Do you know the difference between a backup and a backup strategy?
Ask any IT professional worth their salt and they’ll tell you that, regardless of how much you spend building out your infrastructure or how advanced your systems are, your data security and reliability will only ever be as good as your backup strategy. Hardware fails, systems get breached, files get deleted, people download malicious software. One or all of these things will happen to you eventually. What protects you is having a safe copy of your data, stored effectively, so that you can get back to normal as quickly and painlessly as possible.
I have met “professionals” who think that a RAID array is sufficient protection for mission-critical data. I have seen multimillion-dollar companies convinced that a single external drive will protect them. I have seen all manner and combination of these horrendous attempts at data protection, and I still get surprised by how badly prepared some people are from time to time. Before we go any further, and regardless of its presence in our strategy pyramid, I want everyone to repeat after me: “RAID is not backup!” Make this a mantra that you live by.
Let’s quickly take a look at the kinds of threats that you need to protect against, then we can build up from there. There are 4 major categories we’ll be concerning ourselves with:
1 - Hardware Failure
2 - Accidental Damage (deleting or saving over a file, software failure or corruption, etc.)
3 - Intentional Destruction (viruses, malware, security breaches, ransomware, etc.)
4 - Environmental Damage (e.g. fire, flood, natural disasters)
If we look at the above list, we want to accomplish a couple different things with our backup strategy, and achieving them all requires a couple different tiers of solution working in tandem. Following along, we’re going to build a pyramid of stability here.
Level 1 - RAID/ZFS or similar. This IS NOT A BACKUP, but is an uptime enhancement. Having redundancies in storage hardware allows for replacement of hardware with no downtime. It does not protect against anything other than certain hardware failures, and actually INCREASES the risk of some kind of loss over time. If uptime isn’t a super critical component of your infrastructure considerations then you can safely skip this level.
Level 2 - On-site duplication. We want some form of quickly accessible on-site duplication of the data that we can recover quickly for minor issues. Downtime or lengthy downloads of backup data can be problematic in some environments. Just about any form of secondary drive or external drive can accomplish this task. You can use a scheduled backup task, or a simple drive/directory synchronization tool. This DOES, however, need to be a separate solution from any kind of RAID or hardware-level duplication you may have in place, as it is meant to be the first level of actual backup in your pyramid. This level is primarily aimed at protection from accidental damage.
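As an added illustration (not code from the original article), here is one way a scheduled level 2 job can keep dated snapshots on a secondary drive, so that a file deleted or saved over after the last run is still recoverable from the earlier snapshot. The paths, snapshot labels and sample files are constructed for the demonstration, and the labels are assumed to sort chronologically.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def snapshot(source: Path, dest_root: Path, label: str) -> Path:
    """Copy `source` into dest_root/label; files unchanged since the
    previous snapshot are hard-linked, so each run costs little space."""
    previous = sorted(p for p in dest_root.iterdir() if p.is_dir()) if dest_root.exists() else []
    target = dest_root / label
    target.mkdir(parents=True)  # raises if the label exists: never overwrite a snapshot
    for path in sorted(source.rglob("*")):
        rel = path.relative_to(source)
        if path.is_symlink():
            continue  # symlinks are skipped in this sketch
        if path.is_dir():
            (target / rel).mkdir(parents=True, exist_ok=True)
            continue
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        old = previous[-1] / rel if previous else None
        if old is not None and old.is_file() and filecmp.cmp(path, old, shallow=False):
            try:
                os.link(old, target / rel)  # same bytes, shared on disk
                continue
            except OSError:
                pass  # filesystem without hard links: fall back to a copy
        shutil.copy2(path, target / rel)
    return target


def demo() -> dict:
    """Constructed scenario: one file saved over, one deleted, one untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "data"), Path(tmp, "backup_drive")
        src.mkdir()
        (src / "report.txt").write_text("good version")
        (src / "notes.txt").write_text("keep me")
        (src / "unchanged.txt").write_text("same every day")
        first = snapshot(src, dst, "2024-01-01T0200")
        (src / "report.txt").write_text("saved over by mistake")
        (src / "notes.txt").unlink()
        second = snapshot(src, dst, "2024-01-02T0200")
        return {
            "recovered_report": (first / "report.txt").read_text(),
            "recovered_notes": (first / "notes.txt").read_text(),
            "latest_report": (second / "report.txt").read_text(),
            "notes_in_latest": (second / "notes.txt").exists(),
            "unchanged_is_hardlink": os.path.samefile(first / "unchanged.txt", second / "unchanged.txt"),
        }
```

Because the destination drive stays attached to the running system, this only covers accidental damage.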
Level 3 - A disconnected but local backup that is not continually connected to the running system(s). While level 1 is aimed at uptime and level 2 is aimed at protection from accidental damage, level 3 is starting to take aim at intentional destruction. To protect against intentional damage, the backed up data needs to be inaccessible to any entity actively trying to cause harm. No internal or external drive achieves this level of protection during the time it is connected to a running system. We do still want this level to remain on site though, so as to facilitate rapid recovery from such damage.
Level 4 - Offsite backup. All previous levels are onsite solutions. As such, they do not offer protection from environmental damage. A fire, flood, tornado, or similar that is likely to damage your primary systems is also going to damage any other onsite backups. This level needs to be somewhere geographically separated from your primary location. An extra drive/tape/etc. that someone takes home and swaps out at periodic intervals may be sufficient to accomplish this. If you have the ability to run a remote system at a second location and synchronize files to it in a secure manner, that can also solve this level. Alternatively, there are a host of online options that will also serve to fill this niche.
If you are an individual, or can continue operations while waiting to recover data from a remote solution, the right level 4 solution may be able to serve most of your requirements on its own. The caveat I will offer to that is that if the level 4 solution you are using is a commercial service, I would highly recommend maintaining ANY kind of secondary backup on the off chance that something happens to the provider. It can take time to produce a backup, and if the company/provider you are using goes away, you are left vulnerable during the time it takes you to realize this and to implement an alternative.
If you are in need of a provider for your backup needs, we will likely be putting forward a list of reputable providers in the near future. Stay tuned!