There was a time when the focus of backup was ensuring that the business has recoverable data in the event of a disaster or a business need – such as litigation.
However, as data today can reside on virtually any device and platform, CIOs and data protection officers also need to worry about making sure data is recoverable and protected against threats – both physical and digital.
In the report, The Criticality of Data Integrity for Successful Cyber Resilience… and More, ESG senior analyst for data protection Christophe Bertrand noted that “organisations are trying to overcome data-compliance and data-governance challenges against a backdrop of frequent attacks by savvy cybercriminals.
“Simply leveraging backups to remediate those attacks won’t suffice. Robust content indexing and data classification are also needed, not only to achieve a higher degree of cyber resilience but also to boost IT’s understanding of the organisation’s sensitive data and to foster additional reuse capabilities of the data assets.”
FutureCIO approached three executives for their perspective on backup in the context of modern-day data protection strategies where data is everywhere and threats, whether intentional or accidental, are the only constant.
What is the most efficient data protection method? And how do I determine which is best for my business?
He suggested that businesses recognise the need for modern backup and storage solutions that are infrastructure agnostic, that can back up, secure, and restore data across physical, virtual, cloud, SaaS, and Kubernetes environments.
“This will allow companies to preserve their data no matter where they are or will be, throughout their Digital Transformations,” he added.
Andy Ng, VP and MD for Asia South and Pacific region at Veritas Technologies, says with growing IT complexity, the most efficient solution entails the ability to provide unified data protection for different applications and data across on-premises, virtual and hybrid cloud environments from a single pane of glass – by standardising on a single platform. This will enable businesses to achieve agility while keeping their data secure.
In the hybrid environment, what does a standard backup strategy involve?
He recommends taking the 3-2-1-1 strategy: 3 backup copies of your data on 2 different media, such as disk and tape, with 1 of those copies located offsite for disaster recovery.
“The final 1 is immutable object storage, which safeguards the information in the event of a ransomware attack and is the last line of defence. It works by continuously taking snapshots of it every 90 seconds. Even if disaster strikes, you can quickly recover your data,” he continued.
Russell suggested taking it one step further by adding a new step to that rule for guaranteed data recovery, stating that one of these copies should be immutable. “This means that the data cannot be changed, deleted, or encrypted,” he added.
Veeam also offers automated backup verification to ensure that there are zero errors in the backup process, ensuring that data is recoverable.
Ng noted that a key consideration for a hybrid cloud is ensuring that irrespective of where the data is located, it can be properly managed and protected. With remote working now the norm, it is also important to address the data sprawl this has created.
He suggested that organisations consider adopting key steps to regain control of data, such as using a standardised set of collaboration and messaging tools to meet business needs and limit data sprawl.
“Also, create policies for information sharing to control the sharing of sensitive information, incorporating all data sets into the protection and compliance strategy and training all employees on the tools and policies to reduce accidental data breaches,” Ng continued.
Given that data is everywhere, including in some SaaS applications, how do I verify my backups?
Ng warned of an alarming misconception that SaaS providers are responsible for backing up and protecting cloud data.
“The truth is that, as part of their standard service, most cloud providers only provide a guarantee of the resiliency of their service. Storing data in the cloud does not automatically make it safe, it still requires strong data protection,” he posited.
Florian suggests choosing a solution that combines security controls, ransomware detection, and data protection to ensure security across private cloud, public cloud, and SaaS-based environments.
“It should also deliver backup and disaster recovery services, including protection for physical, virtual, and cloud workloads,” he suggested.
When formulating backup strategies that include SaaS, Russell suggests focusing on preparation, assuming the worst, keeping compliance in mind, checking your responsibilities, and planning an exit strategy.
He stressed the importance of defining clear roles and responsibilities between SaaS and Backup admins to ensure that every stage of data protection has an owner.
“With SaaS growth accelerating and driving growth in Kubernetes deployment, businesses must not only establish clear lines of responsibility but also work with a third party backup specialist,” – Dave Russell
When evaluating a backup strategy, what are the top 3 questions I should ask?
As with all things that involve technology, including those for which organisations are merely hiring the services of a third party, Russell suggests asking:
- How important is your data?
- How much data can you afford to lose?
- How fast do you need to recover your data and be operational again?
Malecki adds to the list how much testing should be done, how to protect individual users from being vulnerable to cyberattacks, and what measures to put in place to respond to and mitigate a cyberattack.
Ng, for his part, suggests asking if the business can secure and monitor its data effectively, as well as if the backup solution can be consolidated to reduce IT complexity.
He opined that in a hybrid environment, a sound backup strategy should ensure that an organisation’s critical workloads are backed up both in the cloud and offline, to ensure that data is effectively secured and compliant.
What questions should the CIO ask his team to ensure that their backup strategy complies with the company's risk appetite?
Russell believes the CIO should focus on ensuring the business remains in business and is able to weather the different challenges it will likely face during business-as-usual.
“An ideal approach would be for the CIO to ensure that the requisite policies are put in place to manage the lifecycle of data in terms of the backup frequency, the data retention phases and the management of data storage mechanisms.” – Andy Ng
Malecki suggests asking if data protection is a primary objective of the company’s security policies. He also recommends asking if one has data immutability built in to protect the organisation from ransomware and whether staff have been through extensive cybersecurity training.
Where does backup fit in the organisation's data protection strategy?
Ng says data protection is the process of safeguarding important information from corruption, compromise or loss and includes both the operational backup of data, as well as disaster recovery capabilities.
“An effective backup strategy will ensure data is always available for businesses, even if the data is damaged or lost due to application and user errors, ransomware attacks, machine failure or facility outages,” added Ng.
Malecki believes that companies need data protection to achieve their primary objective of data security and availability. How well they achieve this depends on data backup and storage. These solutions underpin all business operations and are prime targets for hackers during cyberattacks.
“They should, therefore, also be the top priority when preparing data security policies. Finally, immutable storage solutions are the last line of defence against a ransomware attack and must be part of the data protection strategy.” – Florian Malecki
According to Russell, backup and recovery solutions are essential foundations of any organisation’s Modern Data Protection strategy. He opined that organisations need to ensure their data protection capabilities keep pace with the demands of their business, to close the gap between how much data they can afford to lose after an outage versus how frequently data is backed up.
“Backup is often your last line of defence against equipment failure, software corruption, natural disaster, and cyber events, and as such, it is the foundation of a complete data protection strategy,” he concluded.
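The 3-2-1-1 rule and the gap between tolerable data loss and backup frequency, both described above, can be checked against a backup inventory. The following is an added example, not code from the article or from any vendor it quotes; the `BackupCopy` record, the `audit` function and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BackupCopy:              # hypothetical inventory record
    name: str
    media: str                 # e.g. "disk", "tape", "object"
    offsite: bool
    immutable: bool
    last_success: datetime     # last successful, verified backup

def hours(delta):
    return delta.total_seconds() / 3600

def audit(copies, rpo, now):
    """Return {finding: detail} for a 3-2-1-1 and data-loss-window audit."""
    findings = {}
    if len(copies) < 3:
        findings["copies"] = f"{len(copies)} copies, need 3"
    media = {c.media for c in copies}
    if len(media) < 2:
        findings["media"] = f"{len(media)} media type(s), need 2"
    if not any(c.offsite for c in copies):
        findings["offsite"] = "no offsite copy"
    immutable = [c for c in copies if c.immutable]
    if not immutable:
        findings["immutable"] = "no immutable copy"
    # Ordinary outage: data loss is bounded by the newest copy of any kind.
    # Ransomware: assume every mutable copy is changed, deleted or encrypted,
    # so only the newest immutable copy bounds the loss.
    for key, pool in (("outage_rpo", copies), ("ransomware_rpo", immutable)):
        if pool:
            age = now - max(c.last_success for c in pool)
            if age > rpo:
                findings[key] = f"newest copy {hours(age):.0f}h old, limit {hours(rpo):.0f}h"
    return findings

# Constructed sample inventory (not from the article).
NOW = datetime(2024, 3, 31, 12, 0)
RPO = timedelta(hours=24)          # how much data the business can afford to lose
SAMPLE = [
    BackupCopy("nas", "disk", False, False, NOW - timedelta(hours=1)),
    BackupCopy("vault", "tape", True, False, NOW - timedelta(hours=20)),
    BackupCopy("locked-bucket", "object", True, True, NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    for key, detail in audit(SAMPLE, RPO, NOW).items():
        print(f"{key}: {detail}")
```

The sample inventory satisfies every count in 3-2-1-1 and still fails the audit, because the only immutable copy is older than the tolerable loss window.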
Happy World Backup Day!