
It considers how much data, measured in time, you are willing to lose in the event of a disaster or business disruption.
In other words, how fresh or stale is your data since your last valid backup? If you had to recover from last night’s backup, is that good enough?
RPO helps determine how frequently you need to run backups at your organization.
For example, many organizations specify an RPO of 1 hour, 4 hours, or 1 day.
Recovery Time Objective (RTO) refers to how quickly you can perform a restore.
This objective considers the amount of time you have to get your IT systems back up and running before you can no longer maintain effective business operations.
Essentially, this figures out how fast your restore needs to be to protect your business from experiencing too much downtime or lost profit.
Some organizations may think they can’t afford any downtime, but having 100% uptime is incredibly expensive and something you need to consider carefully.
Overall, RTO ensures that your solution will get your business back up and running in a reasonable time frame for your employees, customers, and vendors.
The RTO is always going to be greater than the RPO. Examples of RTOs that organizations look for are 2 days, 1 day, or 4 hours.
When defining your recovery objectives, remember that the larger the environment, the more granular your objectives can be.
Organizations with just one server cannot get very granular, but an organization with 20 servers should determine each object’s importance. If there are test servers, then they should not have the same recovery objectives as production servers.
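One way to check backup history against per-tier RPOs, as an added example that is not part of the original guide. The server names, tier assignments, RPO values (taken from the example figures above), and job records are constructed; a failed job does not count as a recovery point, so it widens the exposure window.

```python
from datetime import datetime, timedelta

# Assumed objectives: production and test servers get different RPOs.
RPO = {"production": timedelta(hours=4), "test": timedelta(days=1)}
SERVERS = {"erp01": "production", "lab01": "test"}

# Constructed job history: (server, finish time, job succeeded)
JOBS = [
    ("erp01", "2024-03-01T00:00", True),
    ("erp01", "2024-03-01T04:00", True),
    ("erp01", "2024-03-01T08:00", False),   # failed run: no recovery point
    ("erp01", "2024-03-01T12:00", True),
    ("lab01", "2024-03-01T01:00", True),
]

def worst_exposure(server, jobs, now):
    """Longest stretch without a successful backup, including the one up to now.

    Returns None when the server has no successful backup at all.
    """
    good = sorted(datetime.fromisoformat(t)
                  for s, t, ok in jobs if s == server and ok)
    if not good:
        return None
    points = good + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def rpo_violations(servers, jobs, now, rpo=RPO):
    """Map each server that misses its tier's RPO to its worst exposure."""
    violations = {}
    for server, tier in servers.items():
        gap = worst_exposure(server, jobs, now)
        if gap is None or gap > rpo[tier]:
            violations[server] = gap
    return violations

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-01T14:00")
    for server, gap in rpo_violations(SERVERS, JOBS, now).items():
        print(f"{server} ({SERVERS[server]}): worst exposure {gap}")
```

Here the single failed 08:00 job leaves the production server with an 8-hour window between recovery points, double its 4-hour RPO, while the test server stays within its 1-day objective.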
What process does Miles follow for implementing a backup and disaster recovery solution?
To help you optimize your RPO and RTO, we use a structured approach for selecting and implementing the right solution.
Typically, we follow a four-step process that helps us understand your business’s unique needs.
Step 1: Assess the environment and solutions already in place
Before sharing recommendations, it’s essential to gain a clear picture of a business’s technology infrastructure and operations.
Understanding how the business runs, the systems it depends on most, and the types of systems it uses is an excellent starting point.
Taking stock of solutions already in place is crucial, too.
For instance, we found that one of our clients already had a backup solution in place, yet it was a highly manual procedure dependent on a single employee.
We spend significant time on this step to ensure we understand how different systems fit together with core business practices.
Step 2: Provide key analysis and recommendations
Once we understand the current business processes and technology stack, we provide thoughtful recommendations based on our analysis.
Keeping considerations like RPO and RTO in mind, we analyze the business’s needs and determine the appropriate solution to fit those needs. This will involve discussions about cost; a more highly available solution will cost more.
Our goal is to find the right solution for you and your business.
Step 3: Create plan and implement solution
Once you have approved the chosen course of action, we implement the solution.
First, we ensure that local backups are working as intended and that these backups are replicated or copied to the destination selected for deployment.
If needed, we can work with your team to develop an in-depth disaster recovery and/or business continuity plan, or provide the necessary information to update an existing plan.
Step 4: Verification and testing
A backup is not successful if it cannot be restored!
We conduct thorough verification and testing to ensure your system is working correctly.
Miles Assurance Plan customers may also benefit from our Backup Success Monitoring, where we proactively search for successful backups.
With the number of threats increasing in today’s world, preparing your business for the unknown isn’t an option; it’s a necessity.
The right backup solution and proper planning ensure that you can get back on your feet quickly after an incident without experiencing devastating data loss or a dip in profits.
Keep your business ahead of potential threats so you can readily access your data, even if an incident occurs.
Miles IT 2023.