Data protection requirements are constantly changing and becoming more challenging at the same time. Your backup solution, which was good enough in the past, may no longer be adequate.
- Threat actors continue to create new ways to steal corporate data and hold it for ransom. How do you protect against current and evolving threats?
- Climate change is resulting in more storms and environmental events. Servers and other on-premises equipment don’t operate well in extreme heat or cold. Equipment failures that could result in data loss are a concern.
- Systems are hosted in your data center as well as in the cloud – or in multiple clouds. This is in addition to the hosted applications and services your employees use. Are they backed up?
Our Advice
Critical Insight
Organizations fail to consider all their data protection requirements when implementing a backup solution. Data protection requirements dictate that backups meet complex demands that go beyond making a copy of your files and storing it away.
Impact and Result
Follow Info-Tech's approach to aligning your backups with your data protection requirements to meet the needs of all your customers while providing secure, error-free, resilient backups. Know your data.
- Identify the data you need to protect and the requirements that you must meet while protecting that data.
- Assess both the threats against your data and the challenges with restoring that data.
- Align everything to a backup requirements list and implement the solution that meets your needs.
Workshop: Align Backups With Your Data Protection Requirements
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Identify Your Data and Protection Requirements
The Purpose
- Identify all data, applications, systems, and solutions that need to be backed up.
- Establish awareness into your regional, industry-specific, and corporate data protection requirements.
Key Benefits Achieved
- Understand data protection requirements of the business when it comes to backup of data, applications, services, and systems.
Activities
Outputs
Identify data, systems, applications, and services to be backed up.
- Business Data Summary
Confirm industry and regional data protection requirements.
- Data Protection Requirement List
Identify business requirements for data protection.
Module 2: Assess Your Threats and Restoration Challenges
The Purpose
- Identify threats to your data, explore restoration challenges you may face, and establish a list of features you require in a backup solution.
Key Benefits Achieved
- Threat risks identified and prioritized, restoration workflows created, and a better comprehension of what features and options are required in a backup solution
Activities
Outputs
Identify and prioritize your threats.
- Threat Priority List
Consider restoration challenges and build recovery workflows.
- Restoration Workflows
Build RACI chart to outline roles and responsibilities for recovery.
- RACI chart
Explore and confirm backup requirements.
- Backup Requirements List
Module 3: Align Requirements With Solutions
The Purpose
- Combine all your discovered requirements and use that list to find a suitable backup solution for your organization.
Key Benefits Achieved
- Backup solution evaluated
- Backup testing schedule established
- Backup alignment resulted combined into an overall plan
Activities
Outputs
Identify shortcomings of your current backup solution.
- Backup Solution Evaluation Template
Create backup solution evaluation template.
- Restore/Recovery Testing Schedule
Establish backup confidence criteria and recovery testing schedule.
- Backup Alignment Plan
Finalize alignment plan.
Align Backups With Your Data Protection Requirements
Making a copy of your data does not always result in data protection.
EXECUTIVE BRIEF
Analyst Perspective
Some organizations implement backups without considering what they are missing. Are all systems, services, applications, and data backed up? On-premises and in the cloud? Did you remember that SaaS application? What about those customizations in the configuration settings? Ignorance isn’t bliss when it comes to data protection.
Backup and recovery solutions are a part of most organizations, but are they just a routine operation or are they actually protecting the entire suite of data, applications, services, and systems from threats and loss?
Many organizations fall under standards and compliance requirements, but are those standards and requirements part of the backup process? They certainly should be. Not abiding by Health Insurance Portability and Accountability Act (HIPAA) or General Data Protection Regulation (GDPR) could result in financial penalties for your organization.
Identify what data, applications, services, and solutions you have and make sure they are on the backup list. Don’t forget those Software-as-a-Service (SaaS) solutions. Now investigate the compliance regulations that apply to you. They could be regional or industry specific. Your organization will also have specific requirements about backups – they will want their systems back up and running immediately in the event of a loss or outage. Whether it was accidental does not matter.
Assess your threats. You can mitigate them with the right backup solution. Assess your restore scenarios as well. They are not always as straightforward as you think.
Determine what you need in a backup solution and implement it. Test the backups, and soon you will be aligned with the data protection requirements of your organization.
P.J. Ryan
Research Director, Infrastructure & Operations
Info-Tech Research Group
Executive Summary
Your Challenge |
Common Obstacles |
Info-Tech’s Approach |
---|---|---|
Backing up your data is already a challenge. Staying within a specific backup window and avoiding becoming a network bandwidth hog only begin to paint the picture. Modern backups must address modern challenges such as:
|
Your customers want 100% uptime, instantaneous recovery, and zero lost time of data. So, what’s holding you back?
|
Follow the Info-Tech approach to aligning your backups with your data protection requirements to meet the needs of all your customers while providing secure, error free, resilient backups. Know your data (level of importance).
|
Info-Tech Insight
Organizations fail to consider all their data protection requirements when implementing a backup solution. Data protection requirements dictate that backups meet complex demands that go beyond making a copy of your files and storing it.
Your Challenge
Data protection requirements are constantly changing and becoming more challenging at once. Your backup solution, which was good enough in the past, may no longer be adequate.
- Threat actors continue to create new ways to steal corporate data and hold it for ransom. How do you protect against current and evolving threats?
- Climate change is resulting in more storms and environmental events. Servers and other on-premises equipment don’t operate well in extreme heat or cold. Equipment failures, which result in data loss, are a concern.
- Systems are hosted in your data center as well as the cloud, or multiple clouds. This includes hosted applications and services your employees use. Are they backed up?
“… in a recent poll of 100 IT executives, 89% said they’re always on the lookout for better data protection solutions.”
Source: Calamu, 2023
Common Obstacles
Knowing what to back up challenges most organizations. How do you know if you have all your data covered? How do you keep that backup copy of data safe? Are you sure the data will be there when you need to restore it?
- Cyberthreats are always in the news. And all the experts say you should never pay the ransom, but you just want your data back.
- Your data and applications are scattered everywhere – local data centers, Azure, AWS, maybe even Google. How do you track them down to back them up?
- Finance and HR use hosted applications. Who is backing them up?
- If my production site gets compromised, does it make sense to restore back to that compromised site? Where do you send my recovery job?
- Software keeps changing, along with the features they offer. How do you know what features you need in a backup solution?
“79% of executives say their data protection budget has increased in the past 1-2 years.”
Source: Calamu, 2022
Info-Tech’s Approach
- Identify
- Assess
- Align
Identify what data and systems you must back up and why you must back them up.
Assess threats to your data and backups as well as obstacles that may impede data restoration.
Align your list of data and systems, your reasons for backing them up, and your threats into a list of requirements that will lead you to a backup solution that meets all your data protection requirements.
Case Study
Is there such a thing as too much insurance?
INDUSTRY: Insurance
SOURCE: Interview
This case study is based on a real company but was anonymized for use in this research.
Situation
A managed service provider (MSP) provided two separate backup solutions for one insurance company at their insistence as they were not content with just one.
“If you lived through a ransomware attack, you are more inclined to double up or even triple up on protection and be extra, extra cautious.”
– MSP Principal Consultant
An insurance company (the client) suffered a ransomware attack which left their entire suite of virtual servers encrypted. The response was swift, and recovery of most systems was completed without any issues – except for one. A key server proved to be a challenge and required escalation by the hosting cloud solution provider to internal experts as well as the backup solution vendor. In the end, the system and all data was restored. The source of the ransomware was detected and removed, but the attack had long-term consequences for the client.
What if that key server could not be recovered and the business was destroyed? The client wanted extra precautions in place to ensure the risk they faced during the ransomware attack could be mitigated. At the top of that list was a second backup.
The initial backup was provided by their cloud hosting vendor. Backups of their virtual servers occurred once per day. They implemented a solution from Datto that backed up everything once per hour and provided space to restore all the servers if required. Datto also tested the backed-up servers daily to ensure they would boot properly.
As a tertiary measure, the client exported the full backup to a local disk daily and stored that disk offline.
Triple coverage to satisfy well-founded concerns.
3 steps to align your backups with your data protection requirements
Identify |
1 |
Identify all your applications, services, configurations, and raw data that you need to back up. Next, identify what exactly your data protection requirements are. Do you abide by the HIPAA guidelines? Is GDPR a consideration? What does your business require when it comes to backups? |
---|---|---|
Assess |
2 |
Assess the threats to your data and backups. Ransomware, human error, environmental events – these are all well-publicized threats. How do you protect your data and backups from them? What about the recovery/restore process? If your primary site is compromised, where do you restore the applications and data? |
Align |
3 |
Combine your list of applications, services, and everything else that must be backed up, then add the requirements to determine what you need in a backup solution. What are the must-have features? Can your existing solution fulfill your needs, or do you need a new one? Don’t forget to keep that application list up to date and test the backups regularly. Now your backup plan is aligned with your data protection requirements. |
Backups are not just a copy of your data
They come with many more considerations and serve a greater purpose. Here are some of those considerations.
What are you backing up?
Where will you find your data and systems for backup?
Why are you backing them up?
How will you protect that data during and after backup?
What |
Where |
Why |
How |
---|---|---|---|
Servers, SANs, and other devices Endpoint devices Cloud-based systems and storage SaaS/PaaS |
On-premises data center Hosted data center Cloud Endpoints |
Operational recovery Disaster recovery Industry and regional compliance Governance, risk, and compliance |
Snapshots and CDP Encryption Access restrictions 3-2-1-1-0 |
Identify
Identify what you need to back up and why
- Identify all the data that should be backed up. This will include your applications, services, configurations, and raw data. Don’t forget the cloud, and the other cloud. And what about those SaaS applications? That is your data. Is it backed up? Are you sure?
- Now focus on the requirements. Why are you backing up data? Where are you backing up data? Does it matter? GDPR, HIPAA, PIPEDA, ISO/IEC 270XX regulations and other standards/governing bodies insist that it matters.
- Are there other internal requirements? Does your finance team have requirements? What about HR? Did that last audit reveal any shortcomings related to data that you could address?
Identify what to back up and what the requirements are so you can align the two.
“In the last three years since the pandemic began, organizations have experienced sudden remote workforces and a significant increase in IaaS, PaaS, and SaaS deployments, necessitating the need to modernize backup because the production environment has changed.”
Source: Veeam Software
What should you back up?
Files? Applications? Operating systems? Metadata? Archived data? Network device config files? Cloud-based data? SaaS? The CEO’s laptop? Yes.
|
Back it up. |
---|---|
|
Back it up. |
|
Back it up. |
|
Back it up. |
|
Back it up. |
|
Back it up. |
Identify everything that you must back up but realize that schedules differ between data types and systems. Every four hours or even more frequent may be desirable for some data while once per day, week, or even year may be acceptable for other data or systems. A server may have two backup requirements – frequently for the data but less often for the operating system or application. Archive data is still production data, but it seldom changes. Once per year may be adequate for archives.
“Backup protects data from several risks, including hardware failures, human error, cyberattacks, data corruption and natural disasters. It's important to protect data from any potential issue so that an organization isn't blindsided when something happens.”
Source: TechTarget, 2021
Data protection requirements
Internal corporate requirements, regional requirements, and industry-based requirements. Make sure you know who is setting guidelines and constraints on your data.
- General Data Protection Regulation (GDPR)
- Sarbanes-Oxley Act (SOX)
- Payment card industry (PCI)
- Health Insurance Portability and Accountability Act (HIPAA)
- Recovery time objective (RTO)
- Recovery point objective (RPO)
- Data residency restrictions
- Audit requirements
Many companies are guided by some industry- or region-specific regulation or Act. Internal requirements must also be respected and complied with for a properly aligned backup strategy.
“Not only is data backup a cyber-healthy way for healthcare institutions to survive, but it’s also a requirement for businesses under the Health Insurance Portability and Accountability Act of 1996 or HIPAA.”
Source: Intelligent Technical Solutions
Typical compliance regulations
Healthcare
HIPAA: Health Insurance Portability and Accountability Act
Retail
PCI DSS: Payment Card Industry Data Security Standards
Education
FERPA: Family Educational Rights and Privacy Act
Financial Reporting
SOX: Sarbanes-Oxley Act
Financial Services
GLBA: Gramm-Leach-Bliley Act
Government
FISMA: Federal Information Security Management Act
CJIS: Criminal Justice Information Services
Assess
What are the threats to your data as well as your backup and restore capabilities?
- Ransomware and other cyber-related threats are increasing and evolving. They can infect your data and encrypt it, making it inaccessible to you.
- Human error can also result in a deleted file at best or, at worst, a full deletion or compromise of an entire application or system.
- Is restoring data to a known compromised environment the best option? What other considerations must you give to the act of recovering data?
- Who is responsible for the data, including its backup and restoration, when required? Microsoft is responsible for your email and everything else in the Microsoft 365 (M365) environment, right? Guess again. What about other hosted data and applications? If the SaaS host is not backing up data to your satisfaction, who is? You are responsible for your data. How will you back it up?
Assess all the threats and plan your mitigation strategy.
“2 out of 3 midsize companies were affected by ransomware in the past 18 months.”
Source: Enterprise Apps Today
Threats
Internal, external, intentional and unintentional, threat actors, environmental events. It seems like threats and threat scenarios are everywhere.
- Cyberthreats are increasing. Threat actors try to breach your network through a variety of methods with the intention of making money. This could be through encrypting your data and demanding cash before releasing the decryption keys, or taking over your corporate website and holding it ransom until money is paid.
- Human error is very common. Employees accidentally delete files regularly.
- Environmental events could impact internet access, general network connectivity, and power which could lead to loss of cooling. Most servers don’t operate well in extreme heat or extreme cold.
- Disgruntled employees could pose a threat if they have sufficient access.
"82% of breaches are caused by human error."
Source: Enterprise Apps Today
Data restoration
Restoring back to the original location is not always an option. Do you have alternatives?
- If your production server is known to be compromised, restoring a file back to that server is not logical. The same applies for a compromised network.
- Technology can help with replicas, snapshots, and continuous protection and instant recovery, but if connectivity to your backup site is lost, will that impact the restore process?
- Your organization may face other challenges with restoring data and systems. Explore those challenges and document your restore process for the impacted systems with flowcharts for others to easily follow.
“93% of companies that experience a major data loss and do not have a plan for recovery will be out of business in one year.”
Source: Enterprise Apps Today
Backup solution options
Backup solutions have come a long way in recent years with multiple options to address modern concerns.
- Encryption
- Continuous protection
- Cloud-based
- SaaS backup
- Secure access
- Multiple licensing models
- Threat detection
- Many others
There are also many diverse players in the backup solution provider market today. Some offer local installation options while others are completely cloud based. Some only back up virtual devices while others offer support for virtual and physical. Many integrate and back up SaaS solutions. Some even offer cloud-based storage space for your backups, for a price, of course.
Explore the market and find the right solution for your backup alignment.
“AI is revolutionizing the way data is backed up and recovered. AI-driven solutions can automate tasks, detect anomalies, and predict failures. This can help to prevent data loss and reduce the time it takes to restore data.
Source: Techwrix
Align
Align refers to supporting and moving in the same direction
Take the results of your identification exercises and assessment activities and align them with a backup strategy that addresses all your requirements.
This will include threat mitigation, protection mechanisms, and addressing restoration challenges.
Alignment will also include follow-up activities beyond the backup process. Follow-up activities include testing backups with a restore and confirming that what was restored is accessible or performs as expected. Alignment also includes periodically revisiting some identification and assessment activities to update them and adjust the backup alignment as necessary.
“Some believe that backups are a routine that should be set and forgotten about. Such people also believe that ransomware attacks, downtime caused by hardware failures, and human mistakes that lead to data loss are things that happen to people in the news, or topic starters on Reddit – in other words, to someone else.”
Source: MSP360
Backup solution evaluation
Now that you have a list of backup requirements, seek out a suitable backup solution. Perhaps you already own it.
- Evaluate your existing backup solution thoroughly before dismissing it. Can it provide what you need with an update or two?
- If it can’t, find a replacement. Rate vendors on their ability to provide the requirements you defined as well as several other considerations like their demonstration of their solution, their terms and conditions, and their cost.
- Evaluate multiple vendors in depth using the InfoTech Backup Alignment Vendor Evaluation Scorecard.
“Cyber attacks, particularly ransomware attacks are surging, and the demand for better data protection is imminent. Organizations are evaluating new strategies and technologies to protect data in increasingly hybrid and cloud environments.”
Source: Calamu, 2022
Explore the SoftwareReviews Backup and Availability Software Category: Best Backup and Availability Software 2023
Additional alignment
Selecting a suitable backup solution is not the end of your alignment.
- When you have everything identified and assessed, evaluate your current backup solution. If it is no longer up to the task, select a new solution.
- Test your backups on a regular basis. You don’t want to wait for a critical scenario to find out that they do not work.
- Regularly confirm what you are backing up as well. New applications, additional data, new employees, they all impact your data.
- Threats constantly increase and evolve. Stay ahead of the latest threats. Your backup solution may offer new features through an update in response to evolving threats.
- Keep everything documented. Executives and auditors will come inquiring, and you will be ready for them.
“Backup and recovery tests are not mere routine and dull exercises. Although they do not sound like the most enjoyable activities for the IT professional, they are designed to make sure that you can bring back every piece of your infrastructure in the event of any disaster, human fault, or failure.”
Source: MSP360
3-2-1 backup rule expanded
3-2-1 has evolved into 3-2-1-1-0
The concept of 3-2-1-1-0 is not new, but it isn’t highly publicized or preached in backup circles. It’s time to upgrade the conversation.
3-2-1-1-0 starts with similar guidance as 3-2-1 (three copies, two formats, one offsite) but adds more precautions relevant to a modern approach to backups.
Source: Veeam Community
“Adhering to the 32110 backup rule is essential for maintaining robust data resilience in today’s digital landscape. By following the rule’s principles of creating multiple copies of data, employing different media types, implementing air gaps, and ensuring zero errors and warnings, organizations can significantly enhance their disaster recovery capabilities.”
Source: Cyberfortress, 2023
Info-Tech’s methodology to align backups with data protection requirements
1. Identify Your Data and Protection Requirements |
2. Assess Your Threats and Restoration Challenges |
3. Align Requirements With Solutions |
|
---|---|---|---|
Phase Steps |
|
|
|
Phase Outcomes |
|
|
|
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
Insight summary
Overarching insight
Organizations fail to consider all their data protection requirements when implementing a backup solution. Data protection requirements dictate that backups meet complex demands that go beyond making a copy of your files and storing it.
Phase 1 insight
Many backup managers rely on the IT team only when adding systems, services, and buckets of data to the backup system. This could be a mistake. Not including a broader audience could inevitably lead to missing some important system or application.
Phase 2 insight
The bottom line is that cyberthreats are nothing to ignore, and they are not going away. The good news is that as threats increase and evolve, the defense tactics that protect your data and backups today will continue to work against that new threat that appears next week, next month, or even next year.
Phase 3 insight
Backups are a critical component of disaster recovery and business continuity plans. They also come up in infrastructure roadmap discussions, cloud offering discussions, and even strategic corporate discussions. Maintain good channels of communication with other thought leaders in your organization to keep up with new developments and keep your backups aligned with your data protection requirements.
Tactical insight
Data protection requirements are constantly changing and becoming more challenging at the same time. Your backup solution, which was good enough in the past, may no longer be adequate.
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Backup Alignment Workbook |
Backup Alignment Workflow Template |
Backup Alignment Vendor Evaluation Scorecard |
---|---|---|
Use the Backup Alignment Workbook to organize your activities as you work through the various phases and steps of the blueprint. |
Work with your team to define your steps to restore files, servers, applications or systems into your existing production environment or address solutions when that production environment is not available. Transfer your steps into a workflow diagram for easier understanding. |
This tool provides a resource to compare up to 4 separate backup solution vendors on criteria such as Adherence to RFI instructions, vendor specific information, vendor understanding of project goals, product viability & history, terms & conditions of any vendor proposals, the results of a solution demo, cost summary, and most importantly, your own backup solution requirements. |
Key deliverable:
Backup Alignment Plan Presentation Template
The purpose of this presentation is to help you create a single repository for information regarding your organization’s backup alignment with your data protection requirements. The presentation will contain the results of all your activities throughout the blueprint phases and steps summarized in one location. Data lists, threat considerations, threat risk ratings, backup solution requirements, vendor evaluation templates, test schedules, and update schedules will all be included for presentation to executives or auditors as necessary.