Why the 3-2-1 backup strategy is obsolete

·6-min read
 Hand increasing the protection level by turning a knob
Hand increasing the protection level by turning a knob

In an era of escalating ransomware attacks, good backup policies and procedures have become essential. In 2022 alone, 236.1 million ransomware attacks were detected globally. Cyber criminals are using malware, cryptography and network infiltration to lock firms out of their data by attacking storage, encrypting data, and disabling backups. The prevalence of ransomware attacks, where businesses are forced into financial ultimatums by holding their systems and backups hostage, makes it imperative for businesses to improve their security and consequently their data backup protocols.

With proper backups and disaster recovery procedures, systems infected with ransomware can be restored fairly quickly, thus thwarting the attackers. However, hackers have learned to delete or destroy backups at the same time they are encrypting and locking production files. If their targets can restore their systems from backups, then obviously they won’t need to pay the ransom.

The 3-2-1 policy

The 3-2-1 backup policy has been around for decades and represents the traditional “gold standard” for ensuring the safety of backups. It entails the creation of three data copies, using two diverse storage media, with at least one backup being offsite. Preferably, the backup should also be immutable, meaning no-one should be able to delete, alter or encrypt the backup within an assigned timeframe.

For the past 20 years or so, the “two diverse media” generally meant one copy on traditional hard disks and the other copy on tape. Immutability was most commonly achieved by literally taking the tape and putting it away in a cardboard box, or breaking a plastic tab on the tape cartridge rendering it unwritable. While creating the offsite copy was most frequently done by replicating the backup files across two corporate data centers.

Enter the cloud. In recent years, the cloud has emerged as a popular destination for storing backups. Its introduction has caused most companies to reevaluate the traditional 3-2-1 policy. Most organizations are adopting a hybrid approach. Because the cloud has limited bandwidth, backups are first targeted to a local storage appliance, which is generally faster than backing up directly to the cloud. The same is true for restoring from backups. Restoring from a local copy will always be faster. However, what if the hackers have destroyed the local backup (which is highly likely)? Then one would turn to the copy in the cloud.

Most cloud storage vendors today offer “immutable” storage, meaning that it is locked and cannot be altered or deleted. This immutability is just what you need to keep hackers from destroying your backups. And the cloud is always “off-site,” thus satisfying one of the most important requirements of the 3-2-1 backup policy. If there is a fire or flood or anything that damages the local backup, you will still have the cloud. As for the third copy, people no longer see a need for two different kinds of media. The most common procedure today is to replicate the cloud copy to a second cloud location, preferably one that is at least 500 km away. Both cloud copies should be immutable.

In addition to ransomware attacks, there are other reasons that companies lose their primary data and are forced to restore from backups. The most common of these is human error – somebody clicks the wrong button and accidentally erases or corrupts the primary data, for example. But equipment can also fail. If the local backup device fails, you still have the cloud copies. Hard drives have a limited life span and most will eventually die. Software, such as RAID, makes disk arrays tolerant of disk failures, but it doesn’t eliminate them.

In general, cloud storage vendors offer much higher data durability than on-premises storage devices. The gold standard adopted by Amazon, Google, Microsoft, and Wasabi, is 11 nines of durability. If you run the math, 11 nines of durability means that if a user gives you one million objects to store, statistically you will lose one object every 659,000 years. That’s why you never hear about cloud storage vendors losing customer data. If there are two copies in two different cloud data centers, the chances of losing data due to equipment failure is essentially zero. This level of durability makes the old “two different media” requirement obsolete.

In addition to adding durability, the second cloud copy greatly enhances the availability of backup data. While the storage itself may have 11 nines of durability, entire data centres do go offline from time to time due to communications failures. The availability of a data centre is usually more like 4 nines. With two separate cloud copies, if one cloud data centre is offline, you can still reach your backups at the second cloud data centre. In the case of a ransomware attack, you can assume that the local copy will be destroyed so you would be relying on restoring from the cloud. If the cloud is offline for some reason, your business will be down until you can get to your backups. That’s why having two cloud copies is a good investment.

The importance of an “air gapped” backup strategy

Overall, in the event of an attack, organizations need to be able to quickly recover their data and reduce disruption to their business operations. Backup software vendors are now promoting a new strategy to replace the old 3-2-1 strategy. They call this the 3-2-1-1-0 strategy. It stands for 3 copies, in at least 2 locations, with 1 copy offsite, 1 copy stored immutably, and tested for zero errors. The immutable copy is often referred to as "air gapped" because it is not physically or logically connected to the corporate network and hence is invisible to anyone who has penetrated the corporate network. This “air gapped” characteristic is achieved by leaving the replication of the cloud copies to the cloud vendor. So, rather than the user backing up to two different cloud locations, the user backs up to only one. The cloud vendor then does the replication in a manner that is completely invisible to the network.

This approach is an essential measure to ensure that organizations can restore their data without the fear of infection or loss. With an air-gapped backup strategy in combination with regular monitoring and testing of backup functionality, businesses can continue to operate even in the face of an attack, reducing the potential damage and financial losses that can result from a cybersecurity breach.

With the increasing frequency and sophistication of cyber attacks and the fact that durability capabilities for vendors are always advancing, organizations must be proactive about their security strategies and regularly audit their existing strategies against new advancements to ensure ongoing best-of-breed protection for their data. Though the conventional 3-2-1 backup approach remains a key tactic to begin establishing safeguarding practices against cyber threats, this approach alone is no longer sufficient to provide cutting-edge protection against modern cyber threats. The implementation of an air-gapped backup strategy, involving backups physically separated from primary and secondary data stores, is now the most effective method organisations can employ to ensure against data loss or damage.

We've featured the best endpoint protection software.