We often run into situations where different staff in an institution have different understandings of the goals and operations of their backup system. The IT department tends to think of backups as a recovery tool should servers go down, while others tend to think of a backup system as long-term retention of data. Both goals can only be met simultaneously if the backup system is specifically designed for both recovery and retention. Let’s look at some of the issues that must be considered.
First, we will look at retention times and timing. Most backup systems use a “Grandfather-Father-Son (GFS)” system to age backups. The retention periods vary by organization, but an example would be that “Son” backups are created daily (or more often on modern systems) and retained for a week, after which they are rolled up into weekly “Father” backups which are retained for a month, after which they are rolled up into monthly “Grandfather” backups which are retained for seven years. Sometimes there is an additional “Great-Grandfather” backup annually that is retained “forever”. The GFS aging rotation system originated with tape backups, where the “son”, “father”, and “grandfather” backups were performed separately. Today, most backups are performed incrementally (meaning only changed data is backed up) to disk storage and the aggregation and aging are handled by the backup system behind the scenes.
From a recovery perspective, the GFS rotation described above means that I can restore from a “son” backup to any day in the past week, from a “father” backup to any weekend in the past month, or from a “grandfather” backup to any month-end in the past seven years. This is usually adequate for a DR plan. From a data retention perspective, it gets messier. If I am only saving monthly backups for seven years, what happens to files that may have been created and deleted within the same month? They will not be retained on the backups because they did not exist at either month-end. What about files that are changed multiple times within a month? Only the version that exists at month-end will be retained. Depending on the goals of your retention program, this may not be sufficient.
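The retention gap described above can be checked with a short simulation. This is an added example, not part of the original article; it applies the example GFS schedule from the text to a file's lifetime and reports which restore points still hold it. Assumptions: backups run at end of day, weekly backups are cut on Sunday, a month is 31 days, a year is 365 days, and all function names are illustrative.

```python
from datetime import date, timedelta

DAILY_DAYS = 7            # "Son": daily backups kept for a week
WEEKLY_DAYS = 31          # "Father": weekly backups kept for a month (assumed 31 days)
MONTHLY_DAYS = 7 * 365    # "Grandfather": monthly backups kept seven years (assumed)

def is_month_end(d):
    return (d + timedelta(days=1)).day == 1

def retained_points(today):
    """Map each restore point still held on `today` to its GFS tier."""
    points = {}
    for age in range(MONTHLY_DAYS + 1):
        d = today - timedelta(days=age)
        if age < DAILY_DAYS:
            points[d] = "son"
        elif age <= WEEKLY_DAYS and d.weekday() == 6:   # Sunday (assumed weekly cut)
            points[d] = "father"
        elif is_month_end(d):
            points[d] = "grandfather"
    return points

def recoverable(created, deleted, today):
    """Restore points that captured a file existing from `created` until `deleted`.

    With end-of-day backups the file is present in the backup of day d
    when created <= d < deleted.
    """
    return sorted(d for d in retained_points(today) if created <= d < deleted)

if __name__ == "__main__":
    # Constructed sample lifetimes, not data from the article.
    today = date(2024, 6, 15)
    cases = {
        "created and deleted inside March": (date(2024, 3, 4), date(2024, 3, 22)),
        "existed across the March month-end": (date(2024, 3, 4), date(2024, 4, 10)),
        "short-lived file from this week": (date(2024, 6, 10), date(2024, 6, 12)),
    }
    for label, (created, deleted) in cases.items():
        hits = recoverable(created, deleted, today)
        print(f"{label}: {[d.isoformat() for d in hits] or 'not on any backup'}")
    # The same short-lived file once the daily and weekly windows have passed:
    print(recoverable(date(2024, 6, 10), date(2024, 6, 12), date(2024, 7, 20)))
```

Running the same check against your own schedule and a sample of record lifetimes shows quickly whether the backup rotation alone can satisfy a retention requirement.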
The other problem we run into with using backup systems to retain data is how decommissioned servers are handled. Many IT departments remove servers from backup systems as part of the decommissioning process, as they will no longer need to recover the servers in DR. This often removes all historical backups for the decommissioned server. If management assumed that the backups were retained, they will find that when they need to access the data it is no longer there.
The final problem we see is that certain types of data (board minutes, financial reports, etc.) must be retained forever by an institution, but backup systems are not forever. Backup technology changes, and most institutions change backup systems every 5 – 10 years. When the new system is introduced, it is common for an institution to have to keep their old backup system, either running or powered off, for a number of years after switching to a new system. The old system is often no longer covered under maintenance and may be on unsupported operating systems, so there is a high likelihood that the old system will not operate if the old data is ever needed.
When planning for data retention we urge institutions to start by determining what data needs to be retained, whether every version of this data needs to be retained, and for how long the documents need to be retained. We then urge the institution to inventory where the data is, and to consolidate it into one system wherever possible. Once the retention needs and data locations are known, management needs to work with IT to determine the best way to make sure the retention requirements are met. This may be through a backup system, but may also utilize a specialized records retention system.
If you have questions regarding data retention or any other areas related to cybersecurity, please do not hesitate to contact us at support@bedelsecurity.com.