Implement effective backup strategies

This article details recommended methods to implement the 3-2-1-1-0 backup strategy, helping you secure your data and ensure reliable recovery.

Evaluate the importance of all systems and data

Prioritize your digital assets based on their importance to your organization. To establish an effective backup strategy, evaluate each system and data using these metrics:

Recovery Time Objective (RTO): Determines the acceptable downtime for data recovery after a disruption. A shorter RTO requires faster recovery methods.
Recovery Point Objective (RPO): Defines the maximum amount of data loss that can be tolerated without significant business impact. A lower RPO needs more frequent backups. In ActiveProtect Manager, you can adjust backup frequency in a protection plan to meet your RPO requirements.

Create backup copies for your data

Create copies for your backup data and store them in offsite locations, adding an extra layer of protection. This provides redundancy and makes sure that your data is always recoverable. To enable backup copies of your data, refer to this article.

Auto-protect new workloads

Set up automated backup rules to protect your organization's virtual machines and SaaS accounts. This function ensures that any new resources added to your production environment will be automatically backed up, minimizing security gaps associated with digital expansion.

To create auto-backup rules for virtual machines and Microsoft 365, refer to the following articles:

Configure immutable backups

Immutable backups protect your data by making it unalterable and undeletable once written. This guarantees data accuracy and helps meet regulatory compliance requirements. ActiveProtect appliances employ a multi-pronged approach to protect your backup data against ransomware:

Native operating system: ActiveProtect Manager (APM) embedded in every ActiveProtect appliance allows you to safeguard data from unauthorized or accidental modifications.
Protection with Object Lock and WORM: When backing up data to remote storage (such as Amazon S3), ActiveProtect appliances leverage the storage's Object Lock or WORM (write once, read many) functionalities, ensuring data integrity and preventing compromise on remote storage.
Automated retention locks: ActiveProtect appliances automatically adjust immutable or WORM lock periods according to your data retention policies. This approach optimizes your storage usage and simplifies configurations.

Create an immutable protection plan to achieve immutable backups. Refer to Manage your protection plans.

Deploy an air-gapped environment

To bolster ransomware defenses, we recommend setting up an air-gapped environment for your ActiveProtect site. Unlike traditional air gaps that rely on tapes for zero connectivity, ActiveProtect Manager lets you schedule the isolation of secondary backup servers (i.e., backup copy servers).¹ This restricts network connectivity to essential data transfer periods, while ensuring that your backup data can be easily accessed and managed by IT administrators.

Use the following methods to set up an air-gapped environment while maintaining efficient site management.

Set up an isolated zone

Deploy your backup copy server in a zone physically and logically isolated from the production environment. This zone should have minimal connectivity to other environments, with only the following two Ethernet links:

Link	Description
Data transmission	This link transfers backup data using data interfaces between: Backup servers in your production environment The backup copy server in the isolated zone Apply one of the following air-gap approaches to your backup copy server in the isolated zone. The data transmission link's connection will only be available during non-isolation periods: Deny inbound traffic via firewall rules Deactivate Ethernet interfaces The server in the isolated zone controls air-gap functions. For optimal performance, use high-speed Ethernet between servers to transfer backup copies, preferably 10 GbE.
Site management	This link synchronizes site events using management interfaces between: The management server in your production environment The backup copy server in the isolated zone To fortify the security of your site management, make sure to deploy this link to an isolated network segment. Learn more

Link

Description

Data transmission

This link transfers backup data using data interfaces between:
- Backup servers in your production environment
- The backup copy server in the isolated zone
Apply one of the following air-gap approaches to your backup copy server in the isolated zone. The data transmission link's connection will only be available during non-isolation periods:
- Deny inbound traffic via firewall rules
- Deactivate Ethernet interfaces
The server in the isolated zone controls air-gap functions.
For optimal performance, use high-speed Ethernet between servers to transfer backup copies, preferably 10 GbE.

Site management

This link synchronizes site events using management interfaces between:
- The management server in your production environment
- The backup copy server in the isolated zone
To fortify the security of your site management, make sure to deploy this link to an isolated network segment. Learn more

Secure networks via firewall or VPN

To further secure connections to the isolated zone, we recommend applying a firewall or VPN tunnel to the network links mentioned above. Besides, only allow the required ports and protocols for external connections while blocking unnecessary access.

Set up a recovery host in the isolated zone

Deploying a recovery host in the isolated zone lets you regularly perform instant restorations, ensuring that your backup data can be correctly recovered when needed.

Regular restoration drills

Schedule restoration drills to assess the effectiveness of your backup and recovery processes. ActiveProtect appliances offer flexible restoration features that help you conduct these drills, ensuring that your IT team is well-prepared to respond to any critical situations.

Verify backups

To verify the bootability of backed-up workloads, you can enable backup verification, allowing your ActiveProtect appliance to record a video during a trial restoration for physical servers and virtual machines.

Instantly restore data to hypervisors

Instant restoration is ideal for implementing restoration drills. It allows you to bring back your physical servers and virtual machines within minutes using compressed and deduplicated backup files. In ActiveProtect Manager, you can instantly restore backup images to the built-in hypervisor, or your own ones. Refer to the following articles to learn more about instant restore configurations:

Restore SaaS data to test accounts

Conduct restoration drills for your SaaS services using test user accounts. For example, create several accounts on Microsoft 365 and make sure they have no data or customizations. Then, restore your backup versions to these test accounts to verify data recovery.

Note:

Primary backup servers should not be configured with air gaps because these servers require constant communication with protected machines and services. Their exposure to the production environment makes them more vulnerable to cyberattacks, and air gaps may hinder backup activities.

Was this article helpful?

Yes ／ No

Download PDF