Backing up your organization’s data sounds like a fairly simple thing to do. However, it’s often not until something can’t be retrieved that it’s discovered that the backup strategy was poorly matched to the organization’s goals, or has been poorly implemented. With organizations increasingly relying on their data and IT systems to operate and to service their clients, this is a level of risk that should be reviewed and minimized. The ten components below should be kept in mind and approached proactively to ensure that you can restore that file you need when you need it.
- Classify your data – When considering a backup strategy, it’s useful to remember that not all data has the same value to you or your company. Losing the company picnic photos or an employee’s music collection is a completely different thing from losing a database powering your main Oracle ERP system, and the two would have correspondingly different impacts on your business, and clients, if the data was lost. To have the most efficient backup, classify the data into different groups, and treat them differently from a backup standpoint. One classification may even mean that the data is not backed up at all.
- Understand your data – Once your data has been classified, it is time to establish a recovery point objective (RPO) and recovery time objective (RTO) for each data class. These will determine how frequently backups are conducted, along with the extent and method of backup required. The answers to other questions, such as what level of security is needed to protect the data, how often a restore is likely to be conducted and how long the data needs to be retained, will also impact the selection of the solution to be put in place.
- Don’t forget about mobile devices – With more and more enterprise users utilizing mobile devices as their main device for conducting business, protecting the data held on those devices (from contacts and emails through to spreadsheets, documents, photos and personalized device settings) becomes more and more critical to business operations. No longer does the loss or failure of a device simply mean that only a couple of phone numbers have to be reentered into the new phone; critical data can be lost!
- Choose the backup strategy and method – Different data sets may require different solutions in order to optimally meet the goals of the business. Tiered recovery, known as Backup Lifecycle Management or BLM, is the most cost-effective approach to storing data today. In most companies, more than 50% of data is older, of less value, and should cost less to protect. By setting up the correct strategy, you can align the age of your data to the cost of protecting it.
- Assign a responsible party for ensuring successful backups – Just because a backup strategy has been implemented doesn’t mean it’s going to run successfully every time. Contention, lack of storage media and timing issues can occur and need to be dealt with in a timely fashion to make sure the data is protected. To ensure this happens, it’s recommended that responsibility for it is clearly assigned.
- Secure your data – The backup data, whether it’s held on tape, on disk or offsite in the cloud, should be protected both physically and logically from those who do not need access to it. Even those who are actively managing the backup process often do not need to work with the data in its raw form; they can manage the process with the data encrypted, adding another level of security and privacy. Although the best practice is to encrypt the data both in flight and at rest on the backup media, it is often not put in place because of the extra time required to encrypt the data during the backup process, which increases the backup window required. Ideally, look for 256-bit AES encryption.
- Conduct test restores – It’s always preferable to find an issue proactively rather than reactively, when there is no hope of restoring the data or time constraints are in place. So conduct periodic test restores of data to ensure that the process is working as planned.
- Keep track of your backups and document – Documentation is key for control of the process and security around your data. Ensure that the backup process, methods, goals and ongoing operational status are documented, both for internal purposes and to comply with any third-party audit requirements such as FDIC, HIPAA or PCI.
- Destroy backup media appropriately – Whether you are handling HIPAA, credit card or “regular” corporate data, it is a best practice to ensure that you are sufficiently keeping track of the backup media through its useful life all the way through to physical destruction. As common practice, and to minimize any data leakage, this life cycle should be documented both from a process perspective and an actual traceable activity standpoint.
- Things change, review your strategy and implementation on a regular basis – if there is one thing in business and technology that holds true, it is that change is constant. With this in mind, a regular review of what is being backed up (or not) and verification that the business requirements around the data are consistent should be conducted.
In a world where the volume of data to be backed up is increasing substantially year over year and the complexity of IT systems is not decreasing, proactive planning, management and execution are becoming ever more important. I hope these ten components of a successful backup and recovery implementation help guide you towards tackling that challenge head on.