Posey's Tips & Tricks

Does Redundancy Eliminate the Need for Backups?

The cloud era does not mean that we ditch what has worked in the past.

I recently received an email from a podcaster who wanted me to go on his show and debate the relevancy of backup in the cloud era. The podcaster was of the position that hyperscale clouds such as AWS and Azure almost never go down and that if you provision your workloads with sufficient redundancy then cloud backups become obsolete. Unfortunately, a scheduling conflict prevented me from being able to go on the show, but I wanted to use this blog post as an opportunity to explain why I firmly believe that backups remain an absolute must.

The debate over whether or not backups are still necessary is not a new one. Roughly about 10 years ago, following the release of Exchange Server 2013, there were those within Microsoft who were floating the idea of zero backups. The idea behind this concept was that mail server data has such a high change rate (with new messages constantly being sent and received), that it rendered traditional backup and recovery operations impractical, at best. Additionally, Exchange Server could be configured to support multiple mailbox database copies, thereby eliminating the need for backups.

If you were not familiar with the term "zero backups" before reading that last paragraph, there is probably a good reason why. The idea never caught on. Abandoning your backups was a bad idea back then and it remains a bad idea today.

The number one reason why I do not recommend choosing redundancy over backups is simply a matter of self preservation. As an IT pro, you never, ever want to put yourself in the position of having to explain to your boss that there is no way for you to recover data that was lost because you made the decision to stop making backups. Such a situation would almost certainly result in you being fired from your job.

I’m sure that there are those who would counter that point by saying that this is a situation that you will never have to worry about because the cloud is sufficiently reliable to render a restoration unnecessary. However, there are a few other things to think about.

First, no matter how reliable you believe the cloud to be, there may be regulatory requirements that prevent you from walking away from traditional backups. This is especially true for businesses in regulated industries such as healthcare of finance, but such requirements can apply to nearly any business. The PCI DSS regulations apply to any organization that accepts credit card payments. PCI DSS requires all covered entities (businesses that accept credit card payments) to back up their data in a way that adheres to PCI DSS requirements.

Another reason why redundancy alone may prove to be inadequate for protecting your data is that redundant data protection solutions often lack point in time recovery capabilities. In some cases, the need for point in time recovery seems absurd. If for example, you have a database that is being updated with millions of new transactions every hour, then there is seemingly no need for point in time recovery. After all, even a backup that was created half an hour ago would be outdated.

The problem however, is that redundant solutions often fail to protect against ransomware attacks and certain types of data corruption. Imagine that the previously mentioned database were to become encrypted by ransomware. The best option for returning to an operational status would be to perform a point-in-time recovery using a recovery point that was created just prior to the attack. Yes, such a recovery would result in the loss of any transactions that were made after the recovery point was created on up until the point at which the attack happens. Even so, the recovery point would allow you to recover the vast majority of your data.

Redundancy unfortunately does not do much to protect against a ransomware attack because as data is encrypted, the now encrypted data is replicated to your redundant systems, causing them to become encrypted too.

Simply put, the idea that you can give up your backups and rely solely on redundancy for data protection is a pipe dream and doing so would be extremely ill advised. Instead organizations should be using redundancy as a first line of defense against outages and data loss, but they should also be hedging their bets by creating frequent backups.

About the Author

Brien Posey is a 21-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus