Best Practices for Backup Plans
Always Encrypt Backups
It is recommended to encrypt all backups. Enable 256-bit AES encryption and set a strong password for every backup plan. It is also good practice to use a different password for each customer, and more than one password within a single customer when needed. Encrypting the backup is easy, and a strong password protects the backup data against brute-force decryption techniques and may also be required for regulatory compliance. Regardless, it’s best to always encrypt for the best protection.
If your cloud storage offers a server-side encryption option, you should use it. Server-side encryption adds an additional layer of encryption on top of client-side encryption and helps protect your data in the rare case where someone steals a hard drive from the cloud vendor.
Make sure all network traffic is encrypted. If a storage option is available with an SSL/TLS option, use it to ensure that all traffic between the agent and the storage account is fully encrypted. Lastly, if your storage account supports File-Name Encryption, you can enable it in your backup plans to scramble the names of the files in backup storage, so that any identifiable text in the file names is obfuscated.
Fully Document and Test your Backups and Disaster Recovery Plans
Make sure to fully document and test your backup and disaster recovery plans. Test recovery scenarios to make sure you can adhere to your committed restore time objectives. This will help you avoid mistakes and extended restore times, so that, when required, you can restore critical customer data as soon as possible.
Apply a 3-2-1 Backup Rule to your Backup Strategy
The 3-2-1 backup rule requires you to keep 3 copies of your data (live data and two backups), to use two different storage media, and to keep one copy offsite. An easy way to accomplish this is with hybrid backup types that write to local and cloud destinations at the same time. Alternatively, you can perform separate local and cloud backups. Local backups can be used for faster restores. The cloud backups provide disaster recovery protection from natural disasters and malware attacks.
Adjust Your Retention Policies Accordingly
Retention policies determine how long backups are kept and how many backup versions you want to keep.
In most cases, it is recommended that you keep 2 or more versions to protect against malware attacks and against overwriting backup data with corrupted/encrypted file versions.
Use Hybrid and Non-Hybrid Plans Carefully
Avoid using non-hybrid (local or cloud) and hybrid backup plans with the same or similar backup dataset. Note that simultaneous hybrid and non-hybrid backup plan usage may cause several errors (possible error codes: 1524, 1525, 1526, 1527, 2600, or 2601).
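The checks described above (256-bit AES on every plan, 2 or more retained versions, no hybrid and non-hybrid plans over the same or similar dataset) can be run over a plan inventory. The following is an added example, not part of Managed Backup: the `Plan` fields and the sample inventory are constructed, and treating "similar" as "same or nested folder" is an assumption.

```python
# Added example: audits a constructed plan inventory against this page's guidance.
# The Plan fields are hypothetical; they are not a Managed Backup export format.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Plan:
    name: str
    kind: str            # "hybrid", "local" or "cloud"
    sources: list        # folders included in the backup dataset
    encryption: str      # "AES-256", or "" when encryption is disabled
    versions_kept: int   # retention: number of versions kept


def overlaps(a: str, b: str) -> bool:
    """True when one folder equals or contains the other (case-insensitive)."""
    pa, pb = PureWindowsPath(a), PureWindowsPath(b)
    return pa == pb or pa in pb.parents or pb in pa.parents


def audit(plans):
    findings = []
    for p in plans:
        if p.encryption != "AES-256":
            findings.append((p.name, "encryption is not 256-bit AES"))
        if p.versions_kept < 2:
            findings.append((p.name, "retention keeps fewer than 2 versions"))
    # Hybrid and non-hybrid plans must not share the same or a nested dataset.
    hybrid = [p for p in plans if p.kind == "hybrid"]
    plain = [p for p in plans if p.kind != "hybrid"]
    for h in hybrid:
        for n in plain:
            shared = sorted({s for s in h.sources for t in n.sources if overlaps(s, t)})
            if shared:
                findings.append((h.name, f"dataset overlaps non-hybrid plan {n.name}: {shared}"))
    return findings


# Constructed sample inventory.
PLANS = [
    Plan("Files-Hybrid", "hybrid", [r"C:\Data"], "AES-256", 3),
    Plan("Finance-Cloud", "cloud", [r"c:\data\finance"], "AES-256", 1),
    Plan("Mail-Local", "local", [r"D:\Mail"], "", 2),
]

if __name__ == "__main__":
    for plan, issue in audit(PLANS):
        print(f"{plan}: {issue}")
```

Comparing folders as paths rather than as string prefixes keeps `C:\Data` and `C:\Database` from being reported as the same dataset.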
Avoid Manual File Operations of Backup Storage Outside Managed Backup
Managed Backup automatically tracks all files sent to backup storage and stores this information in a local repository on each client. The repository is used to easily detect changes in files and improve backup speed.
All backup plan executions and any modifications made in the Storage tab in the agents are automatically tracked in the local repository. However, if you make changes to files in backup storage outside of the Managed Backup interface, the repository and backup storage will be out of sync and you will need to run a Consistency Check. A Consistency Check brings the repository back into a synchronized state with backup storage. However, it’s best to avoid this process altogether by making sure any changes to backup storage are performed in Managed Backup.
Lock Out File Deletion on the Backup Agent
The Storage tab of a Backup Agent is where most of the metadata is stored. You can restore files from it with a few clicks. You can also delete data from this tab.
To disable the delete option, open the Advanced Rebranding options page of the Management Console, then deselect the Manual Files Delete check box.