
These materials are © 2021 John Wiley & Sons, Inc.

Any dissemination, distribution, or unauthorized use is strictly prohibited.


Google Cloud Backup
Veeam® Special Edition

by Paul McFedries

Google Cloud Backup For Dummies®, Veeam® Special Edition

Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2021 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without
the prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of
John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not
be used without written permission. Inc. Veeam and the Veeam logo are trademarks or registered
trademarks of Veeam Software. All other trademarks are the property of their respective owners.
John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO
REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF
THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING
WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY
MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS.  THE ADVICE
AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS
WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN
RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES.  IF PROFESSIONAL
ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE
SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING
HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK
AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN
THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION
OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE.  FURTHER, READERS
SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR
DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978-1-119-80555-7 (pbk); ISBN 978-1-119-80556-4 (ebk)

Manufactured in the United States of America


For general information on our other products and services, or how to create a custom For Dummies
book for your business or organization, please contact our Business Development Department
in the U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub.
For information about licensing the For Dummies brand for products or services, contact
BrandedRights&Licenses@Wiley.com.

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:
Development Editor: Rebecca Senninger
Acquisition Editor: Ashley Coffey
Editorial Manager: Rev Mengle
Business Development Representative: Matt Cox
Production Editor: Tamilmani Varadharaj

Table of Contents

INTRODUCTION
    About This Book
    Icons Used in This Book
    Beyond the Book

CHAPTER 1: Understanding Cloud Data Risks
    Who’s Responsible for Your Cloud Data?
    Cloud Infrastructure Risks
    Cloud Configuration Risks
    On-Premises Risks
    Accident Risks

CHAPTER 2: Making Your Cloud Data Robust and Resilient
    Planning for High Availability
    Forging a Backup and Recovery Plan
    Backing Up Data with Google Cloud Platform
    Setting Up an Optimized Backup Strategy

CHAPTER 3: Ten Cloud Data Protection Best Practices

Introduction
A long list of advantages comes your way when you move
some or all of your compute and storage resources to a
cloud provider. These advantages include lower capital
costs, pay-as-you-go operating costs, nearly non-existent
barriers to entry, faster time-to-value, scalability (that is, adding or
reducing resources based on current demand), elasticity (scaling
resources automatically), and agility (scaling resources quickly).

That said, a few disadvantages are associated with moving to
the cloud. These disadvantages include potential security
problems when not managed properly, planned and unplanned server
downtime, unknown costs, possible performance degradation,
and vendor lock-in.

However, perhaps the biggest problems associated with
provisioning cloud resources involve data. By definition, cloud
storage means your data resides in one or more remote data centers.
Can you be sure that data is always in a location that meets your
company’s compliance regulations? Is your data protected and
secure? What happens to your data if the server in which it’s
stored fails? Or if it becomes corrupt or is accidentally deleted?
Who’s responsible for creating, maintaining, and restoring data
backups?

These are important questions and Google Cloud Backup For
Dummies answers them.

About This Book


Google Cloud Backup For Dummies gives you the background and
know-how you need to make smart decisions about safeguarding
your cloud data. Chapter 1 makes the case that your cloud data
faces the same risks as on-premises data and that it needs
protection. Chapter 2 helps you mitigate your data’s risk profile by
showing you how to create a data protection plan, including how
to best utilize native capabilities on Google Cloud Platform. You
then learn how to go beyond Google’s native services to create an
optimized backup strategy. The book closes with Chapter 3, which
takes you through ten best practices for Google Cloud backup.

Icons Used in This Book
Like other books in the For Dummies series, this book uses icons,
or little margin pictures, to flag info that doesn’t quite fit into the
flow of the chapter discussion. Here are the icons I use:

This icon marks text that contains info that’s useful or important
enough that you’d do well to store the text somewhere safe in
your memory for later recall.

This icon marks text that contains a shortcut or an easier way to
do things, which I hope will make your life — or, at least, the data
analysis portion of your life — more efficient.

Beyond the Book


There’s more about Google Cloud Backup than can fit in this
small book. Head to the Veeam website
https://www.veeam.com/google-cloud-backup.html to find out more
about the Veeam solution for Google Cloud Platform.

Chapter 1
Understanding Cloud Data Risks

IN THIS CHAPTER
»» Understanding the shared responsibility for your cloud data
»» Getting a handle on the risks associated with cloud data storage

Migrating IT resources to a cloud provider such as Google
Cloud Platform (GCP) always involves data in some way.
It might be data you migrate directly from your
on-premises network; it might be data created internally using
cloud resources; or it might be data generated by customers,
vendors, suppliers, and other users of your cloud services.

When companies first consider migrating IT resources to GCP,
one of the (usually) unspoken assumptions is that all data moved
to or created within the cloud infrastructure is automatically
protected. Surely (so the thinking goes), GCP safeguards data
using backups, snapshots, data redundancy, or, well, something.

Ah, the look of surprise, then shock, then horror that cross the
faces of people when they’re told that these safeguards are
non-existent! “How can that be?” they ask in befuddlement. And it
only gets worse when you detail exactly the risks that your data
faces once it resides in the cloud. So, consider yourself forewarned.
This chapter spells out exactly what responsibilities GCP has
with respect to your cloud infrastructure, what responsibilities
your company must bear, and what are the specific risks facing
your data.

Fortunately, as you see in the rest of the book, you can take steps
to reduce or eliminate all the risks mentioned in this chapter.

Who’s Responsible for Your Cloud Data?


I mention at the beginning of this chapter that GCP offers no
safeguards for your data. That’s true in the strictest sense of providing
backups, but there’s a bigger picture to consider. That is, although
GCP isn’t responsible for your cloud data, it is responsible for the
cloud in which that data resides. That is, GCP is responsible for
the following:

»» The physical security, maintenance, and safety of its data
centers.
»» Controlling and maintaining the servers, network devices,
and other hardware in its data centers.
»» Controlling and maintaining the host operating system (OS)
that runs on each server.
»» Creating and managing the OS virtualization layer that hosts
your virtual machines and other cloud resources.
»» Managing GCP services such as Cloud SQL and Compute
Engine.

Your responsibility is for everything you deploy in the cloud. Your
apps, accounts, settings, and, yes, your data are entirely your
responsibility. GCP calls this the shared responsibility matrix.

Cloud Infrastructure Risks


According to the GCP shared responsibility matrix, described in
the previous section, Google is responsible for the infrastructure
that underlies your cloud assets. How reliable is that
infrastructure? Pretty darned reliable. GCP measures this reliability using
a value called annual durability, which is the percentage chance
that you won’t permanently lose any data over the course of a
year due to something like an outage. According to Google, its Cloud
Storage service is designed to have an annual durability value of
99.999999999% (known in the trade as 11 9s). In other words,
over a year there’s just a 0.000000001% chance that you could
permanently lose data that lies within the responsibility of Google.

GCP ensures such a high durability of data by storing data chunks
redundantly across multiple devices that are located in multiple
availability zones.

So, there’s a vanishingly small possibility of permanent data loss
due to infrastructure mishaps. Of greater concern, however, is
temporary data loss, where some or all of your data is unavailable for some
length of time, or data loss that occurs outside of Google’s
responsibility (read: within your responsibility). Again, GCP uses a percentage
value to measure availability. The value depends on the service (see
Chapter 2), but at best you can get 99.95% availability using Cloud
Storage across multiple regions. That sounds high, but it still means
that your data is unavailable for about four hours and 23 minutes
every year. Where do these minutes and hours come from? The most
common causes of cloud downtime are server reboots, unplanned
short-term outages, and unplanned long-term outages.

Cloud Configuration Risks


You shouldn’t stay awake at night worrying about downtime
caused by GCP cloud infrastructure failures, but no one would
blame you for losing sleep over failures related to your end of
the shared responsibility matrix. If you don’t set up or configure
your cloud resources correctly, your data will be at risk of loss,
exposure, theft, or ransomware. Here are some risks to consider:

»» Malicious hackers can and will probe your network for
weaknesses.
»» Many cloud resources enable public IP addresses, which
expose the resources to the Internet.
»» Assigning permissions without following the principle of least
privilege, where a user or group gets only the permissions
they require to do their job — no more, no less.
»» Exposing passwords in scripts or other files that are viewable
by unauthorized users. Hardcoding authentication in this
way is just asking for trouble.
»» Your virtual network and its data are vulnerable to
distributed denial of service (DDoS) attacks and common exploits
such as SQL injection.

See Chapter  3 for some best practices that can help keep your
cloud data safe from these and other risks.
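
The least-privilege and public-exposure risks in the list above can be checked mechanically. The following Python code is an added example, not part of the original book and not Google or Veeam code: it compares the access that a backup bucket's IAM policy grants with the access each identity is meant to have. The policy, the principals, the intended-access table, and the four capability labels (read, create, delete, admin) are constructed for illustration; the role names are Cloud Storage predefined roles.

```python
# Added example: least-privilege audit of a backup bucket's IAM policy.
# POLICY has the shape of a Cloud Storage bucket IAM policy (a list of
# role/members bindings). Every principal below is constructed sample data.

PUBLIC = {"allUsers", "allAuthenticatedUsers"}

# Simplified capability labels (an assumption of this example) for
# Cloud Storage predefined roles.
ROLE_CAPS = {
    "roles/storage.objectViewer": {"read"},
    "roles/storage.objectCreator": {"create"},
    "roles/storage.objectAdmin": {"read", "create", "delete"},
    "roles/storage.admin": {"read", "create", "delete", "admin"},
}

WRITER = "serviceAccount:backup-writer@example-project.iam.gserviceaccount.com"
RESTORE = "serviceAccount:restore@example-project.iam.gserviceaccount.com"

POLICY = {
    "bindings": [
        {"role": "roles/storage.objectCreator", "members": [WRITER]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:dev@example.com", WRITER]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers", RESTORE]},
        {"role": "roles/storage.admin", "members": ["user:storage-admin@example.com"]},
    ]
}

# What each identity needs to do its job: no more, no less.
INTENDED = {
    WRITER: {"create"},
    RESTORE: {"read"},
    "user:storage-admin@example.com": {"read", "create", "delete", "admin"},
    "user:auditor@example.com": {"read"},
}


def granted_caps(policy):
    """Union the capabilities each member receives across all bindings."""
    granted = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # Roles outside the table are surfaced by name so they get reviewed.
        caps = ROLE_CAPS.get(role, {"role:" + role})
        for member in binding.get("members", []):
            granted.setdefault(member, set()).update(caps)
    return granted


def audit(policy, intended):
    """Return (member, finding, capabilities) tuples, sorted by member."""
    granted = granted_caps(policy)
    findings = []
    for member in sorted(set(granted) | set(intended)):
        have = granted.get(member, set())
        need = intended.get(member, set())
        if member in PUBLIC:
            # Anyone on the Internet: always a finding, never "intended".
            if have:
                findings.append((member, "public", sorted(have)))
            continue
        if have - need:
            findings.append((member, "excess", sorted(have - need)))
        if need - have:
            findings.append((member, "missing", sorted(need - have)))
    return findings


if __name__ == "__main__":
    for member, finding, caps in audit(POLICY, INTENDED):
        print(f"{finding:8} {member}: {', '.join(caps)}")
```

In the sample, the backup writer can also read and delete backups because of a second, broader binding, which is the kind of excess that lets one compromised identity destroy the copies it was only supposed to create.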

On-Premises Risks
Even if all your data resides in the cloud, that doesn’t mean you
should no longer be concerned about on-premises failures. Here
are just a few to consider:

»» You can’t connect to your cloud. If your cloud data
requires regular interventions from the on-premises
network (for example, to update or configure the data), what
happens if a fire, natural disaster, or Internet outage means
you can’t connect to your cloud?
»» You can’t decrypt your data. You’re smart enough to
encrypt your data at rest and in transit, but what happens if
you lose your encryption key?
»» An employee clicks a link in a phishing email. The
resulting malware installation could compromise your
network or initiate a ransomware attack.
»» An internal user makes unauthorized use of on-demand
cloud services. This could result in data exfiltration, data
deletion, data corruption, and so on.
»» A fired employee destroys data for revenge. This can
happen if you don’t revoke ex-employee accounts right
away.

Accident Risks
To err, as the poet said, is human. We all make mistakes from
time to time, and sometimes those mistakes can wreak havoc on
your data:

»» A user inadvertently deletes data, thinks something is
protected when it isn’t, is unaware of data that needs
protecting, or improperly modifies data.
»» A script error accidentally deletes or modifies data.
»» A misconfigured automated GCP process shuts down or
removes a storage bucket.
»» A misconfigured setting for a GCP resource corrupts data.

Chapter 2
Making Your Cloud Data Robust and Resilient

IN THIS CHAPTER
»» Keeping your business going with highly available data
»» Learning how to back up your data on Google Cloud Platform
»» Putting together an optimal backup strategy

The threats facing your cloud data are many, but you don’t
have to let those threats keep you awake at night. With a
sprinkle of foresight, a dash of preparation, and a healthy
helping of data protection tools offered by Google Cloud Platform
and third-party services, you can concoct a robust and resilient
plan to safeguard your data and keep your business running.

Planning for High Availability


High availability refers to the ability of a cloud resource to remain
functional and responsive despite the failure of one or more of
its components or dependencies. For cloud data, the best way to
ensure high availability is to store the data in a dual-regional
or multi-regional bucket location. The data then becomes
geo-redundant, which means the data is replicated in two (or
more) geographic areas that are separated by at least 100 miles
(160 kilometers). So, a region-wide outage (due to, say, a natural
disaster) means your data remains available in at least one other
region.

Google Cloud Platform also offers several features that can reduce
the risk of accidental data deletion:

»» Bucket retention policy: Specifies the minimum age before
which data in a bucket can be replaced or deleted.
»» Object hold: Prevents the data object from being replaced
or deleted while the hold is in effect.
»» Object versions: Enables you to store previous versions of a
data object. You can then restore an older version should
the current version get inadvertently replaced or deleted.

Forging a Backup and Recovery Plan


A backup and recovery plan is a set of practices and systems designed
to help some resource — such as an app or data — get back online
as soon as possible in the event of a major disaster. You begin
planning by defining two important values:

»» Recovery time objective (RTO): The maximum time that it’s
acceptable for your app or data to be offline.
»» Recovery point objective (RPO): The maximum time that
it’s acceptable for data to be temporarily lost. The RPO varies
depending on how you use the data. Frequently used data
might have an RPO of just a minute or two, while rarely used
data might have an RPO of several hours or more.

As a general rule, the faster you want your data storage to
recover — that is, the lower the RTO and RPO times — the more
expensive it is to store the data. For example, the Google Cloud
Platform service level agreement (SLA) for Cloud Storage is shown
in the following table (ordered from highest cost to lowest cost):

Service                                                   Monthly Uptime

Standard storage in a multi-region or dual-region         >= 99.95%
location

Standard storage class in a regional location, or         >= 99.9%
Nearline or Coldline storage in a multi-region or
dual-region location

Nearline or Coldline storage in a regional location, or   >= 99.0%
Durable Reduced Availability storage in any location

Backing Up Data with Google Cloud Platform
Want to know the secret of (relatively) stress-free cloud data
storage? One word: backups. If you have your data backed up, then
you can relax knowing that you’ve got a way to recover should
disaster strike.

Google Cloud Platform offers a number of methods for
implementing backups, including the following:

»» Persistent disk snapshot: An incremental snapshot of the
current state of a persistent disk. The first snapshot contains
the disk’s entire data, while subsequent snapshots contain
only data that’s new or modified since the most recent
snapshot. You can set up a snapshot schedule to create
regular snapshots of a persistent disk.
»» Machine image: Incremental storing of the current state of
a virtual machine (VM), particularly all the VM’s attached
disks. The first image contains all the data from all the disks,
while subsequent images contain only data that’s new or
modified since the most recent VM image.
»» Copy (cp) command: You can use the cp command to copy
files from an instance to a Cloud Storage bucket.

These methods offer varying degrees of usefulness and efficiency,
but is any one of them the ideal solution for your data? Probably
not, because none of these methods can be considered in any way
an optimized backup strategy. That is, if you have disaster
recovery RTO/RPO time targets to meet, can you get there using just
Google Cloud Platform tools?

The native Google Cloud Platform backup tools are fine for very
small and very simple cloud deployments. Beyond that, creating
a robust and resilient backup strategy requires a more powerful
and flexible solution, such as the Veeam Backup for Google Cloud
Platform.

Setting Up an Optimized Backup Strategy
Using persistent disk snapshots (or machine images for
multi-disk VMs) is a potential data protection tool, but it’s not an
optimal backup strategy for the following reasons:

»» Costs: Snapshots attempt to reduce storage costs by storing
only incremental changes after the initial snapshot. However,
storage costs can rise quickly if you don’t have some way to
delete old snapshots or move snapshots that require longer
retention to a lower-cost object storage tier.
»» Recovery: Data loss at the instance, disk, and file levels
requires different recovery techniques, which can make it
difficult to meet RTO and RPO targets.
»» Automation: You can schedule snapshots, but no other part
of the native backup strategy is automated.
»» Isolation: Backups aren’t automatically isolated from your
production deployment. If that deployment fails or
succumbs to an internal or external threat, your backups fail
along with it, thus slowing (or preventing) recovery.
»» Portability: Backups aren’t easily moved, not only between
Google Cloud Platform regions, but also to other company sites
such as your on-premises network and your other public
cloud deployments.
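
The cost and recovery points above come down to two checks on a disk's snapshot history: does any stretch without a snapshot exceed the RPO, and which old snapshots can be deleted under a retention policy. The following Python code is an added example, not part of the original book and not Google or Veeam code. The snapshot records are constructed; the 24-hour RPO and the "keep 7 days of everything, then the newest snapshot per week for 4 weeks" policy are assumptions chosen for illustration.

```python
# Added example: test a snapshot history against an RPO and plan pruning.
# Records use the `name` and `creationTimestamp` fields found in
# `gcloud compute snapshots list --format=json`; the data is constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 6, 10, 12, 0, tzinfo=timezone.utc)  # fixed "current time"
RPO = timedelta(hours=24)                                 # assumed target


def sample_snapshots():
    """Daily 02:00 UTC snapshots, 1 May to 10 June 2021, with 5 June missing."""
    first = datetime(2021, 5, 1, 2, 0, tzinfo=timezone.utc)
    records = []
    for day in range(41):
        ts = first + timedelta(days=day)
        if (ts.month, ts.day) == (6, 5):
            continue  # simulate a scheduled run that failed
        records.append({"name": f"data-disk-{ts:%Y%m%d}",
                        "creationTimestamp": ts.isoformat(timespec="milliseconds")})
    return records


def parse_ts(snapshot):
    """Parse the RFC 3339 timestamp and normalise it to UTC."""
    ts = datetime.fromisoformat(snapshot["creationTimestamp"])
    return ts.astimezone(timezone.utc)


def rpo_gaps(snapshots, rpo, now):
    """Return (start, end) for every stretch longer than the RPO with no
    snapshot, including the stretch from the newest snapshot to now."""
    if not snapshots:
        return [(None, now)]  # nothing to restore from at all
    times = sorted(parse_ts(s) for s in snapshots) + [now]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > rpo]


def plan_pruning(snapshots, now, keep_all_days=7, keep_weekly_weeks=4):
    """Split snapshot names into (keep, delete), newest first.

    Keeps everything newer than keep_all_days, then the newest snapshot of
    each ISO week for keep_weekly_weeks more weeks. The newest snapshot is
    never deleted, so a stalled schedule cannot prune the last copy.
    """
    all_cutoff = now - timedelta(days=keep_all_days)
    weekly_cutoff = all_cutoff - timedelta(weeks=keep_weekly_weeks)
    keep, delete, weeks_seen = [], [], set()
    ordered = sorted(snapshots, key=parse_ts, reverse=True)
    for index, snap in enumerate(ordered):
        ts = parse_ts(snap)
        week = tuple(ts.isocalendar())[:2]  # (ISO year, ISO week)
        recent = ts >= all_cutoff
        weekly = ts >= weekly_cutoff and week not in weeks_seen
        if index == 0 or recent or weekly:
            weeks_seen.add(week)
            keep.append(snap["name"])
        else:
            delete.append(snap["name"])
    return keep, delete


if __name__ == "__main__":
    snaps = sample_snapshots()
    for start, end in rpo_gaps(snaps, RPO, NOW):
        print(f"RPO exceeded: no snapshot between {start} and {end}")
    keep, delete = plan_pruning(snaps, NOW)
    print(f"keep {len(keep)}, delete {len(delete)}")
```

Deleting an older incremental snapshot does not break newer ones, because Compute Engine preserves the data that later snapshots still need.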

Overcoming these backup headaches isn’t impossible using only
Google Cloud Platform tools, but it requires planning, a
significant amount of difficult and complex configuration, and a
near-constant hands-on presence.

I assume you have better things to do with your time, so that’s
why it makes sense to consider a powerful and flexible third-party
solution. A well-designed product such as the Veeam Backup for
Google Cloud Platform leverages Google-native snapshots and
offers cost management, multi-level data recovery, full
automation, cross-project and cross-region isolation, and unlimited data
portability.

Chapter 3
Ten Cloud Data Protection Best Practices

IN THIS CHAPTER
»» Automating, encrypting, monitoring, patching, and more
»» Using Google Cloud Platform tools such as the firewall,
Web Security Scanner, and Cloud Armor

Even if you’ve come up with an optimal backup strategy as I
discuss in Chapter 2, that doesn’t mean you can check
“secured cloud data” off your to-do list. If you’re serious
about cloud data security (and I know you are), then here are a
few more best practices to consider:

»» Automate your backups. When you work on a document in
the cloud, it gets saved automatically. Doesn’t that feel good?
Isn’t it much easier than having to remember to save your
work frequently? Now apply that good feeling to your cloud
data. That is, automate your cloud data backups for instant
peace of mind.
»» Encrypt your data. One of the iron laws of data security is
that if you store data in plaintext, someone not authorized to
read that data will read it. Google Cloud Storage always
provides free encryption on the server side, but you should
also encrypt in-transit data.
»» Create multiple backups in multiple locations. Having a
backup is good, but do you know what’s even better? Having
multiple backups, so if the first backup fails, you can still
recover. You know what’s even better than having multiple
backups? Having those backups spread across multiple
regions, so even in the rare case where an entire region goes
dark, your data remains safe and recoverable quickly.
»» Revoke access to data when it’s no longer needed.
A variation on the principle of least privilege might be called
“no privilege.” That is, when a user no longer requires access
to cloud data (for example, by quitting or being fired), you
should immediately revoke that user’s access to the data.
»» Enable and review GCP logging and monitoring. You can’t
know if your cloud data is truly secure unless you not only
log and monitor access and usage of the data, but also
automate that monitoring.
»» Patch what you manage. A distressingly high number
of cloud data attacks take advantage of unpatched cloud
services and resources. Keep your cloud stuff updated
constantly.
»» Consider Cloud Data Loss Prevention (DLP). Cloud DLP is
an application programming interface (API) that enables you
to keep sensitive, proprietary, and regulated data safe and
secure. If you store sensitive data such as credit card
numbers, passwords, and national ID numbers, consider
implementing Cloud DLP to find and protect that data.
»» Use the firewall. To protect your virtual private cloud (VPC)
VMs and other resources — including your data — from
unauthorized access, take advantage of the firewall that
comes with each VPC. You can configure the firewall with
rules that allow legitimate traffic and deny unauthorized or
unknown traffic.
»» Keep an eye on costs. Look for solutions with backup cost
calculators and options to back up to low-cost object storage
to minimize cloud cost while still hitting SLOs.
»» Future proofing. Beware of software products with
non-prescriptive approaches that lock data in; rather, look
for a solution that offers the flexibility to mobilize your data
and to host and protect it wherever the organization needs.

WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.
