Wed Nov 26 09:46:29 PST 2014

Redundancy: Backup retention: How long are backups retained and how are they disposed of?


Options:

Option 1: Retain backups forever.
Option 2: Retain different backups for different fixed periods.
Option 3: Retain backup data, like all content, based on a business value assessment, legal, and contractual requirements.
Option 4: Don't worry about retention periods.

Basis:

Retain backups forever.
The only backup media known to last more than ten to twenty years are acid-free paper stored in proper containment and etchings in metallic media or rocks. Etchings last longer if they are at larger granularity, which means that less data can be stored per unit cost for longer retention. Paper is a viable storage and retrieval medium but is heavy and expensive to create, maintain, sort through, and track. In practice, retention past seven to ten years requires that backups be restored and recreated periodically, and this results in substantial costs. Unless there is a critical need for long-term retention, indefinite storage is not advised.

Retain different backups for different fixed periods.
Differentiating sorts of backups based on their retention time is a sound practice. The most common approach is to (a) schedule incremental backups (where only changes are backed up) on a nightly basis and retain these for a month, reusing the same media on the same day each month; (b) schedule full backups on a weekly basis, saving these for a month and reusing the weekly backups every month; (c) retain monthly full backups for two years; and (d) use the last monthly backup of each year as the annual backup and retain it indefinitely. This scheme creates overlapping backups so that even if one fails, others will be available with much of the same data.
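
The scheme above, worked through as an added example (not part of the original text): given a backup catalogue, it decides which backups are still inside their retention window, which are annual backups to keep indefinitely, and which have expired so their media can be reused. The function names, the sample catalogue, and the readings of "a month" as 31 days and "two years" as 730 days are assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumed readings of the periods in the text: "a month" = 31 days, "two years" = 730 days.
RETAIN = {"incremental": timedelta(days=31),
          "weekly": timedelta(days=31),
          "monthly": timedelta(days=730)}

def annual_backups(backups, today):
    """Last monthly backup of each completed calendar year: kept indefinitely."""
    last = {}
    for when, kind in backups:
        if kind == "monthly" and when.year < today.year:
            last[when.year] = max(when, last.get(when.year, when))
    return {(d, "monthly") for d in last.values()}

def retention_plan(backups, today):
    """Map each (date, kind) backup to 'keep-annual', 'keep', or 'expire'."""
    annual = annual_backups(backups, today)
    plan = {}
    for b in backups:
        when, kind = b
        if b in annual:
            plan[b] = "keep-annual"
        elif today - when <= RETAIN[kind]:
            plan[b] = "keep"
        else:
            plan[b] = "expire"  # outside its window: media may be reused
    return plan

# Constructed sample catalogue (dates and kinds are illustrative only).
SAMPLE = [
    (date(2012, 6, 30), "monthly"),       # older than two years, not the year's last
    (date(2012, 12, 31), "monthly"),      # last monthly of 2012: annual
    (date(2013, 3, 31), "monthly"),       # within two years
    (date(2013, 12, 31), "monthly"),      # last monthly of 2013: annual
    (date(2014, 10, 31), "monthly"),      # current year is not complete yet
    (date(2014, 10, 19), "weekly"),       # older than a month
    (date(2014, 11, 23), "weekly"),
    (date(2014, 10, 20), "incremental"),  # older than a month
    (date(2014, 11, 25), "incremental"),
]

if __name__ == "__main__":
    for (when, kind), action in sorted(retention_plan(SAMPLE, date(2014, 11, 26)).items()):
        print(when, kind, action)
```

The latest monthly backup of the year still in progress is held under the two-year rule and only becomes the annual backup once the year has ended.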

Retain backup data, like all content, based on a business value assessment, legal, and contractual requirements.
Backup retention periods should be based on the business value of the information in the backups, its availability for use, the capacity of the backup solution to retain data for long durations, and legal or regulatory retention requirements. This ultimately requires that a valuation of data relative to its retention value be made. This is strongly advised for any company of substantial size and is often mandatory for any company that has regulatory compliance requirements. In this analysis, results should include retention time requirements as well as business value associated with retention or loss. Based on this assessment, backup retention requirements, data classification, and backup processes can be defined to suit the need. This also implies the need to consider the data life cycle, which is critical for compliance with court orders and other similar legal and regulatory compliance matters. Data life cycle issues that should be considered include duration of retention for normal legal purposes and tracking of data on backups so that court orders to retain data can be fulfilled in backup media as well as in primary systems. For more details on retention and disposition issues, refer to The Sedona Conference at https://thesedonaconference.org/

Don't worry about retention periods.
This approach historically leads to backup failures and loss of business value. In some cases this results in business failure, while in other cases very expensive forensic processes result from inadequate backup retention.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved