Getty Images/iStockphoto


Data protection vs. data backup: How are they different?

They might be viewed as separate functions, but data backup should be part of an overall data protection strategy to thwart ransomware and comply with stringent privacy laws.

Too much data in your corporate environment? Don't know where your high-value data is or how to protect it? Without an effective strategy to collect, retain, monetize and eliminate data, information overload can overwhelm every aspect of business operations.

Protecting important data files, such as credit card transactions and personally identifiable information, throughout the data lifecycle underscores the need for governance, risk management and compliance initiatives in finance, healthcare and just about every other industry. Data backup is a key part of that plan. Compliance with data protection regulations, driven by federal law and industry standards (HIPAA, PCI DSS 4.0) as well as state (CCPA) and European Union (GDPR) privacy laws, requires procedures to recover data.

Government, banking and millions of other websites across Europe went down in 2021 when a fire damaged two of global service provider OVHcloud's data centers in Strasbourg, France. Two of their customers -- BluePad and Bati Courtage -- won lawsuits in 2023 partly because the cloud provider falsely claimed its backup and production servers were housed in separate buildings.

As more enterprises move to cloud environments, legacy systems for copying and storing data locally might not support multi-cloud or hybrid cloud scenarios. Many cloud service providers offer backup as a service for remote off-site data storage. But even with ironclad service-level agreements, organizations faced with data protection vs. data backup are responsible for the security of their data.

"Back in the day we looked at speeds and feeds. Do you handle the servers that I have to back up and how fast do you do it," said W. Curtis Preston, technology evangelist at consultancy Sullivan|Strickler and host of the Backup Wrap-up podcast. "Today the single biggest thing that you need to be looking at when you are assessing one of these vendors is how secure are they. How well are they protecting your backups."

It's no surprise that ransomware -- malicious software that encrypts a company's important files and makes them unreadable until the victim pays a ransom for the decryption key -- was the culprit in nearly one-fourth of breaches, according to Verizon's "2023 Data Breach Investigations Report."

While some experts point to a shift away from traditional backup and recovery to data protection, both are needed to keep data safe.

Graphic of a data protection policy components
Data backup procedures are a critical part of a data protection policy to ensure regulatory compliance.

Key differences between data protection and data backup

A data protection strategy is designed to shield data against loss, corruption and unauthorized access and ensure data confidentiality, integrity and availability. Using maturity models and other frameworks, chief information security officers develop data security policies and procedures around usage, monitoring and management for IT teams, employees and third-party compliance.

A data protection officer or someone in a similar position works with company leadership to ensure that data processes meet confidentially, geolocation, retention and other compliance regulations. Technical controls for data protection require a multilayered approach: intrusion detection systems (firewalls), access controls, user and device authentication (multifactor), encryption, data masking and data loss prevention.

Data protection once meant protecting data as opposed to systems and applications, recalled Rebecca Herold, founder and CEO of consultancy Rebecca Herold & Associates. In the rest of the world, she added, it's often used interchangeably with privacy.

"Today most of our laws and regulations and references to data protection have to do with protecting privacy," explained Herold, who played a leading role in the NIST Privacy Framework. "And even though the term 'data' is a generic term, when it is used with the word 'protection,' it is typically talking about protecting personal data and information about individuals." The result is confusion throughout the world and industries, she said, because the term means so many different things depending on a company's structure and geographical location.

Data backup systems enable companies to make copies of critical files, applications, databases and system configurations and store them in different locations. The data can then be recovered and restored to its most recent state if it's corrupted or lost because of human error, system failures, cyberattacks or natural disasters, thereby minimizing downtime. Data backup is a critical component of many organizations' business continuity and disaster recovery programs.

Data protection vs. data backup is getting a closer look as networks change. Legacy backup systems used physical media such as tapes and disks, but today companies are increasingly adopting SaaS-based backup as a service.

"Not everybody can back up to the cloud, but the vast majority of companies can, and the cloud offers significant recovery options from a disaster recovery standpoint," Preston said. "Now, everything is online, so it is technically impossible to get an air gap, but it provides the closest we have these days to what an actual air gap is."

How to use both data protection and data backup

Effective data backup enables enterprises to recover original data and restore it to a location, while data protection controls ensure data integrity and availability to those who need access to it. Using different backup approaches -- full, incremental and differential -- IT can reduce costs, but it might take longer to recover files. Differential backup only copies file changes, which reduces backup time and storage requirements. IT administrators should continuously test backup and recovery procedures and train staff to use best practices.

Data backup and protection "can't be viewed as completely separate because you have to have people working together on the teams that then are also establishing all of the other access controls to the data," Herold explained. "You need strong access controls to the backups, and you need testing, and you need training for those that are going to be restoring them, so it has to be part of the whole program."

Security controls such as immutable backup allow system administrators to preset time periods in which the file and system data can't be changed in any way. "Your backups are under direct attack by the ransomware folks because if they can take that out then they know you have a much higher chance of paying the ransom," Preston said. But since the meaning of "immutable" can vary depending on the vendor, companies need to examine what's really offered.

Why prioritize data protection and data backup

Many people assume automatic backup is part of Microsoft 365, Google Workspace, Salesforce and other SaaS. "It absolutely is not in 99% of the situations," Preston cautioned. "So, there are all these people who think that they have backup as part of their service. I don't know where they got that idea, but they think that data is being backed up and it isn't."

Companies also take for granted that the devices and the computing products they purchase automatically perform backups and have recovery capabilities. "It's like most people with their smartphones," Herold noted. "Well, maybe it is, maybe it isn't, it depends on how you have your settings."

Enterprises need to recognize that disaster recovery must be part of their data protection program. They should perform backups often enough so they will be protected and avoid paying ransomware when they're hit -- provided they're backing up in an effective way. "That needs to be part of their full security program," Herold advised. "It has been for decades. It's still there. They can't make assumptions that others are doing it."

Kathleen Richards is a freelance journalist and industry veteran. She's a former features editor for TechTarget's Information Security magazine.

Next Steps

U.S. data privacy protection laws

How do companies protect customer data?

What is a data protection impact assessment (DPIA)?

How to build a data protection policy, with template

Dig Deeper on Data backup security

Disaster Recovery