Fri Apr 8 06:47:17 PDT 2016
Redundancy: Backup retention: How long are backups retained and how are they disposed of?
Option 1: Retain backups forever.
Option 2: Retain different backups for different fixed periods.
Option 3: Retain backup data, like all content, based on a business value assessment, legal, and contractual requirements.
Option 4: Don't worry about retention periods.
Retain backups forever.
The only backup media known to last more than ten to twenty years
are acid free paper stored in proper containment and etchings in
metallic media or rocks. Etchings last longer if they are at larger
granularity, which means that less data can be stored per unit cost
for longer retention. Paper is a viable storage and retrieval medium
but is heavy and expensive to create and maintain, sort through, and
track. In practice, retention past seven to ten years requires that
backups be restored and recreated periodically, and this results in
substantial costs. Unless there is a critical need for long-term
retention, indefinite storage is not advised.
Retain different backups for different fixed periods.
Differentiating backups by retention time is a sound practice. The
most common approach is to (a) schedule incremental backups (where
only changes are backed up) on a nightly basis and retain these for a
month, reusing the same media on the same day each month; (b) schedule
full backups on a weekly basis, saving these for a month and reusing
the weekly backups every month; (c) retain monthly full backups for
two years; and (d) use the last monthly backup of each year as the
annual backup and retain it indefinitely. This scheme creates
overlapping backups so that even if one fails, others will be
available with much of the same data.
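
The rotation scheme above, written as an expiry check over a backup catalogue. This is an added example, not part of the original text. Assumptions: "a month" is 31 days and "two years" is 730 days, the kind labels are hypothetical, and the sample catalogue is constructed with monthly fulls on the 1st and weekly fulls on Sundays.

```python
from datetime import date, timedelta

# Retention per backup kind, in days. "A month" and "two years" are
# approximated as 31 and 730 days (assumption for this example).
RETENTION_DAYS = {"incremental": 31, "weekly": 31, "monthly": 730}


def annual_backups(catalogue):
    """Return the dates of the last monthly backup in each calendar year."""
    last = {}
    for day, kind in catalogue:
        if kind == "monthly" and (day.year not in last or day > last[day.year]):
            last[day.year] = day
    return set(last.values())


def expired(catalogue, today):
    """List (date, kind) entries whose retention period has passed."""
    keep_forever = annual_backups(catalogue)
    out = []
    for day, kind in catalogue:
        if kind == "monthly" and day in keep_forever:
            continue  # annual backup: retained indefinitely
        if today - day > timedelta(days=RETENTION_DAYS[kind]):
            out.append((day, kind))
    return sorted(out)


def build_sample_catalogue(start, end):
    """Constructed sample: monthly full on the 1st, weekly full on Sundays,
    incremental on every other night (scheduling days are assumptions)."""
    cat, day = [], start
    while day <= end:
        if day.day == 1:
            kind = "monthly"
        elif day.weekday() == 6:  # Sunday
            kind = "weekly"
        else:
            kind = "incremental"
        cat.append((day, kind))
        day += timedelta(days=1)
    return cat


if __name__ == "__main__":
    today = date(2016, 4, 8)
    catalogue = build_sample_catalogue(date(2013, 1, 1), today)
    gone = expired(catalogue, today)
    print(len(catalogue), "backups in catalogue,", len(gone), "past retention")
    print("annual backups kept:", sorted(annual_backups(catalogue)))
```

Running the expiry check against the real catalogue before media are reused or destroyed shows which overlapping copies still exist for any given day.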
Retain backup data, like all content, based on a business value assessment, legal, and contractual requirements.
Backup retention periods should be based on the business value of
the information in the backups, its availability for use, the capacity
of the backup solution to retain data for long durations, and legal or
regulatory retention requirements. This ultimately requires that a
valuation of data relative to its retention value be made. This is
strongly advised for any company of substantial size and is often
mandatory for any company that has regulatory compliance
requirements. In this analysis, results should include retention time
requirements as well as business value associated with retention or
loss. Based on this assessment, backup retention requirements, data
classification, and backup processes can be defined to suit the
need. This also implies the need to address the data life cycle,
which is critical for compliance with court orders
and other similar legal and regulatory compliance matters. Data
life cycle issues to be considered include duration of retention
for normal legal purposes and tracking of data on backups so that
court orders to retain data can be fulfilled in backup media as well
as in primary systems. For more details on retention and disposition
issues refer to The Sedona Conference at
Don't worry about retention periods.
This approach historically leads to backup failures and loss of
business value. In some cases this results in business failure, while
in other cases very expensive forensic processes result from
inadequate backup retention.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved