"In an increasingly digital economy, IT security and the protection of corporate data are major challenges," explains Raphaël Henry. "Businesses today are faced with internal and external threats that are polymorphous, highly dynamic and constantly increasing in complexity. A simple oversight on the part of an employee can jeopardise the entire infrastructure in the same way as an act of sabotage or a cyber-attack. What is more, the growing importance of APIs is having a phenomenal impact on the digital industry. Information systems have entered an era of ultra-connectivity, where every one depends on different components processed or hosted by third parties".
"These factors demonstrate the importance of having a backup information system in the event of an incident, because the slightest problem in the supply chain can jeopardise a company's entire business", he adds. "The basis of this backup strategy is data copying. This principle is nothing new, since it dates back to the beginning of the digitisation of our world, when people immediately began to store data on various external physical media, such as tapes or CDs, before putting them in a safe. However, we now have to take into account the issues inherent in the Cloud and the need for companies to comply with the various regulations in force in Europe and Luxembourg".
Understanding business needs and backup issues
"Luxembourg has a different context to its European neighbours," explains Franck Lartigue. "Obviously, every company has to comply with European regulations such as the GDPR or the DORA regulation, the countdown to which has already started. However, the Grand Duchy does not limit itself to applying EU regulations on its soil, as the country has its own regulatory bodies. The CSSF, for example, imposes a certain degree of vigilance in terms of resilience and backup, which includes measures to protect personal data. Any company, whatever its size, must have in its possession the necessary means to continue its business and be able to guarantee to its customers that it has the capacity to do so".
"It is vital for a company to understand where its MVC, or Minimum Viable Company, lies", Franck Lartigue goes on to say. "What are the most crucial elements? What is the scope of the business needs that will enable the organisation to be quickly re-established after a cyber-attack or other incident with a similar impact? Not all data is created equal, which is why it is essential to classify the company's data and applications. To do this, we can rely on a service that can provide advice and build a BIA - or Business Impact Analysis".
"When restoring data, the notions of RPO - Recovery Point Objective - and RTO - Recovery Time Objective - are the main factors behind the actions, as you need to define how far back you need to go and how quickly. It is essential to understand these parameters to be able to restore company data effectively and minimise the impact of data loss," he adds.
The right backup for the right use case
"Backups are an essential aspect of any data protection strategy. However, they are not omnipotent and have their limitations. A backup cannot cover every type of incident. Knowing the different sources of data in an organisation, such as the Cloud, SaaS services like Microsoft 365 or even the back office, makes it possible to adapt the backup strategy to the requirements of these sources", says Franck Lartigue.
"It is important to emphasise that the backup paradigm has evolved considerably in recent years," adds Alain Eloy. "Previously, we were content to set up a backup of servers and attached disks. Today, that is no longer enough. By adopting a multi-cloud strategy with SaaS, IaaS or PaaS, the implementation of backup solutions logically becomes much more complex since there are more technologies and products to master."
"As storage technologies and media evolve rapidly, we also have to constantly reassess our solutions to keep costs under control, particularly with deduplication to compress back-ups as efficiently as possible. We can also note the use of immutability technologies to make data impervious to any action during a certain period of time and to protect against cyber-attacks." he goes on to say.
According to Alain Eloy: “In the case of the Cloud, the simplest solution is to use an affiliated backup. This backup will also be on the Cloud, but you need to be aware that in the event of a major incident, you will not be the only one wanting to restart your information system. It is therefore wiser to outsource the backup to this Cloud and to have systems capable of reassembling the infrastructure elsewhere. Having an additional external storage space to back up data can provide an extra layer of security in the event of data loss".
"In the past", Franck Lartigue continues, "we used to discuss backup strategies with our customers, focusing on full backups or differential and incremental backups. Nowadays, these discussions are less common and backup tools and policies have evolved. It is essential to back up personal, corporate and other data on reliable backup media to facilitate effective data recovery in the event of data loss."
"However, there is a historical approach - known as the '3-2-1' approach - that should be applied to ensure good management of the data itself. This approach consists of having 3 complete sets of data on 2 different media, one of which is on an outsourced medium or site. It has since evolved into a '3-2-1-0' approach, with the added bonus of ensuring that backups are present and viable, by carrying out regular restore tests. This is a critical and important stage for all the company's stakeholders, from data sets to an employee's individual mailbox."
"It is important to look beyond the purely technological approach," concludes Raphaël Henry, "we need to take an overall view of the company's strategy in terms of the business impact in the event of a crisis, for example. The choice of technological solution comes second. EBRC can support you from start to finish, from strategic thinking to the choice of technology."
