
off-site backup

Off-site backup is a method of backing up data to a remote server or to media that is transported off site. The two most common forms of off-site backup are cloud backup and tape backup. During cloud backup, also referred to as online backup, a copy of the data is sent over a network to an off-site server. A third-party cloud service provider typically hosts that server, but an enterprise can also own it.

To start the cloud backup process, an organization can either send its data over a network or use cloud seeding to send a disk drive or tape with data to a cloud service provider. The organization then schedules and runs regular backups, typically through a web browser. The remote files and folders appear as they are stored off site.

During the tape backup process, data is copied from primary storage to a tape cartridge. For off-site data protection, an organization would then transport the tape cartridges to another location.

Disk is a preferred medium for backup because it is faster and easier to access than tape. Tapes are now used more often for long-term archiving or DR. Disk could be an option for off-site backup, but it's much less durable than tape and prone to damage in the transport process.

The historical "3-2-1" rule of backup states that an organization should have three copies of data on two different media, with one copy of the media placed off site. Off-site backup is important in the event of a disaster, ransomware attack or other incident at the main data center. When such an incident occurs, an organization will recover by retrieving the backed-up data from the cloud or tape cartridges. Although local backup offers quicker access, off-site backup serves as a critical safety net.

The cloud is a prime backup target for SMBs that want a cheaper and easier way to back up data. An SMB might also use an external HDD for its off-site backup. Although it's easier to back up to an HDD, it's not as portable or durable as tape. Tape is usually more of a target for enterprises and industries such as media, entertainment and life sciences that must store large amounts of data. In addition, an SMB usually has fewer resources than an enterprise to move tapes off site.

Keys to implementing off-site backups

In implementing off-site backup, an organization must be wary of cost, more so with the cloud than with tapes. Cloud-based backup costs -- which typically involve capacity, frequency, bandwidth and the number of users -- can escalate quickly. Organizations should conduct a long-term cost projection to avoid a surprise down the line when the amount of data stored in the cloud grows.

A retention plan to delete backup data that's no longer needed should also be implemented. For example, pricing for Amazon Glacier, one of the cheapest cloud-based options and a common archiving platform, started at $0.004 per gigabyte, per month as of September 2018. Although that might sound cheap, it will cost nearly $5,000 per year to store 100 TB of data off site. Other costs associated with cloud backup can also be high. Such costs can include data retrieval and the cost of getting data out of the cloud.

Tape backup costs increase over time as well, due to the price of additional media and off-site storage.

Cloud data retrieval costs vary by region, but Amazon's standard rate for retrieving data from Glacier storage is $0.01 per gigabyte. This cost triples for expedited requests.

The costs to transfer data out of Glacier vary based on region, data volume and where the data is being transferred. It generally costs less, for example, to transfer the data to an Amazon cloud service than to the internet. Regardless, the data transfer costs can be substantial. Amazon allows one gigabyte per month of free data transfers from Glacier to the internet -- in the US East region. After that, the cost is $0.09 per gigabyte, per month for up to 10 TB of data; additional data transfers are billed at a reduced rate. This means that it would cost over $900 to transfer 10 TB of data from Glacier storage to the internet.

It's worth noting that these charges aren't unique to Amazon. Although the rates vary from one cloud provider to the next, most cloud providers subject their customers to similar charges.

Security is another consideration. For cloud off-site backup, data moving across the public internet to a cloud provider's server should be encrypted at the original location, in transit and at rest on the provider's server. Users must then verify that the data is the same as it was previously and not corrupted, and that it will be available for DR.
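
One way to carry out that verification, shown as an added example rather than code from the original article: a keyed SHA-256 manifest is built at the source before the data leaves the site, then checked against the restored copy. The function names, sample files and demo key are constructed for illustration, and the key is assumed to be stored apart from the backup.

```python
import hashlib, hmac, json, os, tempfile

def _digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, key):
    """Hash every file under root and seal the listing with an HMAC tag."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = _digest(full)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_restore(root, manifest, key):
    """Compare a restored tree with the manifest; return findings by category."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest tag mismatch: the manifest itself was altered")
    want, have = manifest["files"], build_manifest(root, key)["files"]
    return {
        "modified": sorted(p for p in want if p in have and have[p] != want[p]),
        "missing": sorted(p for p in want if p not in have),
        "unexpected": sorted(p for p in have if p not in want),
    }

def demo():
    """Constructed sample data: a small backup set, then a damaged restore."""
    key = b"constructed-demo-key"  # assumption: stored apart from the backup
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("db.dump", b"rows"), ("etc/app.conf", b"port=443")]:
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root, key)   # taken before shipping off site
        with open(os.path.join(root, "db.dump"), "wb") as f:
            f.write(b"r0ws")                   # simulated corruption
        os.remove(os.path.join(root, "etc", "app.conf"))  # simulated loss
        with open(os.path.join(root, "new.bin"), "wb") as f:
            f.write(b"x")                      # file absent from the original set
        return verify_restore(root, manifest, key)
```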

Tape security is mainly a matter of physical security. To limit the chance of tapes being stolen, an organization should ship them as soon as it has finished writing to them, and then ensure that the off-site storage location is secure. A service-level agreement (SLA) will state who has access to the tapes and how long recovery should take. As with the cloud, encryption is important. Linear Tape-Open 8, released in late 2017, features the 256-bit Advanced Encryption Standard as well as the "write once, read many" capability.

Unlike with the cloud, drive maintenance is a challenge with tapes. An organization using tape for off-site backup must ensure the equipment undergoes proper, consistent maintenance or risk issues with performance.

One common approach to off-site backup is disk-to-disk-to-tape, which writes a backup to disk, copies it to tape and then ships the backup off site. This process ensures a local backup with a quick restore time on disk, plus a cheaper off-site backup copy on tape.

The distance from the primary data center to the off-site backup data center can vary by region. If an organization is in an area where hurricanes often hit, for example, the off-site storage -- on tape or in the cloud -- should reside outside the hurricane zone. If an organization isn't in an area where natural disasters often occur, the off-site backup location can be closer but still far enough away that any incident at the primary location won't affect the secondary site.

Off-site vs. on-site

On-site backup, or local backup, provides quicker recovery points than off-site backup. If an employee deletes important files, for example, an organization can get them back in moments from a local disk backup. In addition to being on site, disk also offers random access for quicker recovery.

Retrieving data from cloud backups or getting tapes back from an off-site location, on the other hand, can take a long time. Cloud recovery times can be highly variable depending on the organization's available internet bandwidth. Additionally, if numerous organizations are trying to get data from the cloud during a regional disaster and bandwidth is limited, the process slows down dramatically.

The importance of off-site backups

On-site backup won't work for recovery in all scenarios. For example, a natural disaster that destroys a primary data center would likely also destroy the on-site backup. Similarly, a ransomware attack that spreads across a network might render local backups useless. Ransomware authors are increasingly targeting backups to force their victims to pay a ransom. In those cases, off-site backup becomes critical to a business' recovery. However, in the case of a ransomware infection, the business must verify that the backups are clean.

Backup software vendors are also increasingly integrating immutable backup capabilities into their software as a way of protecting against ransomware. This immutability ensures that a ransomware attack won't be able to encrypt the data stored within the on-site backup.

Off-site tape backups are the most secure retrieval option following a ransomware attack because they are offline and are therefore not infected. Some organizations also write backup copies to an external drive rather than using tape. External drives can be detached and stored similarly to tape.

There are also differences in the durability of the various backup mediums. Tape is more durable than disk, and generally lasts longer than disk-based backups so long as the tape is properly stored. The cloud can last the longest of the three, if the service provider remains in business and doesn't suffer an outage during the recovery time.

Common features of off-site backup

There are many cloud backup providers in the market. Feature sets vary, so it's important to carefully analyze products, set up a comprehensive SLA and understand the cost structure. Some of the features that are commonly offered include:

  • Hybrid cloud backup, which includes cloud-based backup and local backup;
  • Disaster recovery as a service that enables an organization to fail over into the cloud;
  • Data lifecycle management, which can help to reduce backup storage costs by automatically expiring outdated backups;
  • File sync and share;
  • Replication of backup copies to other regions or other clouds; and
  • Snapshots.

How off-site backup works

There are a variety of methods for creating off-site backups, each with its pros and cons.

One of the simplest methods involves backing up data directly to a public cloud, such as AWS or Microsoft Azure. This method is easy to implement and tends to be more cost-effective than more elaborate backup architectures but does not allow for the creation of a local backup copy.

A similar method involves backing up data to a service provider's private cloud, with online backup services in a managed data center. The advantage to using this method is that the service provider is typically a backup vendor that specializes in data recovery. The vendor typically has a dedicated backup facility that has been specifically designed to meet its customers' backup needs.

Another method is cloud-to-cloud backup. This method uses one cloud to back up data that is stored in another cloud. The advantage to using this method is that because backups reside in a different cloud from the primary copy of the data, they are insulated against cloud-level data loss events or data security issues.

One more method involves simply transporting physical media off site. The most common option is tape backup, but disk drives are a possibility as well.

Hybrid backups

There are advantages and disadvantages to on-site and off-site backups. Neither option is perfect. Off-site backups keep data securely out of harm's way, but restoring data across the internet can be a prohibitively slow process. Similarly, on-site backups are fast and convenient, but if the primary data center is destroyed by a disaster such as a fire or flood, on-site backups will be destroyed as well.

A hybrid backup approach seeks to capitalize on the advantages of both options, while maximizing data security and reducing risks. It works by creating an on-site backup and then replicating the backup to one or more off-site locations. One of the most common ways of creating a hybrid backup is to use a disk-to-disk-to-cloud architecture. In this approach, backup data is written to an on-premises backup appliance. This appliance not only stores the backup data, but also acts as a cloud storage gateway, and handles the task of replicating backup data to the cloud.

Choosing a backup option

Choosing a backup option is rarely a simple matter. The key to making such a selection is to find a backup approach that maximizes the organization's chances of recovering from a data loss event, while also conforming to the recovery point objective and recovery time objective that are laid out in the organization's disaster recovery plan. A hybrid backup approach is typically the best fit for larger organizations. Conversely, a small business might opt for a simple local backup or a consumer grade cloud backup service.

Off-site backup providers

There are countless vendors who act as off-site backup providers. These vendors generally fall into one of three categories:

  • Hyperscalers: These are the large, general-purpose, public cloud providers such as Microsoft Azure, AWS and the Google Cloud Platform. They provide cloud-based backup storage but offer many other services as well.
  • Traditional backup vendors: These vendors might create their own private cloud environments that are solely dedicated to the task of accommodating backup data.
  • Removable media: The third category of off-site backup providers are those that are dedicated to securely storing removable media, such as backup tapes. These providers transport the media to and from a secure backup facility and ensure that the tapes are stored under the proper conditions, while also guaranteeing data security.
This was last updated in July 2020
