Backup Study Guide

📖 Core Concepts Backup – a copy of data stored separate from the original to allow restoration after loss, corruption, or accidental modification. Disaster Recovery – using backups (often with an off‑site copy) to restore IT services after a major event. 3‑2‑1 Rule – keep 3 copies of data, on 2 different media types, with 1 copy stored off‑site. Backup Types Full Backup – copies every selected file/bit at a point in time. Incremental Backup – saves only data changed since the last backup (full or incremental). Differential Backup – saves all changes since the last full backup. Reverse Incremental – maintains a current mirror of the source; stored data represents earlier states. Near‑CDP – periodic snapshots (e.g., every 15 min) that let you restore to any snapshot point. Continuous Data Protection (CDP) – records every write as it occurs. Storage Tiers Online – instantly accessible (e.g., internal disks, SAN). Near‑Line – fast but not instant (e.g., tape libraries). Offline – requires manual media loading (e.g., tape in a drawer). Off‑Site – physically separate location for disaster protection. RPO & RTO Recovery Point Objective (RPO) – the oldest acceptable data loss, measured in time. Recovery Time Objective (RTO) – the maximum time allowed to resume normal operations. --- 📌 Must Remember Backup definition: copy stored elsewhere; enables point‑in‑time restoration. 3‑2‑1 rule: 3 copies, 2 media types, 1 off‑site. Full → Incremental → Differential restoration flows. Reverse incremental keeps a live mirror; older states are reconstructed from stored deltas. Near‑CDP ≈ snapshotting (regular intervals), not true continuous capture. Tape = cheap per‑GB, sequential access; HDD/SSD = fast random access. RPO → frequency of backups; RTO → speed of restore (media choice matters). Compression, deduplication, encryption are applied before data hits final media (often during staging). Checksum/Hash validation guarantees data on media matches source. --- 🔄 Key Processes Full Backup + Incremental Cycle Run a full backup (baseline). On each subsequent schedule, capture only changed blocks → incremental. Restore: retrieve latest full + apply incrementals in chronological order. Differential Restore Take a full backup. Periodically run differential backups (changes since that full). Restore: retrieve latest full + most recent differential only. Reverse Incremental Update Keep current mirror on primary storage. After each change, store a reverse delta that can rebuild the prior state. Near‑CDP Snapshot Creation At set intervals (e.g., every 15 min): Quiesce applications (VSS on Windows). Take a copy‑on‑write snapshot. Store snapshot as a restore point. Deduplication Workflow Source‑side: break data into blocks, hash each block, send only unique blocks to target. Target‑side: store a single instance of each unique block; maintain a reference map. Encryption & Key Management Encrypt data before writing to media. Securely store encryption keys; loss of keys = loss of data. --- 🔍 Key Comparisons Full vs Incremental vs Differential vs Reverse Incremental Full: complete copy every time → large storage, simple restore. Incremental: smallest daily size → longer restore (need full + many incrementals). Differential: grows over time → moderate storage, fast restore (full + one differential). Reverse Incremental: always‑up‑to‑date mirror → quick restores, but requires reverse deltas. Tape vs HDD vs SSD vs Optical Tape: cheap per GB, sequential access, excellent for long‑term archiving. HDD: inexpensive, fast random access, good for near‑line/offline. SSD: fastest random access, higher cost, ideal for online restores. Optical (WORM): immutable, useful for compliance‑grade archives. Online vs Near‑Line vs Offline Online: immediate (ms) access, vulnerable to ransomware. Near‑Line: minutes‑scale, mechanical devices (tape libs). Offline: manual retrieval, immune to network‑based attacks. CDP vs Near‑CDP CDP: captures every write → true “zero‑RPO”. Near‑CDP: snapshots at intervals → small RPO, lower overhead. --- ⚠️ Common Misunderstandings “Incremental alone can restore without a full backup.” – Impossible; a full baseline is required. “Tape provides fast random reads.” – Tape is sequential; random access is slow. “One off‑site copy satisfies the 3‑2‑1 rule.” – You still need two local copies on different media. “Encryption removes the need for key security.” – If keys are compromised, encrypted data is exposed. “RPO = RTO.” – RPO concerns how much data you can lose; RTO concerns how quickly you must be back up and running. --- 🧠 Mental Models / Intuition Backup Pyramid (3‑2‑1): Visualize three layers – copies (top), media diversity (middle), off‑site (base). Timeline Slider: Full backup = “reset point”; incrementals = “ticks”; differentials = “stretch from last reset”. Snapshot as Photograph: Think of a snapshot like a frozen picture of the filesystem at that instant – perfect for point‑in‑time restores. --- 🚩 Exceptions & Edge Cases Reverse Incremental keeps a live copy; useful for environments needing instant roll‑back. Some systems can synthesize a new full backup from a chain of incrementals, reducing restore time. Near‑CDP may still lose up to the interval length (e.g., 15 min) – not truly zero‑RPO. WORM optical media provides immutable storage, but is slower to write and read than HDD/SSD. Offline media are immune to ransomware but introduce longer RTO due to manual retrieval. --- 📍 When to Use Which | Situation | Recommended Backup Approach | |-----------|------------------------------| | Critical business data, need <5 min RPO | CDP (or near‑CDP with ≤5 min snapshots) + local SSD mirror | | Standard departmental files, moderate change | Weekly full + daily incremental (store incrementals on HDD, full on tape) | | Fast restore priority, limited storage | Differential backups (full weekly, differential nightly) | | Long‑term archiving, cost‑sensitive | Magnetic tape with periodic full backups, store off‑site | | Compliance requiring immutable records | Write‑once optical (WORM) or tape with offline storage | | Environment with many open files/databases | VSS‑based snapshots + near‑CDP; consider reverse incremental for always‑current state | | Remote office with limited bandwidth | Source‑side deduplication + incremental uploads to cloud backup | | High‑availability cluster | Remote disk mirroring to a DR site (online storage) plus nightly tape for archive | --- 👀 Patterns to Recognize Differential size grows as days pass after the last full backup → expect longer backup windows. Multiple incrementals needed for a restore → look for “chain of incrementals” in exam questions. Checksum / hash logs listed → indicates validation step was performed. Deduplication enabled → sudden drop in storage growth despite large data sets. Snapshot schedule listed (e.g., every 15 min) → implies near‑CDP protection level. --- 🗂️ Exam Traps “Reverse incremental is the same as incremental.” – Wrong; reverse incremental maintains a current mirror, while incremental stores only changes forward. “Tape provides faster restores than disk.” – Incorrect; tape is slower due to sequential access. “Having an off‑site copy alone fulfills the 3‑2‑1 rule.” – Misses the requirement for three total copies on two media types. “RPO and RTO are interchangeable terms.” – They measure different things (data loss vs downtime). “Encrypting a backup eliminates the need for checksum validation.” – Encryption protects confidentiality; checksum verifies integrity. ---