Chapter 74 Β· Examples

Backups β€” Worked Examples

Stolen backup tapes and why encryption matters, snapshot incremental progression, replication vs. backup in a ransomware scenario, journaling preventing corruption, and a comprehensive backup strategy design.

Example 1: The Stolen Backup Tapes β€” Why Encryption Matters

A law firm backs up client files, financial records, and case documents to LTO tape nightly. Tapes are transported weekly to a third-party off-site storage facility in a nearby city. An employee places Friday's backup tapes in their car trunk for transport Monday morning. Over the weekend, the car is broken into. The tapes are stolen.

Scenario A β€” Unencrypted Tapes
The stolen tapes contain plaintext copies of all client files, case notes, financial records, billing data, and authentication credential databases from the past week. Any person or organization with a compatible tape drive can read the data immediately. The law firm has experienced a reportable data breach affecting hundreds of clients. They must notify affected parties, engage legal counsel, potentially face bar association disciplinary action, and may face civil liability. Cost: estimated $2M+ in breach response, legal fees, and reputational damage.
Scenario B β€” Encrypted Tapes
The stolen tapes contain only encrypted ciphertext. Without the recovery key (which is stored separately in the firm's key management system, not on the tapes themselves), the data is completely unreadable. The firm has lost physical media β€” a nuisance and a cost β€” but has experienced no data breach. No client notification is required. The IT team orders replacement tapes and re-runs the backup. Total impact: one week's worth of tape media, $400.
The Key Management Detail
Encryption only helps if the recovery key is stored separately from the media. Storing the decryption key in a file on the same tape that's encrypted is no protection. The firm stores recovery keys in an HSM (Hardware Security Module) at the primary office and a copy in a password manager accessible to the CISO. The key is never transported with the tape media.
Backup encryption converts a media theft event from a data breach (legal liability, notification costs, reputational damage) into a media replacement event (cost of the tapes). The same logic applies to cloud backups: encryption ensures that even if the cloud provider is breached or an insider accesses the storage, the data remains unreadable.
Example 2: Snapshot Incremental Progression β€” Monday Through Wednesday

A web server VM is configured with 1 TB of allocated storage. Initially, 100 GB of data is in use. Daily snapshots are automated.

Daily Snapshot Contents
Monday Snapshot
100 GB
All Data
Storage used: 100 GB
Full initial capture
Tuesday Snapshot
60 GB
Unchanged
40 GB
Changed
Storage used: 40 GB
Delta only
Wednesday Snapshot
60 GB Unchanged
40 GB Changed
20 GB New
Storage used: 20 GB
Delta only

Total storage across all three snapshots: 160 GB (100 + 40 + 20) vs. 320 GB if full copies were taken every day. To restore to Tuesday's state: apply the Monday snapshot, then apply Tuesday's delta. To restore to Wednesday's state: apply Monday + Tuesday + Wednesday. To restore to Monday's state: apply Monday only.

Incremental snapshots capture only the changes since the previous snapshot, making daily backups of large VMs practical. The storage efficiency is significant β€” but the restore process must apply each delta in sequence, so the initial full snapshot must be preserved.
Example 3: Replication vs. Backup β€” Ransomware Exposes the Difference

Two identical retail companies are hit by ransomware at 9 AM on a Tuesday. Company A relies exclusively on replication for data protection. Company B uses both replication and nightly backups.

Company A β€” Replication Only
Ransomware begins encrypting files on the file server at 9:00 AM. Replication is running continuously. By 9:04 AM, the replicated site has received and applied all 4 minutes of encrypted files β€” overwriting the good unencrypted versions. By 9:12 AM when the security team detects the attack and isolates the systems, the replicated site contains the same encrypted garbage as the primary. Both locations are equally destroyed. Company A has no good copy of the data anywhere. They must pay the ransom or accept total data loss. Estimated recovery cost: $3.5M.
Company B β€” Replication + Nightly Backups
The same ransomware attack begins at 9:00 AM. The replicated site also receives encrypted files within minutes. However, Company B's nightly backup at 1:00 AM captured the file server in a clean, unencrypted state. The backup is stored off-site and was not reached by the ransomware (which was isolated to the primary network). By 11:30 AM, Company B has isolated the infected systems, identified the 1:00 AM backup as the last known-good copy, and begun restoring to a clean environment. Data loss: approximately 8 hours (1 AM to 9 AM). Recovery cost: $180,000 in incident response and staff time.

The lesson: Replication and backup serve different purposes. Replication provides fast recovery from infrastructure failures (server dies, datacenter loses power). Periodic backups provide recovery points that predate a corruption event (ransomware, accidental mass deletion). Neither alone is sufficient; both together cover the full threat landscape.

Replication propagates all changes β€” including malicious ones β€” in near-real-time. This is its strength for infrastructure recovery and its weakness against data corruption attacks. Point-in-time periodic backups are the defense against ransomware; replication cannot replace them.
Example 4: Journaling Preventing a Backup Restore

A hospital database server is writing a batch of 2,000 lab result records when the building experiences a brief power outage. The UPS keeps the server running long enough to spin down gracefully β€” or so the team hopes. In the morning, the database application fails to start.

Without Journaling (Legacy Scenario)
The database was writing record #1,847 when power failed. The data blocks for records 1-1,846 were written; record 1,847 is half-written; records 1,848-2,000 were never written. The database index now references records that do not exist, and the file system metadata is inconsistent. The database refuses to start. The DBA must restore from the previous night's backup. Records from all patient lab results entered since 10 PM are lost. Clinical staff must re-enter 6 hours of data from paper records β€” a 4-hour manual process with risk of transcription errors. Patient care decisions may have been made on incomplete data.
With Journaling (Modern Database)
The database was writing record #1,847 when power failed. The journaling system had already written the intended operation for this batch to the transaction log. At startup, the database engine checks the journal log, finds the incomplete operation, and replays it β€” completing records 1,847 through 2,000 automatically as part of the startup sequence. The database starts normally. All 2,000 records are present and correct. Clinical staff begins their morning shift with complete data. No restore from backup required. No data loss.
Journaling eliminates backup restores for interrupted write scenarios β€” the most common cause of database corruption. Modern databases and file systems include journaling as a standard feature precisely because power interruptions are common and restore-based recovery from them is expensive and lossy.
Example 5: Comprehensive Backup Strategy β€” Financial Services Firm

A mid-sized investment firm designs a complete backup strategy across all six planning dimensions for its two critical systems: the trading database (high-change, mission-critical) and the compliance document archive (low-change, long-retention).

Trading Database β€” High-Change, Mission-Critical (RPO: 15 minutes)
Type: Transaction log backups every 15 minutes + full backup nightly
Replication: Continuous replication to secondary data center for hot standby
On-site: Local NAS for fast restore; 7-day rolling retention
Off-site: Secondary data center receives replicated data continuously
Cloud: Nightly full backup to encrypted cloud storage; 90-day retention
Encryption: All media and cloud storage encrypted with AES-256; keys in HSM
Recovery testing: Monthly restore test to isolated test environment; quarterly full DR simulation
Compliance Document Archive β€” Low-Change, 7-Year Retention (RPO: 24 hours)
Type: Daily incremental backup + monthly full backup
On-site: NAS with 30-day rolling daily incremental retention
Off-site: Monthly full backup shipped to tape vault (WORM tapes for compliance); 7-year retention
Cloud: Daily incremental to cloud with object lock (immutable); prevents ransomware from modifying cloud copies
Encryption: All tapes and cloud storage encrypted; compliance requires keys escrowed with legal counsel
Recovery testing: Quarterly spot-check restore of 10 random documents; annual full archive restore drill
Strategy Summary
The trading database uses multiple layers (replication + hourly logs + cloud) because each failure mode requires a different solution: replication for infrastructure failure; periodic backups for ransomware; cloud for site disaster. The archive uses simpler tiered backups because changes are infrequent and fast recovery is less critical β€” but immutability and 7-year retention are non-negotiable for compliance. Both systems use encryption as a baseline requirement.
A complete backup strategy is tailored to each system's RPO, data change rate, retention requirements, and threat model. No single backup method covers all scenarios β€” resilient organizations layer on-site, off-site, cloud, replication, and encryption to cover the full range of failure modes.