In this article, I’ll pull back the curtain and explore how to make a business-savvy decision about cloud BDR. You may be surprised to find that by avoiding over-optimization (i.e., spending on “nice to have” features), you drastically reduce your cloud BDR costs while remaining resilient to disaster and cyberattacks.
- Cloud BDR is fundamentally about balancing risk/reward to meet your business requirements.
- Certain features — like end-to-end encryption and ransomware prevention — are table stakes for cloud BDR.
- Realistic RTOs and RPOs are an essential part of making an intelligent business decision about cloud BDR. For most SMEs, the cost of instant recovery with DRaaS isn’t worth it.
- Being efficient with your approach to cloud storage and making the right choice for your backup and recovery solution can drastically reduce your BDR costs while still meeting SLAs. Case-in-point: Using Wasabi and BackupAssist ER provides the features and benefits of popular DRaaS platforms at a cost of ~80% less.
The threat model: lost original data and local backups
Before we start talking about solutions, it’s important to define our threat model. After all, we can’t do any risk/reward calculations without quantifying the risk. With cloud BDR, we’re focused on the loss of original copies of data and local backups.
Today, there are plenty of threats a BDR strategy must account for, including:
- Ransomware and other malware
- Natural disasters
- Human error
Traditionally, businesses would use offline and offsite backups stored at a separate physical location(s) to address these threats. Today, cloud backups — when implemented securely (more on that in a bit) — provide a more affordable and agile storage mechanism.
Important considerations for a cloud BDR solution
At a basic level, a cloud BDR solution is pretty simple. You need the tooling to create backups and initiate recovery, and a cloud storage provider to host the backups. Of course, the details are what determine whether or not a given solution is viable. So, let’s break down the key points to consider when comparing cloud BDR solutions.
#1 Encryption of data at rest and data in transit
From a data privacy perspective, encryption of data in transit and data at rest is a must. Encrypting data in transit helps to prevent eavesdropping and man-in-the-middle (MITM) attackers from reading data transmitted to and from the cloud. Similarly, encryption of data at rest helps ensure only you can decrypt and read your backup data even if the storage provider is compromised. Of course, the strength of encryption algorithms matters. Make sure to use secure, modern encryption like AES-256.
#2 Use a different storage platform for offline backups
While it’s okay to have a set of backups on the same platform as your production workloads, make sure that it’s not your only cloud backup. The more you can spread your risk, the more likely your business will survive a catastrophic event. Therefore, you should always use a different cloud storage platform for production and disaster recovery. For example, if all your workloads are on AWS, backups in Azure allow you to get back up and running in the event your AWS infrastructure is compromised.
#3 Don’t use file sync for offline backups
File sync is an excellent tool for convenience and collaboration. That’s why tools like OneDrive and DropBox are so popular. However, file sync is also a great way for malware to proliferate across all sync’d systems. For example, the infamous Virlock ransomware used cloud sync to spread throughout networks. Because our goal is “offline” cloud backups, file sync is a non-starter.
#4 Logically isolate “offline” cloud backups
Of course, technically, “offline” cloud is an oxymoron. However, for practical purposes, cloud backups can meet the business requirements of an offline backup. Offline cloud backups simply need to be logically isolated from the rest of your infrastructure. That means cloud backups should be protected by strict security policies. Additionally, offline cloud backups should NOT be on the same security domains as production workloads, SSO (single-sign-on) shouldn’t enable access to your backups, and the APIs and user interfaces used for production shouldn’t have access to your offline backups.
#5 Multi-factor authentication
MFA (multi-factor authentication) is simply a must for cloud backups in the 2020s. Compromised accounts are one of the most frequent attack vectors hackers use, and MFA is one of the best ways to limit risk. Consider solutions without MFA a non-starter.
#6 Protect your access key pairs
Access keys to your cloud storage account are analogous to root or admin accounts on a traditional system. If your keys are compromised, an attacker can gain admin-level access to your backups. Therefore, it’s important to securely store your key pairs and follow best practices like not saving them in plaintext where other users can access them, and not hardcoding them in scripts.
#7 Ransomware protection
Ransomware is one of the most prevailing threats to data security today. Modern backup solutions need features that help mitigate the risk of ransomware. For example, our own CryptoSafeGuard
proactively prevents ransomware-infected files from being backed up.
#8 Cloud immutability
If you can change your backups, so can malware that breaches your account or compromises cloud access key pairs. Cloud immutability is a cloud storage feature that creates independently tracked, immutable, and versioned backup files. Each version is individually tracked and cannot be actively deleted from cloud storage. Enabling cloud immutability not only has compliance benefits (e.g. for HIPAA and GDPR), it also helps limit the risk of malware infecting your backups.
#9 Full recovery
In the event of a disaster, you can’t be sure the same platforms and servers will be available for the restoration of your workloads. Support for backup from and restoration to “any” (cloud, bare metal, or virtual) platform is important. For example, BackupAssist ER enables fast, simple, and complete recovery of Windows servers to any environment regardless of where the original backup was taken.
#10 Balancing cost, RTO, and RPO
The business side of cloud BDR comes down to a balancing act between cost, recovery time objective (RTO), and recovery point objective (RPO). What mix of tools, storage, and processes maximize your business benefit? Every business will have a slightly different answer, so let’s jump into figuring that out.
Managing costs, RTO, and RPO in the cloud
All else being equal, costs go up as your requirements for RTO and RPO get faster and more recent. On the most expensive end of the spectrum, you have “instant recovery” that restores a very recent backup in minutes. There are DRaaS solutions that can and do provide that functionality, but it comes with a steep price premium. For many SMEs, a recovery time measured in minutes or hours from a recent backup using tooling like BackupAssist ER more than meets SLAs and makes more business sense.
Let’s take a closer look at RPO and RTO in the context of cloud BDR to understand why.
RPO considerations for cloud BDR
Your RPO will dictate how frequently you need to create backups and influence how many backups you need to store. Because cloud storage costs can add up fast, efficiency in where and how you store your backups can make a big difference.
From a backup perspective, you’ll need to have:
- Image backup – For true resilience, you must have recent image backups which enables you to perform full recovery in the event of a disaster. Exactly how recent will vary depending on your RPO, but somewhere between daily and weekly is reasonable for most SMEs.
- Granular restore – Granular restore adds agility to your BDR strategy and gives you the ability to recover specific files, folders, and databases from your image backups. For example, BackupAssist ER’s granular recovery lets you selectively recover Exchange or SQL databases to their original location or an alternate location.
Once you find the backup frequency that meets your RPO requirements, you’ll need to pick a cloud storage platform. This choice can have a big influence on your backup costs. In addition to more backups requiring more storage space, you’re often billed for egress data when downloading your backups. Even for SMBs, these costs can add up fast. Azure Blob Storage and AWS S3 buckets (both of which BackupAssist ER supports) are popular choices, but Wasabi object storage is proving to be a game-changer for many SMEs. Wasabi costs 80% less than AWS and does not charge for data egress.
Additionally, how your backup tooling creates backups will have a huge impact on how much storage you pay for. BackupAssist ER’s compression and deduplication features go a long way here and typically reduce storage requirements by 50%-75%.
RTO considerations for cloud BDR
The ideal RTO is, of course, zero seconds. That’s why the promise of DRaaS solutions that deliver “instant recovery” is so alluring. It’s also the only notable functional difference between DRaaS and tools like BackupAssist ER. However, with BackupAssist ER features like VM Instant Boot, RTOs measured in minutes or hours are achievable. While the exact amount of time for recovery will vary depending on variables like backup size and network speed, recovery with BackupAssist ER can meet the RTO requirements of many businesses at a fraction of the cost of DRaaS instant recovery.
In practice, that means SMEs are faced with this choice: Is “instant recovery” worth ~80% of your BDR budget?
If not, the business case for DRaaS is no longer compelling.
Final thoughts: Finding a balanced cloud BDR solution
Backup and disaster recovery (BDR) strategies are ultimately all about risk/reward. We’d all love RPOs and RTOs measured in milliseconds, but like anything else, there’s a point of diminishing returns. With cloud BDR, a wrong choice in tooling or storage platform can get expensive fast.
With many DRaaS products, businesses can get reliable backups with instant recovery to address their BDR requirements. However, the cost of those solutions is often unreasonably high unless you need instant recovery. Worded differently: if you can meet your SLAs with recovery times measured in minutes to hours, the additional cost of DRaaS simply isn’t worth it.
Sure, in some industries, seconds matter when it comes to RTO, and spending thousands to make sure you can recover as quickly as possible makes sense. However, for most SMEs, choosing a cloud BDR solution like BackupAssist ER that enables fast, reliable, and secure recovery – and investing those thousands of dollars elsewhere in your organization – is the right move.
BackupAssist + Wasabi: 100% of the cyber resilience at 20% of the cost
For a practical example of how you can simply and affordably implement cloud BDR, check out the BackupAssist + Wasabi Joint Webinar. There, you’ll learn:
- How BackupAssist and Wasabi create a cyber-resilient backup solution that is 80% cheaper than comparable DRaaS solutions
- How Wasabi storage is different than first-gen cloud storage
- How to get started with Wasabi and BackupAssist
To get started with BackupAssist ER, sign up to claim your free 30-day trial license.