Backing up cloud data should be a priority for any modern business. But if you rely on the Microsoft Azure cloud, as do 95% of the Fortune 500, backup needs to be at the top of your to-do list. There are several reasons for this: 

  • Azure is probably where you are hosting some of your most critical and sensitive data 

  • Your Microsoft 365 productivity application data is on Azure, as are some (or all) of your Microsoft stack systems in the cloud 

  • If you lose your Azure data, your operations are going to take a hit that won’t be easy to get over 

  • Azure’s shared security responsibility model makes backup your responsibility 

Being thorough and secure in backing up Azure, especially virtual machines (VMs) on Azure, can be a challenging proposition. This Azure VM backup guide offers best practices and suggestions on how to leverage third-party backup solutions to achieve the best outcomes. It discusses how to back up Azure VMs, along with how to back up Azure in general.

The benefits of third-party backup for Azure instances

Azure Backups Best Practices 

Azure VM backups are the subject of a growing, evolving set of best practices. Some of these focus on security, which makes sense given how inviting a target backed-up data can be for attackers. Use of a third-party backup tool is also recommended.

Security

In the old days, backing up data meant putting it on tape and stashing those tapes in a salt mine. Unless someone brought in a tractor trailer, your data was pretty well air gapped against malicious actors. 

The cloud is different, to put it mildly. The cloud is sprawling in comparison to conventional storage environments. Your organization might have multiple accounts spanning different geographies and cloud platforms. As a result, your data is exposed through a wide attack surface that requires more resources and expertise to defend. (And, due to the shared security model, those resources and expertise must come from your side, not the cloud provider’s.)

Backed-up data in the cloud is also at risk of breach and exfiltration, and unless you protect it well you remain exposed to that risk. It’s a best practice to apply the same level of security rigor to backups on Azure as you bring to your other critical IT systems.

What does this look like? At a high level, security for Azure backups is part of the overall cloud data protection picture. One factor to pay attention to in securing cloud backups is credential management. Stolen or accidentally revealed credentials are a leading entry point for ransomware attacks. Enabling MFA also helps, as it reduces the possibility that malicious actors can log in from unknown devices. Role-Based Access Control (RBAC) helps, too, by simplifying the process of assigning and revoking access privileges: access is granted on the basis of organizational roles rather than to individuals one at a time.

Additionally, data encryption is strongly recommended for all tiers of storage on Azure. The best practice is to leverage the built-in Azure Key Vault tool to safeguard your cryptographic keys and other secrets you might use as countermeasures to a data breach.

Monitoring, Alerts, and Reporting

Effective backup and restore requires constant awareness of the state of backup jobs. It also requires awareness of potential problems (such as missed workflow steps, outages, or cyberattacks). It is a best practice, therefore, to engage in continuous, thorough monitoring of all affected systems. Monitoring must then follow through with alerts and reports as needed to ensure rapid, appropriate action if the monitoring process picks up a problem.

There are multiple ways to monitor your systems for backup and recovery, and you’re not limited to just one. It may make sense to set up Azure Monitor to stay on top of system usage and backup jobs. Azure Monitor is a multi-faceted solution that collects, analyzes, and responds to monitoring data from cloud and on-premises environments. It collects and aggregates data relevant to backup and recovery. With Azure Monitor, you can be instantly aware of potential issues affecting the state of your backed-up VMs and data.

By reviewing reports and analyzing the monitoring data stream, it is possible to validate user behavior—while also potentially spotting anomalous activity that could suggest a threat or attack in progress. A ransomware attack, for example, might be preceded by users logging in from unusual places or at off-hours. If a monitoring solution catches these suspicious signals quickly enough, it can avert the attack or limit its blast radius.
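As an added example (not code from the original article or from any vendor product), the check described above, flagging sign-ins that happen off-hours or from a country the user has never signed in from before, run over a few constructed sign-in records. The field names, the user names, and the 08:00 to 18:59 UTC working window are assumptions; real input would be an export of sign-in logs or a SIEM query with equivalent fields.

```python
"""Flag off-hours and unseen-location sign-ins for backup-related accounts.

Added example, not part of the original article or any vendor product.
The records below are constructed; the field layout is an assumption."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in records (hypothetical users and countries).
SIGN_INS = [
    {"user": "backup-admin@example.com", "time": "2024-03-04T09:15:00Z", "country": "US", "result": "Success"},
    {"user": "backup-admin@example.com", "time": "2024-03-04T14:40:00Z", "country": "US", "result": "Success"},
    {"user": "backup-admin@example.com", "time": "2024-03-05T10:05:00Z", "country": "US", "result": "Success"},
    {"user": "ops@example.com",          "time": "2024-03-05T09:00:00Z", "country": "US", "result": "Success"},
    # Day 3: a successful sign-in at 02:30 UTC from a country never seen for this user.
    {"user": "backup-admin@example.com", "time": "2024-03-06T02:30:00Z", "country": "RO", "result": "Success"},
    {"user": "ops@example.com",          "time": "2024-03-06T03:10:00Z", "country": "US", "result": "Failure"},
    {"user": "ops@example.com",          "time": "2024-03-06T11:00:00Z", "country": "US", "result": "Success"},
]

# Assumed working hours, in UTC: 08:00 through 18:59.
BUSINESS_HOURS = range(8, 19)


def _parse(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as aware UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(records, before):
    """Map each user to the set of countries they successfully signed in from
    strictly before `before`. Failed attempts do not contribute to the baseline."""
    seen = defaultdict(set)
    for r in records:
        if r["result"] == "Success" and _parse(r["time"]) < before:
            seen[r["user"]].add(r["country"])
    return seen


def find_anomalies(records, baseline_until):
    """Return (user, time, reasons) for every sign-in at or after `baseline_until`
    that is off-hours and/or comes from a country missing from that user's baseline.
    Failed attempts are evaluated too, since a burst of off-hours failures is
    itself a signal worth an alert."""
    cutoff = _parse(baseline_until)
    baseline = build_baseline(records, cutoff)
    findings = []
    for r in records:
        t = _parse(r["time"])
        if t < cutoff:
            continue
        reasons = []
        if t.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if r["country"] not in baseline.get(r["user"], set()):
            reasons.append(f"new country {r['country']}")
        if reasons:
            findings.append((r["user"], r["time"], reasons))
    return findings


if __name__ == "__main__":
    for user, when, why in find_anomalies(SIGN_INS, "2024-03-06T00:00:00Z"):
        print(f"ALERT {when} {user}: {', '.join(why)}")
```

In this run the baseline is everything before the start of 6 March; the two flagged events are the 02:30 sign-in from a new country and the 03:10 failed attempt, while the 11:00 sign-in passes. The point of the split between baseline and evaluation window is that "unusual" is always relative to what that user normally does, which is why per-user history, not a global allowlist, drives the check.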

Native vs. Third-Party Backup

Azure has its own backup functions, but a third-party backup solution may be preferable. While Azure’s built-in backup offers some advantages (breadth of workload coverage, relative ease of use, and the simplicity of a single vendor relationship), it comes with some inherent limitations. 

Native backup tools such as Azure’s can make it difficult to get a baseline backup. It can be operationally complex to set policies across multiple accounts. These tools tend to lack centralized visibility for multi-cloud architectures, and may lead to inconsistent policy definitions and enforcement. At a higher level, native backup tools may be less than economical, with poor storage tiering and inefficient deduplication, among other sub-optimal cost factors.

A third-party backup solution fills in many of these gaps. It generally enables lower total cost of ownership (TCO), partly as the result of simplified administration of multiple Azure accounts and regions, as well as unified management and pervasive visibility of backups across multiple cloud and on-premises VMs. A third-party solution also reduces TCO by storing backup data in cold storage from day 1, which is cheaper. In contrast, Azure Backup requires that you store in hot storage for 30 days, which is twice as expensive as cold storage.

A third-party backup solution, such as Rubrik Security Cloud, also includes security features like data threat analytics and immutable backups that together form a countermeasure against ransomware. Rubrik’s Azure backup solution offers distinct advantages for the Azure environment, e.g., purpose-built backup functionality for Azure SQL, Azure VMs, Azure NetApp Files, and more.

What to Look for in an Azure Backup Vendor

The right Azure backup vendor will be one that offers specific features for Azure VMs and related Microsoft workloads, but also enables you to work across multiple clouds and on-premises infrastructure through a “single pane of glass” management interface. It should enhance backup security through immutability, Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), ransomware detection, and air-gapped backups, along with fast restore and fast RTOs and RPOs. Having a “cold storage” option is also essential for keeping total cost of ownership (TCO) as low as possible. 

Management Simplicity via Policy-Driven Automation

A suitable Azure backup solution should keep backup management simple through automation. The solution should be able to automate processes like tiering Azure VMs and Managed Disks, for example. Automated discovery of Azure VMs is also a plus, especially if the solution can deliver policy-driven automation. An example might be automated tagging of resources in a resource group.

Additionally, the ability to create service level agreements (SLAs) using declarative statements is a big plus for an Azure backup vendor. As exemplified by Rubrik’s SLA Domain construct, the declarative statement stands in contrast to the conventional “imperative” mode of adhering to SLAs. An imperative approach outlines a series of steps that admins must follow to meet a backup SLA, a process that inevitably becomes cumbersome and inefficient. A declarative statement instead sets a goal, such as an RTO, and leaves the scheduling to the solution. It’s a “set it and forget it” way to do backups that meet SLAs, and compliance becomes much simpler as a result. 

Fast Recovery for Near-zero RTOs and RPOs

When there is a data loss event of any kind on Azure, rapid recovery is an absolute imperative. The best Azure backup vendor will be one that can selectively restore the most-needed Azure VMs and other data at scale. This way, critical data is prioritized for the fastest restoration—which speeds up a return to normal operations.

Specifically, this means executing the fastest possible Recovery Time Objective (RTO), which is the time that elapses between the start of an event and the recovery of affected Azure VMs and related files. In addition, the solution needs to enable the narrowest possible Recovery Point Objective (RPO). The RPO is the point in time up to which data can be recovered after an outage; anything written after it, such as the most recent transaction in a series, is lost. An effective Azure backup solution will deliver near-zero time RTOs and RPOs.
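To make the declarative SLA idea from the previous section and the RTO/RPO definitions above concrete, here is an added example (not code from the original article and not Rubrik’s SLA Domain engine or any vendor implementation). It states an SLA as goals only (a maximum RPO and a minimum retention period), checks a constructed list of recovery points against those goals, and computes the RPO and RTO actually realised for a constructed incident. The SLA values, timestamps and function names are assumptions.

```python
"""Check recovery points against a declaratively stated SLA and compute the
achieved RPO and RTO for an incident.

Added example, not from the original article or any vendor's SLA engine.
All SLA values and timestamps are constructed."""
from datetime import datetime, timedelta


def _ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Declarative SLA: it states the goal, not the steps (hypothetical values).
SLA = {
    "max_rpo": timedelta(hours=4),      # never more than 4 h of data at risk
    "min_retention": timedelta(days=7), # oldest point must reach back 7 days
}

# Constructed recovery-point timestamps for one VM, oldest first.
RECOVERY_POINTS = [
    "2024-03-01T00:00:00Z", "2024-03-01T04:00:00Z", "2024-03-01T08:00:00Z",
    "2024-03-01T12:00:00Z",
    "2024-03-01T18:30:00Z",  # a 6.5 h gap: one scheduled job was missed
    "2024-03-01T22:00:00Z",
]


def achieved_rpo(points):
    """Largest gap between consecutive recovery points, i.e. the worst-case
    window of data that could be lost if a failure hits just before a point."""
    ts = sorted(_ts(p) for p in points)
    return max((b - a for a, b in zip(ts, ts[1:])), default=timedelta(0))


def rpo_violations(points, max_rpo):
    """List (previous_point, next_point, gap) for every gap exceeding max_rpo."""
    ts = sorted(_ts(p) for p in points)
    return [(a.isoformat(), b.isoformat(), b - a)
            for a, b in zip(ts, ts[1:]) if b - a > max_rpo]


def retention_ok(points, min_retention, now):
    """True if the oldest retained point covers the required retention window."""
    oldest = min(_ts(p) for p in points)
    return _ts(now) - oldest >= min_retention


def data_loss_window(points, failure_time):
    """RPO realised for one incident: time from the last good recovery point
    at or before the failure to the failure itself. None if no point precedes it."""
    before = [_ts(p) for p in points if _ts(p) <= _ts(failure_time)]
    if not before:
        return None
    return _ts(failure_time) - max(before)


def achieved_rto(failure_time, restored_time):
    """RTO realised for one incident: failure start to service restored."""
    return _ts(restored_time) - _ts(failure_time)


def evaluate(points, sla, now):
    """Compliance verdict against the declarative SLA as of `now`."""
    return {
        "rpo_met": achieved_rpo(points) <= sla["max_rpo"],
        "violations": rpo_violations(points, sla["max_rpo"]),
        "retention_met": retention_ok(points, sla["min_retention"], now),
    }


if __name__ == "__main__":
    verdict = evaluate(RECOVERY_POINTS, SLA, "2024-03-10T00:00:00Z")
    print("RPO met:", verdict["rpo_met"], "| violations:", verdict["violations"])
    print("retention met:", verdict["retention_met"])
    # Constructed incident: failure at 14:00, VM restored by 14:25.
    print("data lost:", data_loss_window(RECOVERY_POINTS, "2024-03-01T14:00:00Z"))
    print("RTO:", achieved_rto("2024-03-01T14:00:00Z", "2024-03-01T14:25:00Z"))
```

With these inputs the 12:00 to 18:30 gap breaches the 4-hour RPO goal even though every other interval is fine, which is exactly the kind of single missed job that a declarative check surfaces and an imperative run-book tends to hide. The constructed incident at 14:00 loses two hours of data (last good point at 12:00) and is restored in 25 minutes.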

Application Mobility for Cost-Effective Long-Term Retention, Application Recovery, or Test/Dev

If your goal is long-term retention and application recovery, it pays to work with an Azure backup vendor that offers application mobility. You might want, for example, to move a VM from Azure to Amazon Web Services (AWS), or to move an app from dev to test to production. This process may involve quickly replicating data between the clouds, and the vendor should support that process. Simple, unified management across clouds is essential for success.

Data Threat Analytics

Are attackers going after your backed-up Azure VMs? The right Azure backup vendor will help you figure that out—before it’s too late—by providing data threat analytics capabilities. Data security requires nonstop vigilance. For example, your backup solution should continuously scan backed-up data for threat signatures. Ideally it can also engage in threat hunting, which means looking for specific threats proactively rather than waiting for them to manifest as attacks. If the solution discovers a threat, it should send alerts to the people tasked with threat mitigation.

Native Protection of Virtual Workloads and SaaS Applications Running on Azure

A third-party Azure backup solution should ideally cover Software-as-a-Service (SaaS) applications such as Microsoft 365. This means SaaS data protection at scale, including safeguarding SaaS data with logically air-gapped, access-controlled backups and rapid restoration. Centralized backup/restore management functionality, complete with an intuitive dashboard, helps realize this capability.

FAQ