Data Backup and Recovery
In the original post we defined steps to implement a bullet-proof Cloud Infrastructure Security Posture. Now it’s time to dive into the topic of 📦 Data Backup and Recovery.
❓ How would you approach the implementation of the following?
– Establish Data Classification and Data Retention Policies;
– Establish Data Backup and Recovery Procedures.
💪 Here is how, in just a few steps:
1. Think of categories of data that your organization, systems, and applications operate, put them “on paper”, and define sensitivity levels based on your understanding. Use guidance – usually the government agencies (examples: https://lnkd.in/e58zeiaj , https://lnkd.in/eseKYnkW ) and educational institutions (example https://lnkd.in/eJsWBtaU ) are very good at data classification, so use the publicly provided information as your template.
2. For Data Retention Policy, define how long you want to store the following categories of information:
– Data in Cloud Storage (e.g. S3)
– Data in Databases
– Data on Disk Volumes
– Application Logs
– Load Balancer Logs
– Cloud Storage Access Logs
– Database Logs
– Cloud Service Logs(e.g. CloudTrail)
– Host Audit Logs
Some of the above data sources store your customers’ data. Define its retention period taking your contractual responsibilities into account. Also, make sure to specify what you do upon contract termination (options are: delete all data immediately, or delete operational data immediately – keep data in backups, and for how long).
3. Set data lifecycle policies on Cloud Storage, Disk Volumes, and Cloud Log Groups (“Data Storage Points”) in accordance with your Data Retention Policy. It would also be a good idea to come up with data tiering structure, so it moves from _immediate_ to _frequent_ to _infrequent_ access locations during its lifecycle. This will help save some data storage costs and will also show you exactly what data, and how much of it is *really* important.
4. Review your data lifecycle and retention policies regularly as it is good for your company’s Cloud Economics and IT compliance.
5. Based on your knowledge about how data is stored and retained in your cloud environment, document recovery processes for each Data Storage Point. Make sure you can recover data within your RTO (“Recovery Time Objective”) and RPO (“Recovery Point Objective”) commitments.
6. Test data recovery procedures regularly (at least every 6 months). You will be surprised how quickly they get outdated, so it is important to stay on top of it.
See anything missing or wrong?