SECURITY
Backup hygiene the auditors won't ask about (but should).
Most backup audits check that backups exist. Real backup hygiene is the set of questions that determine whether you'll actually recover.
Backups give a false sense of security. The dashboard says "last backup: 2 hours ago, status: success" and everyone moves on. The first time anyone discovers the backup was useless is during the recovery, which is the worst possible time.
Test restores, on a schedule, end to end
An untested backup is a hypothesis. The only proof is a full restore into a clean environment, performed by someone who didn't take the backup, with the resulting system actually used to do work. Quarterly is a reasonable cadence for critical systems. Annually is the bare minimum.
Most teams that start doing this discover within the first cycle that something is broken — credentials expired, schema drifted, an undocumented dependency moved. Better to find out now.
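A scripted version of the drill described above, as an added example that is not code from the original post. It assumes (my assumptions, not the article's) that the backup is a tar.gz archive plus a SHA-256 manifest written at backup time, and it only declares success when every file lands in a brand-new empty directory with its recorded hash and an application-level check on the restored data passes; the sample data set and the `records_are_usable` check are constructed. The `tamper=True` path corrupts one manifest entry to show the drill catching what a "status: success" dashboard cannot.

```python
"""Scripted end-to-end restore drill (added example; not from the original post).

Assumptions (mine): backup = tar.gz archive + SHA-256 manifest written at backup
time. A restore passes only if every file is recreated in a fresh empty directory
with its recorded hash AND the restored data survives an application-level check.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive every file under `source` and record its hash for later verification."""
    manifest = {str(p.relative_to(source)): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path = dest_dir / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return archive, manifest_path


def restore_and_verify(archive: Path, manifest_path: Path, app_check) -> list[str]:
    """Restore into a fresh temp directory; return the list of failures (empty means pass)."""
    failures: list[str] = []
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as clean:
        target = Path(clean)
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' extraction filter (3.12, backported to 3.8.17+) refuses
            # members that would escape the target directory.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(target, **kwargs)
        for rel, digest in expected.items():
            p = target / rel
            if not p.is_file():
                failures.append(f"missing: {rel}")
            elif sha256_file(p) != digest:
                failures.append(f"hash mismatch: {rel}")
        restored = {str(p.relative_to(target)) for p in target.rglob("*") if p.is_file()}
        for extra in sorted(restored - set(expected)):
            failures.append(f"unexpected file: {extra}")
        # Bytes on disk are not a recovery: make the restored data do real work.
        try:
            app_check(target)
        except Exception as exc:  # any failure here is a drill failure
            failures.append(f"application check failed: {exc}")
    return failures


def records_are_usable(restored_root: Path) -> None:
    """Constructed application check: records must parse and carry the expected schema."""
    data = json.loads((restored_root / "records.json").read_text())
    if data.get("schema_version") != 2:
        raise ValueError(f"unexpected schema_version {data.get('schema_version')!r}")
    if not data.get("customers"):
        raise ValueError("no customer records restored")


def run_drill(tamper: bool = False) -> list[str]:
    """Build a constructed data set, back it up, restore into a clean dir, verify.
    tamper=True corrupts the manifest entry for records.json to exercise detection."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "prod"
        source.mkdir()
        (source / "records.json").write_text(json.dumps(
            {"schema_version": 2, "customers": [{"id": 1, "name": "Constructed Co."}]}))
        (source / "notes.txt").write_text("constructed sample file\n")
        archive, manifest_path = take_backup(source, Path(work))
        if tamper:
            m = json.loads(manifest_path.read_text())
            m["records.json"] = "0" * 64
            manifest_path.write_text(json.dumps(m))
        return restore_and_verify(archive, manifest_path, records_are_usable)


if __name__ == "__main__":
    for t in (False, True):
        r = run_drill(tamper=t)
        print(f"tamper={t}: {'PASS' if not r else 'FAIL: ' + '; '.join(r)}")
```

The point of `app_check` is the article's "actually used to do work": swap in whatever proves your system is alive after a restore (a query against the restored database, a login against the restored directory), and run the drill from an account that did not take the backup.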
Immutability is the answer to ransomware
If your backup system uses the same credentials as your production system, ransomware will encrypt the backups too. The fix is immutable storage: object lock on S3-compatible storage, retention locks, or true offline copies on rotated media.
The test: can a domain admin, today, delete or encrypt last month's backups? If yes, you don't have backups, you have a snapshot of a thing about to be destroyed.
RPO and RTO are decisions, not discoveries
Recovery Point Objective (how much data you're willing to lose) and Recovery Time Objective (how long you're willing to be down) should be set per system before the incident, by the business, in writing. Then engineering builds backwards from those numbers.
If those numbers don't exist, every recovery becomes an emergency negotiation between IT and the business at the worst possible moment.
The questions to ask quarterly
1. When did we last restore this system from backup, end to end, and how long did it take?
2. Where do the backups live, and who has the credentials to delete them?
3. What's the documented RPO and RTO, and does the current configuration meet them?
4. What changed in the last quarter that would invalidate any of the above?
If you can't answer all four for your top five systems, the auditor's checklist is hiding more risk than it's measuring.
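The four questions turned into a repeatable check, as an added example that is not code from the original post. It evaluates one inventory record per system for the restore-test age and duration, who can delete the backups and how long the store's retention lock holds, whether RPO and RTO exist in writing and the schedule meets the RPO, and whether anything changed since the last review. The field names, thresholds, group names and the two sample systems are my own constructions; the 90-day test cadence follows the article's quarterly suggestion.

```python
"""Quarterly backup-hygiene review as a script (added example; not from the original post).

The record fields, thresholds, group names and sample inventory are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class BackupRecord:
    system: str
    rpo_hours: Optional[float]          # documented RPO; None = never decided in writing
    rto_hours: Optional[float]          # documented RTO; None = never decided in writing
    backup_interval_hours: float        # how often backups actually complete
    last_restore_test: Optional[date]   # last end-to-end restore; None = never
    last_restore_duration_hours: Optional[float]
    delete_principals: list[str] = field(default_factory=list)  # who can delete/encrypt backups
    retention_lock_days: int = 0        # immutability window enforced by the backup store
    changed_since_review: list[str] = field(default_factory=list)


# Constructed names for the groups that own production. If they can delete
# backups, ransomware running as them can delete them too.
PRODUCTION_ADMIN_GROUPS = {"Domain Admins", "prod-admins"}


def evaluate(rec: BackupRecord, today: date,
             test_max_age_days: int = 90, min_lock_days: int = 30) -> list[str]:
    """Return hygiene findings for one system (empty list = all four questions answered well)."""
    findings: list[str] = []

    # Q1: when did we last restore end to end, and did it fit the RTO?
    if rec.last_restore_test is None:
        findings.append("never restored end to end")
    else:
        age = (today - rec.last_restore_test).days
        if age > test_max_age_days:
            findings.append(f"last restore test was {age} days ago (limit {test_max_age_days})")
    if (rec.rto_hours is not None and rec.last_restore_duration_hours is not None
            and rec.last_restore_duration_hours > rec.rto_hours):
        findings.append(f"restore took {rec.last_restore_duration_hours}h, RTO is {rec.rto_hours}h")

    # Q2: who can delete the backups, and does the store hold last month's copies?
    shared = sorted(set(rec.delete_principals) & PRODUCTION_ADMIN_GROUPS)
    if shared:
        findings.append(f"production admins can delete backups: {', '.join(shared)}")
    if rec.retention_lock_days < min_lock_days:
        findings.append(f"retention lock {rec.retention_lock_days}d < {min_lock_days}d")

    # Q3: are RPO/RTO written down, and does the schedule actually meet the RPO?
    if rec.rpo_hours is None or rec.rto_hours is None:
        findings.append("RPO/RTO not decided in writing")
    elif rec.backup_interval_hours > rec.rpo_hours:
        findings.append(f"backups every {rec.backup_interval_hours}h cannot meet RPO {rec.rpo_hours}h")

    # Q4: what changed this quarter that invalidates the above?
    if rec.changed_since_review:
        findings.append("changes not re-validated: " + "; ".join(rec.changed_since_review))

    return findings


# Constructed inventory: one system kept in order, one that only looks backed up.
INVENTORY = [
    BackupRecord("payroll-db", rpo_hours=1, rto_hours=4, backup_interval_hours=0.5,
                 last_restore_test=date(2024, 5, 2), last_restore_duration_hours=2.5,
                 delete_principals=["backup-vault-break-glass"], retention_lock_days=35),
    BackupRecord("fileshare", rpo_hours=None, rto_hours=None, backup_interval_hours=24,
                 last_restore_test=None, last_restore_duration_hours=None,
                 delete_principals=["Domain Admins", "svc-backup"], retention_lock_days=0,
                 changed_since_review=["storage migrated to new NAS"]),
]


def review(today: date = date(2024, 6, 30)) -> dict[str, list[str]]:
    return {rec.system: evaluate(rec, today) for rec in INVENTORY}


if __name__ == "__main__":
    for system, findings in review().items():
        print(f"{system}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Feed it from whatever holds your inventory and run it before the quarterly review rather than during it; a system with an empty findings list is one you can answer all four questions for, which is the bar the article sets for the top five.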