Backup Best Practices

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free

Backup Best Practices

by James G. Barr

Docid: 00018020

Publication Date: 2204

Publication Type: TUTORIAL


Once considered a routine and fairly straightforward systems
management discipline, data backup has become much more complicated with
more data to manage (including Big Data); more types of data (including
audio, video, and unstructured data); more types of data collectors
(including smartphones and other edge devices); and more types of backup
collectors (including USB drives and the cloud). But just as backup has
gotten more complex, our attention to backup (never the most fascinating
topic) has not kept pace. Consequently, it’s important for enterprise
officials to create, cultivate, and enforce a new generation of backup
best practices.

Report Contents:

Executive Summary

[return to top of this

Data is the currency of modern commerce and, like conventional currency,
must be protected and safeguarded against:

  • Loss, usually through media failure or accidental or intentional media
  • Unauthorized erasure, either accidental or intentional; and
  • Unauthorized modification, again, either accidental or intentional.


Faulkner Reports
Dropbox Product
Information Archiving Best
Practices Tutorial

Although cybersecurity plays a major role in data protection owing to
the non-stop efforts of hackers and other cyber criminals to penetrate
enterprise networks, the responsibility for ensuring data
availability has traditionally belonged to backup management, one of the foundational
systems management disciplines along with change, problem, and
configuration management.

Backup management – or, more familiarly, "backup and recovery" or just
"backup" – has been practiced since the mainframe era when the contents of
mainframe disc packs were regularly transferred to magnetic tape. A common data
center protocol was to record each day’s new or changed data from Monday through Friday (a “partial” or “incremental” backup), and
all data over the weekend (a “full" backup). The full backups,
incidentally, were often utilized semi-annually to conduct disaster recovery

Figure 1. Mainframe Backup Featured Magnetic Tape

Figure 1. Mainframe Backup Featured Magnetic Tape

Source: NARA & DVIDS Public Domain Archive

Today, of course, backup is much more complicated, with “more” being the
crucial adjective:

  • More data to manage (including Big Data)
  • More types of data (including audio, video, and unstructured data)
  • More types of data collectors (including smartphones and other edge
  • More types of backup collectors (including USB drives and the cloud)

But just as backup has gotten more complex, our attention to backup
(never the most fascinating topic) has not kept pace. Consequently, it’s
important for enterprise officials to create, cultivate, and enforce a new
generation of backup best practices.

To ensure their consistent application, these best practices should be
integrated into an overall backup governance scheme. Specifically:

  • The Chief Information Officer (CIO) shall appoint a Backup Manager, or
    individual responsible and accountable for all enterprise backup
    operations and management.
  • The Backup Manager shall appoint a cross-functional and
    cross-departmental Backup Team.
  • The Backup Team shall examine the enterprise’s information infrastructure
    and identify all backup requirements.
  • The Backup Team shall cooperate with the IT and Security departments
    to identify, procure as necessary, and implement any hardware or
    software systems or devices required to perform backup operations.
  • With a backup infrastructure in place, the Backup Team shall establish
    an Enterprise Backup Policy, along with related backup standards,
    guidelines, protocols, and procedures, as appropriate.

Backup Best Practices

[return to top of this

In instituting a set of backup standards, guidelines, protocols, and
procedures, the Backup Team should adopt and incorporate the following
backup best practices.

Align Backup Period or Frequency with Enterprise Tempo

As recommended by the US National Institute of Standards and Technology
(NIST), the period or frequency of data backups “needs to align with the
‘tempo’ of the enterprise. For example, if an enterprise performs
thousands of transactions per hour per day, then a backup solution that
performs a backup only once a day would not adequately provide for the
enterprise. This type of configuration would allow a potentially large
data loss. If backups occur every morning and a loss of [digital
information] happened at the end of the day, then a full day’s worth of
transactions would be lost. The decision for the correct configuration of
backups is determined by an organization’s risk tolerance.”1

Backup the Backup

Remember, backups can fail too. Accordingly:

  • Maintain three copies of all enterprise data: the original plus two
  • Employ a different storage type for each backup (e.g., external drive,
    cloud, etc.).
  • Store one backup offsite.2

Encrypt Data Files Prior to Backup

As a general rule, all enterprise data should be encrypted while at rest
or in transit. Where practical – performance, for example, may be an issue
– this encryption standard should applied to data backup operations.

Do Not Rely on Data Backups for Data Archiving

Data archiving is often confused with data backup.3 While both
operations are essential, they are fundamentally different in purpose and
practice. As we have seen, backup provides short-term protection
of data, usually digital data, offering insurance against data corruption,
accidental or deliberate erasure, or media failure. In contrast, archiving provides long-term protection
of digital and non-digital data, preserving data that must be retained for
long periods of time due to business, legal, or regulatory requirements.

Importantly for the Backup Team, archiving can help limit the scope of
backup operations; once records are archived, there is no necessity to
back them up on a regular basis.

Note: For more information on archiving, see the FACCTs report entitled
“Information Archiving Best Practices.”

Provide for Smartphone Backup

For many employees, smartphones have become the new PCs, where both
personal and business data are stored and processed. Just as the
enterprise backup environment was expanded to capture PC data, it must be
further enlarged to encompass mission-critical smartphone data, using
Acronis Cyber Protect or other similar solutions.

Conduct Regular Retrieve and Restore Exercises

Historically, backup and recovery operations – especially automated
operations – are notoriously unreliable, often ending prematurely and
with no indications of errors or omissions. To help ensure the integrity
of backup operations, the IT operations staff should routinely review all
backup logs for signs of trouble.

In addition, the Backup Team should conduct regular “retrieve and
restore” exercises:

  • Select five to ten “control files” at random. Control files are static
    (or unchanging) files that contain multiple data types.
  • Retrieve the files from several generations of backup media.
  • Restore the files to local disk.
  • Compare the restored files against their pristine (or
    originally-recorded) versions. Look for missing or modified records,
    which could be indicative of backup problems.
  • Investigate and resolve any data discrepancies.

Establish and Enforce Backup Retention Cycles

To help reduce storage expenses, consider keeping:

  • Daily backups for a week
  • Weekly backups for a month
  • Monthly backups for a quarter

Importantly, when retiring backup media due to age, anticipated
lifespan, or evidence of physical deterioration, follow the NIST
guidelines for media sanitization.4

Engage Capacity Planning Specialists

Analyst Gijsbert Janssen van Doorn warns that “[as] the [enterprise
information infrastructure] gets larger, more [backup] components must be
added and configured – and often scaled up as well. Managing and sizing
the backup infrastructure becomes a complex process that requires
dedicated specialists within the IT team.”5

Disaster Recovery as a Service

[return to top of this

Data backup serves three primary purposes; it enables:

  • The on-demand restoration of individual files, where such files have
    been deleted or corrupted;
  • The restoration of an individual server or storage unit, usually due to
    equipment failure; and, perhaps most importantly,
  • Disaster recovery, or the restoration of a data center in the wake of
    a physical or technological disaster (e.g., fire, flood, ransomware, etc.).

While traditionally separate activities, a number of enterprising
vendors including Microsoft and IBM are packaging data backup and
disaster recovery services as a unified cloud offering, Disaster Recovery
as a Service (DRaaS). With Disaster Recovery as a Service, an enterprise client replicates its
physical servers or virtual machines to a third-party DRaaS provider,
which then hosts the client’s information infrastructure and IT operations
in the event of a disaster.6 When the enterprise is ready to
resume normal IT operations, full control is returned to the enterprise
data center, thus completing the recovery.

For many clients, particularly small-to-medium-sized enterprises
(SMEs), DRaaS offers a compelling combination of convenience,
performance, and scalability:

  • Convenience – DRaaS expedites enterprise
    recovery planning and, importantly, does not rely on local, i.e.,
    client, disaster recovery expertise.
  • Performance – As observed by analyst John Moore,
    “The replication methods of DRaaS … offer a performance boost over
    other DR media – tape storage, for example. Those methods include
    synchronous replication, which writes data to the primary and backup
    site simultaneously.”7
  • Scalability – Clients can increase – or decrease
    – their recovery investment according to their immediate needs. They are
    not locked into a physical recovery site, but rather a virtual site
    sized to their current IT configuration.

The Future of Backup

[return to top of this

In an industry that historically cycles from data centralization
(mainframes) to decentralization (client-server) to re-centralization
(cloud computing), the present trajectory of information technology – now,
and for the foreseeable future – is data decentralization.

Influencing this trend are:

  • The phenomenal proliferation in smartphones, smart watches, and other
    smart devices.
  • The popularity of Software as a Service (SaaS) and other specialty-cloud
  • The Internet of Things (IoT), which favors the formation of distributed
    single-purpose, micro-data centers.
  • The rise of edge AI, in which machine learning algorithms process data
    generated by edge devices locally.

Collectively, these developments promise an exponential increase in the total volume of data generated
and the number of discrete locations from which it is generated

These dynamics create a considerable challenge for enterprise backup
planners. The standard enterprise backup doctrine, which might be
summarized as “backup all data, regardless of value,” cannot be readily
sustained. As a result, a more nuanced backup philosophy is needed. Among the
potential provisions:

  • Backup high-value data only (employee, customer, financial, operational,
  • Delegate some backup duties to primary data owners (like smartphone users).
  • Pursue strategies that reduce total data volume (rethink the Big Data

No matter how enterprise backup might evolve, enterprise planners should act
now to ensure essential data is protected, and backup costs are contained.

[return to top of this


About the Author

[return to top of this

James G. Barr is a leading business continuity analyst
and business writer with more than 40 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying
, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via e-mail at

[return to top of this