A Guide to Backup Retention Policy Best Practices

When thinking about your strategy around backups, recovery, availability, and business continuity, one part of the plan tends to fall by the wayside: backup retention. We focus so much on things like recovery objectives, SLAs, and tiers of data that our thinking revolves around the need to recover a backup within minutes of making it.

But there are data sets that need to be available weeks, months, or even years after they are made. And while your backup certainly doesn’t replace an archive (in the case of email), it does serve as a means to retain easily accessible data for extended periods of time.

What is a backup retention policy?

A backup retention policy is a rule, or group of rules, that a company sets to specify what data it needs to store, where it should be stored, and for how long in order to comply with both legal and business requirements. On top of this, it should also set guidelines on archiving, storage formats, and how the data is accessed and encrypted over its lifecycle. Different industries will face very different legal guidelines, with some also requiring that data must be deleted after a set period of time. Having a solid data retention policy in place not only ensures a business complies with any legal requirements, but also allows it to balance its data retention needs against the resulting additional cost of data storage.




Defining your backup retention policies

There are a few initial considerations in the mix when you begin down the path of establishing retention policies.

  • The Data
    Not all data is “retention worthy.” Take this blog, for instance. It’s not likely that it will be needed five years from now. But much of your corporate data—intellectual property, email/correspondence, financials—may be necessary for tax/legal or even advanced analytics.
  • Compliance Mandates
    Many mandates establish the need for retention periods for certain kinds of data. For example, the general recommendation for covered entities under HIPAA is to retain healthcare records for 10 years. While most don’t specify certain durations, there are widely accepted timeframes for most mandates.
  • Legal
    Some companies only want to retain data for short durations (e.g. 90 days) to maintain an ability to recover, but not longer—as it may increase their liability.
  • Local Storage
    While we live in a world where storage is a cheap commodity, it isn’t without any cost. Beyond the price, there is the time required to procure, configure, manage, update and retire storage. Managed IT service providers that are trying to run profitable businesses may find themselves faced with hard choices: either limit backup retention, which can introduce unseen security risks, or spend more and more money on storage.
  • Cloud storage
    Storing backup copies in the cloud puts them out of the reach of ransomware that may attack your local network. Whether your cloud storage is primary or secondary, it’s important to factor in this cost as well. For real savings, choose a cloud-first data protection solution that doesn’t charge extra for longer cloud retention.

The outcome of all these considerations is a list of identified data sets—each with their own retention periods—that now need to be protected.

Best practices for backup retention policies

When it comes to creating a backup retention policy, MSPs and IT admins should take a number of key factors into consideration. This is not an exhaustive list of best practices, but your policy should include the following steps:

  1. Analyze the regulations around data storage and retention in your industry and ensure you comply.
  2. Classify your data properly: You need to fully understand your data in order to store it correctly and plan effectively. Your data will likely break down into three areas: data you need to store for compliance; data you need to store because it’s valuable for your business; data that is public and/or confidential. Each one will likely need to be treated slightly differently.
  3. Understand your data lifecycles: Not all data should be stored for the same period, so once you’ve classified your data, make sure you set out how this affects each category in your retention policy.
  4. Make sure you know what type of backup you are going to do: Full backups (all existing files) are extremely time consuming and ideally should only need to be done once; incremental backups (all changes since the last backup) are less so, but still need to be kept to a sensible size so as to not eat up your bandwidth.
  5. Decide when and how often you’re going to back up: This will depend on your Recovery Point Objectives (RPO), but if you are using traditional image-based backup tools, you may need to schedule backups for when the organization has the most available bandwidth. If you’ve modernized to a cloud-first backup architecture, this will be much less of an issue.
  6. Make sure you build in a plan to test your backups. A backup is worthless if you can’t restore from it. Modern tools include automated recovery testing and screenshot verification features that can save time. 

Implementing your backup retention policies

Most backup solutions have an ability to retain specific backups with the simple check of a box. The challenge here is that you must look at your current backup strategy, identifying whether you need to modify it to align with your retention strategy in two ways:

  1. Backup Data Sets
    Since you only want to retain specific data, you need to see if your backup definitions are much broader (e.g. you may have an entire file server backed up at once, when all that needs to be retained is one folder). You may need to either modify the backup job definition or create an additional job just for retention.
  2. Backup Type
    The current backup may be image based, and you need it to be file based. Additionally, you may have relied on a chain-based backup storage method, which can lead to big problems down the road if a failed or corrupted backup breaks a link in the chain. Chain-free journal-based backup structures tend to be more reliable over the long term.   
  3. Backup Frequency
    Since the data requiring retention tends to be pretty important, you may have it backed up every hour (or even more frequently). But for long-term retention, you may want to designate a graduated schedule of backups to keep, deleting the others. For example, you may want to keep daily backups for the current month, weekly backups for the current quarter, and monthly backups for the current year.
    For those using Cove Data Protection, the backup retention period can be modified at a profile or device level.
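
The graduated schedule in item 3, worked through as an added example (not code from N‑able or Cove Data Protection). The names `plan_retention` and `sample_backups` are hypothetical, and two choices are assumptions that go beyond the text: the latest backup in each bucket is the one kept, and the newest existing backup is never pruned, so a month or year rollover cannot empty the set.

```python
from datetime import datetime, timedelta

def _quarter(ts):
    return (ts.month - 1) // 3

def plan_retention(backups, now):
    """Split backup timestamps into (keep, prune): daily for the current month,
    weekly for the current quarter, monthly for the current year."""
    buckets = {}
    for ts in sorted(set(backups)):       # ascending: the latest in a bucket wins
        if ts > now:
            key = ("future", ts)          # clock skew or running job: never prune
        elif ts.year != now.year:
            continue                      # outside the schedule
        elif ts.month == now.month:
            key = ("daily", ts.date())
        elif _quarter(ts) == _quarter(now):
            iso_year, iso_week, _ = ts.isocalendar()
            key = ("weekly", iso_year, iso_week)
        else:
            key = ("monthly", ts.month)
        buckets[key] = ts
    keep = set(buckets.values())
    past = [ts for ts in backups if ts <= now]
    if past:
        keep.add(max(past))               # assumption: always hold the newest backup
    return sorted(keep), sorted(set(backups) - keep)

def sample_backups():
    """Constructed sample: one backup a day at 02:00 from 2023-12-01 to
    2024-05-15, plus a second run on 2024-05-14 at 14:00."""
    start = datetime(2023, 12, 1, 2, 0)
    daily = [start + timedelta(days=i) for i in range(167)]
    return daily + [datetime(2024, 5, 14, 14, 0)]

if __name__ == "__main__":
    keep, prune = plan_retention(sample_backups(), datetime(2024, 5, 15, 12, 0))
    print(f"keep {len(keep)}, prune {len(prune)}")
    for ts in keep:
        print("  keep", ts.isoformat(sep=" "))
```

Run just after midnight on 1 January against a set that only holds December backups, the calendar windows alone would select nothing; the newest-backup rule is what leaves one restorable copy. Data sets under a compliance mandate need their own, longer schedule rather than this one.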

Keep in mind that not all data identified for retention will have the same backup retention policy. Retention duration and backup frequency may differ from set to set. The important work will be done in identifying what’s going to be needed by the organization years from now, and planning your backup strategy (and investment) to facilitate a smooth and full recovery when the time comes. 


Carrie Reber is senior product marketing manager for N‑able.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
