Domain 3: Security Architecture Module 26 of 61

Backup Strategies and Disaster Recovery

Security+ Domain 3 — Security Architecture B — Data Protection and Resilience 14–17 minutes

What the Exam Is Really Testing

How many organizations have discovered their backups were useless only after a disaster struck? More than you would think. The backup ran every night. The logs said "success." But nobody ever tried to restore from it — and when they finally had to, the data was corrupted, incomplete, or months out of date.

A backup that has never been tested is not a backup — it is a hope. Recovery confidence comes from regular testing, not from the existence of backup files.

The exam expects you to know the practical tradeoffs between backup types, understand how recovery works for each one, and recognize that testing is not optional — it is what separates a real backup strategy from a false sense of security.


Backup Types

The exam tests four backup strategies. Understanding the tradeoffs between backup speed, restore speed, and storage requirements is essential.

Full Backup

Copies all data regardless of whether it has changed since the last backup.

  • Backup speed: Slowest (copies everything)
  • Restore speed: Fastest (single backup set to restore)
  • Storage: Most storage required
  • Best for: Baseline backups, small data sets, situations where restore speed is critical

Incremental Backup

Copies only data that has changed since the last backup of any type (full or incremental).

  • Backup speed: Fastest (only changes since last backup)
  • Restore speed: Slowest (requires the last full backup plus every incremental backup since)
  • Storage: Least storage required
  • Best for: Environments with limited backup windows and tight storage budgets

Differential Backup

Copies all data that has changed since the last full backup.

  • Backup speed: Moderate (grows larger each day as more changes accumulate)
  • Restore speed: Moderate (requires the last full backup plus only the most recent differential)
  • Storage: Moderate
  • Best for: Balancing backup speed and restore speed

The critical distinction for the exam:

Incremental backs up changes since the last backup of any type. Differential backs up changes since the last full backup. This difference determines how many backup sets you need to restore.
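As an added example (not part of the original module), the Python below simulates the three backup types over a constructed week and computes the restore chain for a failure on Thursday, the schedule used in Question 1 of the practice section. File names, contents and day labels are constructed, deletions are not modelled, and the chain rule is the general one of which the text shows two cases: last full, then the latest differential if any, then every incremental taken after that.

```python
from dataclasses import dataclass

@dataclass
class BackupSet:
    day: str
    kind: str    # "full", "incremental" or "differential"
    files: dict  # file -> content copied into this set

def run_schedule(schedule, changes):
    """Simulate a rotation. schedule: ordered (day, kind) pairs; changes: day -> files
    written that day (deletions are not modelled). Returns the backup sets in order."""
    live, last_full, since_last, sets = {}, {}, {}, []
    for day, kind in schedule:
        live.update(changes.get(day, {}))
        since_last.update(changes.get(day, {}))
        if kind == "full":
            copied, last_full = dict(live), dict(live)
        elif kind == "incremental":   # changes since the last backup of ANY type
            copied = dict(since_last)
        else:                         # differential: changes since the last FULL backup
            copied = {f: c for f, c in live.items() if last_full.get(f) != c}
        since_last = {}
        sets.append(BackupSet(day, kind, copied))
    return sets

def sets_needed(sets, fail_day):
    """Sets required to restore to the end of fail_day, in apply order: the last full,
    then the latest differential (if any), then every incremental taken after it."""
    upto = sets[:[s.day for s in sets].index(fail_day) + 1]
    full_i = max(i for i, s in enumerate(upto) if s.kind == "full")
    diffs = [i for i, s in enumerate(upto) if i > full_i and s.kind == "differential"]
    start = diffs[-1] if diffs else full_i
    chain = [upto[full_i]] + ([upto[start]] if diffs else [])
    return chain + [s for s in upto[start + 1:] if s.kind == "incremental"]

def restore(chain):
    """Apply the sets in order; a later set overwrites older copies of the same file."""
    restored = {}
    for s in chain:
        restored.update(s.files)
    return restored

# Constructed week: Sunday full, one file written per day, failure on Thursday afternoon.
CHANGES = {"Sun": {"base.txt": "v0"}, "Mon": {"a.txt": "1"}, "Tue": {"b.txt": "1"},
           "Wed": {"a.txt": "2"}, "Thu": {"c.txt": "1"}, "Fri": {"b.txt": "2"}}
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
INCREMENTAL = [("Sun", "full")] + [(d, "incremental") for d in DAYS[1:]]
DIFFERENTIAL = [("Sun", "full")] + [(d, "differential") for d in DAYS[1:]]
```

Running `sets_needed(run_schedule(INCREMENTAL, CHANGES), "Thu")` yields five sets (Sunday through Thursday), while the differential plan needs only Sunday plus Thursday, and both restore to the same file contents.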

Snapshot

A point-in-time copy of a system's state. Snapshots capture the entire state of a virtual machine, storage volume, or file system at a specific moment.

  • Created almost instantly
  • Often stored on the same storage system (not a true offsite backup)
  • Useful for quick rollback before changes (patching, upgrades)
  • Should not be used as the sole backup strategy — they are not a substitute for proper backups stored separately

Replication

Replication copies data to another location in real-time or near-real-time. Unlike backups that create periodic copies, replication maintains a continuously updated copy.

Synchronous Replication

Data is written to both the primary and replica simultaneously. The write is not confirmed until both locations acknowledge it.

Advantage: zero data loss (RPO of zero). Disadvantage: increased latency because every write waits for two confirmations. Limited by network distance.

Asynchronous Replication

Data is written to the primary first, then replicated to the secondary with a slight delay.

Advantage: no latency impact on primary operations. Works over long distances. Disadvantage: the delay means some recent data may be lost if the primary fails (RPO greater than zero).


Journaling

Journaling records every change made to data in a transaction log (journal) before the change is applied. If a system crashes during a write operation, the journal enables recovery to a consistent state.

Used in: file systems (NTFS, ext4), databases (transaction logs).

Security benefit: prevents data corruption from incomplete writes. The system can replay the journal to complete or roll back interrupted transactions.
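An added example, not from the module: a toy write-ahead journal in Python. Each WRITE record carries the old and new value and is logged before the store is touched, so recovery can redo committed transactions and undo the one the crash interrupted, which is the "complete or roll back" behaviour described above. The journal text, keys and the on-disk state at crash time are all constructed.

```python
# Constructed write-ahead journal. Every WRITE is "<tid> <key> <old> <new>" and is appended
# BEFORE the store is modified; the crash hit during transaction 3, so there is no COMMIT 3.
JOURNAL = """\
BEGIN 1
WRITE 1 alice 0 100
WRITE 1 bob 0 50
COMMIT 1
BEGIN 2
WRITE 2 alice 100 70
WRITE 2 bob 50 80
COMMIT 2
BEGIN 3
WRITE 3 alice 70 0
"""
# Constructed on-disk state at crash time: transaction 3's first write already landed.
DISK_AT_CRASH = {"alice": 0, "bob": 80}

def parse_journal(text):
    """Group journal records by transaction id, keeping first-seen order."""
    txns = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        op, tid = parts[0], parts[1]
        entry = txns.setdefault(tid, {"writes": [], "committed": False})
        if op == "WRITE":
            key, old, new = parts[2], int(parts[3]), int(parts[4])
            entry["writes"].append((key, old, new))
        elif op == "COMMIT":
            entry["committed"] = True
    return txns

def recover(text, disk_state):
    """Redo committed transactions (idempotent) and undo uncommitted ones in reverse
    write order. Returns (consistent_store, rolled_back_tids)."""
    store = dict(disk_state)
    rolled_back = []
    for tid, entry in parse_journal(text).items():
        if entry["committed"]:
            for key, _old, new in entry["writes"]:
                store[key] = new
        else:
            for key, old, _new in reversed(entry["writes"]):
                store[key] = old
            rolled_back.append(tid)
    return store, rolled_back
```

`recover(JOURNAL, DISK_AT_CRASH)` returns `({'alice': 70, 'bob': 80}, ['3'])`: the half-applied transfer is backed out and the balances again sum to 150, the consistent state the last COMMIT left behind.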


Disaster Recovery Testing

Backups and recovery plans are worthless if they do not work when needed. The exam tests four types of DR testing, ranging from least disruptive to most realistic:

Tabletop Exercise

A discussion-based exercise where participants walk through a disaster scenario verbally. No actual systems are affected.

  • Least disruptive and least expensive
  • Tests the logic and completeness of the plan
  • Identifies gaps in roles, responsibilities, and procedures
  • Does not validate technical recovery capabilities

Simulation

A more detailed exercise that simulates a disaster scenario without actually disrupting production systems. Participants perform their assigned tasks but in a controlled environment.

  • Tests individual team members' knowledge of their roles
  • More realistic than a tabletop but still does not affect production
  • May use sandbox or test environments

Parallel Processing

Recovery systems are brought online and tested alongside production systems. Production remains unaffected while the recovery environment is validated.

  • Verifies that backup data can be restored to a functional state
  • Tests recovery procedures without risking production downtime
  • More expensive and resource-intensive than simulations

Failover Testing

Production workloads are actually switched to the recovery site. This is the most realistic test because it validates the entire recovery process under real conditions.

  • Most disruptive and most expensive
  • Highest confidence that recovery will work during an actual disaster
  • Risk of causing actual downtime if the failover fails
  • Typically scheduled during maintenance windows

The exam often presents scenarios asking which test type is most appropriate based on the organization's risk tolerance, budget, and desired confidence level.


Power Resilience

Power failures are one of the most common causes of system outages. Power resilience protects against outages at multiple levels:

Uninterruptible Power Supply (UPS)

Battery-powered device that provides immediate backup power when the primary power source fails. A UPS provides minutes of power — enough to complete a graceful shutdown or bridge the gap until generators start.

Types:

  • Online (double-conversion) — Continuously runs from battery power while charging. Zero transfer time. Best protection.
  • Line-interactive — Adjusts voltage fluctuations and switches to battery during outages. Brief transfer time.
  • Standby (offline) — Switches to battery when power fails. Slight delay during transfer. Least expensive.

Generators

Provide extended power during prolonged outages. Generators run on diesel, natural gas, or propane and can power a facility for hours or days.

The UPS bridges the gap (seconds to minutes) while the generator starts up (typically 10-30 seconds).

Power Distribution Units (PDUs)

Distribute electrical power to equipment in data centers. Managed PDUs provide monitoring, remote power cycling, and load balancing across circuits.

Security function: PDUs with monitoring can alert administrators to power anomalies before they cause outages.


Onsite vs Offsite and the 3-2-1 Rule

Onsite Backups

Stored at the same location as the primary data. Fast restoration but vulnerable to the same physical threats (fire, flood, theft) as the primary data.

Offsite Backups

Stored at a different geographic location. Protected from local disasters but slower to restore due to data transfer requirements.

The 3-2-1 Rule

An industry-standard backup strategy:

  • 3 copies of your data (the original plus two backups)
  • 2 different types of storage media (disk, tape, cloud)
  • 1 copy stored offsite (different geographic location)

This strategy protects against: hardware failure (multiple copies), media failure (different media types), and site-level disasters (offsite copy).

The exam may present the 3-2-1 rule as the answer when a scenario describes a backup strategy that fails because all copies were stored in the same location or on the same media type.
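An added example (not the module's own material): a small Python check that grades a backup inventory against the 3-2-1 rule. The inventories, copy names and site labels are constructed; the first one is the same-NAS situation from Question 2 in the practice section, with the original counted as one of the three copies as the rule above states.

```python
# Constructed inventories. "location" is the site a copy lives at, "media" its storage type.
SAME_NAS = [  # three copies on one NAS in the server room
    {"name": "nas-copy-1", "media": "disk", "location": "hq-server-room"},
    {"name": "nas-copy-2", "media": "disk", "location": "hq-server-room"},
    {"name": "nas-copy-3", "media": "disk", "location": "hq-server-room"},
]
COMPLIANT = [
    {"name": "primary", "media": "disk", "location": "hq-server-room"},
    {"name": "weekly-tape", "media": "tape", "location": "hq-server-room"},
    {"name": "cloud-vault", "media": "cloud", "location": "cloud-region-b"},
]

def check_321(copies, primary_site):
    """Return the 3-2-1 requirements this inventory fails (an empty list means compliant)."""
    failures = []
    if len(copies) < 3:
        failures.append(f"3 copies: only {len(copies)} present")
    media = sorted({c["media"] for c in copies})
    if len(media) < 2:
        failures.append(f"2 media types: only {media}")
    if all(c["location"] == primary_site for c in copies):
        failures.append("1 offsite copy: every copy shares the primary site")
    return failures

if __name__ == "__main__":
    for label, inventory in (("same NAS", SAME_NAS), ("3-2-1", COMPLIANT)):
        print(label, check_321(inventory, "hq-server-room") or "compliant")
```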


Pattern Recognition

When you see backup and DR scenarios on the exam:

  • Fastest restore needed — The answer involves full backups
  • Minimal storage and backup time — The answer involves incremental backups
  • Balance of backup and restore speed — The answer involves differential backups
  • Zero data loss requirement — The answer involves synchronous replication
  • Testing without disrupting production — The answer involves tabletop, simulation, or parallel processing
  • Highest confidence in recovery — The answer involves failover testing
  • All backups lost in same disaster — The answer involves offsite storage or the 3-2-1 rule

Trap Patterns

Watch for these common traps:

  • Confusing incremental and differential — Incremental backs up since the last backup of any type. Differential backs up since the last full backup. The restore process is different for each.
  • "Snapshots are backups" — Snapshots are point-in-time copies often stored on the same system. They are not a substitute for proper backups stored on separate media or offsite.
  • "We have backups so we are prepared" — Untested backups provide false confidence. The correct answer involves regular testing and validation.
  • "Failover testing is always best" — Failover testing is the most realistic but also the most disruptive and expensive. Tabletop exercises or parallel processing may be more appropriate depending on the scenario.

Scenario Practice


Question 1

An organization performs a full backup on Sunday and incremental backups Monday through Saturday. The system fails on Thursday afternoon.

What is needed to restore the data?

A. Only Thursday's incremental backup
B. Sunday's full backup and Thursday's incremental backup only
C. Sunday's full backup plus Monday, Tuesday, Wednesday, and Thursday incremental backups
D. Sunday's full backup plus the most recent differential backup

Answer & reasoning

Correct: C

Incremental backups capture only changes since the last backup of any type. To restore, you need the last full backup (Sunday) plus every incremental backup in sequence (Monday through Thursday). Each incremental contains only that day's changes.

This is the tradeoff of incremental backups: fast to create, slow to restore.


Question 2

A company stores all three backup copies on the same NAS device in the server room. A fire destroys the server room, including the NAS.

What backup principle was violated?

A. The backups should have been encrypted for confidentiality
B. The 3-2-1 rule was not followed because all copies were in the same location
C. Incremental backups should have been used instead of full backups
D. The backup schedule was not frequent enough for the data volume

Answer & reasoning

Correct: B

The 3-2-1 rule requires at least one copy offsite and two different media types. Keeping all three copies on the same NAS in the same room violates both requirements. A site-level disaster (fire) destroyed all copies because there was no geographic separation.


Question 3

A company wants to verify its disaster recovery plan but cannot afford any production downtime during the test. They want reasonable confidence that recovery procedures work.

What testing method is MOST appropriate?

A. Failover testing with full production cutover
B. Tabletop exercise with discussion-based walkthrough
C. Parallel processing with recovery systems running alongside production
D. Unannounced emergency shutdown of the primary data center

Answer & reasoning

Correct: C

Parallel processing brings recovery systems online and tests them without disrupting production. It provides technical validation that backups can be restored and systems can function, while keeping production running.

Tabletop exercises test the plan's logic but do not validate technical recovery. Failover testing disrupts production.


Key Takeaway

Remember this for exam day:

Backups protect against data loss. Testing protects against false confidence. Power resilience protects against the most common cause of downtime. All three are required.

Before answering any backup or DR question, ask:

  • What backup type matches the RPO and restore requirements?
  • Are backups stored on different media and offsite?
  • Has the recovery plan been tested?
  • What happens when the power fails?

A backup strategy is only as good as the last successful restore test.
