Lesson 10 B Implement Backup and Recovery

Question 1

Backups and Recovery

Answer 1

Data backup is a system maintenance task that enables you to store copies of critical data for safekeeping. Backups protect against loss of data due to disasters such as file corruption or hardware failure. Data recovery is a task that enables you to restore user access to lost or corrupt data via the backup.

Question 2

Most large organizations will implement

Answer 2

a structured backup scheme that includes a backup schedule and specifications for which files are backed up, where the backup is stored, and how it can be recovered.

Question 3

Personal backups

Answer 3

are necessary for home users or on workgroups, where no central file server is available. In this scenario, the backup software supplied with Windows is serviceable. Most home users will back up to external hard drives or use some sort of cloud-based storage.

Question 4

In Windows, user data backup options are implemented via

Answer 4

the File History feature, which is accessed through Settings > Update & Security > Backup . You can configure a local drive or network folder as the target for storing backup files. You can choose which folders and files to include or exclude from the backup job plus a schedule for running the job.
If you need to restore a file or folder, you can either use the Previous Versions tab in the object’s Properties dialog box or use the File History applet to restore multiple files.

The Backup and Restore Center control panel tool provides an alternative backup manager. It can also be used to make image backups of the entire operating system, rather than just data file backups.

Question 5

When considering a file server or database server, the execution and frequency of backups must be

Answer 5

carefully planned and guided by policies. Each backup job records data as it was at a certain point in time. As each backup job might take up a lot of space and there is never limitless storage capacity, there must be some system to minimize the amount of data occupying backup storage media while still giving adequate coverage of the required recovery window.

Question 6

Two main factors govern backup operations:

Answer 6

• Frequency is the period between backup jobs. The frequency configuration reflects how much lost work can be tolerated. For example, if employees can recall and input the previous day’s work on document files, a daily backup will meet the requirement. If the edits are much more difficult to reconstruct, backup frequency might need to be measured in hours, minutes, or seconds.
• Retention is the period that any given backup job is kept for. Short-term retention is important for version control and for recovering from malware infection. Consider the scenario where a backup is made on Monday, a file is infected with a virus on Tuesday, and when that file is backed up later on Tuesday, the copy made on Monday is overwritten. This means that there is no good means of restoring the uninfected file. In the long term, data may need to be stored to meet legal requirements or to comply with company policies or industry standards. Conversely, regulations might require that data not be kept for longer than necessary.

Question 7

Backup Chains

Answer 7

The requirements for backup frequency and retention must be managed against the capacity of the backup media and the time it takes to complete a backup job. These requirements are managed by using different types of jobs in a backup chain.

Question 8

The main types of backups are

Answer 8

full only, full with incremental, and full with differential:

Question 9

“Full only”

Answer 9

means that the backup job produces a file that contains all the data from the source. This means that the backup file is nominally the same size as the source, though it can be reduced via compression. A full backup has the highest storage and time requirements but has the least recovery complexity as only a single file is required.

Question 10

“Full with incremental”

Answer 10

means that the chain starts with a full backup and then runs incremental jobs that select only new files and files modified since the previous job. An incremental job has the lowest time and storage requirement. However, this type of chain has the most recovery complexity as it can involve two or more jobs, each of which might be stored on different media.

Question 11

“Full with differential”

Answer 11

means that the chain starts with a full backup and then runs differential jobs that select new files and files modified since the original full job. A differential chain has moderate time and storage requirements and slightly less recovery complexity than incremental as it requires a maximum of two jobs (the full backup plus the differential job).

Question 12

Synthetic Backup

Answer 12

A synthetic backup is an option for creating full backups with lower data transfer requirements. A synthetic full backup is not generated directly from the original data but instead assembled from other backup jobs. It works as follows:

1. The chain starts with an initial full backup as normal and subsequently makes a series of incremental backups.
2. When the next full backup is scheduled, the backup software makes one more incremental backup. It then synthesizes a new full backup from the previous full and incremental backups.

Question 13

A backup rotation scheme allows some media to be

Answer 13

reused once the retention period of the job stored on it has expired.

Question 14

Rotation is most closely associated with

Answer 14

the use of tape media but can be applied to disk devices too. There are many backup rotation schemes, but the most widely used is grandfather-father-son (GFS.) The GFS scheme labels the backup tapes in generations. Son tapes store the most recent data and have the shortest retention period (one week, for example). Grandfather tapes are the oldest and have the longest retention period (one year, for example).

Question 15

Assuming a single tape has sufficient capacity for each job and no weekend backups, a GFS scheme could be implemented as follows:

Answer 15

1. A full backup is performed each week on Friday night to one of the tapes marked “Father.” As some months will have five Fridays, this requires five tapes labeled and dedicated to the father role.
2. Incremental backups are made during each day to a tape marked “Son,” using whatever frequency is required (every 15 minutes or every hour, for instance). The five son tapes are reused each week in the same order.
3. A full backup is performed at the end of the last working day of the month on a tape marked “Grandfather.” Twelve grandfather tapes are required.
4. The father tapes are then reused for the next month in the same order, and the cycle continues. At the end of the year, the first grandfather tape is overwritten.

A longer version-control window could be achieved by doubling the number of son tapes and reusing them on a bi-weekly schedule. Note that the father tapes could use synthetic backups.

Question 16

On Site versus Off Site Storage

Answer 16

On site backup storage means that the production system and backup media are in the same location. This means that if a disaster strikes the facility, there is the risk of losing both the production and backup copies of the data.

A media rotation scheme such as GFS means that at least some of the backup media can be taken for storage off site once the backup job has run. For example, in the GFS scheme outlined above, four of the father tapes could be kept off site at any one time. Grandfather tapes can all routinely be kept off site with only one needing to be brought on site at the time of the backup job.

Transporting media off site is an onerous task, however. High-bandwidth Internet and high-capacity cloud storage providers have made off-site backup solutions more affordable and easier to implement.

Question 17

Online versus Offline Backups

Answer 17

As well as the on-site/off-site consideration, you should also be aware of a distinction between online and offline backup media. Online backup media is instantly available to perform a backup or restore operation without an administrator having to transport and connect a device or load a tape. An offline backup device is kept disconnected from the host and must be connected manually to run a backup job.

An online system is faster, but keeping some backup media offline offers better security. Consider the case of crypto-ransomware, for instance. If the backup drive is connected to the infected host, the ransomware will encrypt the backup, rendering it useless. Some crypto-ransomware is configured to try to access cloud accounts and encrypt the cloud storage (f-secure.com/v-descs/articles/crypto-ransomware.shtml). The media rotation scheme should allow at least one backup copy to be kept offline. For example, in the GFS scheme discussed above, four of the son tapes can be kept offline.

Question 18

3-2-1 Backup Rule

Answer 18

The 3-2-1 backup rule is a best-practice maxim that you can apply to your backup procedures to verify that you are implementing a solution that can mitigate the widest possible range of disaster scenarios. It states that you should have three copies of your data (including the production copy), across two media types, with one copy held offline and off site.

Question 19

When you design a backup scheme, test it to make sure it’s reliable. To test the backup:

Answer 19

• Try restoring some of the backed-up data into a test directory, making sure you don’t overwrite any data when doing so. Alternatively, use a virtual machine to test recovery procedures without affecting the production host.
• Configure the backup software to verify after it writes. Most backup software can use hashing to verify that each job is a valid copy of the source data. It is also important to verify media integrity regularly, such as by running chkdsk on hard drives used for backup.
• Verify that the backup contains all the required files.

You should re-test recovery procedures whenever there is a change to the backup schedule or requirements. It is also best practice to perform routine tests periodically—every week or every month, depending on criticality. Frequent testing mitigates risks from media failure and configuration oversights.