26 April, 2023
Reasons to back up your software seem pretty obvious, however as it can be a tedious task, it is something that takes the backseat.
If you rely on digital data, whether you are an organisation or an individual, it is essential you understand the types of software backups there are.
Backups are copies of your data that can be used to restore your system in a case of data loss, corruption, or catastrophic events. There are several types of backup, including full backups, incremental backups, and differential backups. More on these below.
Software backups not only protect against data loss, but also help against financial loss, reputational damage and legal liability, these applying mostly in organisations. Data backups allow for disaster recovery, enabling a business to quickly recover from unexpected events.
What to backup?
This blog is related to types of software backups, however, it is important to note it is less common to backup the actual software, but more so, backup the data from the software. Although this does depend on the customisation of a piece of software, if it is highly customised, you may want to backup the software with an image. “System image backup is a backup technique that allows to copy all drives of the computer and the state of its operating system at a given point in time and allows it to recover that computer to this state.”
In the modern cloud environment software usually runs in containers. These are virtual computers in the cloud. The images of these containers are called dockers. These docker images can be used to redeploy the container should something happen to the original one or to spin up new instances of the system. However this does not replace independent data backups which would only pull data from the databases and can be restored without redeploying the docker image and can be restored selectivly.
If we are dealing with ‘off the shelf’ software, then it is more likely for an organisation to just backup the data, and if anything happens, they are able to re-deploy the software.
How often should you backup your data?
Keep in mind, that when choosing how to backup, where, what type and so on, everything depends on the specific risk profile of the application and the data.
Backing up data frequently is crucial for business, but how often should the backup take place? Generally, it should be as often as possible. However, it does depend on the amount of data that is changing throughout an hour, day or week. Hourly backups would be the ideal scenario, but businesses more typically opt for daily backups. (1) This depends extremely on the choice of the business. Some factors to consider when deciding how often a business should backup data are (2):
- How important is the data?
- How often does the data change?
- How sensitive is the information?
- Where should this backup data be saved?
- Who is responsible for this backup?
- When is a safe time to back up this data?
Having a clear understanding and response to all the questions allows a business to properly determine the safest and most suitable option to how often a backup should take place.
There are two elements that are important to consider which are not typically thought of. Firstly, the time of a backup. Overnight is a good time as activity is typically at its lowest, servers are not trying to do other things while being back up. Secondly, there is such a thing as backing up data too often. The more a business backs up their data, the more they are exposing this backup server to the world, and this connection may be hijacked in a ransomware attack.
Where should you keep the software backups?
3-2-1 backup rule is simply a strategy where you should keep 3 copies of your data. One being the original and two backups. These two backups should be different types, e.g. one on the cloud and another on an external drive, both backups should be encrypted. (3)
Two very common and good examples of backup services are, iCloud and Amazon Web Services. If you wish to keep a backup of your data on the iCloud, ideally, another backup should be kept on Amazon Web Services. Kept in a secure location and not connected to the network ensures there’s no way ransomware can gain access.
What happens if you don’t backup your data?
We use a lot of data.
It is difficult to calculate the exact amount of data we use everyday, but I can tell you that it is A LOT. Here’s some statistics:
- In 2022, 333.2 billion emails were sent every day. (4)
- In 2021, the world population created 2.5 exabytes of data every day. One exabyte is the equivalent of one billion gigabytes. (5)
- 41,666,000+ million messages are sent daily on Whatsapp. (4)
Once our data is online, do we know exactly what is done with it? Or where it goes? Unfortunately, by putting the majority of our data online, we can put ourselves at risk and vulnerability to massive data loss, which, depending on its scope, can be fatal for a business. (6)
Data loss is very commonly a human error, rather than technical; by not correctly saving files, losing laptops, hard drives, or theft. There are many real-life consequences of data loss through not properly protecting or backing up data.
Real life examples…
In March 2023, the healthcare services of The Hospital Clinic de Barcelona were severely disrupted due to a ransomware attack. The attackers targeted the institution virtual machines, leaving over 800 urgent cases admitted into the hospital to be dealt with manually. 150 non-urgent operations and over 3,000 appointments had to be canceled as staff were unable to access patients clinical records. The attack shut down computers in clinics, labs, emergency room’s and the hospital website. Forcing the staff to write everything on paper and without being able to give predictions to when the system would be back up. (7)
This example shows the importance of keeping a backup of all data in a different location, if your software is compromised, you have access to the data through another source.
In 2021, the largest cyberattack on oil infrastructure in US history took place. May 7, a ransomware attack hit Colonial Pipeline, the American oil pipeline system, which transports gasoline and jet fuel to the Southeastern US. This forced the company to shut down its entire fuel distribution, declaring emergency situations for 17 states to keep fuel supply lines open. Overseen by the FBI, the company paid the ransomware group $4.4 million to restore the data and systems. It is believed the group stole 100 gigabytes of data from the servers. (8)
These are just a few examples of the consequences of not properly storing and backing up your data. It is extremely important to establish a backup strategy that fits your needs and ensure that your data is protected.
Are you ready for such an attack? Do you have a recovery plan? Read about your disaster recovery plan and other incident plans here.
What types of software backups are there?
How are you meant to know what software backup suits your organisation’s needs? There are three main types of backup, full, differential and incremental. (9)
The most comprehensive backup is a full backup, which copies all the chosen data. This includes documents, directories, Sass applications, hard drives and more. A complete backup’s best feature is how quickly data can be restored. However, it is also one of the longer ways to backup data as everything is done at once. Full backups on a regular basis require the most storage out of each type. (10)
Full backups are straightforward to manage and restore. Nonetheless, it is recommended to encrypt your backups independent of the type of software backup you choose. If a hacker or unauthorised user accesses your backup, without any encryption, they have access to everything. However, with encryption backups, they can steal the entire backup drive and still be unable to access the data without the key.
- You always have a complete copy of all your data
- Hardest to corrupt/access (granted it is safely stored and encrypted)
- Takes time
- Requires the most storage space
- If stolen and unencrypted, the user has access to everything
To use the incremental backup method, it is necessary to create a full backup initially. Then, subsequent backups will only contain the data that has changed since the last backup. This approach takes up less storage space and requires less time than differential or full backups. (10)
However, restoring a complete system with incremental backups is the most time-consuming method. The process involves restoring the most recent full backup set, followed by each incremental backup set in sequence. If any of these sets are missing or damaged, a full restoration will not be possible.
Businesses dealing with significant amounts of data can benefit from using incremental backups over full backups alone as they take up less space. With that being said, if there is little tolerance for data inaccessibility before facing business or financial losses, and the recovery time objective is short, it may be more practical to go for differential backups instead.
- Requires less time and storage to backup, once the first backup is done
- Takes much more time to recover the data
- If you are missing any data, all the data following cannot be recovered
- Easiest to corrupt
Differential backups offer a middle ground between conducting frequent full backups and regular incremental backups. They store the changes made since the last full backup, compared to incremental backups, which restore and rely on the data from the previous incremental backup. Differential backups are quicker to restore than an incremental backup, but longer than a full backup. And takes less space than a full backup, but more than incremental backups.
With a differential backup, duplicate files are stored as it backs up all data from the first backup, rather than from the changes in data.
- Requires less time to restore compared to incremental backups
- Takes slightly less space than full backups
- Consumes more storage space in comparison to incremental backups
- compared to full backups, restoration is slow and complex
|Full Backup||Incremental Backup||Differential Backup|
What backup type best fits you?
It is important to have a backup strategy that fits your needs. For example, if you are an individual user, you may only need to back up your personal documents and files. In this case, you may want to do a full backup every so often, however, if these documents are files that are likely not to change for a few years/never (e.i. Passport, residence, birth certificate etc.). Then after a full backup, incremental backups or differential backups should be sufficient.
On the other hand, specifically for businesses, the choice made between the types of software backups is based on the needs and preferences of the business. But it is important to consider how much new data is created daily, how confidential is this data, and how long are you able to not have access to this data? If you are not able to go without your data before financial or reputational consequences, incremental backups may be too high risk.
Having a backup strategy is necessary, but it is equally essential to test your backups regularly to ensure they are working correctly. Other than storing backup files in a secure location, it is good practice to encrypt your backups to protect your data from unauthorised access.
What data protection strategy can you use?
When it comes to software security and data protection, OWASP SAMM is Codific’s favourite guide. By leveraging the OWASP Software Assurance Maturity Model, you are able to improve your security posture in all sections of your business.
The model is made up of 15 security practices, with 3 maturity levels. It is designed to assist organisations in evaluating, measuring and enhancing their software security position and strategy.
Data Protection is outlined in the Operational Management side of security practices and guides you through questions and criteria in order to properly store and process data. This includes starting from Level 1 which consists of understanding the different types of software backups, types of data, their sensitivity and protection requirements. Continuing to Maturity Level 3 which includes activities such as automating data protection, reducing the reliance on human effort to access, managing data and regular audit compliance and reviews to maintain data integrity.
We believe SAMM is the best security assurance model to follow, so much so that we made a management tool, called SAMMY. We developed the tool to reduce the complexity of SAMM implementation in organisations. SAMMY adopts an approach that starts with small and quick wins, gradually expanding to streamline proactivity of implementation.
After reading this blog, I hope you realise the importance of data protection and management, and specifically what should be done in times of crisis. Which takes us into the final topic of this, Disaster Recovery Plan.
Having a disaster recovery plan in place is essential for businesses for several key reasons. Firstly, it enables the business to minimise downtime during major disruptions such as cyberattacks, data breaches or data loss, natural disasters and more. By having a plan ready, the business can respond swiftly and recover quickly, ensuring continuity of operations.
If you aren’t sure how to get started on this plan, we’ve got your back, read more on SAMMY’s disaster recovery plan model here. This model is based on many of the NIST 800-34 Rev 1 standards. And is an easy step-by-step guide on how to build a disaster recovery plan that is tailored for your business.
The NIST 800-34 Rev 1 standard refers to a security standard published by the National Institute of Standards and Technology, U.S. It provides guidance on developing and implementing effective contingency planning (specify for IT systems within an organisation).
The standard contains many steps, but when looking into businesses processes and recovery we will only be going through the following as they are the most relevant in terms of backup strategy. (Source – PDF linked here)
The Maximum Tolerable Downtime (MTD)
This represents the total time that the system owner/authorising official is willing to accept for a process disruptions, taking all impact considerations into account. Determining MTD is the most important as it guides the selection of a suitable recovery methods and determines the level of detail needed when developing recovery procedures.
The Recovery Time Objective (RTO)
This defines the maximum duration that a system can remain unavailable before it has an unrecoverable impact on other resources in the business. Determining the RTO helps in selecting the appropriate technologies to support MTD.
The Recovery Point Objective (RPO)
The business must decide the Recovery Point Objective (RPO) prior to a disruption as it sets the standard for the amount of data loss the business can tolerate during the recovery process. This decision determines the frequency of backups.
Establishing these three points is of utmost importance in the Disaster Recovery/Business Continuity Plan. They need to be assessed together to understand the business’s ability and limitations when recovering from a crisis.