Data protection requirements are constantly changing and becoming more challenging at the same time. Your backup solution, which was good enough in the past, may no longer be adequate.
- Threat actors continue to create new ways to steal corporate data and hold it for ransom. How do you protect against current and evolving threats?
- Climate change is resulting in more storms and environmental events. Servers and other on-premises equipment don’t operate well in extreme heat or cold. Equipment failures that could result in data loss are a concern.
- Systems are hosted in your data center as well as in the cloud – or in multiple clouds. This is in addition to the hosted applications and services your employees use. Are they backed up?
Our Advice
Critical Insight
Organizations fail to consider all their data protection requirements when implementing a backup solution. Data protection requirements dictate that backups meet complex demands that go beyond making a copy of your files and storing it away.
Impact and Result
Follow Info-Tech's approach to aligning your backups with your data protection requirements to meet the needs of all your customers while providing secure, error-free, resilient backups. Know your data.
- Identify the data you need to protect and the requirements that you must meet while protecting that data.
- Assess both the threats against your data and the challenges with restoring that data.
- Align everything to a backup requirements list and implement the solution that meets your needs.
Align Backups With Your Data Protection Requirements
Making a copy of your data does not always result in data protection.
EXECUTIVE BRIEF
Analyst Perspective
Some organizations implement backups without considering what they are missing. Are all systems, services, applications, and data backed up? On-premises and in the cloud? Did you remember that SaaS application? What about those customizations in the configuration settings? Ignorance isn’t bliss when it comes to data protection.
Backup and recovery solutions are a part of most organizations, but are they just a routine operation or are they actually protecting the entire suite of data, applications, services, and systems from threats and loss?
Many organizations fall under standards and compliance requirements, but are those standards and requirements part of the backup process? They certainly should be. Not abiding by the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR) could result in financial penalties for your organization.
Identify what data, applications, services, and solutions you have and make sure they are on the backup list. Don’t forget those Software-as-a-Service (SaaS) solutions. Now investigate the compliance regulations that apply to you. They could be regional or industry specific. Your organization will also have specific requirements about backups – they will want their systems back up and running immediately in the event of a loss or outage. Whether it was accidental does not matter.
Assess your threats. You can mitigate them with the right backup solution. Assess your restore scenarios as well. They are not always as straightforward as you think.
Determine what you need in a backup solution and implement it. Test the backups, and soon you will be aligned with the data protection requirements of your organization.
P.J. Ryan
Research Director, Infrastructure & Operations
Info-Tech Research Group
Executive Summary
| Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
| Backing up your data is already a challenge. Staying within a specific backup window and avoiding becoming a network bandwidth hog only begin to paint the picture. Modern backups must address modern challenges such as: | Your customers want 100% uptime, instantaneous recovery, and zero data loss. So, what’s holding you back? | Follow the Info-Tech approach to aligning your backups with your data protection requirements to meet the needs of all your customers while providing secure, error-free, resilient backups. Know your data (level of importance). |
Info-Tech Insight
Organizations fail to consider all their data protection requirements when implementing a backup solution. Data protection requirements dictate that backups meet complex demands that go beyond making a copy of your files and storing it.
Your Challenge
Data protection requirements are constantly changing and becoming more challenging at the same time. Your backup solution, which was good enough in the past, may no longer be adequate.
- Threat actors continue to create new ways to steal corporate data and hold it for ransom. How do you protect against current and evolving threats?
- Climate change is resulting in more storms and environmental events. Servers and other on-premises equipment don’t operate well in extreme heat or cold. Equipment failures, which result in data loss, are a concern.
- Systems are hosted in your data center as well as the cloud, or multiple clouds. This includes hosted applications and services your employees use. Are they backed up?
“… in a recent poll of 100 IT executives, 89% said they’re always on the lookout for better data protection solutions.”
Source: Calamu, 2023
Common Obstacles
Knowing what to back up challenges most organizations. How do you know if you have all your data covered? How do you keep that backup copy of data safe? Are you sure the data will be there when you need to restore it?
- Cyberthreats are always in the news. And all the experts say you should never pay the ransom, but you just want your data back.
- Your data and applications are scattered everywhere – local data centers, Azure, AWS, maybe even Google. How do you track them down to back them up?
- Finance and HR use hosted applications. Who is backing them up?
- If your production site gets compromised, does it make sense to restore back to that compromised site? Where do you send the recovery job?
- Software keeps changing, along with the features it offers. How do you know what features you need in a backup solution?
“79% of executives say their data protection budget has increased in the past 1-2 years.”
Source: Calamu, 2022
Info-Tech’s Approach
- Identify
- Assess
- Align
Identify what data and systems you must back up and why you must back them up.
Assess threats to your data and backups as well as obstacles that may impede data restoration.
Align your list of data and systems, your reasons for backing them up, and your threats into a list of requirements that will lead you to a backup solution that meets all your data protection requirements.
Case Study
Is there such a thing as too much insurance?
INDUSTRY: Insurance
SOURCE: Interview
This case study is based on a real company but was anonymized for use in this research.
Situation
A managed service provider (MSP) provided two separate backup solutions for one insurance company at their insistence as they were not content with just one.
“If you lived through a ransomware attack, you are more inclined to double up or even triple up on protection and be extra, extra cautious.”
– MSP Principal Consultant
An insurance company (the client) suffered a ransomware attack which left their entire suite of virtual servers encrypted. The response was swift, and recovery of most systems was completed without any issues – except for one. A key server proved to be a challenge and required escalation by the hosting cloud solution provider to internal experts as well as the backup solution vendor. In the end, the system and all data was restored. The source of the ransomware was detected and removed, but the attack had long-term consequences for the client.
What if that key server could not be recovered and the business was destroyed? The client wanted extra precautions in place to ensure the risk they faced during the ransomware attack could be mitigated. At the top of that list was a second backup.
The initial backup was provided by their cloud hosting vendor. Backups of their virtual servers occurred once per day. They implemented a solution from Datto that backed up everything once per hour and provided space to restore all the servers if required. Datto also tested the backed-up servers daily to ensure they would boot properly.
As a tertiary measure, the client exported the full backup to a local disk daily and stored that disk offline.
Triple coverage to satisfy well-founded concerns.
3 steps to align your backups with your data protection requirements
| Phase | Step | Activity |
|---|---|---|
| Identify | 1 | Identify all your applications, services, configurations, and raw data that you need to back up. Next, identify what exactly your data protection requirements are. Do you abide by the HIPAA guidelines? Is GDPR a consideration? What does your business require when it comes to backups? |
| Assess | 2 | Assess the threats to your data and backups. Ransomware, human error, environmental events – these are all well-publicized threats. How do you protect your data and backups from them? What about the recovery/restore process? If your primary site is compromised, where do you restore the applications and data? |
| Align | 3 | Combine your list of applications, services, and everything else that must be backed up, then add the requirements to determine what you need in a backup solution. What are the must-have features? Can your existing solution fulfill your needs, or do you need a new one? Don’t forget to keep that application list up to date and test the backups regularly. Now your backup plan is aligned with your data protection requirements. |
Backups are not just a copy of your data
They come with many more considerations and serve a greater purpose. Here are some of those considerations.
What are you backing up?
Where will you find your data and systems for backup?
Why are you backing them up?
How will you protect that data during and after backup?
| What | Where | Why | How |
|---|---|---|---|
| Servers, SANs, and other devices; endpoint devices; cloud-based systems and storage; SaaS/PaaS | On-premises data center; hosted data center; cloud; endpoints | Operational recovery; disaster recovery; industry and regional compliance; governance, risk, and compliance | Snapshots and CDP; encryption; access restrictions; 3-2-1-1-0 |
Identify
Identify what you need to back up and why
- Identify all the data that should be backed up. This will include your applications, services, configurations, and raw data. Don’t forget the cloud, and the other cloud. And what about those SaaS applications? That is your data. Is it backed up? Are you sure?
- Now focus on the requirements. Why are you backing up data? Where are you backing up data? Does it matter? Regulations and standards such as GDPR, HIPAA, PIPEDA, and ISO/IEC 270XX, and the bodies that govern them, insist that it matters.
- Are there other internal requirements? Does your finance team have requirements? What about HR? Did that last audit reveal any shortcomings related to data that you could address?
Identify what to back up and what the requirements are so you can align the two.
“In the last three years since the pandemic began, organizations have experienced sudden remote workforces and a significant increase in IaaS, PaaS, and SaaS deployments, necessitating the need to modernize backup because the production environment has changed.”
Source: Veeam Software
What should you back up?
Files? Applications? Operating systems? Metadata? Archived data? Network device config files? Cloud-based data? SaaS? The CEO’s laptop? Yes.
Back it up.
Identify everything that you must back up, but realize that schedules differ between data types and systems. Every four hours or even more frequently may be desirable for some data, while once per day, week, or even year may be acceptable for other data or systems. A server may have two backup requirements – frequent for the data but less often for the operating system or application. Archive data is still production data, but it seldom changes. Once per year may be adequate for archives.
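As an added illustration of the per-item schedules described above (not part of the Info-Tech blueprint), the Python below takes a constructed backup policy, expressed as a recovery point objective per protected item, and a constructed job log, and reports which items have no successful backup within their RPO. All item names, intervals, and log lines are made up for the example; failed jobs are ignored when finding the last good backup, and an item with no successful job at all is reported as out of compliance.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy: how stale each protected item may be (its RPO).
# One server carries two entries, as the text describes: frequent for its
# data, infrequent for its operating system.
POLICY = {
    "erp-db-data":    timedelta(hours=4),
    "erp-db-os":      timedelta(days=7),
    "fileshare":      timedelta(days=1),
    "archive-2019":   timedelta(days=365),
    "hr-saas-export": timedelta(days=1),
}

# Constructed job log, one completed job per line: <UTC timestamp> <item> <result>
JOB_LOG = """\
2024-05-01T02:05:00Z erp-db-data SUCCESS
2024-05-01T02:40:00Z erp-db-os SUCCESS
2024-05-01T06:05:00Z erp-db-data SUCCESS
2024-05-01T10:07:00Z erp-db-data FAILED
2024-04-30T23:10:00Z fileshare SUCCESS
2023-06-15T01:00:00Z archive-2019 SUCCESS
2024-05-01T03:00:00Z hr-saas-export FAILED
"""

# Constructed evaluation time for the report.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Yield (timestamp, item, result) tuples from the job log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, item, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, item, result


def last_success(log_text):
    """Most recent SUCCESS timestamp per item; FAILED jobs do not count."""
    latest = {}
    for when, item, result in parse_log(log_text):
        if result == "SUCCESS" and (item not in latest or when > latest[item]):
            latest[item] = when
    return latest


def rpo_report(policy, log_text, now):
    """Return {item: (age_of_last_good_backup_or_None, compliant)} for every policy item.

    An item is compliant when now - last_success <= its RPO. An item with no
    successful backup is reported as (None, False).
    """
    latest = last_success(log_text)
    report = {}
    for item, rpo in policy.items():
        if item not in latest:
            report[item] = (None, False)
        else:
            age = now - latest[item]
            report[item] = (age, age <= rpo)
    return report


def noncompliant(policy, log_text, now):
    """Sorted names of items whose last good backup is missing or older than their RPO."""
    return sorted(item for item, (_, ok) in rpo_report(policy, log_text, now).items() if not ok)


if __name__ == "__main__":
    for item, (age, ok) in rpo_report(POLICY, JOB_LOG, NOW).items():
        print(f"{item:16} {'OK ' if ok else 'OUT'}  age of last good backup: {age}")
```

Run as a script, the report shows the ERP data out of its four-hour RPO (the 10:07 job failed, so the 06:05 job is the last good one) and the HR SaaS export with no good backup at all, while the yearly archive and the weekly OS backup are within their windows.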
“Backup protects data from several risks, including hardware failures, human error, cyberattacks, data corruption and natural disasters. It's important to protect data from any potential issue so that an organization isn't blindsided when something happens.”
Source: TechTarget, 2021
Data protection requirements
Internal corporate requirements, regional requirements, and industry-based requirements. Make sure you know who is setting guidelines and constraints on your data.
- General Data Protection Regulation (GDPR)
- Sarbanes-Oxley Act (SOX)
- Payment card industry (PCI)
- Health Insurance Portability and Accountability Act (HIPAA)
- Recovery time objective (RTO)
- Recovery point objective (RPO)
- Data residency restrictions
- Audit requirements
Many companies are guided by some industry- or region-specific regulation or Act. Internal requirements must also be respected and complied with for a properly aligned backup strategy.
“Not only is data backup a cyber-healthy way for healthcare institutions to survive, but it’s also a requirement for businesses under the Health Insurance Portability and Accountability Act of 1996 or HIPAA.”
Source: Intelligent Technical Solutions
Typical compliance regulations
Healthcare
HIPAA: Health Insurance Portability and Accountability Act
Retail
PCI DSS: Payment Card Industry Data Security Standards
Education
FERPA: Family Educational Rights and Privacy Act
Financial Reporting
SOX: Sarbanes-Oxley Act
Financial Services
GLBA: Gramm-Leach-Bliley Act
Government
FISMA: Federal Information Security Management Act
CJIS: Criminal Justice Information Services
Assess
What are the threats to your data as well as your backup and restore capabilities?
- Ransomware and other cyber-related threats are increasing and evolving. They can infect your data and encrypt it, making it inaccessible to you.
- Human error can also result in a deleted file at best or, at worst, a full deletion or compromise of an entire application or system.
- Is restoring data to a known compromised environment the best option? What other considerations must you give to the act of recovering data?
- Who is responsible for the data, including its backup and restoration, when required? Microsoft is responsible for your email and everything else in the Microsoft 365 (M365) environment, right? Guess again. What about other hosted data and applications? If the SaaS host is not backing up data to your satisfaction, who is? You are responsible for your data. How will you back it up?
Assess all the threats and plan your mitigation strategy.
“2 out of 3 midsize companies were affected by ransomware in the past 18 months.”
Source: Enterprise Apps Today
Threats
Internal, external, intentional and unintentional, threat actors, environmental events. It seems like threats and threat scenarios are everywhere.
- Cyberthreats are increasing. Threat actors try to breach your network through a variety of methods with the intention of making money. This could be through encrypting your data and demanding cash before releasing the decryption keys, or taking over your corporate website and holding it ransom until money is paid.
- Human error is very common. Employees accidentally delete files regularly.
- Environmental events could impact internet access, general network connectivity, and power, which could lead to loss of cooling. Most servers don’t operate well in extreme heat or extreme cold.
- Disgruntled employees could pose a threat if they have sufficient access.
"82% of breaches are caused by human error."
Source: Enterprise Apps Today
Data restoration
Restoring back to the original location is not always an option. Do you have alternatives?
- If your production server is known to be compromised, restoring a file back to that server is not logical. The same applies for a compromised network.
- Technology can help with replicas, snapshots, continuous protection, and instant recovery, but if connectivity to your backup site is lost, will that impact the restore process?
- Your organization may face other challenges with restoring data and systems. Explore those challenges and document your restore process for the impacted systems with flowcharts for others to easily follow.
“93% of companies that experience a major data loss and do not have a plan for recovery will be out of business in one year.”
Source: Enterprise Apps Today
Backup solution options
Backup solutions have come a long way in recent years with multiple options to address modern concerns.
- Encryption
- Continuous protection
- Cloud-based
- SaaS backup
- Secure access
- Multiple licensing models
- Threat detection
- Many others
There are also many diverse players in the backup solution provider market today. Some offer local installation options while others are completely cloud based. Some only back up virtual devices while others offer support for virtual and physical. Many integrate and back up SaaS solutions. Some even offer cloud-based storage space for your backups, for a price, of course.
Explore the market and find the right solution for your backup alignment.
“AI is revolutionizing the way data is backed up and recovered. AI-driven solutions can automate tasks, detect anomalies, and predict failures. This can help to prevent data loss and reduce the time it takes to restore data.”
Source: Techwrix
Align
Align refers to supporting and moving in the same direction
Take the results of your identification exercises and assessment activities and align them with a backup strategy that addresses all your requirements.
This will include threat mitigation, protection mechanisms, and addressing restoration challenges.
Alignment will also include follow-up activities beyond the backup process. Follow-up activities include testing backups with a restore and confirming that what was restored is accessible or performs as expected. Alignment also includes periodically revisiting some identification and assessment activities to update them and adjust the backup alignment as necessary.
“Some believe that backups are a routine that should be set and forgotten about. Such people also believe that ransomware attacks, downtime caused by hardware failures, and human mistakes that lead to data loss are things that happen to people in the news, or topic starters on Reddit – in other words, to someone else.”
Source: MSP360
Backup solution evaluation
Now that you have a list of backup requirements, seek out a suitable backup solution. Perhaps you already own it.
- Evaluate your existing backup solution thoroughly before dismissing it. Can it provide what you need with an update or two?
- If it can’t, find a replacement. Rate vendors on their ability to provide the requirements you defined as well as several other considerations like their demonstration of their solution, their terms and conditions, and their cost.
- Evaluate multiple vendors in depth using the Info-Tech Backup Alignment Vendor Evaluation Scorecard.
“Cyber attacks, particularly ransomware attacks, are surging, and the demand for better data protection is imminent. Organizations are evaluating new strategies and technologies to protect data in increasingly hybrid and cloud environments.”
Source: Calamu, 2022
Explore the SoftwareReviews Backup and Availability Software Category: Best Backup and Availability Software 2023
Additional alignment
Selecting a suitable backup solution is not the end of your alignment.
- When you have everything identified and assessed, evaluate your current backup solution. If it is no longer up to the task, select a new solution.
- Test your backups on a regular basis. You don’t want to wait for a critical scenario to find out that they do not work.
- Regularly confirm what you are backing up as well. New applications, additional data, and new employees all affect your data.
- Threats constantly increase and evolve. Stay ahead of the latest threats. Your backup solution may offer new features through an update in response to evolving threats.
- Keep everything documented. Executives and auditors will come inquiring, and you will be ready for them.
“Backup and recovery tests are not mere routine and dull exercises. Although they do not sound like the most enjoyable activities for the IT professional, they are designed to make sure that you can bring back every piece of your infrastructure in the event of any disaster, human fault, or failure.”
Source: MSP360
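As an added example of the restore test recommended above (not the blueprint’s own tooling), the Python below records a SHA-256 manifest of every file when a backup is taken and later compares a restored tree against it, flagging files that are missing, altered, or present in the restore but absent from the backup. The directory layout and file contents are constructed inline; `demo()` stands in for both the backup and restore jobs with a plain directory copy and then damages the restored copy the way a silent failure would.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root.

    Taken at backup time, this is the reference a restore is checked against.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded when the backup was taken.

    Returns a sorted list of (relative_path, problem) with problem being
    'missing', 'modified', or 'unexpected'. An empty list means the restore
    matches the backup byte for byte.
    """
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append((rel, "missing"))
        elif restored[rel] != digest:
            problems.append((rel, "modified"))
    for rel in restored:
        if rel not in manifest:
            problems.append((rel, "unexpected"))
    return sorted(problems)


def demo():
    """Constructed end-to-end run: back up, restore, verify, damage, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "production"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.yaml").write_text("db: erp\n")
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly close\n")
        manifest = build_manifest(src)          # stored alongside the backup

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)            # stand-in for the backup job
        restore = Path(tmp) / "restore"
        shutil.copytree(backup, restore)        # stand-in for the restore job
        clean = verify_restore(manifest, restore)

        # Damage the restored copy: corrupted content, a file not restored,
        # and a leftover that was never part of the backup.
        (restore / "ledger.csv").write_text("id,amount\n1,999\n")
        (restore / "notes.txt").unlink()
        (restore / "stale.tmp").write_text("x")
        damaged = verify_restore(manifest, restore)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:  ", clean)
    print("damaged restore problems:", damaged)
```

The manifest should be kept with the backup catalogue, not only on the production system, so that it survives whatever destroyed the original data; a restore test that reports an empty problem list is the evidence auditors will ask for.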
3-2-1 backup rule expanded
3-2-1 has evolved into 3-2-1-1-0
The concept of 3-2-1-1-0 is not new, but it isn’t highly publicized or preached in backup circles. It’s time to upgrade the conversation.
3-2-1-1-0 starts with similar guidance as 3-2-1 (three copies, two formats, one offsite) but adds more precautions relevant to a modern approach to backups.
Source: Veeam Community
“Adhering to the 32110 backup rule is essential for maintaining robust data resilience in today’s digital landscape. By following the rule’s principles of creating multiple copies of data, employing different media types, implementing air gaps, and ensuring zero errors and warnings, organizations can significantly enhance their disaster recovery capabilities.”
Source: Cyberfortress, 2023
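An added example, not from the page or any vendor it cites, showing how the 3-2-1-1-0 rule can be checked mechanically against an inventory of copies. The `Copy` fields, the rule interpretation (the production copy counts toward the three, as 3-2-1 is usually stated, and "zero errors" means every backup copy passed its most recent restore or boot test, with an untested copy counting as a failure) and both inventories are assumptions made for the example; the second inventory is loosely modelled on the case study’s triple coverage.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Copy:
    """One copy of a protected data set; the production copy is included."""
    name: str
    media: str                          # e.g. "cloud-block", "backup-appliance", "removable-disk"
    offsite: bool                       # held at a different site from production
    offline: bool                       # air-gapped, disconnected, or immutable (WORM) storage
    production: bool = False            # the live copy: counts toward "3" but is never a backup
    verified_ok: Optional[bool] = None  # result of the last restore/boot test; None = never tested


def evaluate_32110(copies):
    """Apply each element of 3-2-1-1-0 and return {rule: passed}.

    3 copies in total, 2 different media types, 1 backup offsite, 1 backup
    offline or immutable, and 0 errors (every backup copy's latest test passed).
    """
    backups = [c for c in copies if not c.production]
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite backup": any(c.offsite for c in backups),
        "1 offline/immutable backup": any(c.offline for c in backups),
        "0 errors": bool(backups) and all(c.verified_ok is True for c in backups),
    }


def gaps(copies):
    """Rules not met, in 3-2-1-1-0 order; an empty list means the rule is satisfied."""
    return [rule for rule, ok in evaluate_32110(copies).items() if not ok]


# Constructed inventories. BEFORE is a single daily snapshot kept by the cloud host
# in the same cloud as production and never restore-tested. AFTER adds an hourly
# backup appliance at another site that boot-tests its images, plus a daily export
# to a removable disk kept offline.
BEFORE = [
    Copy("prod-vms", "cloud-block", offsite=False, offline=False, production=True),
    Copy("host-daily-snapshot", "cloud-block", offsite=False, offline=False),
]

AFTER = [
    Copy("prod-vms", "cloud-block", offsite=False, offline=False, production=True),
    Copy("host-daily-snapshot", "cloud-block", offsite=False, offline=False, verified_ok=True),
    Copy("appliance-hourly", "backup-appliance", offsite=True, offline=False, verified_ok=True),
    Copy("exported-disk", "removable-disk", offsite=False, offline=True, verified_ok=True),
]


if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: gaps = {gaps(inventory) or 'none'}")
```

The check is deliberately strict on the last element: a copy that has never been restore-tested is treated as an error, because an unverified backup gives no more assurance than no backup.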
Info-Tech’s methodology to align backups with data protection requirements
| | 1. Identify Your Data and Protection Requirements | 2. Assess Your Threats and Restoration Challenges | 3. Align Requirements With Solutions |
|---|---|---|---|
| Phase Steps | | | |
| Phase Outcomes | | | |
Info-Tech offers various levels of support to best suit your needs
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
Insight summary
Overarching insight
Organizations fail to consider all their data protection requirements when implementing a backup solution. Data protection requirements dictate that backups meet complex demands that go beyond making a copy of your files and storing it.
Phase 1 insight
Many backup managers rely on the IT team only when adding systems, services, and buckets of data to the backup system. This could be a mistake. Not including a broader audience could inevitably lead to missing some important system or application.
Phase 2 insight
The bottom line is that cyberthreats are nothing to ignore, and they are not going away. The good news is that as threats increase and evolve, the defense tactics that protect your data and backups today will continue to work against that new threat that appears next week, next month, or even next year.
Phase 3 insight
Backups are a critical component of disaster recovery and business continuity plans. They also come up in infrastructure roadmap discussions, cloud offering discussions, and even strategic corporate discussions. Maintain good channels of communication with other thought leaders in your organization to keep up with new developments and keep your backups aligned with your data protection requirements.
Tactical insight
Data protection requirements are constantly changing and becoming more challenging at the same time. Your backup solution, which was good enough in the past, may no longer be adequate.
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
| Backup Alignment Workbook | Backup Alignment Workflow Template | Backup Alignment Vendor Evaluation Scorecard |
|---|---|---|
| Use the Backup Alignment Workbook to organize your activities as you work through the various phases and steps of the blueprint. | Work with your team to define your steps to restore files, servers, applications, or systems into your existing production environment, or to address solutions when that production environment is not available. Transfer your steps into a workflow diagram for easier understanding. | This tool provides a resource to compare up to 4 separate backup solution vendors on criteria such as adherence to RFI instructions, vendor-specific information, vendor understanding of project goals, product viability and history, terms and conditions of any vendor proposals, the results of a solution demo, cost summary, and, most importantly, your own backup solution requirements. |
Key deliverable:
Backup Alignment Plan Presentation Template
The purpose of this presentation is to help you create a single repository for information regarding your organization’s backup alignment with your data protection requirements. The presentation will contain the results of all your activities throughout the blueprint phases and steps summarized in one location. Data lists, threat considerations, threat risk ratings, backup solution requirements, vendor evaluation templates, test schedules, and update schedules will all be included for presentation to executives or auditors as necessary.