Data protection is not one of the most interesting topics in the information technology field, however, it is definitely a critical one that every organization has to have a good handle on. Ask yourself, can you guarantee your organization that their data is properly protected today?
How many copies do you keep?
Is the 3-2-1 rule still good enough for your organization? What about the 3-2-1-1-0 rule?
3-2-1 rule recommends 3 copies of your data, in 2 different storage providers/media, and 1 should be kept offsite.
3-2-1-1-0 follows the same principle, but add an offline copy (immutable, cloud, etc) and 0 errors on the backup jobs too.
How often do you test your restores?
Most data protection software offers automated restore tests nowadays.
What is stopping you from taking advantage of these features to make sure that you can consistently restore your backups Monthly? Weekly? Daily?
How do you protect your backups against Ransomware?
Do you have alerts set in place in case the growth spikes out of nowhere (possible ransomware encryption)? Are your repositories hardened and immutable? Or can you simply delete any data from them on-demand?
I truly hope it is not the latter.
Are your backups Encrypted?
How do you protect the data within the backups in case they land in the wrong hands? Some solutions designs may not be ideal for this feature, but definitely worth considering otherwise.
Do you have an Offsite strategy in place?
Are you shipping your backups data somewhere else? Is this happening physically (tape) or digitally (another cloud)?
Is this offsite location managed by your organization, or somebody else? Is this location physically separated or logically air gapped? All of these are good questions to consider when deciding what a suitable offline location for your backups is.
Have you spent the time to Harden your systems?
Are your data protection components part of the domain (AD authentication or local credentials only)? Are you following the best practices for each component? Are the systems patches up to date? Do you have a proper patching cycle in place? Are they isolated to their own network? Are they behind a firewall? There is no universal rule here, but these are all discussion points that need to take place when designing the solution.
What are your advertised RTO and RPO?
Who put those policies in place? Is your organization comfortable with these numbers? Is there an updated report to tie how many dollars are being lost per minute/hour of downtime? Is the possibility of that revenue loss worth the RTO? Most companies have a great handle backing up their data, but very few can restore most of their data in a reasonable amount of time. Nowadays, the important part is to be able to restore as possible, not to backup the data as fast as possible.
How up-to-date is your Documentation?
When was the last time the data protection documentation was updated? Your RTO/RPO Policies? The backup jobs and rules? Standard Operating Procedures? Are there properly documented SOX/PCI/HIPAA/etc compliance requirements? Not the most interesting job in the world, but somebody has to do it.
