You know you need to back up your data. Maybe you’ve developed a backup strategy and gotten the process started, or maybe you’re still in the planning phase. Now you’re starting to wonder: how long do I need to keep all these backups I’m going to accumulate? It’s the right question to ask, but the truth is there’s no one-size-fits-all answer.
How long you keep your backups will depend on your IT team’s priorities, and will include practical factors like storage costs and the operational realities that define the usefulness of each backup. Highly regulated industries like banking and healthcare have even more challenges to consider on top of that. With all that in mind, here’s what you need to know to determine how long you should keep your backups.
First Things First: You Need a Retention Policy
If you’re asking how long you should keep your backups, you’re already on your way to designing a retention policy. Your organization’s retention policy is the official protocol that will codify your backup strategy from top to bottom. The policy should not just outline what data you’re backing up and for how long, but also explain why you’ve determined to keep it for that length of time and what you plan to do with it beyond that point.
Practically speaking, the decision about how long to keep your backups boils down to a balancing act between storage costs and operational value. You need to understand how long your backups will be useful in order to determine when it’s time to replace or dispose of them; keeping backups past their viability leads to both unnecessary spend and the kind of complexity that breeds risk.
Backup vs. Archive
Disposal isn’t the only option when a backup ages. Sometimes it’s more appropriate to archive data as a long-term storage option. As your organization’s data footprint expands, it’s important to determine how you interact with different types of data to make the best decisions about how to safeguard it (and for how long).
While backups are used to restore data in case of loss or damage, or to return a system to a previous state, archives are more often used to off-load data from faster or more frequently accessed storage systems.
- Backup: A data recovery strategy for when loss, damage, or disaster occurs.
- Archive: A long-term or permanent data retrieval strategy for data that is not as likely to be accessed, but still needs to be retained.
Knowing archiving is an option can impact how long you decide to keep your backups. Instead of deleting them completely, you can choose to move them from short-term storage into a long-term archive. For instance, you could choose to keep more recent backups on premises, perhaps stored on a local server or network attached storage (NAS) device, and move your archives to cloud storage for long-range safekeeping.
How you choose to store your backups can also factor into your decision on how long to keep them. Moving archives to cloud storage is more convenient than other long-term retention strategies like tape. Keeping archives in cloud storage could allow you to keep that data for longer, simply because it’s less time-consuming than maintaining tape archives and you don’t have to worry about tape deteriorating over time.
Putting your archive in cloud storage can help manage the cost side of the equation, too, but only if handled carefully. While cloud storage is typically cheaper than tape archives in the long run, you might save even more by moving your archives from hot to cold storage. For most cloud storage providers, cold storage is generally the cheaper option if you’re talking dollars per GB stored. But it’s important to remember that retrieving data from cold storage can incur high egress fees and take 12–48 hours. When you need to recover data quickly, such as after a ransomware attack or cybersecurity breach, each moment you don’t have your data means more time your business is not online—and that’s expensive.
How One School District Balances Storage Costs and Retention
With 200 servers and 125TB of data, Bethel School District outside of Tacoma, Washington needed a scalable cloud storage solution for archiving server backups. They’d been using Amazon S3, but high costs were straining their budget—so much so that they had to shorten needed retention periods.
Moving to Backblaze produced savings of 75%, and Backblaze’s flat pricing structure gives the school district a predictable invoice, eliminating the guesswork they anticipated from other solutions. They’re also planning to reinstate a longer retention period for better protection from ransomware attacks, as they no longer need to control spiraling Amazon S3 costs.
Next Order of Business: The Structure of Your Backup Strategy
The types of backups you’re storing will also factor into how long you keep them. There are many different ways to structure a secure backup strategy, and it’s likely that your organization will interact with each kind of backup differently. Some backup types need to be stored for longer than others to do their job, and those decisions have a lot to do with how the various types interact to form an effective strategy.
The Basics: 3-2-1
The 3-2-1 backup strategy is the widely accepted industry minimum standard. It dictates keeping three copies of your data: two stored locally (on two different types of devices) and one stored off-site. This diversified backup strategy covers all the bases; it’s easy to access backups stored on-site, while off-site (and often offline or immutable) backups provide security through redundancy. It’s probably a good idea to have a specific retention policy for each of your three backups—even if you end up keeping your two locally stored files for the same length of time—because each copy serves a different purpose in your broader backup strategy.
Full vs. Incremental Backups
While designing your backup strategy, you’ll also need to choose how you’re using full versus incremental backups. Performing full backups each time (like completely backing up a work computer daily) requires huge amounts of time, bandwidth, and space, which all inflate your storage usage at the end of the day. Other options serve to increase efficiency and reduce your storage footprint.
- Full backup: A complete copy of your data, created from scratch as if no other backup existed.
- Incremental backup: A copy of any data that has been added or changed since your last full backup (or your last incremental backup).
When thinking about how long to keep your full backups, consider how far back you may need to completely restore a system. Many cyber attacks can go unnoticed for some time. For instance, you could learn that an employee’s computer was infected with malware or a virus several months ago, and you need to completely restore their system with a full backup. It’s not uncommon for businesses to keep full backups for a year or even longer. On the other hand, incremental backups may not need to be kept for as long because you can always just restore from a full backup instead.
Effectively combining different backup types into a cohesive strategy leads to a staggered, chronological approach that is greater than the sum of its parts. The grandfather-father-son system is a great example of this concept in action. Here’s an example of how it might work:
- Grandfather: A monthly full backup is stored either off-site or in the cloud.
- Father: Weekly full backups are stored locally in a hot cloud storage solution.
- Son: Daily incremental backups are stored as a stopgap alongside father backups.
It makes sense that different types of backups will need to be stored for different lengths of time and in different places. You’ll need to make decisions about how long to keep old full backups (once they’ve been replaced with newer ones), for example. The type and the age of your data backups, along with their role in the broader context of your strategy, should factor into your determination about how long to keep them.
A Note on Minimum Storage Duration Policies
When considering cloud storage to store your backups, it’s important to know that many providers have minimum storage duration policies. These are fees charged for data that is not kept in cloud storage for a period defined by the provider, which can be anywhere from 30 to 180 days. These are essentially delete penalties—minimum retention requirement fees apply not only to data that gets deleted from cloud storage but also to any data that is overwritten. Think about that in the context of the backup strategies we’ve just outlined: each time you create a new full backup, you’re overwriting data.
So if, for example, you choose a cloud storage provider with a 90-day minimum storage duration, and you keep your full backups for 60 days, you will be charged fees each time you overwrite or delete a backup. Some cloud storage providers, like Backblaze B2 Cloud Storage, do not have a minimum storage duration policy, so you do not have to let that influence how long you choose to keep backups. That kind of flexibility to keep, overwrite, and delete your data as often as you need is important to manage your storage costs and business needs without the fear of surprise bills or hidden fees.
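As an added worked example (not from the original post), the grandfather-father-son rotation described above and the minimum storage duration fees can be modelled together: the script decides which nightly backups the rotation keeps, then totals what a provider bills for backups pruned before its minimum duration. The 7 daily / 4 weekly / 12 monthly counts, the 100 GB backup size and the 90-day minimum are assumed values chosen for illustration.

```python
from datetime import date, timedelta

def gfs_retain(snapshots, sons=7, fathers=4, grandfathers=12):
    """Return the snapshot dates a grandfather-father-son rotation keeps:
    the newest `sons` daily backups, the newest backup from each of the last
    `fathers` ISO weeks, and the newest backup from each of the last
    `grandfathers` calendar months. Everything else is eligible for pruning."""
    snaps = sorted(snapshots, reverse=True)          # newest first
    keep = set(snaps[:sons])
    weeks, months = {}, {}
    for d in snaps:
        weeks.setdefault(d.isocalendar()[:2], d)     # first seen = newest in week
        months.setdefault((d.year, d.month), d)      # first seen = newest in month
    keep.update(list(weeks.values())[:fathers])
    keep.update(list(months.values())[:grandfathers])
    return keep

def early_delete_days(created, deleted, min_days):
    """Days still billed when an object is deleted or overwritten before the
    provider's minimum storage duration has elapsed (0 once it is old enough)."""
    return max(0, min_days - (deleted - created).days)

def simulate_rotation(start, days, min_days, size_gb, **policy):
    """Run the rotation one day at a time: add today's backup, prune whatever
    the policy no longer keeps, and total the GB-days billed for data that
    was already deleted. min_days=0 models a provider with no minimum."""
    live, wasted_gb_days = [], 0
    for i in range(days):
        today = start + timedelta(days=i)
        live.append(today)
        keep = gfs_retain(live, **policy)
        for d in live:
            if d not in keep:
                wasted_gb_days += size_gb * early_delete_days(d, today, min_days)
        live = sorted(keep)
    return wasted_gb_days

if __name__ == "__main__":
    # Constructed scenario (assumed values): one year of 100 GB nightly backups
    # under a 7/4/12 rotation, with and without a 90-day minimum duration.
    for min_days in (0, 90):
        wasted = simulate_rotation(date(2024, 1, 1), 365, min_days, 100,
                                   sons=7, fathers=4, grandfathers=12)
        print(f"min duration {min_days:>2}d: {wasted:>9,} GB-days billed after deletion")
```

Multiply the GB-days figure by the provider's per-GB-day rate to see what the minimum duration adds to the bill; with a 7-day son tier and a 90-day minimum, every nightly backup is billed for 83 days it no longer exists.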
Don’t Forget: Your Industry’s Regulations Can Tip the Scales
While weighing storage costs and operational needs is the fundamental starting point of any retention policy, it’s also important to note that many organizations face regulatory requirements that complicate the question of how long to keep backups. Governing bodies designed to protect both individuals and business interests often mandate that certain kinds of data be readily available and producible upon request for a set amount of time, and they require higher standards of data protection when you’re storing personally identifiable information (PII). Here are some examples of industries with their own unique data retention regulations:
- Healthcare: Medical and patient data retention is governed by HIPAA rules, but how those rules are applied can vary from state to state.
- Insurance: Different types of policies are governed by different rules in each state, but insurance companies do generally need to comply with established retention periods. More recently, companies have also been adding cyber insurance, which comes with its own set of requirements.
- Finance: A huge web of legislation (like the Bank Secrecy Act, Electronic Funds Transfer Act, and more) mandates how long banking and financial institutions must retain their data.
- Education: Universities sit in an interesting space. On one hand, they store a ton of sensitive data about their students. They’re often public services, which means that there’s a certain amount of governmental regulation attached. They also store vast amounts of data related to research, and often have on-premises servers and private clouds to protect—and that’s all before you get to larger universities which have medical centers and hospitals attached. With all that in mind, it’s unsurprising that they’re subject to higher standards for protecting data.
Federal and regional legislation around general data security can also dictate how long a company needs to keep backups depending on where it does business (think GDPR, CCPA, etc.). So in addition to industry-specific regulations, your company’s primary geographic location—or your customers’ location—can also influence how long you need to keep data backups.
The Bottom Line: How Long You Keep Backups Will Be Unique to Your Business
The answer to how long you need to keep your backups has everything to do with the specifics of your organization. The industry you’re in, the type of data you deal with, and the structure of your backup strategy should all combine to inform your final decision. And as we’ve seen, you’ll likely wind up with multiple answers to the question pertaining to all the different types of backups you need to create and store.