
Summary
Many organisations fail to understand that backing up data is not enough – to avoid problems, they must also test the integrity of their backups and their ability to quickly restore data. Cyber security and IT expert Intersys recommends immutable backups for data integrity and multiple layers of redundancy based on a 3-2-1 strategy, according to your level of need. They also recommend using trusted data backup testing and recovery providers such as Veeam to ensure compliant, robust backups that get your organisation up and running quickly in the event of a data disaster.
Introduction
You’ve suffered a ransomware attack. Or human error has resulted in a mass data loss. But it’s okay – your business has a backup and recovery plan in place. It’s just a case of restoring the data, getting back on your bike and away you go.
Isn’t it?
Well, it might be. But it also might not. And if this blog post has one overriding message, it’s this: you must regularly undertake backup and recovery testing to ensure you are correctly and efficiently backing up your data. The cost of not doing so could be catastrophic.
Key reasons to test your backups
You need to undertake backup and recovery testing because you could encounter the following issues:
Corruption
Your backup files are corrupted and you cannot access some or all of the data successfully.
False reporting
Your backups might report as having been successful when in reality they’re not. This can happen if the backup targets hosts or systems that have been decommissioned or no longer contain the expected data, so the job completes without actually protecting anything.
Attacks
Ransomware attacks can infiltrate your backups if they are not stored safely, which pretty much makes your backup a redundant concept.
Time to restore
An often-overlooked fact is that even if you do have a working backup, restoring from it can take up to a week. How will your business cope during this time? And how much will it lose in terms of reputation and money?
A best practice backup strategy
While testing is intrinsic to your disaster recovery planning, you can prevent many problems by ensuring your backup protocol follows best practice. Here are two fundamental concepts for creating robust backups.
1. Immutable backups
Firstly, an immutable backup should form part of your backup strategy.
As the name suggests, an immutable backup is stored in a read-only state that cannot be modified, deleted or encrypted for a defined period of time. The advantages of this type of backup include:
Data corruption prevention: the backup cannot be maliciously altered, which protects against data corruption, accidental modifications or deletions.
Protection from cyber attacks: immutable backups can’t be encrypted or deleted by ransomware or malicious insiders.
Compliance with regulations: many regulations such as GDPR and HIPAA require strong data protection measures that immutable backups deliver – namely, data protection and safeguards against unauthorised changes, tamper-proof records and verifiable audit trails.
Faster recovery time objectives (RTOs): restores can take time, but a clean, immutable backup speeds up the process significantly.
Lower recovery point objectives (RPOs): Immutable backups enable you to back up more often and securely retain restore points, which minimises data loss.
As you’ll see, immutable backups are a key part of our methodology for comprehensive backups for an organisation.
2. Backups with multiple layers of redundancy
Secondly, you need multiple layers of redundancy. This means having several independent backup copies stored in different ways or places, so if one backup fails, you have others to fall back on.
Yacer Sellam, Intersys’ Head of Infrastructure, explains our approach. As a cyber security company complying with ISO 27001 and National Cyber Security Centre guidelines, we set the bar high and recommend some or all of the below to clients, depending on their level of need.
Says Yacer:
‘Intersys implements a comprehensive 3-2-1 backup strategy, an approach that focuses on immutable backups and multiple layers of redundancy. This mandates you have three copies of data (one original + two backups); two different media/storage types; and one offsite copy. In fact, as you can see from the below, we exceed 3-2-1.’
The Intersys approach to backups
1. Original running live copy
2. Hyper-V replication host. This is a dedicated server for business continuity and replicates all servers every five minutes. If a catastrophe happened, it could replicate all production systems within five minutes of the last replication
3. Daily onsite disk backups to the repository on disk storage every 24 hours
4. Cloud immutable backup – we take an immediate cloud copy to immutable storage every 24 hours
5. Office disaster recovery servers – this replicates every 15 minutes for our business continuity plan
Partnering with Veeam
Veeam has become an integral part of our toolkit for backups and for backup and recovery testing. Veeam provides an automated service for the backups described in points 2 to 4 above and, crucially, the immutable cloud backup.
Says Yacer,
‘Veeam is an all-in-one platform, which undertakes your backups and your testing. (And from experience, I would definitely recommend that your backup system undertakes the testing as part of the service.) It integrates with multiple different infrastructure components, and it is detailed in its reporting and flexible about frequency. It also ties into our business continuity planning process and ISO 27001 requirements.’
Veeam’s SureBackup service for backup testing
Bringing this article full circle, Veeam also provides the backup testing that is so crucial to a data backup strategy, via its SureBackup service. This is a monthly automated (‘hands off’) verification process, where backup data objects are randomly selected and scanned for data integrity, viruses and malware.
Intersys has found this service invaluable for its own system and for clients. It’s more efficient, thorough and effective than previous methods. (Before automated testing, we used to undertake manual testing quarterly, restoring data from backup tapes.)
One exceptional feature of Veeam is its adaptability and user-friendly interface. We’ve found it key to creating a backup alert level that avoids the dreaded ‘false security’ – when you think backups are functioning correctly but they are not.
For instance, some monitoring approaches are set up to notify only for warnings or errors, but what if the backup software crashes, or the system hosting it fails? That could create a false positive situation, giving the impression everything is fine when it isn’t. To avoid that, we use Veeam together with CheckCentral for exception-based alerting, monitoring successes, warnings, and failures. If there’s a delay in a success notification, it raises an alert so we can act fast to investigate.
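The exception-based check described above, as an added Python example (not Intersys, Veeam or CheckCentral code): it alerts when an expected success report is overdue or when a job reports success but processed nothing, the 'False reporting' case from earlier. The job names, silence limits and notification records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed maximum silence per job (schedule plus tolerance); names are constructed.
MAX_SILENCE = {
    "hyperv-replication": timedelta(minutes=10),
    "onsite-disk-daily": timedelta(hours=26),
    "cloud-immutable-daily": timedelta(hours=26),
    "office-dr-replication": timedelta(minutes=30),
}

# Constructed notifications: (job, status, received_at, bytes_processed).
SAMPLE = [
    ("onsite-disk-daily", "success", datetime(2025, 1, 8, 23, 0), 5_000_000_000),
    ("cloud-immutable-daily", "success", datetime(2025, 1, 9, 23, 30), 0),
    ("office-dr-replication", "failed", datetime(2025, 1, 10, 8, 50), 0),
    ("hyperv-replication", "success", datetime(2025, 1, 10, 8, 57), 1_200_000),
]
NOW = datetime(2025, 1, 10, 9, 0)  # constructed evaluation time


def evaluate(notifications, now, max_silence=MAX_SILENCE):
    """Return {job: verdict}; every verdict other than "ok" is an alert."""
    latest = {}     # job -> (status, size) of the most recent report of any kind
    last_good = {}  # job -> time of the most recent non-empty success
    for job, status, ts, size in sorted(notifications, key=lambda n: n[2]):
        latest[job] = (status, size)
        if status == "success" and size > 0:
            last_good[job] = ts

    verdicts = {}
    for job, limit in max_silence.items():
        if job not in latest:
            verdicts[job] = "never reported"
            continue
        status, size = latest[job]
        if status != "success":
            verdicts[job] = f"last report was {status}"
        elif size == 0:
            verdicts[job] = "success reported but nothing was backed up"
        elif now - last_good[job] > limit:
            # Silence is the signal: no error arrived because nothing ran.
            verdicts[job] = "success overdue"
        else:
            verdicts[job] = "ok"
    return verdicts


if __name__ == "__main__":
    for job, verdict in evaluate(SAMPLE, NOW).items():
        print(f"{job:24} {verdict}")
```

The daily onsite job here never sent a warning or an error; it is flagged only because its last success is older than the allowed silence.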
Veeam Data Cloud for Microsoft 365
Where does MS 365 Cloud fit in all of this? And, since Microsoft is considered a very secure environment, does this data need backing up at all?
Firstly, MS 365 is built on a hyper-resilient architecture, so you don’t expect your data to be lost here. However, a virus or – more likely – human error and accidental deletions could still occur. And remember that a comprehensive backup of your data is not included in a standard Microsoft 365 license.
Veeam Data Cloud for Microsoft 365 provides comprehensive data protection and data recovery for Microsoft Exchange, SharePoint, OneDrive for Business and Teams, and support for Entra ID data protection. It offers unlimited storage and exceptionally fast data restoration with speeds of more than 1TB per hour.
For some businesses, Veeam’s Data Cloud for Microsoft 365 may be enough to secure their data. Others – and especially highly regulated industries such as financial services or life sciences – may implement layered protection. This may include combining Veeam Data Cloud with local backups or secondary cloud storage to achieve true redundancy across different providers and geographic regions. This is the methodology we outlined in our five-point backup plan above.
What backup and backup and recovery testing methodology should I choose?
Says Yacer,
‘There really is no one size fits all, but a partner such as Intersys can help you on your journey to meet your compliance and business continuity requirements. If I had to zero in on one thing, it would be that routine testing, automated or manual, must happen. Aim for a balance between how often and how much effort you spend.
‘However, we always use Veeam’s back-up and back-up and recovery testing services as part of the solution. Veeam is industry standard and, in our view, the best backup solution there is out there. We’ve tried a few providers over the years and stayed with Veeam for its robustness and simplicity.’
A final word from Yacer for highly regulated industries.
‘Many highly regulated industries use Veeam for backup and backup testing. In fact, we have several clients with strict compliance needs that achieve their goals via Veeam and its various security and recovery solutions.’
Join our operational resilience webinar
On 11 November at 10:30 am, Intersys is running a webinar, ‘Achieving Operational Resilience’, in partnership with Veeam.
We’ll cover areas such as the importance of backups and validation testing, maintaining operational resilience in the cloud and other key points to help you develop a robust backup strategy in order to achieve operational resilience.