Choose an enterprise backup architecture that fits risk
Weigh the trade‑offs among on‑premises, backup as a service and hybrid backup, and use a clear framework to choose the approach that fits your organization.
Data protection is no longer just a mundane IT operations task; it's a priority to fulfill your organization's objectives.
Ransomware threats, tighter regulatory requirements and data spread across SaaS, cloud and on-premises platforms mean that backup decisions directly affect organizational resilience, compliance and business continuity. For executives evaluating enterprise backup strategies, it's an architectural decision, not just a tool selection. The key question isn't which tool. It's which architectural pattern best balances control, compliance, cost and recovery capability for the organization's specific risk profile.
That evaluation helps determine whether on-premises, Backup-as-a-Service (BaaS) or a hybrid approach is the right fit.
Three backup environment models to choose from
There are multiple approaches organizations can take for enterprise backup. Gartner predicts that by 2028, 75% of large enterprises will adopt BaaS alongside on-premises tools, representing a shift from the majority of organizations running backups on-premises.
Modern enterprise backup architectures fall into three models with risk trade-offs across data control, cost, sovereignty, recovery speed and vendor dependence.
On-premises infrastructure
On-premises backup was the dominant enterprise approach for many years. In this model, the organization owns and manages the entire backup infrastructure -- software, servers and storage media -- on site.
Pros
- Complete control over data and infrastructure.
- No third-party access to backup data.
- Meets strict data residency requirements.
- No egress fees for data retrieval.
- Predictable long-term costs.
Cons
- High upfront capital investment.
- Ongoing maintenance costs.
- Requires skilled internal staff.
- Limited scalability without additional hardware purchases.
- Organization responsible for all capacity planning.
- Hardware refresh cycles add recurring costs.
Best for: Heavily regulated industries with strict data residency requirements, organizations managing multi-petabyte data volumes where cloud economics become unfavorable and those with existing data center infrastructure and available capacity.
Cloud-based BaaS
Cloud-based BaaS shifts hardware and its upkeep to the provider and uses pay-as-you-go pricing.
Pros
- Minimal upfront costs.
- No hardware to maintain or refresh.
- Instant scalability without capacity planning.
- Geographic redundancy.
- Vendor manages all infrastructure and updates.
Cons
- Data resides in provider infrastructure across multiple locations.
- Subject to provider access policies and foreign legal frameworks.
- Egress fees for data retrieval can be substantial.
- Higher long-term costs for large data volumes.
- Dependent on vendor for access and availability.
- Limited control over data location and sovereignty.
Best for: Organizations with distributed workforces, those prioritizing operational expenses over capital investment, companies with rapid growth trajectories, and environments where data sovereignty concerns are manageable.
Hybrid
Hybrid combines on-premises storage with cloud-based backup. The typical pattern maintains local backup for fast recovery while replicating to the cloud for off-site resilience.
Pros
- Balances local control with cloud scalability.
- Fast recovery from local copies.
- Cloud provides off-site disaster recovery.
- Flexibility to optimize each workload independently.
- Provides a gradual migration path from on-premises to cloud.
Cons
- Requires skills across both environments.
- Integration complexity between platforms.
- Managing two distinct operational models.
- Potential for higher total cost than a single approach.
- More complex policy and governance requirements.
- Increased testing and validation needs.
Best for: Organizations balancing strict compliance requirements with cloud benefits, those managing diverse workload recovery requirements, and companies transitioning from on-premises to cloud infrastructure.
The decision framework is a balancing act
Backup decisions involve multiple stakeholders, including IT operations, security, legal, finance and business units. A further challenge to the decision-making process is the risk that C-level executives will override the buying committee's recommendations. The surest way to prevent that is to align technical recommendations with strategic business priorities.
A practical evaluation framework for most enterprises consists of five categories based on typical priorities. Organizations should adjust these weights based on risk profile, regulations and strategy.
- Technical capability (25%). Evaluate workload coverage across VMs, containers, SaaS, databases and cloud-native workloads. Ensure recovery time objectives (RTO) and recovery point objectives (RPO) align with business requirements.
- Security and compliance (25%). Check cyber-resilience features. Validate encryption at rest and in transit to ensure it complies with organizational standards. Use recovery testing to verify that backups remain recoverable after attacks that target the backup repositories themselves. Confirm the technology meets required regulations and is certified for HIPAA, SOC 2 and ISO 27001.
- Total cost of ownership (20%). Model three to five years of usage to understand the total cost of ownership (TCO). Calculate storage growth at the organization's historical rate and add egress fees for large-scale disaster recovery scenarios. Include API transaction charges for frequent backups and professional services for deployment and ongoing optimization. Request competitor quotes to compare pricing.
- Strategic alignment (15%). Assess whether the vendor's roadmap aligns with the organization's cloud strategy and AI plans. Enterprises with multi-cloud strategies need tools that work consistently across AWS, Azure and Google Cloud Platform. Review the vendor's 18-month roadmap and confirm investment in areas tied to the organization's strategy, such as AI integration, cloud-native features or SaaS coverage.
- Support and operations (15%). Backup tools require ongoing support. Test support responsiveness during the proof-of-concept with actual technical questions. Verify that teams operate in the same time zone and have acceptable response windows. Evaluate automation that eliminates repetitive tasks rather than shifting manual work to other tools. Confirm recovery assistance during disasters is included, not sold as a premium add-on.
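The five-category framework above, worked as a scoring matrix. This is an added example, not part of the article: it applies the article's default weights, checks that any adjusted weight set still sums to 100, and shows how a heavier security weighting (a constructed "regulated industry" profile) changes the ranking of three hypothetical proof-of-concept results.

```python
# Added example: weighted vendor/architecture scoring with the article's
# five categories. All scores below are constructed, hypothetical PoC results.
from typing import Dict, List, Tuple

# Default weights from the article, in percent; any weight set must sum to 100.
DEFAULT_WEIGHTS: Dict[str, int] = {
    "technical_capability": 25,
    "security_compliance": 25,
    "total_cost_of_ownership": 20,
    "strategic_alignment": 15,
    "support_operations": 15,
}

# Hypothetical reweighting for a heavily regulated organization.
REGULATED_WEIGHTS: Dict[str, int] = {
    "technical_capability": 20,
    "security_compliance": 45,
    "total_cost_of_ownership": 10,
    "strategic_alignment": 10,
    "support_operations": 15,
}

def validate_weights(weights: Dict[str, int]) -> None:
    """Reject weight sets that drop or add a category or do not sum to 100."""
    if set(weights) != set(DEFAULT_WEIGHTS):
        raise ValueError("weights must cover exactly the five categories")
    if sum(weights.values()) != 100:
        raise ValueError(f"weights sum to {sum(weights.values())}, not 100")

def weighted_score(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Per-category scores are 1-5; the result stays on the same 1-5 scale."""
    validate_weights(weights)
    return round(sum(scores[c] * weights[c] for c in weights) / 100, 2)

def rank_options(options: Dict[str, Dict[str, float]],
                 weights: Dict[str, int]) -> List[Tuple[str, float]]:
    """Return (option, score) pairs, best first."""
    ranked = [(name, weighted_score(s, weights)) for name, s in options.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed PoC scores (1 = weak, 5 = strong) for the three models.
CAT = list(DEFAULT_WEIGHTS)
POC_SCORES = {
    "on_premises": dict(zip(CAT, [3, 5, 3, 2, 3])),
    "baas":        dict(zip(CAT, [4, 3, 4, 5, 4])),
    "hybrid":      dict(zip(CAT, [4, 4, 3, 4, 3])),
}
```

With the default weights BaaS ranks first; with the regulated profile on-premises moves to the top, which is the effect of adjusting weights to the risk profile that the text describes.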
How buying teams should choose backups
Cost modeling and vendor strategy directly determine an organization's ability to adapt its backup infrastructure as needs evolve.
Long-term flexibility requires accurate cost projections. Organizations that focus only on initial pricing miss hidden costs that limit future choices. Egress charges for large-scale recovery can exceed annual backup costs, making it prohibitively expensive to switch providers or move data. Frequent operations can drive up API transaction fees, locking organizations into usage patterns that become expensive to change. Underestimating these costs forces organizations to keep inadequate products rather than absorb migration expenses.
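A simplified multi-year TCO model covering the items the "Total cost of ownership" category and the paragraph above call out: storage growth at the historical rate, egress for full-scale recovery, API transaction fees and hardware refresh. This is an added example, not the article's own model; every price, volume and growth figure in it is a constructed, hypothetical input to be replaced with vendor quotes and the organization's own history.

```python
# Added example: hypothetical 5-year TCO comparison of the three architectures.
from dataclasses import dataclass

TB_TO_GB = 1024

@dataclass
class Assumptions:                   # all values constructed for illustration
    years: int = 5
    start_tb: float = 200.0          # protected data today
    growth_rate: float = 0.30        # historical annual growth rate
    dr_restores_per_year: int = 1    # full-scale restores to model per year
    api_calls_per_year: int = 8760   # hourly backup jobs -> API transactions

def projected_tb(a: Assumptions, year: int) -> float:
    """Protected capacity at the end of `year` (1-based), compounded."""
    return a.start_tb * (1 + a.growth_rate) ** year

def on_prem_tco(a, capex_per_tb=200.0, maint_pct=0.15, refresh_year=4):
    """Buy final-year capacity up front, pay yearly maintenance and refresh
    the hardware once if the horizon reaches refresh_year."""
    capex = projected_tb(a, a.years) * capex_per_tb
    items = {"capex": capex, "maintenance": capex * maint_pct * a.years,
             "refresh": capex if a.years >= refresh_year else 0.0}
    items["total"] = sum(items.values())
    return items

def baas_tco(a, gb_month=0.01, egress_gb=0.09, api_call=0.005,
             restores_local=False):
    """Pay-as-you-go storage plus egress for DR restores and API fees.
    restores_local=True models the hybrid pattern: no egress is charged."""
    items = {"storage": 0.0, "egress": 0.0, "api": 0.0}
    for year in range(1, a.years + 1):
        gb = projected_tb(a, year) * TB_TO_GB
        items["storage"] += gb * gb_month * 12
        items["api"] += a.api_calls_per_year * api_call
        if not restores_local:
            items["egress"] += gb * egress_gb * a.dr_restores_per_year
    items["total"] = sum(items.values())
    return items

def hybrid_tco(a):
    """Local copy for fast recovery plus a cloud replica for off-site DR;
    routine restores come from the local copy, so cloud egress is zero."""
    local, cloud = on_prem_tco(a), baas_tco(a, restores_local=True)
    return {"local": local, "cloud": cloud,
            "total": local["total"] + cloud["total"]}

def compare(a=None) -> dict:
    """Rounded totals per architecture for the given assumptions."""
    a = a or Assumptions()
    return {"on_premises": round(on_prem_tco(a)["total"]),
            "baas": round(baas_tco(a)["total"]),
            "hybrid": round(hybrid_tco(a)["total"])}
```

Each function returns a line-item breakdown rather than a single number so a buying team can see which item (egress, API fees, refresh) dominates and stress it with different growth rates or restore counts.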
Vendor lock-in narrows options. Vendor-specific compression, deduplication or storage formats make switching providers costly and technically complex. Organizations trapped by proprietary formats cannot adopt new technologies, negotiate better pricing or meet changing compliance needs without massive re-platforming. As data grows, a migration becomes less realistic.
Protecting exit options preserves strategic flexibility. Negotiate data portability terms in the initial contract and verify the product supports industry-standard export formats. Test exports during proof-of-concept with production-scale samples. Specify data-format requirements and transition assistance commitments in the contract. Organizations that secure exit provisions maintain leverage to renegotiate pricing, adopt new technologies or switch vendors as needs change.
Compliance now drives backup strategy
Regulatory frameworks now influence backup architecture decisions as much as technical requirements or cost.
Regulatory compliance. The EU's NIS2 Directive, effective October 2024, mandates backup management as one of ten minimum security measures, requires documented RTO/RPO and holds management personally liable for failures. HIPAA's proposed 2024 security rule update would include a 72-hour data restoration requirement for essential systems. GDPR's right to erasure adds technical challenges for backup systems, requiring granular indexing capabilities and deletion tracking across backup sets.
Data sovereignty. Data sovereignty requirements drive backup architectural decisions. Countries such as China, Russia and Saudi Arabia enforce data localization rules that dictate where backups and disaster recovery data are stored. The Schrems II decision, which invalidated the EU-US Privacy Shield, forced organizations to reassess cross-border backup strategies. The Clarifying Lawful Overseas Use of Data (CLOUD) Act grants U.S. authorities access to data controlled by American cloud providers even when it's stored overseas.
For highly regulated industries, compliance requirements often determine architecture before technical evaluation begins. Financial services firms navigating SOX's seven-year audit log retention rules and PCI DSS 4.0's access-tracking requirements often adopt tiered hybrid architectures that balance compliance with operational efficiency.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.