Federal agencies are increasingly moving their mission-critical systems and solutions to the the cloud: More than 65 percent report that some or all of their data is in the cloud, and the percentage is rising every year.
While the cloud can provide cost-effectiveness, scalability and agility, agencies must take steps to ensure their data and applications will be readily available in the event of a disaster.
In the past, planning for disaster recovery focused on rare occurrences: floods, power outages and the like. Today, the need for quick recovery is far more common, given the prevalence of ransomware attacks. Backup as a Service provides reassurance that data is protected in these cases.
Here are some best practices for implementing and integrating Backup as a Service:
The Most Crucial Element of Disaster Recovery
Backup plans spell out exactly what should be backed up, how often, where backups should be stored and for how long. Often overlooked, however, is a detailed recovery plan, the most crucial element of disaster and recovery planning.
Based on a risk assessment for critical functions that prioritizes the risk posed by cyberattacks, human error, software bugs, natural disasters and the like, the recovery plan should be developed long before disaster strikes.
Such plans should spell out the policies and procedures that must be taken before, during and after a disaster, and must specify recovery point objectives (how much data loss is acceptable) and recovery time objectives (how quickly systems can be up and running).
A critical step in recovery planning is checking the backups. Many organizations check backup quality and integrity early on, but then may go months without verifying that subsequent backup jobs — which run to completion — have backed up anything successfully.
Click the banner below to learn how Backup as a Service boosts data protection.
Adhere to the 3-2-1 Rule
To ensure speedy recovery, multiple copies of data and applications are needed, both locally and remotely. The 3-2-1 rule states that you should have three copies of your data (your production data and two backup copies) on two different types of media (such as disk and tape), with one copy kept offsite for disaster recovery.
Even if you use the cloud for backup, you should consider mirroring crucial data, just to be safe. Consider a situation where the cloud provider is inaccessible, when you are unable to access your network or when you lose internet access altogether.
Another reason to choose an extra backup-and-restore method is that it takes a lot of bandwidth to restore entire systems, so full data recovery could take a long time. Having an alternative method could speed up recovery.
Finally, cybercriminals often spend time inside the network elevating privileges and actively seeking out backups — including cloud backups — so they can delete them before launching a ransomware attack. They might even delete shadow copies stored locally, which would lengthen time to recovery or in some cases make it all but impossible.
46%
The percentage of organizations that plan to recover data from the cloud rather than from on-premises storage
Source: Veeam, Data Protection Trends Report 2023, January 2023
Apply Patches and Run Simulations to Avoid Devastating Downtime
Disaster recovery often focuses on dealing with lost or inaccessible data but should also consider unplanned downtime. While planned downtime for such things as maintenance or updates can be disruptive, unplanned downtime can be devastating.
The recovery plan plays a key role here. The person or role accountable for recovery must make sure the contact list is always up to date, and should have a plan for notifying affected parties as quickly as possible and keeping them updated with status reports.
Preparing for unplanned downtime also means considering additional costs, not just for IT but also for the entire agency. Incremental technology purchases may be called for. Vendor support costs may increase, as well as staff overtime to resolve the incident.
How to reduce the chances of unplanned downtime? Preventive measures such as updating and patching critical systems and applications are key.
A vital component of planning for the unexpected involves running tabletop tests, simulations or active trials of the recovery plan. This helps uncover gaps in planning or overlooked issues such as recovery sequences to restore multitier applications or those dependent on Domain Name System or authentication services.
Ask the Right Questions Before Investing in Backup Services
Managed backup, or Backup as a Service, can help agencies with a variety of services ranging from assessing backup needs and overseeing backup jobs to helping with recovery when needed. When selecting cloud-based backup services, agencies should ask potential vendors these questions:
Does the solution integrate well with your own backup solution? Does it include archiving, mirroring or other options?
Where is the data stored? In general, the further away, the longer the recovery will take. Find out how fast backups will transfer in the event of unplanned downtime.
What data security methods are used? Look for, at a minimum, AES 256-bit encryption. Find out who has access to the private decryption key.
Is the vendor compliant with privacy and security regulations? This is especially important where regulatory requirements come into play.
What recovery methods does the vendor use? Is it possible to recover directly from the cloud, operate remotely or fail over a system without the vendor’s assistance?
MORE FROM FEDTECH: This process helps agencies protect email backups.
The Bottom Line for Backups
Cloud-based Backup as a Service solutions can give you peace of mind that critical data and applications are backed up and will be available when needed. This can be a cost-effective solution to ensure your agency does not lose data or suffer from unplanned downtime.
Follow best practices to make sure that your plans are solid and tested frequently, you have sufficient redundancy in your backups, you know what to do when you experience downtime, and that your vendor is providing the depth and breadth of services you need.