The 3-2-1 backup rule is part of a data protection or disaster recovery (DR) strategy that involves creating at least three copies of an organization’s data to be used as backups for cyber resilience and business continuity. Two copies are stored on-site (but on different media), and one is stored off-site.
Why perform this data isolation? Because a backup copy simply isn’t enough. Today, data is so important that organizations need to go to extra measures including air gapping, to ensure valuable data isn’t lost, stolen, encrypted, or otherwise rendered inaccessible or unusable. Organizations and their leaders don’t want, and frankly can’t afford, any single point of failure to get in the way of being able to access the data needed to run the business.
Data loss can be catastrophic to organizations, and can severely interrupt business operations.
The 3-2-1 backup rule is important because making a minimum of three copies of data is usually sufficient to successfully recover from incidents in which production data is lost, stolen, or compromised— whether through natural disasters, human errors, or cybercriminal activity.
The accelerating rise in ransomware underscores the importance of using the 3-2-1 backup rule. A recent survey found that 2022 attacks were 29% more numerous than 2021, and 34% higher than 2020. Ransomware attacks are on track to continue to rise. Moreover, 89% of all ransomware attacks now go beyond merely encrypting data to data exfiltration, leading to more cases of double extortion ransomware. Bad actors are increasingly intent on capturing all data, including backups, rendering traditional backup strategies useless.
Having two copies on two different on-premises types of media—for example, on both a storage appliance and a hard disk drive—strengthens disaster recovery postures based on the probability that at least one of the on-prem backups will survive an incident. Adding an off-site copy, whether tapes that are stored in a remote warehouse or data located online in the public cloud or a virtual air gap, adds a deeper layer of insurance that organizations have access to data even in circumstances where all on-site copies are destroyed.
When it comes to advantages, the 3-2-1 backup rule is proven, flexible, and effective.
Proven — Used for decades in businesses, both large and small, the 3-2-1 backup rule is an industry standard that provides a solid foundation on which to build a holistic data protection strategy.
Flexible — As storage media and data backup technologies and methods evolve, backup administrators can adapt this formula to suit changing strategic priorities.
Effective — The (at least) three copies provide necessary protection against most system failures— and an isolated off-site copy protects against both natural disasters and the rising threat of ransomware.
The chief disadvantages of the 3-2-1 rule are the following:
There are several steps in implementing and managing a 3-2-1 backup strategy.
Cybercrime hasn’t stood still over the decades that the 3-2-1 data backup rule has been in use. As technologies and processes have evolved, so have cybercriminals’ tactics and ways to prevent data from being lost, stolen, or corrupted. Because of this, the 3-2-1 backup rule has evolved into several different flavors that businesses can choose from to bolster their DR and data protection strategies. Cloud, in particular, has influenced this evolution.
The 3-2-1-1-0 approach
This approach depends on adding one more copy of data into the mix. The second “1” refers to a data backup that is air-gapped or immutable. (Air-gapped means the backup cannot be accessed by any network; immutable means the data cannot be modified or changed.)
The final “0” means that there are zero errors in the backups. Teams ensure this by monitoring various storage devices and media, resolving any issues they find, and doing regular testing of backup-and-restore processes.
The 4-3-2 approach
Organizations that choose this strategy increase the overall number of copies they make of their data, plus they have some stricter parameters to follow when it comes to types of storage.
The “4” means making four copies of data. The “3” refers to the fact that teams store them in three locations (on-premises; off-site with a provider such as Iron Mountain, and in the cloud with a cloud service provider). The “2” means that of the three locations, two are off-site, which can include an air gap.
When planning backup and recovery strategies, it’s important to have both off-site and onsite backup because organizations can’t afford a single point of failure. For example, if the primary backup of production data is local and onsite, teams could lose access to both primary and backup copies in cases of a flood, hurricane, power failure, or other natural or manmade disaster. Following the 3-2-1 backup rule, however, means having another copy of data off-site that can be recovered even if the two onsite copies are unusable.
Likewise, if teams depend only on off-site backup— either on-premises or in the cloud—they run some risks. Even off-site storage facilities are vulnerable to natural disasters wherever they are located. And for cloud storage, if a cyberattack succeeds in penetrating the cloud, organizations could lose data, unless they have another copy stored onsite. That’s another reason to follow the 3-2-1 backup rule (or one of its flavors).
The growing number and severity of cyberattacks are driving organizations to fortify their IT systems and data. Many follow some form of the time-honored 3-2-1 backup rule. Organizations investing in the Cohesity data security and data management platform have a head start on the 3-2-1 rule and the various industry-leading frameworks, such as the NIST Security Framework.
Cohesity Data Cloud is a purpose-built backup solution for 3-2-1, 4-3-2, and 3-2-1-1-0 strategies alike with defense-in-depth capabilities that include:
Isolation through air gapping requires organizations to keep at least one copy of their data physically and electronically isolated. However, this doesn’t replace existing backup and recovery or DR solutions but provides an extra layer of protection. And although highly secure, this approach does not support RTO and RPO goals.
As a result, backup data is stored in the cloud or another location with a temporary and highly secure connection. This provides a tamper-resistant environment protecting against ransomware while supporting the organization’s RTO and RPO objectives.
Balancing the need for minimizing RTO and RPO and data isolation is the best way to achieve cyber resilience that meets organizational objectives. Cohesity offers new data isolation techniques that integrate with backup and recovery processes to deliver stronger data protection and security strategies, reducing the risk of disruption to business continuity.