What is your backup strategy?
The first thing that you want to hear is that the provider has one! This may seem silly, but you might be surprised how poorly many vendors fare on this question. Without backups, your data is at risk from the first fire, earthquake, power failure, or other disaster the provider faces. This is a really dumb way to lose your company’s critical business assets.
Second, find out how often they back up the data and how long it would take to restore data from the backups. The first part is important because it puts a cap on the total amount of data that you could lose in a disaster; in IT security vocabulary, this is known as the RPO (recovery point objective), and it is usually given in minutes or hours. If the RPO is measured in days or weeks, be very concerned; you have a much greater chance of losing a lot of data. The second part is how fast you would be able to get back on your feet; this is known as the RTO (recovery time objective). As with the RPO, it is measured in time units: minutes, hours, or days. Again, it is better to have this as low as possible to ensure that in a disaster, you have your business back up and running as soon as possible.
Last, find out the archive times. This essentially means how long they keep the old, backed-up data. This is a little less important: longer is better, but it will be more expensive, either in direct costs from the vendor or, for in-house systems, in more equipment or online storage costs. Keeping data around for longer provides evidence in case of any litigation. Also, certain industries (financial, for example) are required by regulation to keep information for a defined amount of time: three years, seven years, or some other length.
One simple way to ensure that your provider both has a backup plan and keeps it current and usable is to request the summary of the last backup and recovery exercise. This should show the RTO and most likely the RPO. While this information may have some commercial sensitivity, if a vendor is reluctant to or refuses to share this with you, be warned: they may not have a valid, active, or useful plan in place. Even worse, they may never have tested their plan!
Take this opportunity to confirm that you comply with the regulations in your industry with respect to archiving. Make sure that you are storing the data long enough! The fees for non-compliance vary wildly depending on country, region, and even industry; however, it is a dumb tax to pay unless the cost of archiving is so high that it is much more than the cost of non-compliance. There may also be criminal penalties, so be very careful about this.
If you have not yet established your business objectives for backups, do so now, before you talk to your provider. To establish that your provider is doing what you want, you first have to know what you want! There are resources everywhere to help guide your decision about this; please add a comment to help others know how you solved this issue.
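A small checker, added here as an illustration and not part of the original post, that scores a provider's backup and recovery exercise summary against your own RPO, RTO and archive objectives; the exercise figures, field names and objective values are constructed assumptions, not any real vendor's data.

```python
from datetime import datetime

# Constructed sample of a provider's "last backup and recovery exercise" summary.
# Not from any real vendor; the field names are assumptions for this illustration.
EXERCISE = {
    "backups": ["2024-03-01T00:00", "2024-03-01T06:00",
                "2024-03-01T12:00", "2024-03-01T18:00"],
    "incident": "2024-03-01T20:30",          # simulated failure during the exercise
    "restore_finished": "2024-03-02T01:15",  # service confirmed back in use
    "retention_days": 400,                   # how long old backups are kept
}

# Hypothetical business objectives, decided before talking to the provider.
OBJECTIVES = {"rpo_hours": 8, "rto_hours": 4, "retention_days": 7 * 365}


def _hours(delta):
    return delta.total_seconds() / 3600


def achieved_rpo_hours(backups, incident):
    """Data lost in the exercise: time from the last backup taken before the
    incident to the incident itself. None if no backup predates the incident."""
    at = datetime.fromisoformat(incident)
    before = [b for b in map(datetime.fromisoformat, backups) if b <= at]
    return _hours(at - max(before)) if before else None


def worst_case_rpo_hours(backups):
    """Largest gap between consecutive backups: the most data that could be lost
    if a failure struck just before the next run. A single backup is no schedule."""
    ts = sorted(map(datetime.fromisoformat, backups))
    return max((_hours(b - a) for a, b in zip(ts, ts[1:])), default=float("inf"))


def evaluate(exercise, objectives):
    """Compare the exercise figures with the objectives; False means 'be concerned'."""
    rpo = achieved_rpo_hours(exercise["backups"], exercise["incident"])
    worst_rpo = worst_case_rpo_hours(exercise["backups"])
    rto = _hours(datetime.fromisoformat(exercise["restore_finished"])
                 - datetime.fromisoformat(exercise["incident"]))
    return {
        "rpo_hours": rpo, "worst_case_rpo_hours": worst_rpo, "rto_hours": rto,
        # the schedule must hold in the worst case, not just on the exercise day
        "rpo_ok": rpo is not None and worst_rpo <= objectives["rpo_hours"],
        "rto_ok": rto <= objectives["rto_hours"],
        "retention_ok": exercise["retention_days"] >= objectives["retention_days"],
    }


if __name__ == "__main__":
    for key, value in evaluate(EXERCISE, OBJECTIVES).items():
        print(f"{key}: {value}")
```

With the sample figures the six-hourly schedule meets an eight-hour RPO, but the restore overran a four-hour RTO and 400 days of retention falls short of a seven-year requirement.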
Image courtesy of Raymond Bryson / flickr.com