
Cloud Backups vs. Local Backups: The Real Conversation


We've talked a lot about backups this year. Every ransomware post, every breach post, every security checklist comes back to the same thing: do you have good backups? But we haven't dug into the actual question most practice owners ask us: should I back up to the cloud or keep my backups local?

The honest answer is: both. But let me explain why, because the decision isn't as simple as the cloud vendors want you to think, and it's not as scary as the "I don't trust the cloud" crowd believes.

Local Backups: The Case For

Speed. If you need to restore a full server from backup, doing it from a local device (an external drive, a NAS, a dedicated backup appliance) is dramatically faster than downloading everything from the cloud. A 500GB restore from a local USB 3.0 drive takes hours. From the cloud, depending on your internet speed, it could take days.

Control. Your data stays on your premises. You know where it is, you control who has physical access to it, and you're not dependent on a third-party service staying online.

Cost. A good NAS device or external backup drive is a one-time purchase. Cloud backup involves ongoing monthly subscription fees that add up over time.

Local Backups: The Case Against

Ransomware. This is the big one. If your local backup is connected to the same network as your computers (and most are), ransomware can encrypt your backup along with everything else. We've seen this happen. Practice thinks they have a backup, ransomware hits, backup drive is encrypted too. Game over.

Physical disaster. Fire, flood, theft, power surge. If your backup is in the same building as your server, any physical disaster that takes out one takes out both.

Human error. Someone accidentally unplugs the backup drive. The backup software fails silently and nobody notices for three weeks. The drive fills up and stops backing up. These aren't hypotheticals. We see them regularly.

Cloud Backups: The Case For

Offsite by default. Your data is stored in a data center that's physically separate from your office. Ransomware can't encrypt it. A fire can't destroy it. It's the offsite component of the 3-2-1 backup rule without you having to physically move anything.

Automation. Cloud backup services typically run automatically on a schedule. No human intervention required. And good ones will alert you if a backup fails.

Versioning. Most cloud backup services keep multiple versions of your files. So if ransomware encrypts your data on Tuesday, you can restore Monday's clean version. This is harder to do well with local backups.

Cloud Backups: The Case Against

Restore speed. Downloading your entire practice database over the internet is slow. If your internet goes down (which sometimes happens during the same disaster that required the restore), you're stuck.

Ongoing cost. Cloud backup fees are typically based on storage volume. As your practice data grows (and it always grows), so does the bill. Budget for this.

Vendor dependency. You're trusting a third party with your most critical data. What happens if they go out of business? If their data center has an outage? If they change their pricing? Read the fine print.

HIPAA considerations. If you're backing up patient data to the cloud, the backup provider needs to sign a BAA and meet HIPAA security requirements. Not all cloud backup services are HIPAA-compliant.

The Right Answer: Both

The 3-2-1 backup rule exists for a reason: three copies of your data, on two different types of media, with one copy offsite. The best way to achieve this for most practices:

  1. Primary data on your server (copy 1)
  2. Local backup to a NAS or backup appliance, ideally one that's not directly accessible from user workstations (copy 2, different media)
  3. Cloud backup to a HIPAA-compliant service (copy 3, offsite)

This gives you fast local restores for everyday issues (accidentally deleted file, software corruption) and offsite protection for catastrophic events (ransomware, fire, theft).

The Most Important Thing

Whatever backup strategy you choose, test your restores. Regularly. A backup that you've never tested is a backup that might not work. And you really, really don't want to discover that when you actually need it.

Set a calendar reminder. Once a month, restore a file or a database from backup. Verify it's complete and usable. That 15-minute test could save your practice.