Backup advice

Hi Guys,
We have about 10 users on a SBS network and planning to purchase Symantec Backup Exec SBS and an HP DAT160 External USB Tape device
Now my questions
1. What type of security/password protection will i have on my tape backups. a dedicated person will take the tapes offsite but we want only authorised persons to be able to access backed up data. I have seen Software and Hardware encryption but dont know which one or how, i know the Dat160 Tape device does not supprt encryption? Advice here, i want my data rock solid secure
2. What is the best known backup strategy one can use? Data is crucial and around 100GB in size. We want daily and offsite
3. How long does the tapes last? Replacement time span if any?
Reinert WentzelManaging MemberAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Do you have internet access?  Why not utilize an online backup company.  Don't have to worry about tapes and it is offsite.  For the price of tapes, software and tape device, it might be cheaper to go this route.

Here are a few:
Server Licenses: $6.95 + $0.50/GB per month = $56.95 with the amount of data you are talking about.
100GB-149GB $75

Reinert WentzelManaging MemberAuthor Commented:
Hi thx for the advice, but online backups are expensive in terms of all the data traffic we will be paying for. Imagine 100GB a day! i want multiple sets of backups done. So i thing onsite will be best. Can someone advice me further on my questions?
Thomas RushCommented:
Hello, Reiner.  I think I can help with your questions.

1) BackupExec can perform encryption in software.   This should be encryption that is secure enough except for truly determined attackers with significant computing resources.  
Why the "secure enough"?    Because even if BE is using AES256 encryption, to be completely secure, you would need a random key (i.e., not generated by a pass phrase, among other requirements), and you would need to use a different key for each tape.     The real-world impact?   Unless you're a government agency or a huge financial institution, nobody who wants your data will have the resources to crack it.

1b) Be aware that software encryption (as BE will do) may put a significant CPU load on your server, which could affect  backup performance, or performance of other applications hosted on the backup server.  IF YOU ENCRYPT IN BE -- turn HW compression off for the tape drive -- else you may see negative compression ratios (data bigger after "compression" due to metadata storage).

1c) Be aware that sending encrypted data to your tape drive will make the data uncompressible.  You mentioned that you have 100GB of data in a full backup; as DAT160 is only 80GB native (that is, without compression), you will spill over to a second tape cartridge for each full backup.  

You can compress the data in BackupExec, but compression is also a very CPU-intensive task, and will put a further, possibly significant, load on your backup server.

1d) DAT320 now supports HW encryption.   This encryption is done in the hardware of the tape drive, without any load on the server (BackupExec simply sends an encryption key to the tape drive and tells the tape drive to encrypt, but BE does not itself perform any of the encryption computation).    HW encryption also compresses the data before it encrypts it, so there is no loss of compression.

I hate to recommend you buy new hardware (such as a DAT320 drive), but given your goal of the best backup solution, you may find that a SAS-attached DAT320 will give you both significantly better performance, and more confidence in your encryption solution (plus a 160GB native capacity, ensuring that all of your data fits on one tape for some time to come).

2) There is no "best" backup solution.   Every business is different.  The three most important decisions you have to make in designing the backup solution best for you are:
a) What's my recovery point objective?   That is, how much data can I afford to lose if I'm down?   Is it the last transaction?   A minute's worth of data?   An hour's worth?  A day's worth?    Even three day's worth (as was the case for a customer I spoke with last year)?
    This tells you how important some sort of continuous access/mirroring is to your solution.  The less data I can afford to lose, the more expensive the solution will be.

b) What's my recovery time objective?  If I'm down, do I need to be up in seconds, minutes, hours, days?   The less time I can afford to be down, the more expensive the solution will be.

c) How much can i afford to spend?   If my business is worth $50,000/year, what I can afford to spend may be constrained, compared to a $1,000,000/year business.

That said -- tape is a good start for a backup solution.   As you know, it gives you the ability to easily and cheaply store multiple generations of data, to have that data off-site in case of a site disaster, and to have that data outside of the reach of both viruses and other data destroying code, as well as individuals who may maliciously want to destroy your data.   It also provides you with a solution for long-term archiving, be it for government compliance or  business requirements.

You can layer some sort of replication on top of that as well, but this will add to the cost of the solution.   The replication can be a replication of backup jobs (You backup to a backup appliance, and that appliance handles replication to an equivalent device at a second location), or a replication of primary storage managed by your storage array (again, to an equivalent device at a second location).  

The replication of primary storage can be synchronous or asynchronous (synchronous requiring lower latency and often times being higher cost).   You can also -- with products such as HP Storage Mirroring -- have a server at the remote site that can serve as a fail-over server in case of the primary server going down.    The problem with mirroring primary storage is the risk that a) if you catch a virus on your production server, that virus's malicious activity gets mirrored to the second site, and the data there is corrupted almost immediately, also.    And, b) If you delete data accidentally on the primary site, that deletion is replicated and the data deleted on the mirror site as well.    

Therefore, mirroring primary storage is *NOT* a backup.    Using a system like a D2D Backup System, you can take backups just as if it was a tape library, use deduplication to store data for relatively long periods of time six months or so in the space that might have only held two weeks' worth of data without deduplication.    In addition, you can now send only the changes and new data across to the replication target (this is called "low bandwidth replication") instead of the whole new backup, and create an exact copy of the new backup job.

This kind of replicated solution -- whether primary or backup storage -- will cost you somewhere in the $10,000 range and up.    You're probably pretty well served simply by using a known, proven tape rotation schedule (Grandfather/Father/Son for instance) with weekly backups periodically promoted to a monthly archive, and a monthly tape periodically promoted to a yearly archive, etc.    If your DAT160 tape drive is an HP drive, it came with a license for HP Data Protector Express Single Server Edition, which has a large number of built-in tape rotation schemes; it might be worthwhile for you to investigate that.

3) HP gives the life of data on DAT160 and DAT320 tapes in storage as 10+ years.   The life of an individual tape may be less than this -- you'll want to keep your tapes in rotation so that one tape isn't used over and over again; I don't remember the number, but there is a suggested limit to the number of full-tape writes before a tape is considered 'worn out'.    As long as you're using several tapes and rotating them in and out of use on a defined schedule, you're not likely to hit this limit until long after you have upgraded to a new tape technology (DAT640!).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You wouldn't be paying 100gb a day.  Just the modified files, which would probably be a very small amount.
Reinert WentzelManaging MemberAuthor Commented:
thx for the great solution. will check and revert back
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Storage Software

From novice to tech pro — start learning today.