In the digital age, where data serves as the backbone of almost every operation, devising a reliable backup retention policy is paramount. A backup retention policy outlines the guidelines for how long various data backups should be preserved, ensuring a delicate balance between data availability, compliance, and storage efficiency. In this article, we’ll delve into the significance of a well-crafted backup retention policy and explore the key factors to consider when designing one for your business’s data management strategy.
Introduction to Backup Retention
The power of ransomware gangs lies in holding your data hostage. Either they shut down your operations by encrypting critical files, or they threaten to leak sensitive data such as private customer records. The impact of both of these attack vectors can be minimized by good backup retention.
Backup retention is much more complex than just saving data in a secure location. A large organization deals with many types of data. Some are mission critical, others are easily replaceable, and others represent a legal liability.
Backup retention means having an intelligent plan for:
- what to save
- when to save it
- where to keep it
- and how long to retain it.
More than just protecting against ransomware attacks, good backup retention practices, like the 3-2-1 Backup Rule and Strategy, can save a lot of money, especially in larger organizations.
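The 3-2-1 rule referred to above means keeping at least three copies of the data, on at least two different kinds of storage media, with at least one copy kept offsite. The following checker is an added example written for this article, not code from the original page; it runs over a constructed inventory of backup copies (the names, media and location labels are assumptions) and reports which parts of the rule hold, and also lists which copies are offline, since air-gapped copies matter in a ransomware scenario even though they are not part of the rule itself.

```python
from collections import Counter

# Constructed inventory of where copies of one data set live. Names, media and
# locations are assumptions for this example; the primary copy counts as one
# of the three, as is usual when applying the rule.
COPIES = [
    {"name": "primary",       "medium": "disk",  "location": "onsite",  "offline": False},
    {"name": "nas-snapshot",  "medium": "disk",  "location": "onsite",  "offline": False},
    {"name": "cloud-archive", "medium": "cloud", "location": "offsite", "offline": False},
    {"name": "tape-vault",    "medium": "tape",  "location": "offsite", "offline": True},
]


def check_321(copies):
    """Measure a copy set against the 3-2-1 rule.

    Returns a dict with the raw counts, the three individual checks, and an
    overall pass flag, so the caller can see exactly which part is missing.
    """
    media = Counter(c["medium"] for c in copies)
    offsite = [c["name"] for c in copies if c["location"] == "offsite"]
    offline = [c["name"] for c in copies if c["offline"]]
    three = len(copies) >= 3          # at least three copies
    two = len(media) >= 2             # on at least two different media
    one = len(offsite) >= 1           # at least one of them offsite
    return {
        "copies": len(copies),
        "media": sorted(media),
        "offsite": offsite,
        "offline": offline,           # air-gapped copies, reported for information
        "three_copies": three,
        "two_media": two,
        "one_offsite": one,
        "passes": three and two and one,
    }


if __name__ == "__main__":
    for label, subset in (("full set", COPIES), ("onsite only", COPIES[:2])):
        result = check_321(subset)
        print(label, "passes" if result["passes"] else "fails", result)
```

The second call in the usage block deliberately passes only the two onsite disk copies, which fails all three checks at once; in practice the interesting output is the one missing check, which the returned dict isolates.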
Data Retention Policy Best Practices
A good data retention policy will minimize costs while maximizing security. There are several elements important to achieving this.
Distinguishing Data Types
Different data types have different levels of priority for backups. Data retention policies should identify all data types such as operating system files, user files, and databases, and handle each according to specific rules.
Depending on the needs of your organization, some types of data may need to be backed up more often than others. Others may not need to be saved at all, which can save time and storage space.
Organizing by Data Lifecycle
Data can also be divided according to how long it will be stored. For example, some data changes frequently and may need to be accessed quickly, while other data might be stored as part of annual or monthly backups.
Easier access usually means lower security, so the ideal is to try to find the “sweet spot” between security and operational efficiency.
Creating a backup plan
Keeping in mind a ransomware scenario, plan for which data types will be retained for how long. Compliance is one of the main concerns: certain kinds of data need to be stored for certain periods of time to meet insurance requirements. You can also face fines for not deleting sensitive customer data within a certain period of time, not to mention potentially losing the trust of your customers.
You also need to decide which data will get backed up in different types of backups. For example, an annual backup will usually cover more data and different kinds of data than a daily backup.
There are three main types of backup: full backup, differential backup (a copy of all changes since the last full backup), and incremental backup (a copy of all changes since the most recent backup of any type, whether full, differential, or incremental).
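The practical difference between the three types shows up when you restore: a differential needs only the last full backup, while an incremental needs every backup back to the last full (or to a differential in between). The simulation below is an added example, not code from the article: it takes a constructed day-by-day history of a tiny file set and a hypothetical schedule of backup types, builds the backups each type would capture, and computes the chain of backups a restore must read for any given day.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: the complete content of a small file set at the end
# of each day. Only additions and modifications are modelled; deletions are
# left out to keep the example short.
HISTORY = {
    date(2024, 1, 1): {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},
    date(2024, 1, 2): {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"},
    date(2024, 1, 3): {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1"},
    date(2024, 1, 4): {"a.txt": "a3", "b.txt": "b2", "c.txt": "c1"},
}

# Hypothetical schedule: which backup type runs on which day.
SCHEDULE = {
    date(2024, 1, 1): "full",
    date(2024, 1, 2): "incremental",
    date(2024, 1, 3): "differential",
    date(2024, 1, 4): "incremental",
}


@dataclass
class Backup:
    day: date
    kind: str             # "full", "differential" or "incremental"
    data: dict            # path -> content captured by this backup


def changed_since(state, baseline):
    """Files whose content differs from, or is absent in, the baseline state."""
    return {p: c for p, c in state.items() if baseline.get(p) != c}


def make_backups(history, schedule):
    """Produce the backup set the schedule would create from the history."""
    backups = []
    last_full_state = {}
    last_any_state = {}
    for day in sorted(history):
        state, kind = history[day], schedule[day]
        if kind == "full":
            data = dict(state)                            # everything
            last_full_state = state
        elif kind == "differential":
            data = changed_since(state, last_full_state)  # changes since last full
        elif kind == "incremental":
            data = changed_since(state, last_any_state)   # changes since last backup of any kind
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        backups.append(Backup(day, kind, data))
        last_any_state = state
    return backups


def restore_chain(backups, idx):
    """Backups that must be read, oldest first, to fully restore backups[idx]."""
    chain = [backups[idx]]
    i = idx
    while chain[-1].kind != "full":
        i -= 1
        if chain[-1].kind == "differential":
            # a differential depends only on the full it was taken against,
            # so any incrementals in between can be skipped
            while backups[i].kind != "full":
                i -= 1
        chain.append(backups[i])
    return chain[::-1]


def restore(chain):
    """Replay the chain oldest first; later backups overwrite earlier files."""
    state = {}
    for b in chain:
        state.update(b.data)
    return state


if __name__ == "__main__":
    backups = make_backups(HISTORY, SCHEDULE)
    for i, b in enumerate(backups):
        chain = restore_chain(backups, i)
        print(b.day, b.kind, "stores", len(b.data), "file(s); restore reads",
              [f"{c.day.day}:{c.kind}" for c in chain])
```

Running it shows the trade-off directly: the differential on day 3 stores more than the incremental on day 2, but restoring day 4 only needs three backups rather than the whole sequence, and every restored state matches the history it was taken from.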
Configuring data retention settings
Based on the above defined data structure, you can design your backup retention plan. Some backup retention parameters include:
- Length of retention. How long will you keep each data type for?
- Number of versions. How many versions of the data will you keep?
- Deletion settings. How long will you keep different data types before deleting?
- Archiving settings. Some data may be stored for a period in an easy to access place, and then moved to archives for compliance purposes.
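The four parameters above can be expressed as one rule per data type and evaluated mechanically over an inventory of existing copies. The planner below is an added example written for this article, not the page's or any product's code; the rules, data types, dates and inventory are all constructed assumptions. For each copy it decides keep, archive or delete: copies beyond the version limit or older than the retention length are deleted, copies older than the archiving threshold are moved to the archive tier, and everything else stays in the easy-to-access location.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    retention_days: int                 # delete copies older than this
    max_versions: int                   # keep at most this many newest copies
    archive_after_days: Optional[int]   # archive copies older than this; None = never archive


# Hypothetical per-data-type rules (constructed for the example).
POLICY = {
    "database":   RetentionRule(retention_days=365, max_versions=5, archive_after_days=30),
    "user_files": RetentionRule(retention_days=90,  max_versions=3, archive_after_days=14),
    "os_image":   RetentionRule(retention_days=30,  max_versions=2, archive_after_days=None),
}

TODAY = date(2024, 6, 1)

# Constructed inventory of existing copies: (data type, date taken).
INVENTORY = [
    ("database",   date(2024, 5, 31)),
    ("database",   date(2024, 5, 30)),
    ("database",   date(2024, 4, 15)),
    ("database",   date(2023, 3, 1)),
    ("user_files", date(2024, 5, 31)),
    ("user_files", date(2024, 5, 30)),
    ("user_files", date(2024, 5, 29)),
    ("user_files", date(2024, 5, 28)),
    ("os_image",   date(2024, 5, 20)),
    ("os_image",   date(2024, 4, 20)),
]


def plan_retention(inventory, policy, today):
    """Decide keep / archive / delete for every copy, per its data type's rule."""
    by_type = {}
    for data_type, taken in inventory:
        by_type.setdefault(data_type, []).append(taken)

    actions = {}
    for data_type, dates in by_type.items():
        rule = policy.get(data_type)
        if rule is None:
            # an unclassified data type is a policy gap: refuse rather than guess
            raise KeyError(f"no retention rule for data type {data_type!r}")
        # rank 0 is the newest copy; the version limit applies to this ordering
        for rank, taken in enumerate(sorted(dates, reverse=True)):
            age = (today - taken).days
            if rank >= rule.max_versions or age > rule.retention_days:
                action = "delete"
            elif rule.archive_after_days is not None and age > rule.archive_after_days:
                action = "archive"
            else:
                action = "keep"
            actions[(data_type, taken)] = action
    return actions


def summarize(actions):
    """Count the copies assigned to each action."""
    counts = {"keep": 0, "archive": 0, "delete": 0}
    for action in actions.values():
        counts[action] += 1
    return counts


if __name__ == "__main__":
    plan = plan_retention(INVENTORY, POLICY, TODAY)
    for (data_type, taken), action in sorted(plan.items()):
        print(f"{data_type:11} {taken}  {action}")
    print(summarize(plan))
```

With the constructed inventory the fourth user_files copy is deleted purely by the version cap even though it is only four days old, the April database copy is archived rather than deleted, and the year-old database copy is deleted because it exceeds the retention length; an unknown data type raises instead of silently keeping or deleting the copy.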
Backup retention standards
If you’ve never made a backup retention plan before, this might sound kind of intimidating. Industry backup standards can be a good starting point for designing your plan. Then you can modify them according to your needs.
Some standards include:
- FISMA. The Federal Information Security Management Act was developed by the US government and establishes standard procedures for data protection, including backup retention policies.
- PCI. The Payment Card Industry compliance standard is typically used by those who store bank card data. It also covers data retention and deletion policies for invoices, transaction data, card data, and other data related to card payments.
- HIPAA. The Health Insurance Portability and Accountability Act was developed by the US government and provides guidelines for handling patient data.
- SOX. The Sarbanes-Oxley Act set the standards for handling financial information for publicly traded companies.
- GLBA. The Gramm-Leach-Bliley Act lays down standards for financial institutions like banks, insurance companies, and investment firms for dealing with customer data.
Looking at industry standards for your field of work is one of the best places to start designing a backup retention policy.
Ransomware awareness in backup retention
Backup retention policies are an important part of ransomware defenses for multiple reasons. For one, good backups can reduce the damage done by hackers encrypting your data, since you can recover your work. Careful handling of sensitive data can also reduce the risk of double extortion attacks and triple extortion attacks.
When designing a backup retention policy, it’s worth keeping in mind the possibility of all or part of a network getting locked down by hackers. One way of reducing risk may be conducting more frequent or larger air-gapped backups.
Backup retention can’t do everything, but it’s a powerful and essential element of integrated cybersecurity defenses. A good backup retention policy can not only reduce the risk of a ransomware attack succeeding; it can also reduce the damage hackers can do by reducing downtime and minimizing data exfiltration.