Introduction
Having a solid backup retention policy is a crucial part of any organization’s data protection strategy. As the sole administrator responsible for my company’s backups, I’ve learned firsthand how important it is to carefully plan and implement backup retention policies. In this article, I’ll share everything you need to know to develop effective backup retention policies for your organization.
What Are Backup Retention Policies?
Backup retention policies determine how long backup data is retained and what storage that data requires. These policies specify the length of time backup copies are kept before being deleted or moved to lower-cost storage.
Properly designing retention policies involves balancing business needs, compliance regulations, recovery requirements, and storage costs. With thoughtful planning, you can implement retention rules that meet all of these needs efficiently.
Why Are Backup Retention Policies Important?
There are several key reasons why backup retention policies are a critical part of your data protection strategy:
- Recovery objectives – Retention policies ensure you maintain restore points far enough back to meet your specific recovery goals. These define how much lost data is acceptable in disaster scenarios.
- Compliance – Regulations often mandate retaining certain data for set time periods. Retention rules help avoid costly non-compliance.
- Limiting storage – Keeping all backup copies indefinitely is not feasible. Retention policies prevent uncontrolled storage growth and cost.
- Defense against ransomware – Keeping long-term offline backups provides protection if current data gets encrypted by ransomware.
How Long Should You Retain Backup Data?
Choosing retention periods depends on your specific recovery, compliance and business needs. Some common best practices include:
- Daily backups – 7 to 35 days retention
- Weekly backups – 4 to 52 weeks retention
- Monthly backups – 6 to 60 months retention
- Yearly backups – 7 to 10 years retention
Lengthier retention periods give you more restore points to choose from but cost more in storage capacity over time. I recommend assessing the business value of your data and the likelihood you’ll need to go back months or years to restore.
What Factors Should You Consider?
Some key factors to consider when defining backup retention include:
- Recovery time objective (RTO) – The time within which systems and data must be restored after an outage. Shorter RTOs require more frequent recovery points.
- Recovery point objective (RPO) – The maximum permissible period of lost data. Shorter RPOs mean retaining more frequent backups.
- Compliance regulations – Rules like HIPAA and SOX often mandate specific retention periods.
- Available storage capacity – Storing incremental backups lets you retain more recovery points with a set storage volume.
- Cost – Balance retention against available backup storage budget.
Retention Schemes to Consider
There are a few common backup retention schemes that provide a sound approach:
Grandfather-Father-Son
This uses progressively less frequent backups with longer retention times:
- Daily (Son) – High frequency, short retention
- Weekly (Father) – Medium frequency, medium retention
- Monthly (Grandfather) – Low frequency, long retention
Tower of Hanoi
This staggered scheme retains backups based on binary intervals:
- Every backup = 1 day
- Every 2nd backup = 2 days
- Every 4th backup = 4 days
- Every 8th backup = 8 days
And so on…doubling the retention period each time.
GFS (Grandfather-Father-Son) Rotation
A combination of the above two, with daily, weekly, and monthly retention tiers:
GFS provides daily, weekly, and monthly restore points to fit most needs efficiently. I tend to recommend this balanced approach for most backup environments.
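The daily, weekly, and monthly tiers described above can be expressed as a pruning rule. The following is an added example, not code from this article's author or from any backup product: the function names, the tier counts (7 daily, 4 weekly, 6 monthly) and the sample dates are assumptions. Each tier keeps the newest backup in each of its most recent periods that actually contain a backup, so a missed run does not leave a tier empty.

```python
from datetime import date, timedelta

def _newest_per_bucket(newest_first, bucket_of, limit):
    """Newest backup in each of the `limit` most recent buckets that contain one."""
    chosen = {}
    for d in newest_first:
        key = bucket_of(d)
        if key in chosen:
            continue            # a newer backup already represents this bucket
        if len(chosen) == limit:
            break               # tier is full; everything older is out of scope
        chosen[key] = d
    return set(chosen.values())

def gfs_keep(backups, daily=7, weekly=4, monthly=6):
    """Return the set of backup dates a GFS policy retains (hypothetical helper)."""
    newest_first = sorted(set(backups), reverse=True)
    # Son: one restore point per calendar day
    son = _newest_per_bucket(newest_first, lambda d: d, daily)
    # Father: one restore point per ISO (year, week)
    father = _newest_per_bucket(
        newest_first, lambda d: tuple(d.isocalendar())[:2], weekly)
    # Grandfather: one restore point per (year, month)
    grandfather = _newest_per_bucket(
        newest_first, lambda d: (d.year, d.month), monthly)
    return son | father | grandfather

def gfs_prune(backups, **policy):
    """Return the backup dates the policy allows to expire, oldest first."""
    return sorted(set(backups) - gfs_keep(backups, **policy))

# Constructed sample: one backup per day for 120 days ending 2024-04-30.
END = date(2024, 4, 30)
SAMPLE = [END - timedelta(days=i) for i in range(120)]

if __name__ == "__main__":
    kept = gfs_keep(SAMPLE)
    print(f"retain {len(kept)} of {len(SAMPLE)} backups")
    for d in sorted(kept, reverse=True):
        print(" ", d.isoformat())
```

Running the same function over the real backup catalogue and comparing its output with what the backup software actually holds is one way to audit that retention rules are being followed.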
How Should You Test and Verify Retention Policies?
Once implemented, backup retention policies need to be validated regularly:
- Monitor storage capacity – Make sure used backup storage isn’t exceeding projected volumes based on your policies. Trend out projected future capacity as well.
- Test restores – Periodically restore from retention points to confirm backups remain viable and recovery SLOs are met.
- Audit reports – Backup software reporting should allow you to see retention rules are being followed as defined.
- Adjust as needed – Review storage consumption, compliance needs and other factors yearly to validate policies or adjust as required.
Conclusion
Backup retention policies are a foundational element of your data protection and disaster recovery preparedness. Give careful thought to RTOs, RPOs, compliance needs, available storage capacity and costs when defining backup retention rules. Standard schemes like GFS provide proven templates you can follow for most environments. Just be sure to monitor and test regularly to validate that your retention policies are meeting business requirements. Let me know if you have any other questions!