Posey's Tips & Tricks

How Long Should You Retain Your Backups?

Backup retention length may not be an issue for organizations in regulated industries, but for everyone else, it should be based on both practicality and operational requirements.

• By Brien Posey
• 06/07/2021

Nearly all of the major backup vendors include some sort of retention policy feature in their software. These policies ensure that backups are kept as long as necessary, but they are also sometimes used for expiring old backups that are no longer needed. While it's easy to see how these policies can be helpful, the tricky part is figuring out how long backups need to be retained.

Backup retention length is far less of an issue for organizations in regulated industries, because there are often regulatory requirements stipulating the length of time that backups must be retained. For everyone else, though, backup retention should be based on both practicality and operational requirements.

Let me give you an example of what I mean by practicality. I started out in IT back in the 1990s. One of the first organizations I worked for created nightly backups, and then stored the backup tapes in a fireproof vault. Even though the concept of backup retention policies didn't really exist back then (at least in terms of the backup software we were using), we established our own retention policy. That policy was based on three key things:

1. Once a backup reached a certain age, it was more or less useless to us. There wouldn't be any point in restoring such an old backup.
2. Backup tapes were expensive, and the IT budget (or lack thereof) demanded that we reuse old tapes.
3. Even though the fireproof vault was relatively large, there was a limit to the number of tapes that could be crammed into the vault.

That's what I mean by practicality. The organization decided how long it would keep backups based on cost, the amount of time it would take for a backup to outlive its usefulness, and our ability to securely store the backups in the vault.

Incidentally, that organization's backup retention policy wasn't quite as simple as just overwriting a tape after a couple of weeks. The IT department had a mandate from upper management that in addition to the regular backups, we had to create quarterly backups that were to be stored for a couple of years and a backup at the end of our fiscal year that was to be retained indefinitely.

In some ways, the concepts that I just talked about seem irrelevant to today. After all, at least some of the things that the organization did way back then violate some long established best practices. Similarly, most organizations no longer use tape as their primary backup media. Even so, the issue of backup retention is still worth considering.

One of the main reasons why backup retention is an important consideration, even today, is cost. Whether you are backing up to the cloud or to a disk-based storage appliance residing on-premises, there is a direct cost that must be considered. Cloud providers bill you for the storage space you consume. Similarly, disk-based storage appliances have a limited capacity, and you will have to purchase additional storage once that capacity is exhausted. As such, it makes sense to expire old backups that are no longer needed to reduce storage consumption, thereby helping to reign in costs.

Granted, there are plenty of technologies that can help reduce backup storage costs. Incremental backups help organizations avoid backing up anything that has already been backed up, and storage deduplication can help get rid of any redundancy that does happen to exist within the backup. Even so, there is always a cost associated with backup storage.

Another reason why retention policies are so important is because without them, backups will almost always outlive their usefulness. Let me give you a personal example.

I used to back up my data to DVD media. At the time, I really didn't have all that much data to protect, and backing up to DVD was less expensive than backing up to tape. At any rate, I was cleaning out a storage cabinet in my office last week and stumbled across one of my DVD backups from 2006. There is zero chance I will be restoring that backup.

Back when I was backing up to DVD, I would reuse the disks for as many times as I could and shred them once I could no longer write to them. But imagine if I hadn't disposed of the old disks. I would have a mountain of old DVDs collecting dust in my office.

The same basic principle also applies to disk-based backups and cloud-based backups. Even if you don't have to worry about accumulating a large collection of physical media, you do have to consider the issue of digital clutter. Purging old backups that you will never use reduces clutter and makes it easier to find the backups that you do need.

All of this is to say that even though backups act as a safety net, giving you a way to get your data back following some kind of catastrophic event, there is a limit to how long a backup should be kept. Even so, the maximum age at which a backup may still potentially be useful is going to be different for every organization. As such, it's important to consider what kind of retention policy makes sense for your own unique situation.