Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome to Cash in the Cyber Sheets, episode 17. Very happy to have you back with us. So last week we were talking about data backups.
This week, going to dive a little bit more into that, but rather than such a high level overview, this week I really wanted to get into some of the different types of data backups and some of the strategies, advantages, disadvantages, as well as just some other considerations to have around your data backups. So before going any farther, hamster fell off the wheel. It's after Labor Day, so it's not really sure should it be running or not.
But before we get started, please click that subscribe button. Leave us some comments. Let us know if there's anything you want to talk about.
And with that, we'll go ahead and jump right into it. So we talked about data backup. Um, quick recap, it is, it is probably one of the most important things that you will do for your business to make sure that you have all of that data.
Should something go sideways, whether that's a natural event, whether that's a cybersecurity impact, whether it's ransomware, whatever it is, your data is really typically the lifeblood of your business and without it, the business can shut down. So it's very, very important to make sure you have the backups and this goes, I don't want to say this goes over a lot of people's heads, but a lot of companies, a lot of IT professionals, all of us, a lot of times believe that we've got the data backed up. It's fine.
I set it up. This isn't, this is an area that I've got covered. It's everybody else that has problems.
And I hope that's the case. However, what we find in our audits is typically when we really start digging in, Hey, let me see the data backups. Let me see where you've recovered some data as part of a test.
Let's look at your retention schedule. How is this being managed? That's where we find a lot of breakdown. And in some companies, we've even found that they're not doing backups at all.
They thought they were, but they're not. So it's very, very important. If you just check this and you know that you're good, go back and check it again to make sure.
It's, it's such a trust, but verify situation. And that's why we're going into it here. So I'm not going to continue to beat that, uh, that dead horse.
We talked about that a lot last week. So this week getting into it, I want to talk about some of the different types of backups and real quickly, some of the pros and cons. We will have this, uh, built out a lot more on our blog.
So you'll be able to go in there, reference it. Um, and I think eventually we'll even put some additional resources on there, like some cool infographics and stuff. Just, uh, I like those for, for easy reference.
It makes it, well, it makes it easy to reference, which I guess is the point of saying that, um, but getting, getting into the different types of backups, um, there's obviously quite a few, some of the core are there's full data backups, incremental, uh, differential, mirror backups, and then a hybrid kind of a mix of those. So going into those, a full backup is just like it sounds. It's the most straightforward.
It's whatever data you have, whatever you're backing up, you take a full copy of it. And that's great. You're getting everything backed up.
You know, it's backed up. Um, and typically those are the easiest to restore. However, doing multiple full backups quickly eats up storage.
If we have, um, a hundred, a hundred gigs of data, 10 full days of full backups is already a thousand gigs worth of storage. And that's just going to, after 30 days, after 60, after 90, how far that goes. So full backups are great to make sure we've got all of the data to make sure everything is fully backed up, but they can quickly eat up all of our storage space.
And for a lot of us, for most of us, we just don't have the resources to be able to continually replicate all of our data on different storage mediums. So full backups are very, very important. They fit very well into the hybrid, which we'll talk about, but the next, uh, core one is incremental backups.
So what those do is those take a full backup. And then every time there's a file change, they're only backing up that change for each of the files. So you'll have a full backup and then you could have multiple days of incremental backups to where if a file hasn't changed, it's not going to take another backup of it.
It's already got it. It's in the full. So that works really well.
As far as it's a lot quicker typically to backup, because with the exception of the full backup, which can take a very long time, the incremental, it's normally only a few files or definitely a subsection of files, not, not everything in the full backup and that, that backs up a lot quicker, it also takes up a lot less storage space, which is really nice to the pocketbook the problem with incremental backups is depending on how far your last full backup was, you have to typically restore that full backup in all of those other backups. So if there's one of those that's corrupted, if you have a problem in one or two of those incrementals, that can sometimes break the whole process. Or God forbid you have a hiccup in the full backup.
Now that incremental backup doesn't work at all. So a lot of great advantages there, but don't overlook the disadvantages of that. Um, there's more opportunities for failure, uh, with incremental backups.
So coming into differential, um, a lot of times they're, they're similar to incremental backups. Sometimes the names are even used interchangeably. It's not actually correct because incremental are different than a differential.
And the big difference is, is that with a differential, you have a full backup, but then the differential makes a copy of all of the data that's changed since the last backup. Probably thinking, well, that's, that's just what, what we said for the incremental, well, with the incremental, it's making a backup of the file. That's changed since the last backup with the differential.
It's since the last full backup. So let's say on day, on day five, we have 10 files that change. Well, now on day six, we're also doing a backup of those files.
And on day seven of all those files, and then let's say on day 10, now we change another 10 files. So now we're backing up 20. And what happens is the differential backups grow in size pretty quickly.
Uh, depending on how quickly you're changing your data and how far, um, it is between your, your last full backup. So if you're doing a full backup, say every month, um, or every couple of months, I wouldn't recommend that. I would do it much more often, but your differential backup between all of that time, you've probably touched all of your files, which means that at some point you're almost essentially doing full backups again.
So there's the nice piece with the differential that it's reducing the, the chance of failure, like with those incremental, because I've got every single change in every differential backup since my last full, so I only need to restore data, uh, typically two, two of the backups, one of the differential and my full backup. The problem is that creates a massive storage issue. Um, and it, it quickly gets out of, out of control.
They can also, depending on how many files have changed and start taking a very long time to perform those backups because it's, it's replicating so much information. So good goods and bads there, um, all depends on how much data you have, how important that data is, um, but the next, uh, core, uh, backup is a mirror backup. And really all this is, is, um, it's really just a full backup, but that's typically, um, performed almost immediately.
So sometimes it's, uh, these are just referred to as, uh, full backups and it's just discussed how they're done. But a mirror backup would be, I've got all of my data, say in data warehouse A and I'm doing a mirror copy to data warehouse B or to another location. So every time there's a change, I've got an immediate change on, on my data, kind of like a, um, a mirror array.
And that offers a lot of benefits to where God forbid, one of the, one of them goes down, I've got the other one. It's a very high availability. Uh, the problems is that can get to be excessively expensive because you're essentially running almost like two production systems.
It can also, uh, create issues to where as soon as the data changes in your primary copy, your, your actual live production data, now your mirror copy is going to have that. So any problems with your live data, say ransomware, encryption, whatever, that's going to immediately propagate to that mirror backup. So I don't really like calling a mirror backup, a backup.
It's more of a high availability tool. Um, it's more really what like, uh, AWS or Microsoft or other storage solution solutions are offering, um, data distribution and data availability, but not so much recoverability. And there's, it seems like those would be the same thing, but that's a pretty important distinction there.
So definitely has its advantages, um, and has its disadvantages. Make sure you use it the right way. Now, those are, those are really the core data backup, uh, types.
What you'll typically find is that you're doing a hybrid between some of them. So in some, um, companies they'll have the mirror, the mirror backup, that high availability setup, and they'll also have at least a one full backup, maybe per month or per week, or, um, in some cases, uh, per day. And then they'll also use incremental backups so that they're, they're getting all of the different changes.
So, and these can be stored in different areas. So that way you're kind of getting, kind of getting your cake and eating it too. Just obviously the more that you put in, uh, the more of these that you put into place, you've got the considerations of cost resources, um, and also complexity.
The more things that you put into place, you know, the more gears that are turning, that's more things that can break. So again, just like everything in security, it's a, it's a seesaw of, uh, return on investment, uh, security and impact versus, uh, or security versus impact of productivity, um, cost versus benefit, and you've just got to weigh all those things to, to make sure you're getting in into a good sweet spot for your company and for your needs. So, um, those are, those are the core types of data backup, uh, data backups.
Now, moving on, I want to talk about some, um, methodologies. Uh, there's, there's really kind of two major ones that, that we typically see, uh, out in the field that, that we use. Um, and really a lot of them are typically some variation of these two, but the two that we're, that we're going to talk about is the, um, GFS, the grandfather, father, son backup, and also the, uh, tower of Hanoi.
Uh, I believe I'm saying that right. If I'm not, I've said it wrong in a lot of, uh, boardrooms and for those that knew, uh, I lost a lot of credibility, but I think I'm saying it right. I should, I should look at, look it up again when I remember when the, when the hamster gets back on the wheel.
So starting off with the grandfather, father, son, this is a strategy of having daily backups, weekly backups, and then monthly backups. So typically, typically the way this works is each week we'll do one full backup, that's going to be our, what we call our father. That's, that's the full backup.
Each day we're going to do incremental data backups. So say on, um, Sundays we'll do our, our, our full backup. And then Monday through Saturday, they're all incremental backups.
And that way we're never going farther than a week out with a full backup. Typically at the end of a month in that process, we'll do another full backup. And that's going to be our grandfather backup.
And normally how that works is that's put to another location. And typically stored for a lot longer. Um, we'll get into it a little bit, uh, and not, and not too much farther here.
We'll get into it a little, a little bit, but the retention schedules. Um, but typically the grandfather accounts are retained, archived. And after a certain point in time, we probably won't need to get to that data quickly.
You know, we still need to retain it maybe for compliance reasons, like HIPAA six years since last use. Um, but we're not needing to get in there a lot so we can put it into like long-term storage, that's very inexpensive. It just takes a while to get it, which normally that's okay.
But the nice thing about the, uh, the GFS grandfather, father, son backup is you're getting the benefits of that full backup, everything there. You're getting the benefits, uh, the cost benefits and storage and speed of the incremental happening daily. And you're getting that long-term retention, which is typically somewhere else with that grandfather, um, backup.
And what you can do is, as well is also increment where you have the data storing. So maybe, um, your most recent father backup, your weekly and your, uh, weekly incremental are local. Maybe your, um, past, uh, weekly accounts or weekly backups are stored, uh, in a, in an offsite location or in a cloud repository.
And, uh, perhaps you have that grandfather, uh, archive backup stored in a different, um, cloud provider, or even, um, some archive storage, you know, something like iron mountain, um, or some other solution, they just, they just got a free little, free little promo there. Um, I really liked the GFS, uh, structure. We just went over the benefits.
I would say really the, uh, downsides to that is you just got to make sure you don't make the structure too complex and also, um, cost cost with everything. It's always a considering factor. So the more that you put into place more costs, uh, more things to consider.
Now the tower of, uh, Hanoi is, uh, quite a bit more, uh, sophisticated. Actually, I don't know if it's more sophisticated. It's just, especially if you haven't done it, uh, quite a bit, it can be a little confusing, but essentially what it has is multiple backup levels.
And if you've ever, uh, done the, I don't know if it's a game or a puzzle, both. Both, you know, we'll call it a game and puzzle. Um, but it has the different discs and you have to move the disc between, uh, the different, um, pillars to get all of the discs from one side, uh, from one pillar all the way to the other one.
And you can't, um, overlap bigger discs on top of smaller discs. Um, so it's a kind of a, almost feels like where's the lady moving, moving pieces around and man, I mean, I'm explaining that game horribly, I'll find a good picture to put online and then you'll see it and go, oh, I know what he is trying to say. He just, he said it bad.
Um, but in any case, the, uh, tower of Hanoi backup, it uses, uh, several backup levels. So a lot of times what you'll see is, um, you'll have the backup on one day. And then it will store to another location every four days.
And then, uh, every eight days it stores to a different location, uh, between those two. And it kind of keeps just rotating around where you have your backup stored. Um, what that allows for is a very good archiving structure.
You can have a very, very deep historical archive. Uh, and also limit the amount of storage space that you're using. So it's definitely got its advantages there.
And as far as if there's a problem with data, a dataset at one, one spot, you've got a lot of backups in other areas. It's pretty resilient. The problem is that it's complex.
So even trying to describe it here, and if we, if we had a lot more time, um, it's a lot easier, but quickly describing it, uh, even writing it down is it can be difficult, especially if you haven't gone through it a lot, the configuration on the systems can even get wonky. So you invite a lot of, um, complexity, which brings all of the troubles that it brings with it. So, um, typically we'll use the grandfather, father, son, easy to understand, pretty easy to implement.
Um, in practice, we're typically doing a kind of a hybrid between that and the towers of, uh, in a way to where we're, uh, throwing backups to different locations at different times. That way I'm a risk guy. Uh, I, I gotta, I gotta spread out, I gotta spread out my eggs.
I can't be all in, all in one spot. Can't have them all in one basket. So those are, uh, obviously there's lots of different strategies out there.
Those I think encapsulate kind of the general thinking of a lot of different, um, types, uh, or backup methodologies. Um, I think just a lot of others have, have kind of their own flavor. So, uh, moving on with a little bit of the time we have left here, um, some other considerations when you're doing your backups, we talked a little bit about it last week, but a big one is regulatory compliance requirements.
So many times with backups, we see that, uh, the retained at least for a year, sometimes a couple of years. Uh, but then there's no way to get data as far back as that, that they really need. This happens a lot of medical practices to where they're under HIPAA.
You have to maintain access to the data for six years since last use. Um, and they can only go back a few years. So that's a major, uh, red flag.
That's a major issue on the compliance side. And something that a lot of companies don't consider is log retention for that long. Now, I'm hoping that this changes.
There's talks about it changing. Um, it's logs are only useful so far back, you know, logs from five, six years ago. I think we could start a whole discussion on it.
I think people would have opinions, but for the most part, those aren't typically useful and even more so they're not typically backed up there. They're scrubbed out. There's only so much, uh, log, uh, log data, log retention.
So when you're thinking about your backups, make sure you consider all of your logging requirements, your audit logs, make sure that those are in there because those are overlooked and that is a major regulatory finding. It's also where I think some insurance companies are going to start trying to hit back and say, well, you, you weren't doing what you were supposed to do. How can we pay this claim when you're not even doing your security requirements? It it's nasty, but I've definitely seen that in a lot of audits and had it come up from other auditors as well.
So it's an issue out there. There's a reason that this is that auditors are catching this. Um, another consideration is, I think this goes more to your supplier choice, but effective storage management.
You want to make sure that whatever platform, however you're storing, that it's going to be there when you need it, that it's going to be secure. And typically for backups that are retained, archived, that's somewhere else. Um, so it's more of a supplier consideration, anything locally, you want to make sure that one, it's secure.
And two, that everybody's going to keep up on it. Uh, a thing that we also see a lot is requiring, um, users to say, swap out the, the backup drive on a system. Well, one that's relying on, on human interaction and human error is the biggest problem in any system.
So when you have any type of manual process like that, something you want to consider, um, indefinitely understand that there are going to be times that it's not executed effectively. If you have some good safety nets in there and kind of built in redundancy, then perfectly fine. Um, just don't build your backup strategy around, you know, Susie has to do this on this day, on this day, exactly this way, otherwise we're not going to have our data backed up and we could be in a, in a serious pickle, no offense against Susie, but eventually that's, that's not going to happen correctly.
So effective storage management, uh, a big thing, which ties into, um, another one of the bullets we have here is automation. Just talked about the importance of it, but as much as you can automate this and make it to where you do not need to be part of the process at all. A solution that, uh, we've, uh, that we use internally that we like, that we get a lot of clients set up with is InfraScale because we can integrate that into the cloud environment.
It's backing up without you doing anything. We can integrate it into different systems, so you're not having to touch it. Um, and it's one of the few that, that we know of, um, or that, that we like how they manage, uh, zero knowledge.
It's really nice with them that we can fully encrypt everything. Client can keep the key. We don't even have access.
Um, so a lot of really cool stuff there, but the big part is automation. Set up your backups in a way that you don't need to touch it, that you don't need to interact to have the backup work like it's supposed to. Obviously you need to engage to test the, test the data, test the backups.
Um, but you, as much as you can want to set it up to be completely hands-off while it's backing up. Um, so some other, other types of things to consider, uh, when considering some, uh, this isn't just offsite backups, just other backup considerations is data encryption. We typically spend all kinds of money protecting the data in our production systems, our backup systems, um, our, our environments, but then we back up all the data and put it on to a completely unencrypted drive that somebody could just walk away with.
So all of this money we're spending on our, on our secure environment, our firewall, our security appliances, our monitoring, our, our tests, our, our pin test, everything. We're fully locked down. Everything's great.
And we're just going to take all of the data out of that secure area and put it over here that somebody can just walk away with. That's what happens with a lot of, a lot of backups, especially local backups. They're not put on encrypted drives.
So make sure that your backup is fully encrypted. You want to make sure as much as possible, it's encrypted, um, in a, in a few ways One, so that unauthorized parties can't get to it. If you can take it a next step to zero knowledge in a, in a case to where not even the provider, say if you're using a cloud storage, not even that provider has access to the data because it's encrypted and they don't have the keys.
That's a, that's another great thing. That way you don't have to worry. If they get a data breach, all they've got of yours is gibberish.
You've got the key to unlock it. However, there's always a big hairy butt around the corner. However, make sure that you've got backups of the encryption keys and test those after doing a few backups to make sure that you can actually restore the data.
You can have all the backup data in the world that you want. If it's encrypted and you don't have the key, it's useless. You can't get to it.
So very good points about encryption. Also the, the worries about losing the key yourself. Um, can't stress this enough regular testing of the backups.
And that's not just going in to make sure that the logs are showing that it's backing up or going into the cloud service providers portal and seeing that everything's working correctly and that you can see when the last backup was. Now checking the data backups is actually attempting to restore some of that data. Can we restore some of those files? If needs be, can I take the image that we have backed up and spool up the system? And can I do it in the amount of time that I expect and need to be able to do that? If it's a server image backup and I'm expecting that I can get it up in 20, 30 minutes, but it actually takes three, four hours that could seriously impact our continuity efforts and could cause some significant impacts to the business.
So we want to make sure that the backup data can be restored as it's needed. And in the timeframe that we expect, uh, let's see. Geographic redundancy.
That's in a lot of cloud service providers, um, making sure that they've got it in multiple locations. So just like you don't have your backups all in one spot, they don't have your data all in one spot. It's redundant.
So if one system goes down or one site, um, the caveat to that is making sure that you know where your data is stored, uh, based on, uh, jurisdiction requirements, depending on where you store your data can affect what regulations, what laws you and your company have to abide by. So you want to make sure that you're putting the data in locations that you understand the regulatory requirements and that you can actually meet those. This also comes down to what your clients need.
Sometimes clients need their data in certain jurisdictions. So this is an area that can sometimes get overlooked with that. You want to make sure that you've taken that into consideration into your backup strategy.
And if you do have to retain backups in a certain jurisdiction that you don't normally utilize, that's where you really want to dig in to see, is there any way we can segregate this backup to where it's only that customer stuff there? Um, so now we're not opening up all of our other clients to these new regulatory requirements or new laws. It's there's a lot of considerations there, but those are things that you want to make sure that you, that you take a look at, um, schedule, schedule, regular testing, simulate real world scenarios, document and review. Um, I think those are the biggest things about the data backups.
Um, I think the, I think to recap for today, uh, the biggest thing that I can stress biggest things is one, make sure you have the data backups. Utilize those different types between the full incremental differential mirrored. Utilize those within your overall strategy.
Make sure you've got the data backed up to redundant locations. So that's available when you need it. Test, test, test.
Please don't assume that that data is viable. Please don't assume that you have the encryption keys and that it'll decrypt the way that you expect it to test that data, try pulling it out and using it in a live environment, um, or test environment, a replicated test environment, um, to make sure it's going to behave the way you expect it to and need it to, and then finally, probably not the last step, but definitely in there is make sure you consider the jurisdictions, not just with, um, initial data storage, but also those backups and weighing that out based on what clients need, what regulatory requirements you're under and how that could affect different parts of the business. With that said, we're more than happy to engage on a one-to-one to help talk to you about your backup strategy.
Uh, we definitely have our tools, our policies that help spell a lot of this out and make it, uh, much easier to set all of this up, make sure that you're considering everything. Um, and we also have phenomenal partners that know way more about this than even we do. So if you're concerned about your data backups, or you just want somebody to take a look at it, you know, make sure you've got it done, right.
Please reach out to us more than happy to get you set up with the right resource. Um, and also check out the, uh, our blog. We will have the link, uh, with this podcast.
Um, but we'll have all the information we talked about today and, uh, have some other resources in there as well. So I think that's all the time that we've got for today. Um, again, reach out with any questions, any comments, more than happy to, to engage with you on it. Thank you so much for listening.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.
