
Understanding the 3-2-1 Backup Rule


Last updated January 18th, 2023 by Joshua Smith in Security, Explainer


While data disasters are inevitable, a planned backup strategy can mitigate their damaging effects. According to the Cybersecurity and Infrastructure Security Agency, businesses and organizations should observe the 3-2-1 backup strategy for assured data safety.

At its simplest, the 3-2-1 backup rule is a backup strategy that increases and diversifies the number of backups used. According to the rule, you should have a minimum of three copies of data, two backups on different media, and one offsite or in the cloud to manage your data effectively. Read on to understand more about the 3-2-1 backup rule.

The 3-2-1 Backup Rule Explained

The 3-2-1 backup rule has the following requirements:

Maintain Three Copies of the Data

The first part of this strategy is ensuring that you have at least three different copies of important data. The first copy should be the original or production data used for conventional purposes. The other copies are kept as backups. All copies should be configured and stored so that each remains intact even if the other copies disappear or fail.

Note that all copies should hold the same version of the information. You can't satisfy the first rule of this strategy if one copy of backed-up data differs from the other two copies. While you can create data backups at different points in time, doing so isn't part of the 3-2-1 backup rule.

Use Two Storage Media for Data

According to the second part of the rule, two copies of backed-up data should be stored on two physically independent devices. One of the storage devices might be a file server, while the other is a network-attached device or flash drive. You shouldn't store different copies on different hard drives on the same server.

Doing so means you'll lose both copies if the server fails or is inaccessible. For the same reason, you can't satisfy the 3-2-1 backup rule by keeping multiple copies of backups in the same cloud or RAID array.

One Data Copy Should Be Stored Offsite

The third part of this rule is ensuring that one copy of your sensitive data is stored offsite, in a different place than the other data copies. This means you shouldn't store both backup copies in your office. Keep one copy in your office and another on a different physical site.

Benefits of the 3-2-1 Backup Rule


Backups are crucial for all businesses and organizations. The 3-2-1 backup rule provides additional benefits, which include:

  • Spreads out backup locations – the strategy spreads out sensitive information to multiple locations. This prevents damage, data loss, and possible breach if one storage location is compromised.
  • Not reliant on one backup – This backup strategy ensures that organizations have multiple copies of sensitive data in different storage sites. Data won't be lost if one backup location is damaged.
  • Increases data protection – diversifying backup copies using the 3-2-1 Backup rule protects data while ensuring that your information is available when needed.

What Are the Pros and Cons of the 3-2-1 Backup Rule?

The 3-2-1 backup rule is undoubtedly an easy data backup strategy. It is a tried and tested backup method that organizations should follow. This rule helps organizations mitigate the disastrous effects of data breaches or loss, especially if one backup location fails.

Unfortunately, the 3-2-1 backup rule isn't a backup solution for all organizations. It should serve as a baseline backup strategy, not a hard-and-fast rule. The rule also hasn't evolved with technology, which makes it an outdated method for some organizations.

The 3-2-1 Backup Rule Tips

Consider the following tips to make your 3-2-1 backup strategy successful:

  • Ensure the two backup copies are not on the same machine – the two copies, not including the original copy, shouldn't be stored on the same device. If you do this, you'll lose both copies if the machine fails. Storing backup copies on separate machines diversifies backup and increases data protection.
  • Have backups of your onsite storage – you should evaluate the business benefits of onsite data storage for additional data protection.
  • Minimize cloud storage – while cloud storage options are effective, maintaining them is costly, especially if you have large amounts of backed-up information. Prioritize sensitive information to be stored in the cloud. This helps minimize costs by ensuring that you store only important data.
  • Automate backups – organizations should automate backups to avoid manual backups, which are prone to error. Automated backups are also secure.
  • Test backup copies – backups can fail, and data might get corrupted. Always test backups to verify and restore crucial information.
  • Consider other alternatives – using the 3-2-1 backup rule is one part of the data backup and recovery plan. Also consider additional options, such as data encryption and monitoring backed-up data for malware.

How Can the 3-2-1 Backup Rule Be Faulty?

Several practices that guide current backup systems conflict with the 3-2-1 backup rule. For instance, cloud-based backup service providers store backed-up data in one server within the same storage facility. This goes against the 2 and 1 aspects of the 3-2-1 rule.

Despite advancing technologies, it is common for individuals using public cloud backup services to create snapshots of the backup resources. However, these images are stored in the same account used by the primary storage system. This means that if hackers gain access to the primary account, they can infiltrate and delete both primary and secondary data copies.
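
The three requirements explained earlier and the shared-account problem described in this section can be checked mechanically against an inventory of copies. The following Python check is an added example, not code from the article; the `Copy` fields, the inventory names and the finding strings are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    device: str    # physical device or array holding the copy
    site: str      # physical location of that device
    account: str   # account whose credentials can delete the copy
    digest: str    # SHA-256 of the copy's contents (same digest = same version)
    primary: bool = False

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_321(copies):
    """Return findings; an empty list means the inventory meets the rule."""
    primary = next((c for c in copies if c.primary), None)
    if primary is None:
        return ["no production copy in inventory"]
    findings = [f"{c.name}: content differs from production copy"
                for c in copies if c.digest != primary.digest]
    good = [c for c in copies if c.digest == primary.digest]
    backups = [c for c in good if not c.primary]
    if len(good) < 3:
        findings.append(f"3: only {len(good)} identical copies")
    if len({c.device for c in backups}) < 2:
        findings.append("2: backups do not span two independent devices")
    if not any(c.site != primary.site for c in backups):
        findings.append("1: no backup is stored offsite")
    if backups and all(c.account == primary.account for c in backups):
        findings.append("account: every backup is deletable from the production account")
    return findings

# Constructed sample inventories (hypothetical names, not from the article).
V2 = sha256(b"customer-db 2023-01-18")
V1 = sha256(b"customer-db 2023-01-11")
COMPLIANT = [
    Copy("prod", "fileserver-1", "office", "corp-admin", V2, primary=True),
    Copy("nas", "nas-1", "office", "backup-svc", V2),
    Copy("cloud", "bucket-a", "cloud-region", "backup-vault", V2),
]
SNAPSHOT_ONLY = [  # snapshots on the same volume, in the same account as production
    Copy("prod", "cloud-vol", "cloud-region", "corp-admin", V2, primary=True),
    Copy("snap-1", "cloud-vol", "cloud-region", "corp-admin", V2),
    Copy("snap-0", "cloud-vol", "cloud-region", "corp-admin", V1),
]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT), ("snapshot-only", SNAPSHOT_ONLY)):
        print(label, check_321(inv) or "OK")
```

The snapshot-only inventory fails all three parts of the rule and the account check, even though it lists three entries.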

Is 3-2-1 the Best Backup Strategy?

The 3-2-1 rule is undoubtedly a pivotal guideline that improves data backup. It is among the top practices recommended by information security experts and a good option for individuals and small businesses. However, with increasing ransomware attacks, organizations should build on the basic principles of 3-2-1.

Current cyberattacks target the entire network, increasing the risk of capturing all data stored in the network, backups included. This is a significant issue for individuals and small businesses, as it can force unexpected downtime. If this happens, the 3-2-1 backup rule might not be sufficient to save important organizational data.

The Bottom Line

Around 39% of businesses and organizations don't have a solid incident response plan for data breaches and cyberattacks. Such organizations can suffer consequential losses in case of a crisis. You should evaluate your current data backup plan. Ensure that it meets the 3-2-1 backup rule and determine if backup as a service (BaaS) might benefit your organization.

Joshua Smith

Joshua Smith is a data content specialist residing in Austin, TX, working with the Pure Storage team on research related to open-source software and data backup technologies.
