
The 3-2-1 Backup Rule is Dead: Long Live 3-2-1-1-0



Ransomware affected 66% of organizations in 2023, according to Sophos' "The State of Ransomware 2023" report. The surge in ransomware attacks has largely been driven by two things: attackers using AI tools to exploit vulnerabilities more effectively, in particular through phishing attacks aimed at your employees, and Ransomware as a Service (RaaS), which allows even novice players to carry out sophisticated attacks with proven, plug-and-play tools and code.


These trends have led to a rethinking of the old 3-2-1 backup rule, which advised companies to have:


  • 3 copies of their data

  • Backed up on 2 different storage devices or media

  • With at least 1 off-site copy (i.e. in a location that is different from where your primary storage lives)


In many ways, it's the move away from tape-based backup systems that has precipitated a need to modify the 3-2-1 rule. Tape-based backups offered a valuable defense against ransomware attacks by virtue of their physical nature. By taking your tapes to offsite storage, you air-gapped them, so bad actors could not reach them through any of your systems.


The first step bad actors take in a ransomware attack is to encrypt, delete, or alter your backup data, silently and sometimes over lengthy periods. This closes a path to recovery, because it makes restoring from backup impossible.


In our tape-based past, your data copies were not subject to manipulation by these bad actors, so you always had a feasible, though often inconvenient, way to restore.


Because modern backup solutions are not air-gapped, we have lost some of those inherent protections. While you can still pursue an air-gapped backup approach, it typically involves a ton of labor, along with less frequent backups and the loss of a convenient, seamless restore.


The good news is that immutable backups give us all the convenience and speed of modern backup methods without exposing our backups to manipulation, deletion, or encryption by a ransomware attack.


What are immutable backups?


Simply put, it means your data can't be changed or deleted in any way (including encryption). You can still set expiration dates for your backups so that you are managing them to the accepted standards for your organization, but for the period for which they are stored they are effectively bulletproof.


Should I use immutable backups for all my data?


It's generally a good idea to use a combination of traditional backups and immutable backups. Immutable backups are more expensive, so they are a good fit for mission critical data with a shorter retention timeframe (i.e. typically set to fit your RPO objective), whereas traditional backups are good for mission critical data that may need longer retention periods or for non-mission critical data such as dev and testing environments.


Most modern backup solutions allow you to mix and match backup methods.


What is the new 3-2-1-1-0 rule?


  • 3 copies of their data

  • Backed up on 2 different storage devices or media

  • With at least 1 off-site copy (i.e. in a location that is different from where your primary storage lives)

  • With at least 1 copy being air-gapped or immutable (as we mentioned, we don't think air-gapped is practical for most companies)

  • With 0 errors after automated testing and recoverability verification
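
The five checks above can be run against a backup inventory. The following is an added example, not code from this article's author or from any backup product. The `Copy` fields and both sample inventories are constructed, and it assumes that the primary copy counts toward the "3 copies" and "2 media" totals and that a backup which has never been restore-tested fails the "0 errors" check.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    media: str                    # storage device or media type
    offsite: bool                 # kept away from where primary storage lives
    protected: bool               # air-gapped or immutable
    verify_errors: Optional[int]  # errors in last automated restore test; None = never tested
    primary: bool = False         # the live production copy

def check_3_2_1_1_0(copies):
    """Evaluate an inventory against each part of the rule; returns {rule: bool}."""
    backups = [c for c in copies if not c.primary]
    return {
        # Assumption: the primary copy counts toward the first two totals.
        "3 copies": len(copies) >= 3,
        "2 media": len({c.media for c in copies}) >= 2,
        "1 off-site": any(c.offsite for c in backups),
        "1 air-gapped or immutable": any(c.protected for c in backups),
        # Assumption: an untested backup fails, since its recoverability is unproven.
        "0 errors": bool(backups) and all(c.verify_errors == 0 for c in backups),
    }

def failures(copies):
    """Names of the rule parts the inventory does not meet, in rule order."""
    return [rule for rule, ok in check_3_2_1_1_0(copies).items() if not ok]

# Constructed sample inventories (not real systems).
CLASSIC = [  # satisfies the old 3-2-1 rule only
    Copy("prod-db", "san", False, False, None, primary=True),
    Copy("local-nas", "nas", False, False, 0),
    Copy("cloud-bucket", "object-storage", True, False, None),
]
HARDENED = [  # off-site copy is immutable and every backup is restore-tested
    Copy("prod-db", "san", False, False, None, primary=True),
    Copy("local-nas", "nas", False, False, 0),
    Copy("cloud-locked", "object-storage", True, True, 0),
]

if __name__ == "__main__":
    for label, inv in (("classic 3-2-1", CLASSIC), ("3-2-1-1-0", HARDENED)):
        print(label, "->", failures(inv) or "compliant")
```
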


By following the new 3-2-1-1-0 rule you are creating an additional layer of protection that will help ensure you always have a copy of your mission critical data to restore to in case of a ransomware attack. This is just one of many measures companies should be taking to ensure their organization is resilient and protected from ransomware attacks.


Ready to talk about protecting your data from ransomware attacks? Contact us here to get started.






