Backup Strategy (3-2-1 Rule)

What Is the 3-2-1 Rule

The 3-2-1 rule is a backup strategy widely adopted as a fundamental principle of data protection. Proposed in 2005 by American photographer Peter Krogh, this principle consists of three elements: 3 copies, 2 different types of media, and 1 offsite copy.

Specifically, it means: (1) maintain at least 3 copies of your data (production data + 2 backups), (2) store them on 2 or more different types of storage media (e.g., SSD and external HDD, NAS and cloud), and (3) keep at least 1 copy in a physically separate location.

The effectiveness of this principle is rooted in probability theory. If the probability of a single storage device failing is 1/100, the probability of two independent storage devices failing simultaneously is 1/10,000. By distributing across different media and locations, you eliminate single points of failure and can also address physical risks such as fire, theft, and natural disasters.

The 3-2-1-1-0 Extended Rule for the Ransomware Era

As the threat of ransomware intensifies, the traditional 3-2-1 rule alone is insufficient in many cases. Ransomware can launch encryption attacks on network-connected backup destinations, creating a risk that all online backups are wiped out.

This led to the proposal of the 3-2-1-1-0 rule. In addition to the traditional 3-2-1, it adds two elements: maintaining 1 air-gapped (physically disconnected from the network) or immutable (unmodifiable) copy, and confirming 0 errors in backup restore tests.

Immutable backups can be achieved with AWS S3 Object Lock or cloud storage WORM (Write Once Read Many) features. Since data written once cannot be deleted or modified for a set period, a safe copy remains even if ransomware strikes.

Practical Backup Configuration Examples

For individual users, a realistic configuration is: production data (PC's internal storage) + periodic backups to an external HDD + automatic sync to cloud storage. Connecting the external HDD only during backups and keeping it offline otherwise also serves as ransomware protection.

For enterprise environments, a multi-layered configuration is recommended: production server + on-premises NAS (daily backup) + cloud replication (daily) + tape or immutable storage (weekly).

The most commonly overlooked aspect of backups is restore testing. Even if backups are taken successfully, they are meaningless if they cannot be restored. Conduct restore tests at least quarterly and verify that your RTO (Recovery Time Objective) and RPO (Recovery Point Objective) meet requirements.

Combining with data encryption is also important. If backup data is not encrypted, a stolen offsite media could lead to a data breach.

Backup Strategy Pitfalls and Countermeasures

There are common failure patterns in backup operations. First is confusing "sync" with "backup." Cloud sync services (Google Drive, Dropbox, etc.) reflect file changes in real time, so accidentally deleted files or ransomware-encrypted files also propagate to the sync destination. Sync is not a substitute for backup.

Second is inadequate backup generation management. If you keep only the latest single backup generation, you cannot restore healthy data if data corruption is discovered late. It is recommended to maintain at least 7 days of daily backups and 4 weeks of weekly backups.

It is also essential to incorporate recovery procedures from backups into your incident response plan. Document who restores from which backup using which procedure, and conduct regular drills so you can respond quickly during an actual outage.

The 3-2-1-1-0 Rule for the Cloud Era

Now that ransomware routinely encrypts even network-connected backup destinations, the 3-2-1-1-0 rule - which adds two elements to the traditional 3-2-1 rule - is becoming the industry standard.

"1" - Immutable Backup: Maintain at least one immutable (unmodifiable) backup. With AWS S3 Object Lock (Compliance mode) or Azure Blob Storage immutable storage, even an attacker with administrator privileges cannot delete or modify data during the retention period. Set the retention period based on your RPO, with a minimum of 30 days recommended.

"1" - Air-Gapped Copy: Maintain a copy that is physically disconnected from the network (air-gapped). This includes writing to tape media or external storage that is disconnected from the network after backup completion. In cloud environments, cross-account replication to a different account and region can achieve a logical air gap.

"0" - Zero-Error Verification: Conduct backup restore tests regularly and confirm zero restore errors. Backup job success logs alone are insufficient. Only after actually restoring data and performing file integrity checks (checksum verification) can you claim "zero errors."

To enhance ransomware resilience, it is also important to completely separate the backup environment's authentication credentials from the production environment. Design it so that even if the production Active Directory is compromised, the backup system remains inaccessible. It is recommended to incorporate restore procedures from immutable backups into your BCP recovery strategy and conduct drills quarterly.

To learn more about this topic, see Ransomware Protection Guide: Defending Against Extortion Attacks.

Common Misconceptions

Storing data in cloud storage satisfies the 3-2-1 rule

A single cloud storage service is merely "one copy on one type of media." Given the risks of cloud provider outages and account compromises, it must be combined with local backups.

RAID eliminates the need for backups

RAID provides redundancy against disk failures but is not a backup. It cannot handle accidental deletion, ransomware, file system corruption, or RAID controller failures. RAID and backups are complementary technologies with different purposes.

Comparison of Backup Methods - Full Backup vs. Incremental Backup

Related Terms

Related Articles