[German]March 31st of every year is "World Backup Day", and it's to remind people of the importance of backups. To mark the day, a little kaleidoscope of information around this topic.
Advertising
World Backup Day was created in 2011 by a group of Reddit users who were tired of constantly replying to Reddit threads like "I deleted my database and don't have a backup, please help me!". In addition to backup, the day also focuses on data hygiene – as a measure to better protect data during storage, use and transfer. Basically, it's about anything that reduces the risk of data loss, and increases the likelihood of successful recovery.
Did you backup today?
Unfortunately, many people only realize how important backups are when it is too late. Whether it's a hardware failure, a device loss or a hacker attack – vacation and family pictures on the cell phone or mail traffic and documents on the PC are irretrievably lost. "Regular backups are the only way to reliably protect your own data from various loss scenarios," says Markus Schaffrin, security expert and head of the Member Services division at German eco – Verband der Internetwirtschaft e. V. "The shorter the intervals between backups, the less data is lost if the worst comes to the worst." He recommends backing up important data at least weekly and doing so in two ways if possible, for example in the cloud and an external hard drive. Only a minority in Germany adhere to the above recommendations.
- Only one in five (20 percent) update their most important data weekly or more often.
- Only one in three in Germany (33.8 percent) updates at least monthly.
This is the result of a representative survey conducted by the opinion research company Civey on behalf of the eco association. For this purpose, the opinion research company Civey surveyed 2500 people between Feb. 15 and Feb. 16, 2023, on behalf of eco. There is also good news: 17.5 percent back up their data at least once or twice a year. Less frequently than once a year, 20.9 percent back up their data, and 15.7 percent even say they never back up. That's even more than four years ago. In 2019, in a similar survey, 10.6 percent said they never back up.
eco expert Markus Schaffrin gives the following tips for automated backup, which I consider to be mostly truisms – the normal user does not have these options. Here are the expert's theses – check for yourself whether they are viable for you on an ad-hoc basis.
- Cloud backup solution allow you to back up data automatically. Some popular options are Google Drive, iCloud, Dropbox and OneDrive. Many cell phone manufacturers also offer their own apps to store the data of one's smartphone or pictures online encrypted in the cloud.
- Those who prefer to back up data locally can use an external hard drive. Data can be backed up manually or automatically at least once a week using Windows Backup (PC) or Time Machine (Mac). There is also a wide range of backup software that can create and manage backups automatically.
- If there is a NAS (Network Attached Storage) system in the household, then data can also be backed up there automatically. A NAS is a device that is connected to the network and serves as a central storage location for data.
The eco association recommends the safest option, a combination of cloud backup and external hard drive or NAS, to back up data to multiple locations. Go for this double backup option for important data and ensure updates at least once a week via both methods. The points read a bit like cloud cuckoo land to me – quickly back up everything to the cloud, smartphone via app, or fire up Windows Backup (where can I find this feature).
Advertising
If you have lost access to your cloud storage (I'll throw account blocks from vendors like Mikrosoft into the debate), the backup stored there is no longer of any use. And the more backups there are, the greater the risk of data leaks via these backups. Backups would therefore have to be created and stored in encrypted form. But then it is important to store the recovery keys securely and in a way that they can be found. After all, what good is an encrypted backup if it cannot be read back because the key is missing?
You can also put it in a nutshell: The industry has screwed up – there is no build-in backup function in the typical systems. And it's not easy to handle and foolproof either – as anyone who has ever had to read back a backup and realized "unfortunately it doesn't work" will confirm.
Backups are worthless without recovery
The idea "I need a backup!" is obvious and possibly quickly implemented. But the whole thing is worthless if the backup cannot be read back or its contents are worthless because it does not contain the data you need. It's a mistake to create a backup plan when you don't yet have a recovery plan. In turn, you can't create the data recovery plan until you've first familiarized yourself with some basic concepts, writes SolarWinds (the one that was the victim of a supply chain attack in 2020, where customers' systems could be hacked).
Nevertheless, the general considerations of Thomas LaRock, Head Geek at Solarwinds, cannot be dismissed. In the following points, he explains what matters when it comes to data protection.
- Get an overview of business requirementsDie Grundlage für einen guten The foundation of a good recovery plan is a solid understanding of business requirements. You should know the meaning of some common acronyms, such as SLA (service level agreement), RTO (recovery time objective) and RPO (recovery point objective). RTO refers to the maximum time that recovery may take, and RPO is the point in time in the past when the system will be recovered. These two factors are used to determine the SLA. For example, one might have a requirement to restore a database to 15 minutes ago (RPO), with full recovery allowed to take 10 minutes (RTO). If the volume of data is so high that restoring to yesterday may take an hour, but the business wants an SLA of 15 minutes, expectations and reality clearly don't match.
- The 3-2-1-1 strategy
The following key strategy applies to backups: at least three copies in at least two different formats, one of which is immutable and the other of which is stored in an off-site location. This may seem a bit excessive for a personal laptop, but it's essential in an enterprise environment. For businesses, regular backups are absolutely critical because they often handle sensitive data and face serious consequences if data is lost or stolen. It's still all about minimizing the risk of data loss and increasing the likelihood of successful recovery. For example, an annual backup is nowhere near as helpful as more frequent backups. In addition, it makes much more sense to store the backup on an external drive or in the cloud than on the same hard drive as the underlying data.
- HA != DR
Two other acronyms to be aware of are HA (High Availability) and DR (Disaster Recovery or disaster recovery). You always hear things like, "Once we take care of High Availability, we don't need the disaster recovery stuff." This line of thinking is not only wrong, it's dangerous, because HA and DR are two fundamentally different things. It's natural to think you can use technical methods like data replication to access data for recovery purposes as well, but unfortunately the reality is different. As an example, errors are also replicated. If a file is omitted here, it will be omitted there as well – and the only way to recover is to back it up. HA is about availability, not recovery. As a DBA, you know: If I can't restore data, I'm out of a job.
- Test your own recovery process
There is only one way to check if you have a good backup: You test the process for restoring. It's good to have backup files, but if they can't be used for recovery, they're of little use. Some companies do DR planning annually or semi-annually. This is to ensure that in the event of a disaster, they have the expertise to restore their systems and operations can continue. But you don't have to wait for that date: you can test backups at any time with a small sample. To do this, one selects a server or a few databases and tests whether the data can be restored and whether the process meets the established SLAs. Typically, data only increases over time, not decreases, so it becomes progressively more difficult to keep the RTO and RPO in line with the SLAs. Accordingly, when it comes to the topic of data growth, the phrase "too big to failover" always easily comes to mind.
he bottom line from the above points: Backing up data is often a tedious process that is often put off or forgotten until it is too late. Regular backups are important. When in doubt, they make the difference between valuable information being well backed up and it all being lost. Especially now that ransomware and cyberattacks are becoming more common, a robust backup strategy for databases is absolutely essential. World Backup Day is an opportunity for companies and database managers to critically review their own backup strategy and ensure they are implementing best practices.
What strikes me is that these considerations, which I believe are important, are in stark contrast to the "cloud cuckoo land" of eco, where everything can be done easily and at the push of a button.
Backups are not the universal solution
In terms of malware infestation, there is also the question of whether a backup really helps. There are cases where the infection occurs weeks or months before the discovery or escalation through encryption of the files by ransomware. Then backups only help if they capture the point in time that was before the compromise. Determining this point in time, but at the same time being able to quickly restore the IT infrastructure in terms of data and software status to the current state before the GAU, is more or less like squaring the circle. Without backup, everything is crap – with backup, it's "depends".
In a statement, the security researchers at Palo Alto Networks point out that backups are still important in the context of malware. But the concept also has clear limitations in the context of malware. Sergej Epp, chief security officer (CSO) at Palo Alto Networks in Central Europe, writes: "Anyone who still relies on backup as the sole strategy against ransomware and cybercriminals is not up-to-date. Recently, in 70% of ransomware cases, data is stolen and not encrypted. This gives cyber criminals much more leeway to put more pressure on companies, for example, via additional notification to those affected by the data leak. This is known as double extortion. Nevertheless, we can't do without the backup, because in the current geopolitical situation, the danger of so-called wiper malware and other sabotage tactics is omnipresent."
Johannes Streibich, Regional Director CEMEA at Zerto, argues that backups are just the beginning – and that what matters in practice is fast recovery. According to him, most companies in the professional environment have been using backups for a long time. Backups are the standard solution for data protection in general, but the technology at its core has not evolved in 25 years.
The 3-2-1 backup strategy guarantees that companies can restore just about any data sooner or later. For less important data, this is perfectly adequate. The problem lies more in the "sooner or later". Because longer downtimes are no longer acceptable for most organizations today. The problem is that backups have the weakness that they only protect individual servers but not complete applications. After restoring data from a backup, applications must first be manually reassembled from their individual components. This costs time and is responsible for restoration times that can last for days or even weeks.
Johannes Streibich, Senior Director Sales CEMEA says: "Backing up data is just the beginning: it's fast recovery that counts! Backing up data is only the beginning: once you have developed a strategy for backing up data, you also need to think about restoring that data and the affected applications in the event of disruptions, outages or cyberattacks. Particularly in the case of ransomware attacks, speed of recovery is critical: How quickly can you restore IT operations to a similar state as before the attack and continue without losing critical data or paying a ransom? Resilient organizations test these K-cases regularly to ensure that, in the event of an emergency, all key steps are then performed correctly, keeping downtime and data loss to seconds or minutes."
I found the comments from Charles Smith, Consultant Solution Engineer, Data Protection, Barracuda, very intriguing. He wrote to tell me that only 52 percent of ransomware victims were able to recover encrypted data through backups last year. The data is based on recent research by Barracuda. One backup strategy popular with attackers allows them broad access to backup software, as well as network-connected backup systems, remote access to backup systems, irregular and unverified backups. In case of doubt, the backup systems are also infiltrated and infected.
Martin Zugec, Technical Solutions Director at Bitdefender, writes "Professional extortionist hackers go to great lengths to prevent their victims from recovering encrypted data. They do this, for example, by routinely attacking shadow volume copies. Alternatively, they infect backups: when importing such a backup, IT administrators then also restore the hackers' access to previously attacked systems. IT security managers therefore need to detect complex attacks early to fend off hackers before they access the backup."
So again, a sophisticated system needs to be in place to ensure that the backup strategy is secure and will help if the worst happens. In this text, I have now traced the arc from the "cloud cuckoo land" of eco to essential questions of data security in companies – also in relation to ransomware attacks. The outline shows that World Backup Day is important, but is not limited to "I press the backup button and all is well". It's time to (re)think about a backup strategy and recovery.
