Backup and Disaster Recovery (BCP/DRP)

Backup and Recovery Fundamentals

Backup and disaster recovery are critical components of any cybersecurity strategy. With the rise of ransomware attacks and disasters (natural or technological), having robust BCP (Business Continuity Planning) and DRP (Disaster Recovery Planning) plans is essential.

RTO and RPO: Fundamental Concepts

RTO (Recovery Time Objective)

Definition: Maximum acceptable downtime following a disaster

Example: An RTO of 4 hours means systems must be restored within 4h

Impact: Defines the urgency and investment required in solutions

RPO (Recovery Point Objective)

Definition: Maximum amount of data that can be lost, measured in time

Example: An RPO of 1 hour means backups must occur every hour

Impact: Defines backup frequency and replication technologies

Criticality Tier:

  • Tier 1 (Critical): RTO < 1h, RPO < 15min - Synchronous replication
  • Tier 2 (Important): RTO 4-8h, RPO 1h - Frequent incremental backup
  • Tier 3 (Normal): RTO 24h, RPO 24h - Daily backup

The 3-2-1 Backup Rule

The gold standard strategy for data protection:

  • 3 Three copies of the data: production + 2 backups
  • 2 Two different media types: disk, tape, cloud
  • 1 One off-site copy: geographically separated

Modern evolution: 3-2-1-1-0
+ 1 immutable copy (ransomware-proof)
+ 0 errors on restore (regular testing)

Types of Backup

1. Full Backup

  • Advantage: Simple and fast restoration
  • Disadvantage: Slow, consumes a lot of space
  • Use: Weekly or monthly as a baseline

2. Incremental Backup

  • Advantage: Fast, saves space
  • Disadvantage: Restoration requires the full plus all increments
  • Use: Daily or hourly between fulls

3. Differential Backup

  • Advantage: Simpler restoration than incremental
  • Disadvantage: Grows until the next full
  • Use: Daily when restore simplicity is critical

4. Snapshot and Replication

  • Snapshots: Point-in-time copies, instant restoration
  • Synchronous Replication: Zero data loss (RPO=0)
  • Asynchronous Replication: Geographically distributed

Technologies and Solutions

On-Premises

  • Veeam Backup & Replication: Leader for virtualized environments
  • Commvault, Veritas NetBackup: Enterprise backup platforms
  • Acronis Cyber Protect: Backup + integrated antimalware
  • Dell EMC Data Domain: Deduplicated backup appliances

Cloud-Based

  • AWS Backup: Centralized backup for AWS services
  • Azure Backup: Integrated with Azure services
  • Google Cloud Backup: Automated GCP backups
  • Druva, Backblaze B2: Cloud-native backup solutions

Databases

  • MySQL/PostgreSQL: pg_dump, mysqldump + point-in-time recovery
  • MongoDB: mongodump, Ops Manager backup
  • SQL Server: Native backup + Always On Availability Groups
  • Oracle RMAN: Recovery Manager for Oracle environments

Ransomware Protection

Ransomware-proof backups:

  • Immutability: Object lock (S3), WORM storage, immutable backups
  • Air-gapping: Offline backups disconnected from the network
  • Credential Separation: Backup admins ≠ domain admins
  • MFA: Multi-factor authentication for backup access
  • Versioning: Multiple versions for pre-infection recovery
  • Scanning: Antimalware on backups before restoration
  • Alerts: Detection of mass modifications (possible crypto)

Disaster Recovery Planning

  • DR Site: Secondary datacenter or cloud region
  • Failover Automation: Scripts or automatic orchestration
  • Runbooks: Step-by-step recovery documentation
  • Prioritization: Recovery order based on criticality
  • Dependencies: Map of interdependencies between systems
  • Network Configuration: DNS, VPN, firewall rules for DR
  • Communication Plan: Stakeholders, customers, team

Recovery Testing

Types of tests (perform at least annually):

  • Tabletop Exercise: Theoretical discussion of the plan without execution
  • Restore Testing: Restoring samples in an isolated environment
  • Partial Failover: Failover of non-critical systems
  • Full DR Test: Complete failover (usually in a maintenance window)
  • Chaos Engineering: Intentionally injected failures

Important: An untested backup is not a backup. Failures are discovered at the moment of need if there are no regular tests.

Best Practices

  • [OK] Implement the 3-2-1-1-0 rule
  • [OK] Define clear RTO/RPO per system
  • [OK] Immutable backups for ransomware protection
  • [OK] Quarterly restoration tests
  • [OK] Monitoring and alerting for backup failures
  • [OK] Backup encryption (at rest and in transit)
  • [OK] Up-to-date runbook documentation
  • [OK] Privilege separation (backup admin ≠ domain admin)
  • [OK] Retention in line with compliance (LGPD, SOX, etc.)
  • [OK] Geographically distributed DR site