When it comes to backups, there are some obvious questions to ask – starting with “are we backing up our data regularly?”
But there are also critical data backup questions you should be asking that are not necessarily so obvious. Simply having backups in place is no guarantee that your data is actually safe. Nor is following outdated backup best practices, such as the 3-2-1 backup rule.
With that reality in mind, here’s a look at 10 questions that every organization should be asking itself. The answers to these questions provide essential insight into whether your backup strategy is simply covering the basics, or goes above and beyond in ways that maximize your ability to protect data and maintain business continuity when the unexpected happens.
Basic data backup practices
Before diving into less-than-obvious data backup questions, let’s go over the basics of data backup – meaning the types of practices that are absolutely fundamental for an effective backup strategy.
They include:
- Defining an appropriate Recovery Time Objective (RTO) and Recovery Point Objective (RPO), which determine how often you need to create backups of your data.
- Ensuring that your backup frequency reflects the RTO and RPO goals you set.
- Having a recovery plan in place so that you actually know what to do when it comes time to restore data.
- Testing backups regularly to mitigate the risk of failed recovery.
- Storing multiple copies of data backups, ideally in multiple places, to minimize the risk of having all of your backup data wiped out.
You don’t win any awards for following these backup practices. These are just the bare essentials that every organization needs to have in place to stake any kind of credible claim to operating an effective backup program.
Advanced backup practices
When it comes to something as important as data backup, you shouldn’t settle for the bare minimum. You should also implement advanced backup practices that maximize your ability to keep backup data safe and use it for effective recovery.
How do you know whether you have advanced backup practices in place? Ask the following questions.
1. Do we have a failover region?
A failover region is a cloud region separate from the one that normally hosts your production workloads. In the event of a failure in your primary region, you can restore data and workloads within the failover region.
It’s possible, of course, to set up a failover region as part of your recovery operations. But that takes time and effort, delaying recovery. A better strategy is to configure a failover region ahead of time so that you can switch over to it as rapidly as possible.
Perhaps you’re thinking, “But we don’t want to pay for two regions!” That’s a fair point, given that your cloud bills will increase if you operate in two regions at once. However, failover regions can be inexpensive to maintain if you leverage strategies like “pilot light” – which means keeping a minimal environment running in the failover region.
The environment will cost little to operate because it doesn’t include much. But as long as you have a disaster recovery tool like N2WS Backup & Recovery that enables immediate restore into a different region, you can rapidly scale up your backup environment to become your new production environment in the event that a regional outage takes out your original production environment.
2. Do we need cross-cloud protection?
Even if you have a failover region set up, that may not be enough to protect against the most serious cloud outages. If multiple cloud regions go down at once – or if there is an issue such as a major networking problem that affects an entire cloud platform, loss of data due to a ransomware attack, a malicious internal attack by one of your employees (or former employees) or accidental data deletion from your cloud environment – having a failover region set up won’t necessarily save you.
That’s why you should also consider setting up a backup environment in a separate cloud. If a worst-case scenario strikes your primary cloud, you can fail over to the other cloud.
Here again, operating a separate cloud will increase your cloud bills, but you can save money by maintaining a minimal environment in the non-production cloud.
3. Do we regularly test full-scale recovery operations?
Data backup and recovery testing can mean many different things – from occasionally checking whether a recovery script actually runs, to performing a full-scale simulation of a recovery in response to a total outage.
Ideally, you’ll be doing the latter on a regular basis. It’s only when you can perform a complete recovery drill – and document what happens during it – that you gain the highest degree of readiness for actually recovering quickly from a real failure.
4. Are we reviewing compliance mandates?
Increasingly, compliance frameworks include requirements to ensure that reasonable backup and recovery protections are in place. What counts as “reasonable” varies from one framework to the next, but practices such as storing backup data off-site and testing recovery plans may be essential for meeting compliance rules.
To that end, organizations should assess which compliance mandates apply to them in the realm of data backup and recovery, and ensure that their backup strategies meet the requirements.
5. Are we securing our backup data and network?
If threat actors encrypt or delete your production data, you’ll want to restore operations from your backups. But what if the bad guys manage to encrypt your backup data, too, making it impossible to use it for recovery unless you pay them ransom to decrypt the data? What if the backups contain sensitive information that falls into the wrong hands? Or what if threat actors launch a Denial-of-Service (DoS) attack against your network that impedes your ability to recover data?
To protect against risks like these, you should properly secure your backup data, as well as your network. Encrypting backups makes it more challenging (albeit not impossible) for attackers to find and abuse backup data, and network defenses help to keep your network operational when you need it for recovery.
- Incorporate immutable backups: Implement immutable backups to protect against ransomware attacks and accidental deletions. These backups cannot be modified or deleted for a specified retention period, ensuring data integrity.
- Utilize cloud-native disaster recovery orchestration: Use cloud-native disaster recovery orchestration tools like N2WS Backup & Recovery to automate failover and failback processes. These tools streamline recovery by automating the entire process, reducing downtime.
- Utilize network segmentation for backup environments: Isolate your backup environments using network segmentation to protect against lateral movement attacks. This practice ensures that if your production network is compromised, your backup data remains secure.
- Monitor and audit backup activities with real-time alerts: Set up real-time monitoring and alerts for all backup and recovery operations. This allows you to detect issues as they occur and respond quickly to any irregularities, ensuring continuous protection.
- Integrate compliance checks into your backup process: Automate compliance checks within your backup process to ensure all backups meet regulatory requirements. Use tools that can verify encryption, retention policies, and geographic restrictions automatically.
6. Are we cloning and capturing infrastructure settings?
Backing up data is not enough to guarantee successful, rapid recovery. You also need to be able to restore the infrastructure configurations that your workloads depend on – such as networking rules, IAM policies and storage tier settings, to name just a few.
This is why cloning and capturing infrastructure settings in addition to backing up data itself is an essential part of an effective backup and recovery strategy.
7. Do we store multiple copies of our backups across diverse locations?
Encrypting backups is one way to prevent tampering with the critical information you’ll need to restore operations in the event of a data breach. But it doesn’t safeguard your business against risks like accidental deletion of backup data by one of your admins, or by a poorly configured software tool. Nor does it protect against risks like a natural disaster that destroys the physical infrastructure that hosts your backups.
This is why creating multiple copies of backups and storing them in different locations is a best practice. The rule of thumb was once the 3-2-1 backup rule, which states that organizations should have a total of three instances of their critical data (one instance can be the production data itself, while the other two are backups). Two instances of the data should be stored on separate storage media to mitigate the risk that infrastructure failure will lead to loss of critical information, and one copy should exist in a remote site – so that even if your entire production data center is wiped out, you’ll still be able to recover.
However keep in mind with new cloud capabilities and emerging compliance requirements, the 3-2-1 backup rule has become outdated as now off-site can mean both physically, a different region and even another cloud. Also in addition to data being replicated, network and infrastructure settings should be cloned and captured for a completely reliable failover and smooth transition back to production.
8. Do we know what to prioritize during recovery?
During recovery operations, your eventual goal is to recover all of your data. But in all likelihood, some data is more important for business operations than others. Word documents that no one has opened in three years probably don’t need to be recovered as quickly as a database connected to revenue-generating applications, for instance.
That’s why it’s critical to decide ahead of time, as you run recovery orchestration drills which data you’ll prioritize and factor your priorities into recovery planning. Otherwise, the chances that you can recover critical resources quickly enough to prevent serious disruptions to your business are much lower.
9. Who handles data recovery – and what if they’re not available?
Most organizations with a basic data recovery plan in place have designated individuals to manage data recovery operations. But what they don’t always plan for is the chance that those people won’t be available – or that they’re simply unreachable during an outage due to the failure of standard communication channels.
These are the types of risks you need to address to take your recovery plans to the next level. Ideally, you’ll develop a recovery strategy that will work no matter who ends up performing recovery. This becomes possible when you leverage backup and recovery tools that are available from a central location, with no scripting or special expertise required to use them.
10. How do we communicate with customers during an outage?
Communicating with customers or other external stakeholders during an outage isn’t strictly necessary for recovery data successfully, so we’re not going to include this as one of the “main” questions you should ask yourself.
But from the perspective of brand protection and customer satisfaction, effective external communication during an outage is critical. To that end, it’s worth asking whether you have a communications plan in place – and whether the people who will spearhead communication (which is typically your PR or communications department, although other groups, like sales and customer support, may need to be looped in as well) know what they need to do to keep customers appropriately informed when an outage occurs.
Taking data backup and recovery to the next level
Today, having basic data backup and recovery practices in place is like washing your hands when you use the restroom: It’s a fundamental expectation, not a sign of special enlightenment. If you want to stand out from the crowd – and optimize your business’s ability to protect itself against cyberattack and accidental data loss – you need to aim higher by implementing solutions like failover regions, backup security, and beyond.
N2WS makes it easy to implement a next-level backup and recovery strategy. With N2WS, you get not just a comprehensive set of backup, disaster recovery, and lifecycle management capabilities, but also the ability to perform regular disaster recovery drills and tests and create documentation along the way. N2WS lets you identify which resources to prioritize during recovery, too, and it offers advanced features like cross-region backup and infrastructure settings cloning.
