Designing Backup and Disaster-Recovery Systems
A backup is a copy. Disaster recovery is the complete process of using copies, documentation, credentials, people, replacement capacity, and communication to restore a service after a serious failure.
Start with RPO and RTO
Recovery Point Objective
RPO is the maximum acceptable amount of data loss measured in time. An RPO of four hours means the recovery process may legitimately restore data that is up to four hours old.
Recovery Time Objective
RTO is the target time to restore the service after the decision to recover. It must include hardware, transfer, restore, configuration, validation, and customer-facing work.
These objectives should be set per service, not per company. A billing database, a public website, a large archive, and a customer VPS may all need different recovery designs.
| Service | Example RPO | Example RTO | Design implication |
|---|---|---|---|
| Static marketing site | 24 hours | 8 hours | Daily backup and simple redeployment may be sufficient. |
| Shared-hosting server | 24 hours or better | Several hours | Full server rebuild, account restores, DNS, mail, and validation must be rehearsed. |
| Transactional database | Minutes | 1 hour | Requires frequent log shipping, replication, or database-aware backups. |
| Large storage service | Depends on data class | Possibly days | Restore bandwidth and replacement capacity dominate the design. |
Build Multiple Layers
A useful backup architecture separates fast operational recovery from disaster recovery.
Production workload
|
+---- Local snapshot or short-retention copy
| Fast restore from common mistakes
|
+---- Primary backup repository
| Historical backups and routine restores
|
+---- Secondary or off-site copy
Facility loss, ransomware, or repository failure
The 3-2-1-1-0 idea
- 3 copies: Production plus at least two additional copies.
- 2 media or systems: Avoid one technology or administrative failure taking every copy.
- 1 off-site: Protect against facility-scale events.
- 1 offline, immutable, or strongly isolated: Limit destructive access from production credentials.
- 0 unverified errors: Monitor backup jobs and test restores.
The labels are less important than the independence. A production server and a backup VM on the same storage array are two copies but one failure domain.
Back up more than data
- Customer files, databases, mailboxes, and VM disks
- DNS zones and IP assignments
- Hypervisor, switch, firewall, and load-balancer configurations
- Application secrets and encryption keys, stored through an appropriate secure process
- License information and vendor access
- Monitoring rules, alert routes, and dashboards
- Runbooks, diagrams, and inventory
- Billing, support, and customer-contact data
Retention Is a Recovery Feature
Retention should match the ways problems are discovered. A seven-day retention cannot help with quiet corruption found after two weeks, an unnoticed deleted mailbox found after a month, or financial data needed at year end.
Grandfather-father-son style example
| Frequency | Example retention | Use |
|---|---|---|
| Hourly | 24 to 48 copies | Recent application or user errors |
| Daily | 7 to 30 copies | Routine operational recovery |
| Weekly | 4 to 12 copies | Problems discovered after several weeks |
| Monthly | 12 or more copies | Longer-term history and business requirements |
| Annual | Policy-dependent | Legal, financial, or archival requirements |
More retention is not always safer. It increases storage, privacy exposure, and the amount of old compromised or regulated data retained. Define expiration deliberately.
Pruning and garbage collection
Deduplicated systems may separate the removal of backup references from reclamation of underlying storage. Monitor both operations. A prune job can succeed while disk use remains high until garbage collection runs.
Protect the Backup System from Production
Ransomware and administrator mistakes often use legitimate credentials. A backup repository that trusts the same directory, root passwords, and management network as production may be deleted during the same incident.
Independence controls
Identity
Use separate backup credentials, limited service accounts, multi-factor authentication, and an emergency-access process.
Network
Restrict management access, separate data and control paths, and permit only required source-to-repository flows.
Retention protection
Use object lock, immutable snapshots, write-once policies, offline copies, or another control appropriate to the platform.
Administrative separation
Do not let ordinary production automation delete historical backups without an additional boundary.
Encryption changes the recovery plan
Encryption protects backup content, but losing the key converts a healthy backup into unusable data. Keep keys, recovery codes, passwords, and documentation in at least two secure locations. Test recovery using a clean system and the stored materials.
Restore Testing
A successful backup job proves only that a process wrote something to a destination. Restore testing proves that the data is understandable and that the organization can use it.
Test at multiple levels
- File-level restore. Recover a specific customer file to an alternate location and compare it with the expected content.
- Application-level restore. Restore files and database together, then test login, background jobs, and integrations.
- Full VM restore. Boot the VM on an isolated network, validate services, and measure time.
- Bare-metal or platform rebuild. Install a replacement host and restore enough configuration to accept workloads.
- Site-recovery exercise. Assume the primary facility and normal administrative systems are unavailable.
Record evidence
| Field | Example |
|---|---|
| Backup selected | VM 105, nightly snapshot from 2026-07-10 |
| Restore destination | Isolated test cluster, VLAN 390 |
| Start and completion | 01:10 to 02:03 |
| Validation | Boot, database integrity, web login, scheduled-task check |
| Problems | External API credential was not in the application backup |
| Corrective action | Add secret-store recovery to runbook and quarterly test |
Write the Recovery Runbook Before the Disaster
A recovery runbook should be usable by someone who did not design the system. It should identify decisions, not only commands.
Runbook structure
- Incident criteria and who may declare disaster recovery
- Priority order for services
- Required credentials, keys, and vendor contacts
- Replacement compute, storage, network, and IP capacity
- Exact restore sources and retention expectations
- DNS, BGP, NAT, firewall, or proxy changes
- Application validation steps
- Customer and internal communication templates
- Rollback or return-to-primary process
- Post-recovery backup and monitoring steps
Prioritize dependencies
1. Administrative access and communications
2. Core network, DNS, identity, and monitoring
3. Backup catalog / keys / repository access
4. Shared databases and storage services
5. Customer-facing compute and applications
6. Noncritical internal tools
Restoring an application before its DNS, database, secrets, or storage dependencies wastes time. Dependency order should be explicit.
Real-World Recovery Scenarios
Deleted customer account
Restore to a temporary account or alternate directory first. Verify domains, databases, mail, permissions, and ownership before replacing live data.
Failed hypervisor boot disk
Reinstall the host, reconnect storage and networks, restore platform configuration, then restore or re-register guests. Measure how much of the process is documented.
Backup server compromised
Do not trust the repository until the incident scope is known. Use an isolated or secondary copy and rotate credentials before reconnecting production.
Database corruption
Determine when corruption began. A recent backup may contain the same problem. Test older restore points and transaction logs where available.
Facility outage
Decide whether to wait, fail over, or rebuild elsewhere. Consider network routing, public IP portability, DNS TTLs, licensing, and customer communication.
Administrator error
Preserve current state, stop automated changes, identify the last known-good configuration, and use the smallest restore scope that safely resolves the problem.
Backup Program Review
At least quarterly, answer these questions:
- Which backups failed, and were failures acted upon?
- Which systems have never been restored in a test?
- Are backup credentials independent from production?
- Can the largest workload meet its RTO at measured restore speed?
- Are encryption keys and recovery documents accessible during a primary-site outage?
- Have new systems been added without backup policy?
- Has retention grown beyond legal or business need?
- Does the off-site copy share a hidden provider, account, or network dependency?