The 3-2-1 Backup Guide

Three common backup mistakes, two recommendations and one must for protecting your clients' data.

Law enforcement’s duty is to protect and serve its citizens. I have the same belief: that our duty as MSPs and IT professionals is to protect and serve our customers’ data. I have seen too many scenarios, including:

  • Backups that have not been completed in months
  • Backups stored on external USB drives connected to the production server
  • Backups stored on the same volume as production data
  • Backups stored on flash drives
  • Backups not being monitored or configured properly
  • Outdated hardware and/or software issues not being addressed
  • Some organizations without any backups at all

Most business owners I meet with do not understand the role that technology plays in their business and the kind of negative impact it will have if technology starts to go awry. I tell them to close their eyes and to imagine that their business just got hit with ransomware, that their server caught on fire, or their server room just got flooded.  “How confident are you at this moment right now that you can restore your data and continue to service your clients and generate revenue?” Most of them need a moment to digest the information and mutter, “I really don’t know.”

I’m sure everyone is familiar with the 3-2-1 backup strategy (3 data copies, 2 media types, 1 off-site). I decided to use a similar strategy for my 3-2-1 Backup Guide.

3 Common Mistakes

  1. Putting All Your Eggs in One Basket. A key misstep is storing your backup data on the same server as your production data. I see this method on a weekly basis. Backup data should never be stored on any internal or external drives connected to the production server. Many scenarios such as hardware failures, ransomware, and viruses will make the backups inaccessible or very difficult to restore.
  2. Set it and Forget It. Technology has made tremendous improvements in reliability, compatibility, self-healing and automation over the years. However, if backups are not continuously monitored, it is a matter of time before they fail. Eventually, you will find yourself in a world of pain. Your team must implement alerts that are configured correctly and a monitoring system that will notify you of critical issues with a backup that your team can address right away.
  3. Optional Line Item. Some IT providers do not include backups in their service plans, making them an optional line item, and some that do include them make the off-site backups optional. However, most do include all types of bells and whistles and various types of support for end users. A good question to ask is, “How is that going to help the users if their data or servers are lost?” Whenever I see a proposal without a backup plan included, I always think: would a car manufacturer sell a car without brakes, and why would someone buy it, unless they plan on crashing and potentially fatally injuring themselves and others? I structure my offering around backups, security, and mission-critical infrastructure maintenance and monitoring first, and then we discuss options for end-user support. It is our duty and responsibility as IT providers and advisors to protect our clients and give them the best service possible.
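
Mistakes 1 and 2 can be checked mechanically. The following Python sketch is an added example, not part of the original guide: it flags a backup folder that shares a volume with production data and a backup set whose newest file is older than a threshold. The function names, the 26-hour default (a daily job plus slack) and the sample file name are assumptions.

```python
import os
import tempfile
import time

def newest_mtime(root):
    """Most recent modification time of any file under root, or None if empty."""
    newest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file rotated away while we were scanning
            if newest is None or mtime > newest:
                newest = mtime
    return newest

def audit_backup(prod_path, backup_path, max_age_hours=26, now=None):
    """Return a list of finding codes; an empty list means both checks passed."""
    now = time.time() if now is None else now
    findings = []
    # Mistake 1: identical device IDs mean backup and production share a volume.
    if os.stat(prod_path).st_dev == os.stat(backup_path).st_dev:
        findings.append("SAME_VOLUME")
    # Mistake 2: nobody noticed that the job stopped producing files.
    newest = newest_mtime(backup_path)
    if newest is None:
        findings.append("NO_BACKUP_FILES")
    elif now - newest > max_age_hours * 3600:
        findings.append("STALE")
    return findings

def demo():
    """Constructed sample: a backup folder beside production, last written 90 days ago."""
    base = tempfile.mkdtemp()
    prod, backup = os.path.join(base, "prod"), os.path.join(base, "backup")
    os.makedirs(prod)
    os.makedirs(backup)
    image = os.path.join(backup, "server01.img")  # hypothetical file name
    with open(image, "wb") as fh:
        fh.write(b"constructed sample data")
    old = time.time() - 90 * 86400
    os.utime(image, (old, old))
    return audit_backup(prod, backup)

if __name__ == "__main__":
    # A monitoring agent should alert on any finding rather than only log it.
    print(demo())
```

A different device ID does not prove separation: an external USB drive attached to the production server passes the volume check, so that case still needs an inventory of where the backup target physically lives.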

2 Recommendations

  1. Protect your backup data with a strategy that includes the following:
    • Local backup data must be segmented onto its own dedicated VLAN with restricted access.
    • Create a unique username and password for your storage — never use an existing username and password.
    • Never join the storage appliance and/or server to the domain.
    • Make sure you have at least two or three copies of your backup data in at least two physical locations, preferably one off-site.
  2. Picking the right partner. It is important to set up the backup infrastructure correctly and securely. You must also pick the right vendor or partner for your backup solution. There are many solutions available within the marketplace. Some partners provide an all-inclusive package where they take care of everything, while others offer flexibility for you to choose how you want to run your backups. If you are going to use an all-inclusive partner, review their policies and procedures on how they store data, who has access to it, what kind of infrastructure they use, and whether they meet all of your client’s compliance requirements, and ask your peers about their track record. Always double-check that the solution is compatible with your version of operating systems, virtualized hosts, and storage. When deciding on a backup partner, consider the following (pricing should be considered, but should not be a deciding factor):
    • Support Hours (24/7 production phone support is a must)
    • Contract Term
    • Pricing
    • Off-site storage location

1 Must

Verification and Testing. If you are not verifying and testing your backups on a regular basis, you are playing with fire. Make sure you are executing manual test restores of files and booting backup images (boot from backup) at least on a monthly basis, and that you have a scheduled plan in place. This will limit the probability of your backups failing during a recovery. Many backup solutions provide automated integrity checks and file, image, and boot-up verifications; however, even after those tests, some backups still cannot be restored. Sometimes the cause is the server or media you are trying to restore to, and sometimes it’s something in the backup files. That is why we always recommend performing monthly manual restores. Although it is a time- and resource-consuming task, having that peace of mind and confidence in your client’s backup is priceless.

It is our duty and responsibility as IT providers and advisors to protect our clients’ data and to give them the best service and peace of mind. Having the confidence in your ability to restore your clients’ data at any time is a great feeling. I challenge you to plan and periodically test your clients’ backups so that we never fail and stand by the trust that they put in us!

About The ASCII Group, Inc.

The ASCII Group is the premier community of North American MSPs, VARs and solution providers. The group has over 1,300 members located throughout the U.S. and Canada, and membership encompasses everyone from credentialed MSPs serving the SMB community to multi-location solution providers with a national reach. Founded in 1984, ASCII provides services to members including leveraged purchasing programs, education and training, marketing assistance, extensive peer interaction and more.  ASCII works with a vibrant ecosystem of major technology vendors that complement the ASCII community and support the mission of helping MSPs and VARs to grow their businesses. For more information, please visit www.ascii.com.