Key Takeaways
- Follow the 3-2-1 rule: 3 copies, 2 media types, 1 offsite.
- Backups you haven't tested aren't backups.
- Define RPO and RTO before disaster strikes.
- Protect backups from ransomware (immutable/air-gapped).
- Include system configs, not just data.
- Document recovery procedures.
1. Why Backups Matter
Data loss happens: ransomware attacks, hardware failures, accidental deletion, disasters. Backups are your last line of defense when everything else fails. Many organizations have learned this lesson the hard way—don't be one of them.
The 3-2-1 Rule
- 3 copies of your data
- 2 different media types
- 1 copy offsite (or cloud)
Each element covers a different failure mode: extra copies survive one bad copy, a second media type survives a fault specific to one medium, and the offsite copy survives loss of the primary site.
2. Backup Strategy
2.1 Key Metrics
| Metric | Definition | Example |
|---|---|---|
| RPO | Recovery Point Objective—max acceptable data loss | 4 hours = lose at most 4 hours of data |
| RTO | Recovery Time Objective—max acceptable downtime | 1 hour = systems back in 1 hour |
2.2 What to Back Up
- User data and documents
- Databases (with transaction logs)
- Application configurations
- System configurations and settings
- Virtual machine images
- Secrets/certificates (securely)
3. Backup Types
| Type | Description | When to Use |
|---|---|---|
| Full | Complete copy of all data | Weekly baseline |
| Incremental | Changes since last backup | Daily between fulls |
| Differential | Changes since last full | Alternative to incremental |
| Snapshot | Point-in-time copy | VMs, databases |
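The table above describes full, incremental and differential backups; Section 2.1 defines RPO. The following added example (not part of the original guide) ties the two together: it works out which backups must be restored to reach a point in time, what the chain looks like when one job silently failed, and whether the resulting data loss stays within the RPO. The backup semantics it assumes are the common ones (a differential holds all changes since the last full, an incremental holds changes since the previous backup of any kind), and the schedule, dates and 24-hour RPO are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Backup:
    kind: str            # "full", "incremental" or "differential"
    taken_at: datetime
    ok: bool = True      # False if the job failed or never completed


def restore_chain(backups: List[Backup], point_in_time: datetime) -> List[Backup]:
    """Backups to apply, in order, to reach the latest state at or before point_in_time.

    Assumed semantics: a differential contains every change since the last full, so
    only the latest good differential matters; an incremental contains changes since
    the previous backup, so a failed incremental breaks the chain and every later
    incremental is unusable. A failed full or differential is simply skipped.
    """
    usable = sorted((b for b in backups if b.taken_at <= point_in_time),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full" and b.ok]
    if not fulls:
        return []
    chain = [fulls[-1]]
    later = [b for b in usable if b.taken_at > chain[-1].taken_at]
    diffs = [b for b in later if b.kind == "differential" and b.ok]
    if diffs:
        chain.append(diffs[-1])
        later = [b for b in later if b.taken_at > diffs[-1].taken_at]
    for b in later:
        if b.kind != "incremental":
            continue
        if not b.ok:
            break            # chain is broken from here on
        chain.append(b)
    return chain


def data_loss(chain: List[Backup], failure_at: datetime) -> timedelta:
    """Everything written after the last usable backup is lost."""
    return failure_at - chain[-1].taken_at


def meets_rpo(chain: List[Backup], failure_at: datetime, rpo: timedelta) -> bool:
    return bool(chain) and data_loss(chain, failure_at) <= rpo


def summarize(backups: List[Backup], failure_at: datetime, rpo: timedelta) -> Dict[str, object]:
    chain = restore_chain(backups, failure_at)
    if not chain:
        return {"restore_steps": 0, "loss_hours": None, "meets_rpo": False}
    return {
        "restore_steps": len(chain),
        "loss_hours": data_loss(chain, failure_at).total_seconds() / 3600,
        "meets_rpo": meets_rpo(chain, failure_at, rpo),
    }


# Constructed sample schedule: weekly full on Sunday 02:00, a daily job at 02:00,
# and a disk failure on Thursday at 13:00. Wednesday's job failed without anyone noticing.
SUNDAY = datetime(2024, 1, 7, 2, 0)
FAILURE = SUNDAY + timedelta(days=4, hours=11)
RPO_24H = timedelta(hours=24)

INCREMENTAL_WEEK = [
    Backup("full", SUNDAY),
    Backup("incremental", SUNDAY + timedelta(days=1)),
    Backup("incremental", SUNDAY + timedelta(days=2)),
    Backup("incremental", SUNDAY + timedelta(days=3), ok=False),
    Backup("incremental", SUNDAY + timedelta(days=4)),
]

DIFFERENTIAL_WEEK = [
    Backup("full", SUNDAY),
    Backup("differential", SUNDAY + timedelta(days=1)),
    Backup("differential", SUNDAY + timedelta(days=2)),
    Backup("differential", SUNDAY + timedelta(days=3), ok=False),
    Backup("differential", SUNDAY + timedelta(days=4)),
]

if __name__ == "__main__":
    print("incremental:", summarize(INCREMENTAL_WEEK, FAILURE, RPO_24H))
    print("differential:", summarize(DIFFERENTIAL_WEEK, FAILURE, RPO_24H))
```

With the same failed Wednesday job, the incremental schedule can only be restored to Tuesday 02:00 (59 hours of loss, RPO missed) because Thursday's incremental depends on the broken one, whereas the differential schedule restores to Thursday 02:00 (11 hours of loss). This is the practical reason the guide lists differential as an alternative, and why unchecked job failures, not just disasters, decide whether the RPO holds.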
4. Cloud Backup
- AWS S3: With versioning and lifecycle policies
- Azure Blob: With immutable storage
- Google Cloud Storage: Multi-region durability
- Specialized services: Veeam, Druva, Rubrik
```shell
# AWS S3 backup bucket: enable versioning so overwritten or deleted objects keep prior versions.
# MFA delete is a separate setting: it needs MFADelete=Enabled in the same configuration plus
# the --mfa option, and can only be set with the bucket owner's root credentials.
aws s3api put-bucket-versioning \
  --bucket my-backup-bucket \
  --versioning-configuration Status=Enabled

# Enable object lock for immutability (default retention mode and period go in the configuration)
aws s3api put-object-lock-configuration \
  --bucket my-backup-bucket \
  --object-lock-configuration ...
```
Ransomware Targets Backups
Modern ransomware actively seeks and destroys backups. Protect with: air-gapped copies (no network connection), immutable storage, separate credentials, and offline copies that can't be reached by attackers on your network.
5. Ransomware Protection
- Immutable backups: Cannot be modified or deleted for set period
- Air-gapped: Physically disconnected from network
- Separate credentials: Backup admin different from domain admin
- Offline copies: Tape or removable media stored securely
- Cloud with MFA delete: Requires second auth to delete
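The S3 commands in Section 4 and the controls listed above are only useful if they are actually in place on the bucket that holds the backups. The following added example (not part of the original guide) is a small audit that checks a bucket's versioning and object-lock settings against that bar. It operates on the dictionaries boto3 returns from `get_bucket_versioning` and `get_object_lock_configuration`, so it runs offline here on constructed sample responses; the 30-day minimum retention is an assumed policy value.

```python
from typing import Dict, List

MIN_RETENTION_DAYS = 30   # assumed organisational minimum for this example


def audit_backup_bucket(versioning: Dict, object_lock: Dict,
                        min_retention_days: int = MIN_RETENTION_DAYS) -> List[str]:
    """Return findings for a backup bucket; an empty list means it meets the bar.

    versioning:  dict returned by s3.get_bucket_versioning(Bucket=name)
    object_lock: dict returned by s3.get_object_lock_configuration(Bucket=name);
                 pass {} if that call raised ObjectLockConfigurationNotFoundError.
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: overwritten or deleted objects cannot be recovered")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete not enabled: one compromised credential can purge versions")

    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: backup objects are not immutable")
        return findings

    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"default retention mode is {mode!r}: only COMPLIANCE mode cannot be "
                        "shortened or removed by any principal during the retention period")
    days = retention.get("Days") or retention.get("Years", 0) * 365
    if days < min_retention_days:
        findings.append(f"default retention of {days} days is below the {min_retention_days}-day minimum")
    return findings


# Constructed sample responses in the shape boto3 returns.
WEAK_VERSIONING = {"Status": "Enabled"}                      # no MFA delete
WEAK_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
}}

HARDENED_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
HARDENED_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
}}

if __name__ == "__main__":
    for label, v, l in [("weak", WEAK_VERSIONING, WEAK_LOCK),
                        ("hardened", HARDENED_VERSIONING, HARDENED_LOCK)]:
        print(label, audit_backup_bucket(v, l) or ["ok"])
```

Run it from a scheduled job under the separate backup-admin credentials the guide recommends, so that drift in the bucket configuration is caught on the same cadence as the backups themselves.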
6. Testing & Verification
Regular testing schedule:
- Monthly: Restore sample files
- Quarterly: Full system recovery test
- Annually: DR tabletop exercise
Verify:
- Backups complete without errors
- Data is recoverable and usable
- Recovery meets RTO targets
- Documentation is accurate
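The monthly "restore sample files" check and the "data is recoverable and usable" and "recovery meets RTO targets" items above can be automated. The following added example (not part of the original guide) records a SHA-256 manifest at backup time, restores the backup into a scratch directory, and reports files that are missing or corrupted together with whether the restore finished within the RTO. The sample files, the simulated backup copy and the 60-second RTO are constructed for the example; a real deployment would replace the `shutil.copytree` restore step with its backup tool's restore command.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of every file under root; store it with the backup at backup time."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_tree(restored: Path, manifest: Dict[str, str]) -> Dict[str, list]:
    """Compare a restored (or stored) tree against the manifest."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_test(manifest: Dict[str, str], restore: Callable[[Path], None],
                 rto_seconds: float) -> Dict[str, object]:
    """Restore into a scratch directory, time it, and verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp)
        start = time.monotonic()
        restore(target)
        elapsed = time.monotonic() - start
        report: Dict[str, object] = dict(verify_tree(target, manifest))
    report["elapsed_seconds"] = elapsed
    report["meets_rto"] = elapsed <= rto_seconds
    report["passed"] = not report["missing"] and not report["corrupted"] and report["meets_rto"]
    return report


def run_demo(tamper: bool) -> Dict[str, object]:
    """Build constructed sample data, back it up, optionally damage the backup, and test a restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        (source / "db").mkdir(parents=True)
        (source / "docs").mkdir()
        (source / "db" / "app.sqlite").write_bytes(b"\x00" * 4096)
        (source / "docs" / "notes.txt").write_text("quarterly figures\n")
        (source / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(source)          # recorded at backup time
        shutil.copytree(source, backup)            # stands in for the backup job
        if tamper:
            (backup / "db" / "app.sqlite").write_bytes(b"\x00" * 100)   # truncated copy
            (backup / "docs" / "notes.txt").unlink()                     # never reached the backup
        return restore_test(
            manifest,
            lambda target: shutil.copytree(backup, target, dirs_exist_ok=True),
            rto_seconds=60,
        )


if __name__ == "__main__":
    print("healthy backup:", run_demo(tamper=False))
    print("damaged backup:", run_demo(tamper=True))
```

The same `verify_tree` call can be run against the stored backup itself (not just a restore of it) to satisfy the "backups complete without errors" check, and keeping the manifest with the backup under the same immutability rules means an attacker who alters backup contents also has to alter the hashes.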
7. Recovery Procedures
- Identify what data/systems need recovery
- Select appropriate backup point (RPO consideration)
- Prepare recovery environment
- Restore data following documented procedure
- Verify data integrity
- Test application functionality
- Document any issues for procedure improvement
Document Everything
Recovery during an incident is high-stress. Detailed, tested documentation enables anyone to perform recovery—not just the person who set it up. Include step-by-step procedures, credentials location, and contact information.
Conclusion
Backups are essential—but only if they work when needed. Follow the 3-2-1 rule, protect against ransomware with immutable/air-gapped copies, test regularly, and document procedures. Define your RPO and RTO to align backup strategy with business needs. When disaster strikes, good backups are the difference between inconvenience and catastrophe.