3-2-1 Backup Rule. Is it still up to date?

The backup strategy is almost as important as the data protection solutions used. Importantly, companies are gaining new opportunities in this area – alongside the standard 3-2-1 rule, new concepts are emerging. What are they changing, and how can they realistically affect company data security? We invite you to read on.

Farewell to the 3-2-1 rule (?)

Until recently, people were divided into those who do Backup and those who will do it. However, this formula has become outdated in recent times, and only the most inconsiderate users fail to make backups. What explains the sudden increase in the awareness of Backup? The two main reasons are the increase in the value and importance of data and the increase in cyber-attacks. In the latter case, ransomware has the most severe effect on businesses.

According to Coveware, in Q4 2021, the average decryption fee was $322,168, a 130 percent increase from the previous quarter. Interestingly, in as many as 84 percent of attacks, the attackers made their victims’ data public. In the coming months, data protection will present even more difficulties than before because of the war in Ukraine. Security experts are under no illusions – Russian hackers are expected to retaliate against the West in the coming months, resulting in unprecedented cyber-attacks. To put it simply, this means that the risk of data loss will increase to unprecedented levels.

Experts are calling for the replacement of Backup and DR solutions. But buying new software or hardware is only the first step and is akin to an army purchasing the most modern weapons. Even investing in the best tanks and combat aircraft does not guarantee victory. The generals need to develop an action strategy and put everything together carefully. Data protection is no different. Many IT managers choose a method that has been used for years, referred to as 3-2-1. Its popularity has further increased after ransomware attacks such as Petya. IT departments have learned an important lesson from this unpleasant experience: data should not remain solely on the user’s computer, and server resources must be adequately backed up to remote locations.

However, in recent years alternative concepts to 3-2-1 have been emerging. Are they worth considering, or is it better to stay with a familiar formula? There is no clear answer to this question. However, to obtain a solution, it is necessary to assess: the advantages and risks of each medium, financial resources, and needs, such as the amount of data to be archived, the protection of sensitive data (customer data, identifiable information), and data availability (permanent archiving, temporary backups).

Iron rule 3-2-1

The 3-2-1 backup rule has been in use for many years and is supported by solution providers, businesses, and governments. For example, the White House Administration recommends in the US-CERT (Computer Emergency Readiness Team) document the implementation of this very formula. The 3-2-1 backup rule states that three backups must be kept, two of which should be on two different media (usually disk and tape), while one copy must be outside the primary data center.

How does this work in practice? One example of the use of three replicas is Windows Fabric, a technology known from Windows Server. The server has two active copies and one passive copy in case of failure. The result is that the company has three backups of the same data set. Ultimately, one of the three data replicas can be used to restore service, application, data, or an entire virtual machine. This solution minimizes the risk associated with the loss of one of the drives where the copy is stored, as there will always be two other replicas available. Often the cause of data loss is damage to the disk array, e.g., caused by a faulty batch of disks. Therefore, it is worth thinking about additional storage media in addition to a NAS system. This could be tape (the most common solution), independent disk shelves available only in ‘read only’ mode, cloud storage, or Backup as a Service (BaaS).

It is also risky to store backups in a single location; hence many organizations choose to move key ones out of the main data center. This is the most effective way to protect data from potential threats (floods, fires, earthquakes). As a result of various external factors, the server room can be destroyed, and with it, the data stored there. However, if the data is in another location, it is not at risk. Another issue is related to ransomware. One of the most destructive attacks in history, which used the Petya malware, involved encrypting data across the entire attacked organization – in a split second, all essential services became unavailable.

Is the 3-2-1 rule not as perfect as it is made to be?

According to some experts, the set of previously iron-clad 3-2-1 principles can no longer stand the test of time. The very idea of making three copies is not objectionable, as it makes it easy enough to recover data lost due to a disaster or cyber-attack. But the rule concerning the use of two different media raises some controversy among specialists. The concept boils down to one of the media being accessible from the production system for quick recovery. In addition, such a solution is intended to protect valuable files such as photos or documents. Permanent damage to a mechanical drive will not result in their loss, as they will be retained, for example, on tape. Critics say this solution could be a problem for an organization that needs quick access to backups for recovery, testing, creation, and analysis. Different file systems and protocols can create more layers of complexity and cost in terms of compliance, as stored data must be treated similarly across all stored instances.

Mostly, however, the idea of different media seems redundant in light of the development of the cloud. In other words, the ability to move data off-site to the cloud is available cheaply and with sufficient bandwidth in a way that was not possible when the 3-2-1 rule was invented. Of course, tape still has its place, but it is used for archiving for the most part.

Data stored on tapes is additionally protected by an air gap, which is created once the recording is completed and the medium is removed from the drive. In this way, the data is not permanently connected to servers or networks and is thus not exposed to additional attacks, damage, deletion, or encryption.

Alternatives to 3-2-1

While most organizations use the 3-2-1 rule or have no backup strategy in place, there are innovators implementing new concepts. One such example is the 3-2-2 method.

What differentiates it from 3-2-1 is that two backups are stored off-site, with one of them being in a cloud environment. This helps to reduce the risk of data loss due to natural disasters, fire, theft, power surges, or cyber-attacks to almost zero.

Another relatively new option is 4-3-2. In this case, four copies of the data are stored in three locations, but two of these must be off-site. The 4-3-2 strategy means that backups are duplicated and geographically distant from one another to protect against natural disasters. Backups are also stored on two separate networks, isolating them from production networks in the event of a breach. Finally, stored copies are immutable, protecting them from being deleted or encrypted if a hacker gains access to the systems.

Slightly more complex than those mentioned above is the 3-2-1-1-0 rule. This model stores three copies of data, on at least two types of storage media, with one of the copies in a different location and one copy offline or air-gapped. Somewhat mysteriously, the ‘0’ in this formula means that data recovery solutions must not contain any errors. Maintaining this condition involves:

  • Monitoring the data daily.
  • Correcting any errors as soon as they are detected.
  • Carrying out regular restore tests.
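
The rules described above can be checked mechanically against an inventory of backup copies. The following Python code is an added example, not code from this article or from Storware; the BackupCopy fields, the gaps function and the sample inventory are assumptions made for illustration, and the 4-3-2 checks follow this page's description of that rule (two off-site locations, separate networks, immutable copies).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:               # hypothetical inventory record
    name: str
    medium: str                 # "disk", "tape", "cloud", ...
    site: str                   # physical location label
    offsite: bool               # outside the primary data center
    network: str = "prod"       # network segment the copy is reachable from
    offline: bool = False       # air-gapped, e.g. tape removed from the drive
    immutable: bool = False     # cannot be deleted or overwritten
    restore_errors: int = 0     # errors found by the most recent restore test

def gaps(copies):
    """Return {rule: [unmet requirements]}; an empty list means the rule is met."""
    media = {c.medium for c in copies}
    sites = {c.site for c in copies}
    off = [c for c in copies if c.offsite]
    off_sites = {c.site for c in off}
    nets = {c.network for c in copies}

    def check(*conds):
        return [msg for ok, msg in conds if not ok]

    base = [(len(copies) >= 3, "fewer than 3 copies"),
            (len(media) >= 2, "fewer than 2 media types")]
    return {
        "3-2-1": check(*base, (len(off) >= 1, "no off-site copy")),
        "3-2-2": check(*base,
                       (len(off) >= 2, "fewer than 2 off-site copies"),
                       (any(c.medium == "cloud" for c in off), "no off-site cloud copy")),
        "4-3-2": check((len(copies) >= 4, "fewer than 4 copies"),
                       (len(sites) >= 3, "fewer than 3 locations"),
                       (len(off_sites) >= 2, "fewer than 2 off-site locations"),
                       (len(nets) >= 2, "all copies on one network"),
                       (all(c.immutable for c in copies), "mutable copy present")),
        "3-2-1-1-0": check(*base,
                           (len(off) >= 1, "no off-site copy"),
                           (any(c.offline for c in copies), "no offline/air-gapped copy"),
                           (all(c.restore_errors == 0 for c in copies), "restore test errors")),
    }

# Constructed sample inventory (not from the article).
INVENTORY = [
    BackupCopy("nas-primary", "disk", "hq", offsite=False),
    BackupCopy("tape-vault", "tape", "vault", offsite=True, network="none", offline=True),
    BackupCopy("cloud-bucket", "cloud", "cloud-eu", offsite=True, network="backup",
               immutable=True, restore_errors=2),
]
```

Running gaps(INVENTORY) shows that a setup can satisfy 3-2-1 and 3-2-2 while still failing 3-2-1-1-0 solely because the last restore test reported errors, which is the condition the ‘0’ enforces.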

Any backup strategy is better than no strategy at all. And don’t dismiss the still most popular 3-2-1 concept, as long as it allows you to recover data lost in the event of a natural disaster, a lost laptop, or accidental deletion. In summary, the minimum setup should follow three basic guidelines:

  • at least three copies of the data must be kept,
  • copies of the data must be in different locations distant from one another,
  • at least one copy of the data must be on the company’s premises so that data can be restored quickly.

Fortunately, modern data protection solutions such as Storware Backup and Recovery let you implement your desired backup strategy right out of the box.

Text written by: Pawel Maczka, CTO at Storware