Backup Systems All Need These 10 Things

Look, I’ve been doing this backup thing for a long time. And I can tell you right now that most companies think they have backups when they really don’t. They’re missing key pieces that turn what looks like a solid backup system into a house of cards waiting to collapse.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/

After decades in this industry, I’ve seen every possible way a backup system can fail. I’ve also seen what works. So Prasanna and I put together a list of the 10 design elements that every backup system absolutely must have. Miss even one of these, and you’re taking risks you probably can’t afford.

The 3-2-1-1-0 Rule: Your Backup System’s Foundation

First up is the 3-2-1 rule, which has evolved into the 3-2-1-1-0 rule. Here’s what that means: three copies of your data, two different types of media, one copy offsite, one copy that’s immutable, and zero errors because you’ve done proper validation.

If your backup system doesn’t meet at least the basic 3-2-1 standard, you don’t really have backups. You have a single point of failure dressed up to look like data protection. The immutable copy is critical now because ransomware specifically targets backup systems. And zero errors? That’s where validation comes in, which we’ll get to.
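Here is one way to turn the 3-2-1-1-0 rule into a repeatable check. This is an added example, not code from the podcast or any backup product. The inventory, its field names, and the choice to count the production copy as one of the three are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    role: str                     # "production" or "backup"
    media: str                    # e.g. "disk", "tape", "object-storage"
    offsite: bool = False
    immutable: bool = False
    verify_errors: Optional[int] = None   # None = never validated by a restore test

def check_32110(copies):
    """Evaluate each part of the 3-2-1-1-0 rule; returns {rule: passed}."""
    backups = [c for c in copies if c.role == "backup"]
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 immutable": any(c.immutable for c in backups),
        # An unvalidated backup counts as a failure, not as "no errors seen".
        "0 errors": bool(backups) and all(c.verify_errors == 0 for c in backups),
    }

def failures(copies):
    """Names of the rule parts this inventory does not meet."""
    return [rule for rule, ok in check_32110(copies).items() if not ok]

# Constructed inventory: looks complete, but the offsite copy was never validated.
INVENTORY = [
    Copy("prod-nas", "production", "disk"),
    Copy("local-repo", "backup", "disk", verify_errors=0),
    Copy("cloud-vault", "backup", "object-storage", offsite=True, immutable=True),
]

if __name__ == "__main__":
    for rule, ok in check_32110(INVENTORY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
```
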

Automated Scheduled Backups

If you’re not doing scheduled backups, you’re not really doing backups. Period. And I’m not talking about you manually running backups on a schedule – I mean automated, scheduled backups that run whether you remember them or not.

Get humans out of the system as much as possible. People forget. People get busy. People leave the company. Your backup system needs to run automatically based on what you and the business have decided. If you’re relying on someone to push a button, you’ve already failed.

Recovery Testing and Validation

Here’s the truth: no one cares if you can back up. They only care if you can restore. Recovery testing needs to be part of your backup system design from day one.

I remember working at a large cell phone manufacturing company. We’d been backing up for months, feeling pretty good about ourselves. Then we did a recovery test and found out the tape drives could write just fine, but they weren’t so good at reading. You only find out about problems like that when you actually test your restores.

There was another time we turned on a new compression feature in our backup system. Looked great on paper. But we never tested it. When we finally tried to restore from tape, it was ultra slow. Turns out the feature had design assumptions that just weren’t true. You won’t know about stuff like that until you actually do testing.

Defined Recovery Objectives: RTO and RPO

Your backup system needs defined recovery objectives. That means knowing your Recovery Time Objective (RTO) – how long you can be down – and your Recovery Point Objective (RPO) – how much data you can afford to lose.

These aren’t just acronyms for your next meeting. They’re agreements with your business about what you’ll deliver when disaster strikes. If the business needs to be back up in 4 hours but your backup system takes 24 hours to restore, you’ve got a problem. Design your backup system around these objectives, not the other way around.

Backup System Security and Isolation

Ransomware changed everything about backup security. Attackers know that if they can hit your backups, you’re way more likely to pay the ransom. That’s why your backup system needs proper security and isolation built in.

Air gaps, immutability, and proper access controls aren’t nice-to-haves anymore. They’re required. If an attacker can reach your backups with the same credentials they used to hit your production environment, your backup system has a fatal flaw. Design in security from the start.

SaaS Backup Protection

I don’t care what Microsoft tells you – your Office 365 data isn’t backed up by default. Same goes for Google Workspace. These vendors have service level agreements about uptime, not data protection. If a user deletes something or your tenant gets compromised, you need your own backup system for that SaaS data.

Too many companies assume their cloud provider is handling this. They’re not. Build SaaS backup into your overall backup system design, because that data is just as critical as what’s in your data center.

Documentation and Runbooks

Documentation seems boring until it’s 2 AM, everything’s on fire, and you’re trying to figure out how to restore for the first time. Every backup system needs proper documentation and runbooks that anyone on your team can follow.

Write down the steps. Document the exceptions. Keep it updated. When disaster strikes, you don’t want to be learning your backup system under pressure. The time to figure out how things work is now, while everything’s calm.

Retention Policies

How long should you keep backups? Your backup system needs defined retention policies based on both business needs and compliance requirements. Some data might need to be kept for 7 years. Other data might only need 30 days.

And don’t forget about legal hold. If you’re in litigation, you might need to keep certain backups indefinitely until the case resolves. Build retention management into your backup system so you’re not scrambling when legal comes calling.
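A sketch of how retention and legal hold interact when deciding what may be expired. This is an added example, not from the podcast or any product. The data class names, catalogue entries, and the rule that an unclassified backup is kept are assumptions.

```python
from datetime import date

# Retention per data class in days. The class names are constructed; the
# durations mirror the post's examples (7 years approximated as 7 * 365 days).
POLICY_DAYS = {"finance": 7 * 365, "scratch": 30}

def retention_decisions(backups, policy_days, held_classes, today):
    """Map backup id -> decision. Legal hold wins over every other rule."""
    decisions = {}
    for b in backups:
        limit = policy_days.get(b["data_class"])
        age = (today - b["created"]).days
        if b["data_class"] in held_classes:
            decisions[b["id"]] = "keep: legal hold"
        elif limit is None:
            # No policy defined: keep and surface it rather than guess.
            decisions[b["id"]] = "keep: no policy"
        elif age > limit:
            decisions[b["id"]] = "expire"
        else:
            decisions[b["id"]] = "keep: within retention"
    return decisions

# Constructed catalogue of backup sets.
CATALOGUE = [
    {"id": "scr-001", "data_class": "scratch", "created": date(2024, 11, 1)},
    {"id": "scr-002", "data_class": "scratch", "created": date(2024, 12, 15)},
    {"id": "fin-001", "data_class": "finance", "created": date(2017, 1, 1)},
    {"id": "hr-001",  "data_class": "hr",      "created": date(2020, 3, 1)},
]

if __name__ == "__main__":
    today = date(2025, 1, 1)
    for held in (set(), {"finance"}):
        print("holds:", sorted(held))
        for bid, d in retention_decisions(CATALOGUE, POLICY_DAYS, held, today).items():
            print(f"  {bid}: {d}")
```
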

Monitoring and Alerting

A backup that fails silently is worse than no backup at all. At least with no backup, you know you’re in trouble. Your backup system needs monitoring and alerting that tells you immediately when something goes wrong.

Did last night’s backup complete? Were there any errors? Is the backup size what you expected? You need to know about problems right away, not three months later when you try to restore and discover your backups haven’t been working.
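Those three questions can be asked of job history automatically. This is an added example, not code from the podcast or any backup product. The record fields, job names, and the 50% size tolerance are assumptions.

```python
from statistics import median

def audit_jobs(history, expected_jobs, night, size_tolerance=0.5):
    """Return a sorted list of (job, alert) for the backup window `night`.

    Dates are ISO strings (YYYY-MM-DD), so plain string comparison orders them.
    """
    alerts = set()
    for job in expected_jobs:
        runs = [r for r in history if r["job"] == job]
        last = next((r for r in runs if r["night"] == night), None)
        if last is None:
            alerts.add((job, "missing"))          # never ran: the silent failure
            continue
        if last["status"] != "success":
            alerts.add((job, "failed"))
            continue
        if last["errors"] > 0:
            alerts.add((job, "errors"))
        # Compare size with the median of earlier successful runs.
        prior = [r["bytes"] for r in runs
                 if r["night"] < night and r["status"] == "success"]
        if prior:
            baseline = median(prior)
            if baseline and abs(last["bytes"] - baseline) / baseline > size_tolerance:
                alerts.add((job, "size"))
    return sorted(alerts)

def _run(job, night, status, errors, gib):
    return {"job": job, "night": night, "status": status,
            "errors": errors, "bytes": gib * 2**30}

# Constructed job history, not output from any real backup product.
HISTORY = [
    _run("fileserver", "2024-05-01", "success", 0, 100),
    _run("fileserver", "2024-05-02", "success", 0, 102),
    _run("fileserver", "2024-05-03", "success", 0, 101),
    _run("fileserver", "2024-05-04", "success", 0, 3),    # "succeeded", but tiny
    _run("database",   "2024-05-03", "success", 0, 40),
    _run("database",   "2024-05-04", "failed",  2, 0),
    _run("mail",       "2024-05-03", "success", 0, 60),   # no run on 05-04
]

if __name__ == "__main__":
    for job, alert in audit_jobs(HISTORY, ["fileserver", "database", "mail"], "2024-05-04"):
        print(f"ALERT {job}: {alert}")
```

The job list comes from what should have run, not from what did, which is why the missing mail job is caught at all.
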

Endpoint Device Protection

Finally, don’t forget about endpoints – phones, tablets, and laptops. If you have data being created on endpoint devices, your backup system needs to protect that too.

If you’re just using cloud services that sync automatically, you might be fine. But if you have third-party apps creating data that only lives on the device, you’ve got a problem. I don’t want to hear about Steve’s phone with all the job site photos getting run over by a truck and taking your critical data with it. Protect those endpoints.

These 10 elements aren’t optional. They’re the foundation of any backup system that actually works when you need it. Take a look at your current setup. Are you missing any of these? If so, it’s time to fix that before you find out the hard way that your backups aren’t really backups.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
