Backup Fundamentals: Network, Rating, and DPaaS Basics

After seven years of architecture reviews with customers, three patterns show up so often I now ask about them in the first conversation. Most teams have gaps in at least two.
Senior Product Marketing Manager
Image
Discover how to evaluate backup vendors, secure backup networks, and build a modern DPaaS strategy with cloud-native backup, migration, and disaster recovery.

Three patterns I keep seeing 

After seven years of architecture reviews with customers, three patterns show up so often I now ask about them in the first conversation. Whether the team understands what Data Protection as a Service is supposed to cover. What questions they are asking backup vendors during evaluation. And how they are securing the network paths backup data travels. 

Most teams I talk to have gaps in at least two of the three. Sometimes all three. The gaps are not because the teams are weak. They are because the industry has built up so much vendor noise around backup that the fundamentals get buried under product positioning. This piece is what I would tell a peer who asked, "What should I actually know about backup architecture before I sign a contract?" 

DPaaS basics: what data protection as a service actually covers 

Data Protection as a Service is a delivery model where backup, recovery, migration, and disaster recovery are provided as a managed service. Not software the customer installs, configures, and maintains. The customer subscribes. The service runs. 

The relevant question is not what DPaaS means as a category. It is what a real DPaaS platform actually has to deliver. Three pillars define the scope. 

Data Protection 

Application-consistent backup and recovery for every workload that runs in the environment. VMs, databases, containerized applications, object storage, and SaaS applications. The defining requirement is consistency across environments. Same policy framework, same recovery model, same management whether the workload runs on-premises, in AWS, in Azure, in Google Cloud, or in SaaS applications like Microsoft 365 and Salesforce. 

Data Migration 

The same backup data that protects a workload can move that workload. Between on-premises and cloud, between cloud providers, or between regions. Migration is not a separate product category in modern DPaaS. It is a recovery operation targeting a different destination. About 95% of cloud customers are in some form of workload migration at any given time as they optimize price and performance, which makes migration a continuous operational requirement, not a one-time event. 

Disaster Recovery 

Cloud-native DR using public cloud regions as failover targets, with an economic model that matters. Store the backup copy continuously at low cost. Only consume compute and high-performance storage when DR is actually triggered. Always-on replica environments are expensive precisely because they run 24/7 for an event that may never happen. Pay-when-triggered DR is a fraction of that cost. 

Flexera's 2026 State of the Cloud Report found 73% of organizations are operating hybrid cloud environments, with multi-cloud adoption continuing to rise, often driven by mergers, SaaS sprawl, and decentralized teams rather than deliberate strategy. A DPaaS platform that does not span every cloud the business runs on is not a complete data protection strategy. It is a partial one with gaps the customer is responsible for filling. 

Rating your backup infrastructure: five questions that work 

Most data protection vendors have repackaged legacy products under cloud branding. The architecture underneath, fixed sizing, agents per server, big upfront deployments, is still the data center approach lifted into cloud-hosted form. Five questions cut through the marketing quickly. 

Question to ask the vendor  What a good answer looks like 
How long will it take to plan and architect the backup infrastructure?  Minimal upfront planning, modular expansion or contraction as the organization changes. Rigid architectures break when business plans change, and roughly 98% of plans change. 
How much time to deploy before we can protect workloads?  Hours, not weeks. Pre-built virtual appliance or fully as-a-service. Manual binaries, data movers, agents, and plugins indicate the legacy installation model. 
How much effort to scale as the environment grows?  Scale up, scale out, and scale across on-premises and public clouds seamlessly, with one management plane. Re-architecture or additional appliances mean friction. 
What is the learning curve for the team?  Days, not months. A UI purpose-built to the supporting platform's terminology lets administrators feel familiar from the first session. 
How much time will the team spend keeping the lights on?  Minimal. Lightweight architecture, detailed logging, instant upgrades, minimal maintenance. The goal is to free IT for high-value work, not to consume hours on backup platform care. 

 These questions reveal architectural reality underneath the marketing. A vendor whose answers begin with "it depends on your environment" or "we can scale you up with additional appliances" is selling the on-premises model in cloud packaging. 

Network considerations: securing the paths backup data travels 

Backup data is only as protected as the network paths between sources, hosts, and storage targets. A backup architecture with strong encryption at rest and weak network security on the path to the target is exactly as compromised as the weakest link in that chain. Five categories matter most. 

Multi-homing the backup VM 

While a single virtual NIC will work, multi-homing the backup VM with two vNICs (one management, one storage network) provides cleaner separation and lets administrators disable the web listener on the storage NIC. Production backup traffic should not share an interface with administrative access. If a credential leak gives an attacker the web console, you do not want them on the same network as the backup data. 

Securing storage target connections 

Different storage targets have different network security requirements. 

Storage target  Network security configuration 
NFS  Configure the appliance whitelist to permit traffic only from backup VM IP addresses. Anonymous NFS exports are the most common misconfiguration. 
SMB  Configure a dedicated service account with access only to the backup share. Disallow unauthorized network access. Do not attach the backup share to other machines, because any compromised machine becomes a path to the backup data. 
iSCSI  Enable and configure CHAP on both target and backup VM. Unauthenticated iSCSI is a backup risk that is trivially exploitable inside a compromised network. 
Cloud object storage  Configure storage account credentials and access keys. Choose one of three network paths based on security posture: peered encrypted connection, site-to-site VPN, or HTTPS/TLS over public internet for low-sensitivity scenarios. 

 Certificate and authentication hygiene 

Self-signed certificates are fine for initial deployment but should be replaced with certificates from your organization's CA in production. Source connections to hypervisor management (Nutanix Prism, VMware vCenter) should use certificate authentication where supported. SSH access to the backup VM should be disabled after initial setup. Ongoing administration through the web UI or platform management interfaces, not shell. 

Limiting administrative access 

Access to Prism Element, vCenter, or the cloud provider console for environments containing backup infrastructure should be restricted to specific admins and workstations, not the whole IT team. Micro-segmentation provides enforcement. The backup management network should be reachable only from named administrative jump hosts, not from general workstations or developer machines. 

Basic hygiene that closes most of the attack surface 

Three habits eliminate most of the network attack surface against backup infrastructure. No internet access to production servers, route through proxies and bastions. Strict workstation hygiene for admins who hold backup credentials, because the path of least resistance for most ransomware is through a compromised admin's machine. And storage target selection that includes anti-ransomware features (immutability, WORM, object lock) at the storage layer itself. 

Common questions on backup fundamentals 

What is the difference between DPaaS and BaaS? 

Backup-as-a-Service is the narrower term, specifically backup and recovery as a managed service. Data Protection as a Service is broader, covering backup, recovery, migration, and disaster recovery as integrated capabilities through one platform. Most modern offerings deliver DPaaS even when they are marketed as BaaS. The distinction is whether the platform handles migration and DR through the same management plane as backup. 

How do I know if a backup vendor is cloud-native or just cloud-washed? 

Three diagnostic questions. Does the solution require deploying and maintaining a backup virtual appliance in the cloud? If yes, the on-premises architecture has been lifted into cloud-hosted form. Does pricing scale with actual usage, or does it require upfront license and storage provisioning commitments? Does the solution auto-discover new workloads through cloud APIs, or does it require manual configuration for each new VM? Manual configuration and fixed sizing are the data center operating model. 

What is the most common network security gap in backup deployments? 

The SMB backup share attached to too many machines. Administrators set up an SMB target, configure it correctly with a service account, then mount the same share to other servers for convenience: file servers, application servers, even desktops. Every machine that has the share mounted becomes a potential attack vector. Backup target shares should be reachable only from the backup VM itself. 

Do I need CHAP if my iSCSI traffic stays inside a private network? 

Yes. Modern attacks assume the attacker is already inside the network. Perimeter defenses are not the threat model anymore. CHAP authenticates the iSCSI initiator to the target so a compromised host on the same network cannot mount the storage. The configuration takes minutes. The protection is meaningful. 

If you take one thing from this 

Walk through the five rating questions with your current backup vendor this quarter. If their answers make you uncomfortable, that discomfort is the signal worth investigating. Vendors who can answer these questions cleanly built for the world you operate in. Vendors who cannot will keep generating those uncomfortable answers for as long as you stay with them.