In 2021, Colonial Pipeline paid $4.4 million in ransom after attackers encrypted its IT systems and threatened its operational infrastructure. In 2023, MGM Resorts suffered an attack that cost the company an estimated $100 million in losses — not from the ransom, but from the downtime itself. In both cases, the question asked in every boardroom across the world was the same: how long will it take to recover, and what will we lose?

That question used to belong to IT operations. It now belongs to the board.

The shift is not only about ransomware. Regulatory requirements around data availability, recovery time objectives, and business continuity planning have tightened across every regulated industry. Cloud adoption has created complex data sovereignty and replication questions that did not exist a decade ago. And the explosion of unstructured data — driven by AI workloads, video, and IoT — has made storage management both more expensive and more consequential than it has ever been.

This post covers the enterprise storage landscape, the backup and recovery disciplines that protect it, and the disaster recovery planning that determines whether an organisation survives a major incident or not.


What Storage, Backup, and DR Actually Covers

Enterprise storage is the discipline responsible for managing where data lives, how it is organised, how it is protected, and how it is recovered. It spans three interconnected sub-domains.

Storage infrastructure manages the hardware and software platforms that hold data — from traditional SAN and NAS arrays through software-defined storage to cloud object storage. The decisions made here determine cost, performance, scalability, and data mobility.

Backup and data protection ensures that copies of data exist that can be used to restore systems and services after data loss, corruption, or ransomware encryption. The critical shift in recent years has been from backup as an afterthought to backup as a primary security control.

Disaster recovery goes beyond backup to address the full restoration of IT services after a major disruption — not just individual files or databases, but entire applications, workloads, and the infrastructure they run on. DRaaS (Disaster Recovery as a Service) has made enterprise-grade DR accessible to organisations that previously could not afford dedicated recovery infrastructure.


Why Storage and DR Are Harder Than They Were

Three forces have fundamentally changed the storage and recovery discipline.

Ransomware has targeted backup infrastructure specifically. Sophisticated ransomware groups now spend weeks inside enterprise environments before activating their payload — identifying and compromising backup systems before encrypting production data. An organisation that discovers its backups were also encrypted has no recovery path without paying the ransom or rebuilding from scratch. Backup immutability — preventing backups from being modified or deleted, even by administrators — has become the primary defence.

Recovery time expectations have compressed dramatically. The business tolerance for application downtime has fallen precipitously. Organisations that planned for 24-hour recovery windows five years ago are now expected to recover in hours. This has driven adoption of continuous data protection (CDP) and near-synchronous replication, which maintain near-zero recovery point objectives (RPO) at a cost that has become increasingly accessible.

AI and unstructured data have created a storage explosion. AI model training requires petabyte-scale storage with high-throughput access patterns. Video surveillance, IoT sensor data, and digital media have driven exponential growth in unstructured data volumes. Traditional storage architectures were not designed for this — driving adoption of object storage, data lakehouse architectures, and tiered storage strategies that automatically move data to lower-cost tiers based on access frequency.


The Sub-Domains That Matter Most

Backup Immutability

Immutable backups cannot be modified, encrypted, or deleted — even by privileged users — for a defined retention period. The two primary implementations are object lock (S3-compatible object storage with WORM — Write Once Read Many — policies) and air-gapped backups (physically or logically isolated copies with no network connection to production).

The 3-2-1-1-0 rule has become the industry standard for enterprise backup strategy: three copies of data, on two different media types, with one offsite, one offline or immutable, and zero unverified backups. The addition of the final two elements — immutability and verification — reflects the ransomware reality.
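The 3-2-1-1-0 rule can be checked mechanically against a backup inventory. The following is an added example, not code from the original post or from any vendor; the `DataCopy` fields, the rule names, and the sample inventory are assumptions constructed for illustration. It treats an object-lock copy as immutable only while its retention period is still running.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class DataCopy:
    name: str
    role: str                          # "primary" or "backup"
    media: str                         # e.g. "disk", "tape", "object"
    offsite: bool
    offline: bool                      # air-gapped from production
    locked_until: Optional[datetime]   # WORM / object-lock retention end
    verified_ok: Optional[bool]        # None = restore never tested

def check_3_2_1_1_0(copies, now):
    """Return {rule: passed} for each element of the 3-2-1-1-0 rule."""
    backups = [c for c in copies if c.role == "backup"]

    def protected(c):
        # A lock only counts while its retention period is still running.
        return c.offline or (c.locked_until is not None and c.locked_until > now)

    return {
        "3_copies": len(copies) >= 3,
        "2_media_types": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in backups),
        "1_offline_or_immutable": any(protected(c) for c in backups),
        "0_unverified": bool(backups) and all(c.verified_ok is True for c in backups),
    }

# Constructed sample inventory (hypothetical systems, not real ones).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
WEAK = [
    DataCopy("prod-san", "primary", "disk", False, False, None, None),
    DataCopy("local-repo", "backup", "disk", False, False, None, True),
    # Offsite object copy: retention lock lapsed two days ago, never restore-tested.
    DataCopy("cloud-bucket", "backup", "object", True, False, NOW - timedelta(days=2), None),
]
HARDENED = WEAK[:2] + [
    DataCopy("cloud-bucket", "backup", "object", True, False, NOW + timedelta(days=30), True),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_3_2_1_1_0(inventory, NOW))
```

The weak inventory passes the original 3-2-1 elements and fails only the two newer ones, which is the gap the rule's extension was meant to expose.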

Recovery Testing

An untested backup is not a backup — it is a hypothesis. Regular recovery testing, including full application recovery tests in isolated environments, has become a compliance requirement in many regulated industries and a board-level governance expectation in others. Automated recovery testing — where recovery processes are executed and validated programmatically on a scheduled basis — is the direction the market is moving.

DRaaS

Disaster Recovery as a Service delivers recovery infrastructure on demand, eliminating the need for organisations to maintain dedicated standby datacentres. The economics are compelling: organisations pay only for the storage required to replicate their workloads and the compute consumed during testing and actual recovery events.

The leading DRaaS platforms — Zerto, Veeam, Commvault, and VMware Cloud Disaster Recovery — have made enterprise-grade recovery capabilities accessible to mid-market organisations that previously could not justify the investment.

Software-Defined Storage and Cloud Tiering

Software-defined storage separates the storage software from the underlying hardware, enabling organisations to use commodity hardware and manage storage through a consistent software layer regardless of the physical infrastructure underneath. VMware vSAN, Nutanix, and IBM Spectrum Scale are the leading platforms.

Cloud storage tiering automatically moves data between performance tiers based on access frequency — keeping frequently accessed data on expensive, high-performance storage and automatically archiving cold data to significantly cheaper object storage or cloud archive tiers. The cost reduction for organisations with large data estates can be substantial.


Key Metrics Every IT Leader Must Know

RTO (Recovery Time Objective): The maximum acceptable time between a disruption and the restoration of service. RTO is a business requirement — defined by how long the organisation can operate without the affected system.

RPO (Recovery Point Objective): The maximum acceptable amount of data loss measured in time. An RPO of one hour means the organisation accepts losing up to one hour of data. RPO drives the frequency and technology of data replication.

MTTR (Mean Time to Recovery): The average actual time taken to restore service after an incident. Organisations benchmark MTTR against RTO — a persistent gap between the two indicates a recovery process problem.

RTO vs RPO trade-off: Reducing RTO and RPO requires investment in replication technology, standby infrastructure, and orchestration capability. The relationship between business impact of downtime and cost of recovery capability should drive target RTO and RPO — not arbitrary standards.
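These metrics can be measured from backup job history and incident records rather than taken from the plan document. The following is an added example, not part of the original post; the function names, targets, and sample timestamps are assumptions constructed for illustration. It goes one step beyond the definitions above by counting individual RTO breaches, which an MTTR average can hide.

```python
from datetime import datetime, timedelta

def worst_case_rpo(backup_times):
    """Largest gap between consecutive successful recovery points.
    An incident just before the later point would lose this much data."""
    ts = sorted(backup_times)
    return max((b - a for a, b in zip(ts, ts[1:])), default=timedelta(0))

def data_loss_at(backup_times, incident):
    """Data lost when restoring the newest recovery point before the incident."""
    prior = [t for t in backup_times if t <= incident]
    return incident - max(prior) if prior else None  # None: nothing to restore

def mttr(incidents):
    """Mean of (restored - disrupted) over past incidents or recovery tests."""
    if not incidents:
        raise ValueError("no incidents or tests recorded")
    durations = [end - start for start, end in incidents]
    return sum(durations, timedelta(0)) / len(durations)

def assess(backup_times, incidents, rpo_target, rto_target):
    gap, mean = worst_case_rpo(backup_times), mttr(incidents)
    return {
        "worst_case_rpo": gap,
        "rpo_met": gap <= rpo_target,
        "mttr": mean,
        "rto_met_on_average": mean <= rto_target,
        "rto_breaches": sum(1 for s, e in incidents if e - s > rto_target),
    }

# Constructed sample data: hourly backups with two failed jobs (03:00, 04:00),
# and three recoveries taking 2 h, 5 h and 2 h.
BACKUPS = [datetime(2025, 6, 1, h) for h in (0, 1, 2, 5)]
INCIDENTS = [
    (datetime(2025, 3, 1, 9), datetime(2025, 3, 1, 11)),
    (datetime(2025, 4, 1, 9), datetime(2025, 4, 1, 14)),
    (datetime(2025, 5, 1, 9), datetime(2025, 5, 1, 11)),
]

if __name__ == "__main__":
    print(assess(BACKUPS, INCIDENTS, timedelta(hours=1), timedelta(hours=4)))
```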


The Gartner Magic Quadrant Landscape

[Figure: Gartner Magic Quadrant, Enterprise Backup and Recovery 2025. Rubrik and Cohesity lead on security-first design, Veeam leads on breadth, Zerto leads on DRaaS.]

Enterprise Backup and Recovery MQ

Gartner's Magic Quadrant for Enterprise Backup and Recovery Software Solutions identifies four consistent Leaders: Veeam, Commvault, Rubrik, and Cohesity.

Veeam holds the largest market share by deployment count — strong breadth, excellent ecosystem integration, and a trusted presence in mid-market and enterprise environments. Commvault has repositioned successfully as a data protection and cyber recovery platform, with strong compliance and governance capabilities. Rubrik and Cohesity represent the next generation — both have built security deeply into their platforms, with immutability, threat detection, and ransomware recovery as core capabilities rather than add-ons.


Vendor Comparison

| Dimension | Veeam | Commvault | Rubrik | Cohesity | Zerto |
|---|---|---|---|---|---|
| Category | Backup & Recovery | Data Protection & Compliance | Cyber Recovery Platform | Data Management & Security | DRaaS / Replication |
| MQ Position | Leader #1 | Leader | Leader | Leader | Visionary |
| Ransomware defence | ★★★★☆ | ★★★★☆ | ★★★★★ | ★★★★★ | ★★★☆☆ |
| Immutability | ★★★★☆ | ★★★★☆ | ★★★★★ | ★★★★★ | ★★★☆☆ |
| Cloud integration | ★★★★★ | ★★★★☆ | ★★★★☆ | ★★★★☆ | ★★★★★ |
| DRaaS / replication | ★★★★☆ | ★★★☆☆ | ★★★☆☆ | ★★★☆☆ | ★★★★★ |
| Ease of management | ★★★★★ | ★★★☆☆ | ★★★★☆ | ★★★★☆ | ★★★★☆ |
| Mid-market fit | ★★★★★ | ★★★☆☆ | ★★★★☆ | ★★★★☆ | ★★★★☆ |
| Best for | Broadest coverage, VMware/Hyper-V heavy | Compliance-heavy, regulated industries | Ransomware recovery, security-first | Data management at scale | Near-zero RPO replication, DRaaS |

What the MQ Doesn't Tell You

Choose Veeam if: You need the broadest platform coverage with the lowest operational overhead. Veeam's ecosystem integrations are unmatched — it supports virtually every hypervisor, cloud platform, and SaaS application. It is the most common choice for organisations without a specialist security recovery requirement.

Choose Commvault if: Compliance, data governance, and audit trails are primary drivers. Commvault's data management depth — including eDiscovery, legal hold, and compliance reporting — is genuinely differentiated for regulated industries.

Choose Rubrik if: Ransomware recovery and security-first backup are the top priorities. Rubrik's immutable architecture and threat hunting capabilities make it the strongest choice for organisations that treat security risk as their primary backup concern.

Choose Cohesity if: You want to consolidate backup, file services, and data management on a single platform at scale. Cohesity's DataProtect combined with DataSphere creates a data management fabric that goes significantly beyond backup.

Choose Zerto if: Near-zero RPO continuous replication and DRaaS are the specific requirements. Zerto's journal-based replication and recovery automation deliver recovery objectives that traditional snapshot-based backup cannot match.


What to Do Next

Three questions every IT leader should ask before their next storage and DR review:

1. When did you last successfully test a full application recovery from backup? If you cannot answer this question with a specific date and test report, your DR plan is a document, not a capability.

2. Are your backups immutable? If an attacker with domain admin credentials could delete or encrypt your backups, you do not have ransomware protection — you have ransomware exposure.

3. What is the business impact per hour of your most critical application being unavailable? If you cannot answer this, you cannot set meaningful RTO and RPO targets — and every recovery investment decision you make is arbitrary.

The final post in this category — the MQ Spotlight on Cloud Infrastructure — compares AWS, Azure, and GCP across every dimension that matters for enterprise infrastructure decisions.
