We recently looked at how backup can be a key component to help organisations protect against ransomware attacks. But we also discussed the idea that all backup systems need to be audited to ensure they will do what they are built to do.
Backup is vital to an organisation. All areas of activity can be severely compromised without the ability to roll back to previous versions of files, directories, servers and so on. That can include mission critical operations, vital data in business terms, and that for which regulatory compliance is an important concern.
It’s therefore vital to know that your data protection measures work, and that you can recover the data you need should something go wrong.
That’s where the backup audit comes in. More correctly, it should be called a backup and recovery audit, or even a data protection audit.
But whatever we call it, the basic function of such an audit is to get an accurate picture of what data is being protected, how it is being protected, how it can be recovered, and whether all this is verified by testing and secured by ongoing policies and procedures that ensure it’s efficiently working.
These findings can then be reviewed and any shortcomings addressed.
The job of a backup audit is to accurately record the entire process of backup, data protection and recovery.
What should a backup audit examine?
The first area the audit needs to cover are the sources of data. Namely, where is data held? This can be categorised by location and storage, the type of data, the applications it relates to, whether system data, test data and so on. Automated means of doing this are available, and are more reliable than writing a list. We’ll glance at them below.
Second is to record the way in which these types of data are protected. That means, by what backup application most likely. But this could also cover snapshots and replication, and CDP, and whether they run from the application, storage array or backup software, for example.
Third, what is the target for backups? Where do backups go? Where is data replicated to, where are snapshots retained? Answers to these questions should cover the type of media that data is backed up to, as well as its physical location. That may include whether there is or needs to be geographical separation or air-gapping (such as with tape) that can be important in a number of recovery scenarios.
When examining source and target in terms of data and its protection, it will also be necessary to look at use of the cloud from these angles. There may be data generated on-site that transitions to the cloud, or is protected in the cloud, or data that lives and is protected entirely in the cloud.
From these first three categories of enquiry it will be possible to assess how well protected different types of data are and how that fits with the value the organisation places on it.
Fourth, the audit should look at data recovery. Key questions here are how long does it take to recover each type of data and have those recovery processes been tested and validated?
Once again, answers to these questions should be matched to an understanding of the value of the data to the organisation and its processes.
Fifth, the audit should report on the policies and procedures the organisation has in place.
These should outline the main contours of the backup and data protection provision that is in place. They should also specify the nature and frequency of testing and validation of backup and data protection, as well as listing those responsible.
Finally, the findings should be reviewed and any necessary actions planned. After all, the key reason for the audit is to identify weaknesses, inefficiencies and possible points of failure in the backup and data protection regime.
This would also include setting out a schedule for regular reviews and updates to procedure, as well as identifying any triggers that can bring this about, such as changes to infrastructure.
A number of products can help with backup reporting. While backup software products can report on their own activities, backup reporting products aim at multi-vendor environments. Basic functionality provides reporting and monitoring of backup and recovery processes, at least across on-site locations. It’s not clear that any of these can extend their view to the cloud.
Those products all come from companies that range from clear enterprise capability down towards SME level. From the storage big boys there is Data Protection Advisor, which appears to be an extant product from Dell EMC and claims cloud compatibility.