What makes a good backup strategy? The World Backup Day 2025

In an age where backing up your own data is a matter of course and the risk potential is constantly increasing, a pure backup only needs to be part of the overall strategy. But what makes a good entry point? Let's look on three basic aspects here - the history, the timeframe and the possible strategy!

History

The former ideal way was defined by the “3–2–1” rule: Three backups on two different media types and one copy off-site - but even that was and (unfortunately) still is far from the rule. The reality is often different - a backup to a network attached storage in the same room may be a backup in principle but there is less of a strategy behind it. This way of thinking can sometimes still be found in smaller companies where a backup together with reliable (and therefore often costly) software is more of a “necessary evil”. Recovery tests are carried out moderately or not at all, the backup is not monitored per se anyway and often there is no real awareness for a dedicated backup concept and self-encrypted backups (you don’t want your cloud provider to theoretically access your unencrypted data!).

The moment a temporary outage occurs (for whatever reason), the clock is clearly ticking against the company and the factors RTO and RPO relentlessly come into focus as it quickly becomes clear that a strategy is also essential and - yes! - vital!

Time, what is time?

To be more precise, the Recovery Point Objective (RPO) generally refers to the calculation of the amount of data loss that a company can suffer within a period of time relevant to its business before significant and lasting damage occurs - from the time of a disruptive event to the last data backup. So when talking about a strategy you inevitably have to talk about this factor which is definitely the first risk classification. The recovery time objective (RTO), in turn, generally refers to the time that an application, system or process can fail without causing significant damage to the company.

It is also linked to the time it takes to restore the application and its data in order to resume normal business operations after a serious incident: From experience, in the worst-case scenario, the clock ticks mercilessly against those affected and the one backup may contain the data but the restore takes an agonizingly long time. So if something has happened, you shouldn’t have to worry about the “time” factor until then!

Defining a strategy

As we have already talked about RTO and RPO, we will inevitably also talk about the backup concept, the resources (hardware and software) and, ultimately, the entire strategy: A backup server does not belong in an Active Directory domain and, ideally, it should not be a virtual server on the environment that is actually to be backed up. Ideally, it should also be physically separated from the production system - just like the other repositories that contain the backups, for example in a different, indispensable fire compartment.

The 3–2–1 rule is also no longer the last word in wisdom as backup-vendor Veeam has been describing for some time. It has been replaced by the 3–2–1–1–0 rule which the manufacturer also calls the “golden rule”: Keeping three copies/backups of the data, securing these backups on two different types of media, creating at least one offsite and one offline copy (keyword “media separation”) and the final “0” in the form of verifying the backups made without any errors: This sounds complex but it is not if you give your data the appropriate priority, classify the obligations, rights and risks in relation to backups and know that you have the right partners and service providers at your side.

A (preliminary) conclusion

Selling and shipping a specific product does not make a solution. A backup does not make a strategy. Backup software that is deployed with the “next-ready-to-go” installation path is far from a watertight concept despite a possible first complete backup. Tape is still not dead (especially in large environments): Just ask IBM! A restore should only take place if the backup is ransomware-free: Veeam shows how this can work! You can also use on-board resources to outsource an encrypted backup (ciphered by yourself, of course) to a trustworthy cloud service provider - and if you also want to take a disaster recovery approach at the end, you will also find what you are looking for here: Together with the Zerto from HPE, backups and DRaaS can be operated wonderfully together and, depending on the requirements, reliability can be driven to a very high percentage, knowing that no product or solution can be waterproof by 100%!

These are just some of the possibilities that are “commemorated” on this annual World Backup Day. There is no general backup strategy that applies to every use case. Primarily, it must be understood that much of what we define as “backup” today is not really a backup strategy. In the end, it comes down to a raised awareness in an age full of digital, physical and political threats paired with the right tools and partners - and a concept that is individually tailored to your own use case.

This concept should not be rigid but should be dynamically adapted to the possibilities of the market and, above all, to your own changing requirements - because just as software components, partner landscapes and hardware change, your own requirements may also change more frequently than you might think yet. All of this counts towards a good backup strategy and also helps you to face future challenges more calmly!

With this in mind, happy World Backup Day 2025 and may all of your (encrypted) backups be with you!