Use the 3-2-1-1-0 rule for better backups

3-2-1-1-0 rule by the numbers 

The 3 in the 3-2-1-1-0 backup rule indicates that for data to be fully protected, there must be at least three copies of the data. While the original 3-2-1 rule reflects the same recommendation, there is a key difference between the two: When the 3-2-1 rule became standard, the recommendation was to have three copies of data, including the original data. The modern 3-2-1-1-0 rule stipulates that backup admins need at least three copies of data in addition to the original data. 

The 2 in the 3-2-1-1-0 rule directs organizations to back up data on two different types of media. The original 3-2-1 rule made the same recommendation, which often meant creating one backup on disk and another on tape. Today, there are other options, such as cloud storage and SSDs. 

The two backup media types should also differ from where the primary backup resides. This might be difficult for an organization that already uses a certain type of storage media, such as disk, for backups. However, there are other ways to incorporate different backup hardware. For instance, an organization might use one vendor's array to store primary data and an array from a different vendor to store backups. 

As in the original 3-2-1 rule, the first 1 in the 3-2-1-1-0 backup rule directs an organization to keep at least one copy of the data offsite. The easiest way to accomplish this is, of course, to store a backup copy in the cloud. Keep in mind, however, much of the original data probably already exists in the cloud. Consider storing backups in an alternative cloud so that primary data and backups do not reside in the same cloud. 

The second 1 in the 3-2-1-1-0 rule reflects the idea that at least one backup copy needs to be kept offline. Simply put, ransomware cannot infect a backup that is not physically connected to the network. An air-gapped backup cannot become compromised during a ransomware attack, so it is critical to have at least one. 

The 0 in the 3-2-1-1-0 is a critical addition to the original standard. This final step directs organizations to verify that the backup contains zero errors. A backup that contains errors might fail to restore properly, so it's important to seek out and resolve errors early. 

Why the 3-2-1-1-0 method is an improvement 

The 3-2-1 rule worked well when it was created back in 2005. However, the world has changed a lot in the last 20+ years. The 3-2-1-1-0 rule is an attempt to modernize the 3-2-1 rule based on the realities that exist today. 

As an example, ransomware in 2005 was not the threat it is today, so the original 3-2-1 rule did nothing to protect against it. However, the updated requirement to keep one copy of the backup offline is meant to be a direct hedge against ransomware attacks. 

Similarly, the original 3-2-1 backup rule did not address the issue of data integrity. At the time when the rule was created, it was relatively easy to verify a backup, but true backup testing was tedious and expensive. The modern rule, however, emphasizes the importance of making sure that your backup is usable. 

Shaping a backup strategy around 3-2-1-1-0 

Although the 3-2-1-1-0 rule provides a general backup strategy, organizations must figure out for themselves how best to implement this strategy.  

While there is no such thing as a universally applicable approach to aligning backups with the rule, many organizations have adopted a tiered approach. Since the 3-2-1-1-0 rule requires three backup copies, the three copies are handled as three separate tiers: 

Tier 1 is the backup of the organization's primary production data. These backups are created frequently and are designed for rapid recoverability. 

Tier 2 is geared toward long-term data retention. These backups are created less frequently, but can be useful for archiving or compliance purposes. As an example, some organizations will perform a weekly full backup that is written to low-cost archive storage in the cloud. 

Tier 3 consists of data written to offline, air-gapped media. Such backups might, for instance, be written to tape or to a removable hard disk. The media itself is rotated so that several copies are always available. As an example, an organization might create a daily tape backup, with a two-week rotation cycle. 

It’s worth noting that it’s important to build redundancy into the individual tiers as a way of protecting the organization against hardware failure. The Tier 1 storage could, for instance, be replicated to a separate storage array. 

Following the 3-2-1-1-0 rule in practice  

Transitioning from a backup that is based on the 3-2-1 backup rule to a 3-2-1-1-0 backup does indeed incur extra costs. The largest of these costs usually comes in the form of extra backup storage. Other costs might include backup infrastructure, software licenses, and labor costs related to backup verification and testing.  

While adherence to the 3-2-1-1-0 rule comes at an additional cost, these expenses are absolutely justified, particularly when viewed through the lens of risk mitigation and business continuity. The cost required to modernize an organization’s backups is usually far less than the cost of a data loss event and the subsequent reputational damage and regulatory fines. 
 
There are several concrete steps an organization can take to prepare for a transition to a 3-2-1-1-0 backup strategy. Some of these steps might include the following: 

• Identify critical RPO / RTO requirements. 

• Base the backup schedule on established requirements. 

• Purchase infrastructure and media that can be used for air gapped backups. 

• Determine how frequently backup media will need to be rotated and when media should be retired. 

• Determine how offline media can be stored securely and protected from fire or other disasters. 

• Come up with a plan for backup testing. 

• Document everything. 

Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.