Database Security: Costs, Benefits and Risks of Database Backups

In the modern workplace, data is the lifeblood of businesses, and protecting it is correspondingly important. Database backups are one of the common methods database administrators (DBAs) use to ensure the continued availability of data: data and schemas are copied from a database and stored in another location from which they can be retrieved later. But like any other IT process, database backups come with benefits as well as costs and risks.

Why is backing up databases so important?

The answer lies in the term “data recovery.” Without a database backup, it is impossible to recover the data. Not being able to recover data can be disastrous, but the problem is still not uncommon. Robust data backup strategies are therefore also essential for data security. For example, if an organization falls victim to a ransomware attack, it needs to clearly distinguish the state of its important data before the attack from the state after it. Recovery makes it possible to return to the point in time before the attack and, at best, continue as if it had not happened.

If a ransomware attack has encrypted a company’s data and the screen is locked, the company can restore a backup to a brand new system and bypass the attack. Without a backup, this is not possible and thus, operations cannot be maintained.

Recovery Time and Maximum Tolerable Data Loss

Of course, a database backup cannot be created with a simple snap of the fingers, and businesses have different backup and recovery requirements. Two key business objectives can be an important guide:

  1. Recovery time objective (RTO), or recovery time: the RTO is the amount of time within which an organization must be able to recover its data.
  2. Recovery point objective (RPO), or maximum tolerable data loss: the RPO is the point in time to which recovery must be possible.

For example, a possible requirement for DBAs is to recover data from a backup created the previous day (the RPO) within one hour of an incident (the RTO). The RPO is the point to which they must return, and the RTO specifies how long that process may take. These requirements are set by the business, and DBAs must implement them. Often, however, companies face the problem of losing track of the growing volumes of data in their databases.

If DBAs don’t continuously test recoveries, they may find that in the event of a disaster, they can’t recover databases in a timely manner because recovery takes longer due to the now larger volume of data. For organizations to set realistic RPOs and RTOs and for DBAs to meet them, DBAs must recover databases regularly. Otherwise, they risk missing the organization’s RTO and RPO targets, which can lead to critical data loss and business disruption.
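The drift described above can be checked mechanically. The following is an added example, not code from the original article: it uses the article's example objectives (previous-day RPO, one-hour RTO) and projects restore time for today's data volume from past test restores. The function names, the 90-day test-age limit and the restore history are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=24)  # article's example: a backup from the previous day
RTO = timedelta(hours=1)   # article's example: recovered within one hour
MAX_TEST_AGE = timedelta(days=90)  # assumption: restore tests at least quarterly

# Constructed restore-test history: (test date, database size in GB, restore minutes)
RESTORE_TESTS = [
    ("2024-01-15", 200, 21.0),
    ("2024-04-15", 260, 27.5),
    ("2024-07-15", 340, 35.0),
]

def worst_rate_gb_per_min(tests):
    """Slowest restore throughput seen in any test, for a conservative estimate."""
    return min(size_gb / minutes for _, size_gb, minutes in tests)

def projected_restore(current_size_gb, tests):
    """Estimated restore duration for today's data volume."""
    return timedelta(minutes=current_size_gb / worst_rate_gb_per_min(tests))

def check_objectives(now, last_backup, current_size_gb, tests):
    """Return (code, message) findings; an empty list means both objectives hold."""
    findings = []
    backup_age = now - last_backup
    if backup_age > RPO:
        findings.append(("RPO", f"newest backup is {backup_age} old, limit {RPO}"))
    estimate = projected_restore(current_size_gb, tests)
    if estimate > RTO:
        findings.append(("RTO", f"projected restore {estimate} exceeds {RTO}"))
    test_age = now - datetime.fromisoformat(tests[-1][0])
    if test_age > MAX_TEST_AGE:
        findings.append(("STALE", f"last restore test was {test_age.days} days ago"))
    return findings

if __name__ == "__main__":
    # The July test passed at 340 GB; by November the database holds 600 GB.
    now = datetime(2024, 11, 1, 6, 0)
    last_backup = datetime(2024, 10, 31, 1, 0)
    for code, msg in check_objectives(now, last_backup, 600, RESTORE_TESTS):
        print(code, msg)
```

The last test restore finished well inside the hour, yet the same throughput applied to the grown database misses the RTO, which is the failure the paragraph above warns about.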

What Role Does Cost Play?

Different people involved may mean different things by the cost of database backups. Let’s say the DBA responsible for a system learns that he has no backups for the first three weeks of the year. If something goes wrong, he must explain to management why three weeks’ worth of transactions must be re-entered – after all, they can only go back to December 31. Management needs to consider the cost of re-entering potentially huge amounts of data if DBAs don’t have backups for emergencies.

The same incident also comes at a cost to the DBA. If regular database backup is his or her responsibility, failure to do so can impact his or her career. Whether in the form of unflattering conversations with angry superiors or even the loss of his or her job, the personal cost of missing database backup processes can be high. Another cost is the cost of data storage, or the medium a company uses for database backups. Offsite and cloud storage likewise come with costs.


A company also needs to consider the costs associated with its RTO goals: How much does it cost the company if a central business unit is not operational for an hour? How many sales will it miss out on during that time? These questions are a tricky balancing act.

If the company pays more for better storage and performs more frequent database backups, recovery losses will be lower, but is the initial cost worth it? These are considerations that every company should take a close look at, especially as their database grows.

Restore Backed up Databases

DBAs should restore databases on a regular basis to make sure everything works in an emergency. But what if a DBA is responsible for thousands of databases? In that case, it’s not feasible or cost-effective to restore every database all the time. DBAs should therefore determine how many databases they need to recover on a regular basis to minimize costs and maximize the chance of successfully recovering all databases in the event of a disaster. If DBAs use a statistical sampling method to restore a few randomly selected databases each day (perhaps only a few dozen), they can be 95 percent sure that all backups can be restored.

There is a cost associated with this as well: It takes time to develop the process and test the random restores regularly. But what would be the cost to the business if the DBA did not implement this process? If something goes wrong and backups are not in place, the cost to the business can be immense.
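One way to size and draw such a sample, as an added example that is not part of the original article. It assumes "95 percent" means the probability of hitting at least one unrestorable backup when at least `bad` of them exist among `total`; the function names and figures are hypothetical.

```python
import math
import random

def detection_probability(total, bad, sample):
    """Chance that a sample drawn without replacement from `total` backups
    contains at least one of the `bad` (unrestorable) ones."""
    if bad <= 0 or sample <= 0:
        return 0.0
    if sample > total - bad:
        return 1.0
    # P(miss every bad one) = C(total - bad, sample) / C(total, sample)
    return 1.0 - math.comb(total - bad, sample) / math.comb(total, sample)

def sample_size(total, bad, confidence=0.95):
    """Smallest sample that catches a bad backup with at least `confidence`."""
    for n in range(1, total + 1):
        if detection_probability(total, bad, n) >= confidence:
            return n
    return total

def days_to_confidence(total, bad, per_day, confidence=0.95):
    """Days of independent daily samples of `per_day` restores needed to reach
    `confidence` of having hit at least one bad backup."""
    if bad <= 0:
        raise ValueError("bad must be at least 1")
    daily_miss = 1.0 - detection_probability(total, bad, per_day)
    if daily_miss == 0.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(daily_miss))

def pick_restore_tests(databases, n, seed):
    """Random, reproducible choice of databases to restore today; logging the
    seed lets an auditor re-derive the selection."""
    return sorted(random.Random(seed).sample(databases, n))

if __name__ == "__main__":
    # Constructed fleet: 5000 databases, assume at least 5% (250) are broken.
    fleet = [f"db{i:04d}" for i in range(5000)]
    n = sample_size(len(fleet), 250)
    print("restores needed in one sample:", n)
    print("days at 24 restores per day:", days_to_confidence(len(fleet), 250, 24))
    print("today's first picks:", pick_restore_tests(fleet, n, seed=20240101)[:5])
```

A clean sample only bounds the share of broken backups at the assumed level; a smaller assumed `bad` count requires a larger sample or more days.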


Database Backup: Common Methods vs. Best Practices

The most commonly used methods for database backups are not necessarily the best. Some use shortcuts, others don’t even know exactly where to start. While some are not commonplace, the following best practices are recommended for organizations:

Encryption/Password Protection

Ideally, DBAs should encrypt and/or password protect their database backup files. Unfortunately, this best practice is often not applied. However, data encryption is very important because otherwise, anyone who gains access to a backup can take all the data and restore it to another system. As a minimum, the file should be password protected. Encrypting backup files, of course, comes at a cost. Organizations must decide if this cost is worth it to avoid any potential problems later due to a stolen backup.

Balancing workloads

DBAs should ensure backups don’t get in the way of other workloads. In theory, backups shouldn’t affect other processes on the system. But they are being written to a file that may be in a shared storage system, and the writing activity can cause a massive bottleneck.

Avoid bandwidth throttling

Backups can consume network bandwidth. If DBAs perform a backup at the same time every day, it can cause slowdowns for everyone else. Therefore, staggered backups (e.g., some servers at 1 a.m., others at 2 a.m., etc.) are recommended to avoid network throttling and problems for other systems.

Weigh the benefits, costs, and risks of backups

It costs money to create backups and restore them regularly. But a lack of backups has far greater financial and reputational consequences for the company. If the worst happens, DBAs certainly don’t want to be left without a backup and risk data loss. Weighing the benefits, costs, and risks of data backup solutions is a balancing act, but backups are too important for a company to do without.