Backup Strategy Guide

Backups are the foundation of every disaster recovery plan. Without reliable backups, everything else is theoretical. This guide covers the principles, methods, and tools you need to build a backup strategy that actually protects your business.

The 3-2-1 Rule

The 3-2-1 rule is the gold standard for backup strategy. It is simple, proven, and applies to organizations of any size.

• 3 copies of your data: The original production data plus two backup copies. One copy is not enough because any single backup can fail, become corrupted, or be destroyed by the same event that takes out the original.
• 2 different storage types: Keep backups on at least two different media types. For example, a local NAS device and a cloud storage account. This protects against media-specific failures.
• 1 offsite copy: At least one backup must be stored in a different physical location. If a fire, flood, or ransomware attack destroys everything in your office, your offsite copy is your lifeline.

Some organizations extend this to 3-2-1-1-0: add one immutable (unchangeable) copy and verify zero errors through regular testing. Immutable backups are especially important for ransomware protection because attackers specifically target backup files.

Local vs Cloud Backups

The best backup strategy uses both. Each has strengths the other lacks.

Local Backups

• Pros: Fast backup and restore speeds (limited only by your local network), no internet dependency, no recurring bandwidth costs, full control over hardware
• Cons: Vulnerable to the same physical threats as your production systems (fire, flood, theft), requires hardware maintenance and replacement, limited by physical storage capacity
• Best for: Fast recovery of large datasets, first-line defense against hardware failures and accidental deletions

Cloud Backups

• Pros: Geographically separated from your office, scales without hardware purchases, often includes built-in encryption and redundancy, accessible from anywhere during a disaster
• Cons: Restore speed depends on internet bandwidth (restoring terabytes over a 100 Mbps connection takes days), ongoing monthly costs that grow with data volume, requires trust in the cloud provider's security
• Best for: Offsite protection, long-term retention, disaster recovery when primary site is inaccessible

RPO Considerations

Your Recovery Point Objective (RPO) determines how often you need to back up. RPO is the maximum amount of data loss your business can tolerate, measured in time.

• RPO of 1 hour: You need backups running at least every hour. This typically requires continuous data protection (CDP) or very frequent snapshots. Suitable for transactional systems like EHR or billing.
• RPO of 4 hours: Backups every four hours. Achievable with most modern backup solutions on a schedule. Reasonable for important but not mission-critical systems.
• RPO of 24 hours: Nightly backups are sufficient. Acceptable for file servers, email archives, and systems where a day of data loss would be inconvenient but not catastrophic.

Different systems in your organization will have different RPOs. Your billing system likely needs a tighter RPO than your marketing file share.

Testing Your Backups

A backup that has never been tested is not a backup. It is a hope. Build testing into your routine.

1. Verify backup completion daily. Check that every scheduled backup job completed successfully. Automate alerts for failures.
2. Perform a test restore monthly. Pick a random file, folder, or system and restore it to a test location. Verify the data is complete and usable.
3. Test full system recovery quarterly. Restore an entire server or application to a test environment. Verify it boots, applications work, and data is current.
4. Document restore times. Measure how long each restore takes. Compare this against your Recovery Time Objectives. If your RTO is four hours but a full restore takes twelve, you have a gap to address.

Encryption

Backup data is a high-value target for attackers. It contains everything: credentials, financial records, personal data, and business secrets.

• Encrypt backups at rest using AES-256 or equivalent
• Encrypt backups in transit using TLS
• Store encryption keys separately from the backups themselves
• If you handle PHI (Protected Health Information), encryption of backups is effectively required under HIPAA, even though HIPAA technically calls it "addressable" rather than "required"
• Document your encryption approach and key management procedures

Retention Policies

How long you keep backups depends on your business needs, regulatory requirements, and storage costs.

• Short-term (daily backups kept for 30 days): Covers accidental deletions, corrupted files, and recent incidents
• Medium-term (weekly backups kept for 90 days): Covers issues discovered after the fact, audit requests, and business needs for historical data
• Long-term (monthly backups kept for 1-7 years): Covers regulatory retention requirements. HIPAA requires six years for certain records. Financial regulations may require seven years.

Use a Grandfather-Father-Son (GFS) rotation scheme to manage retention efficiently without keeping every daily backup forever.

Backup Solutions Worth Evaluating

There is no single best backup tool. The right choice depends on your environment, budget, and requirements.

• Veeam Backup and Replication: Industry leader for virtualized environments (VMware, Hyper-V). Excellent for small to mid-size businesses. Strong Microsoft 365 backup capabilities. Licensing is per-workload.
• AWS Backup: Native backup service for AWS environments. Centralized management for EC2, RDS, EFS, and more. Pay only for storage consumed. Best if you are already in the AWS ecosystem.
• Azure Backup: Native to the Microsoft ecosystem. Integrates with Azure Site Recovery for full DR. Supports on-premises servers, VMs, SQL databases, and file shares. Natural choice for Microsoft-centric organizations.
• Duplicati (open source): Free, open-source backup to local storage or cloud (S3, Azure Blob, Google Drive, and more). Good for small businesses on a tight budget. Supports encryption and scheduling. Community-supported.
• Restic (open source): Fast, efficient, encrypted backups. Excellent deduplication. Supports many cloud storage backends. Command-line oriented, so it requires some technical skill.