Rethinking the 3-2-1 Backup Strategy

With the rise of ransomware attacks, it has become crucial for businesses to adapt and innovate on their backup policies and procedures so that they remain effective against these attacks.

In 2022, 493.33 million ransomware attacks were detected by organisations worldwide. These attacks involved cyber criminals leveraging malware, encryption, and network intrusion to restrict access to a company’s data, encrypt it and disable backups.

Having appropriate backups and disaster recovery protocols in place allows for the swift restoration of ransomware-infected systems, effectively foiling attackers’ plans: a company that successfully restores its systems from backups circumvents the attack and has no need to meet any ransom demand. Attackers, however, have learned how to erase or destroy backups at the same time as they encrypt and lock production files.

The 3-2-1 Approach 

For decades, the 3-2-1 backup policy has served as the established benchmark for guaranteeing backup security. This method involves generating three copies of data, utilising two different storage mediums, and ensuring that at least one backup is stored offsite. Ideally, the backup should also be immutable, meaning it remains unalterable, undeletable, and undecryptable within a designated timeframe.

Over the past two decades or so, the typical interpretation of “two diverse media” in the 3-2-1 backup policy involved storing one copy on traditional hard disks and the other copy on tape. Immutability was commonly achieved by physically storing the tape in a cardboard box or rendering the tape cartridge un-writable by breaking a plastic tab. Duplicating the backup files across two corporate data centres was the most common method for creating an offsite copy.

However, with the advent of cloud technology, there has been a significant shift in backup storage practices. The cloud has emerged as a popular destination for storing backups, prompting many companies to reassess the traditional 3-2-1 policy. Nowadays, most organisations adopt a hybrid approach. Due to the cloud’s limited bandwidth, backups are initially directed to a local storage appliance, which generally offers faster speeds compared to backing up directly to the cloud. The same applies to restoring from backups, as retrieving from a local copy is consistently faster.

However, a challenge arises if the local backup has been destroyed by hackers. In such cases, the backup copy stored in the cloud becomes crucial. Many cloud storage providers now offer “immutable” storage, ensuring that data is locked and cannot be altered or deleted. This immutability feature acts as a safeguard against hackers destroying backups. Additionally, the cloud inherently satisfies the offsite requirement of the 3-2-1 backup policy, providing protection in the event of local disasters such as fires or floods. Even if the local backup is damaged, the cloud copy remains intact.

As for the third copy, the need for two different types of media is no longer widely recognised. The prevailing practice today is to replicate the cloud copy to a second cloud location, preferably at least 500 km away. Both cloud copies should have immutability features in place, ensuring the integrity and security of the backups.

Apart from ransomware attacks, there are various other factors that lead to the loss of primary data for companies, necessitating the restoration from backups. Human error stands as a prevalent factor, often resulting in inadvertent deletion or corruption of primary data due to actions like clicking the wrong button. Remarkably, according to a report in 2022, a staggering 95% of cybersecurity threats faced by individuals can be attributed, in some manner, to human error. Additionally, equipment failures can occur as well. Even if the local backup device fails, the existence of cloud copies provides a safety net. Most hard drives do not last forever and the majority of them will eventually fail. While software like RAID enhances disk array reliability, it does not eliminate the possibility of failures.

Generally, cloud storage vendors offer significantly higher data durability compared to on-premises storage devices. Leading providers like Microsoft, Google, Amazon, and Wasabi have adopted the gold standard of 11 nines of durability. This level of durability entails that if a user were to store one million objects, statistically, only one object would be lost every 659,000 years. That’s why incidents of cloud storage vendors losing customer data are rare. With two copies stored in different cloud data centres, the likelihood of data loss due to equipment failure becomes virtually zero, meaning that the traditional requirement of two different media is no longer necessary.

Furthermore, the second cloud copy significantly enhances the availability of backup data in addition to its durability. While the storage itself may exhibit 11 nines of durability, entire data centres may experience occasional downtime due to communication failures, resulting in lower availability of around 4 nines. By having two separate cloud copies, even if one cloud data centre is offline, you can still access your backups from the second cloud data centre. In the case of a ransomware attack, it is safe to presume that the local copy will likely be wiped out, making restoration from the cloud imperative. If, for any reason, the cloud itself is offline, your business operations will remain halted until you can access your backups. This underscores the importance of investing in two cloud copies for improved business continuity.

The Significance of an “Air-Gapped” Backup Strategy

In order to swiftly recover data and minimise disruption to business operations in the event of an attack, organisations must prioritise effective backup strategies. Backup software vendors are now advocating for a new approach that supersedes the traditional 3-2-1 strategy. This updated method is known as the 3-2-1-1-0 strategy, which entails maintaining three copies of data in at least two locations, with one copy stored offsite and one copy stored immutably, while also being regularly tested for zero errors.
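As an added illustration (not code from the author or any backup vendor), the 3-2-1-1-0 rule described above can be checked mechanically against a backup inventory. The inventory fields, the sample copies and the 30-day limit on test-restore age are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str                      # site or cloud region holding the copy
    offsite: bool                      # True if outside the primary site
    immutable_until: Optional[date]    # retention-lock expiry; None = no lock
    last_restore_test: Optional[date]  # last test restore; None = never tested
    restore_errors: Optional[int]      # errors seen during that test

def check_3_2_1_1_0(copies, today, max_test_age_days=30):
    """Evaluate each clause of the 3-2-1-1-0 rule; returns {clause: passed}."""
    oldest_ok = today - timedelta(days=max_test_age_days)  # assumed test cadence

    def tested_clean(c):
        return (c.last_restore_test is not None
                and c.last_restore_test >= oldest_ok
                and c.restore_errors == 0)

    return {
        "3_copies": len(copies) >= 3,
        "2_locations": len({c.location for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        # An expired lock no longer protects the copy from deletion.
        "1_immutable": any(c.immutable_until is not None
                           and c.immutable_until > today for c in copies),
        # Every copy must have a recent, error-free test restore.
        "0_errors": len(copies) > 0 and all(tested_clean(c) for c in copies),
    }

def failed_clauses(copies, today, max_test_age_days=30):
    """Names of the clauses the inventory does not satisfy, in rule order."""
    result = check_3_2_1_1_0(copies, today, max_test_age_days)
    return [clause for clause, ok in result.items() if not ok]

# Constructed inventory: local appliance plus two cloud copies (hybrid layout).
TODAY = date(2024, 3, 1)
INVENTORY = [
    BackupCopy("local-appliance", "hq-datacentre", False, None, date(2024, 2, 20), 0),
    BackupCopy("cloud-primary", "cloud-region-a", True, date(2024, 6, 1), date(2024, 2, 25), 0),
    BackupCopy("cloud-replica", "cloud-region-b", True, date(2024, 6, 1), date(2023, 11, 2), 0),
]

if __name__ == "__main__":
    print(failed_clauses(INVENTORY, TODAY))
```

In this constructed inventory the replica's last test restore is months old, so the only clause that fails is the "0" for tested, error-free restores.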

The immutability aspect of the backup, often referred to as being “air-gapped,” ensures that it remains physically or logically disconnected from the corporate network, rendering it invisible to any intruders who may have breached the network. This air-gapped characteristic is achieved by relying on the cloud vendor to handle the replication of the cloud copies. Instead of users backing up to two distinct cloud locations, they back up to a single location, and the cloud vendor takes care of the replication process in a manner that remains entirely concealed from the network.

Implementing an air-gapped backup strategy is crucial to guaranteeing that organisations can restore their data without the risk of infection or loss. By combining this approach with regular monitoring and testing of backup functionality, businesses can maintain their operations even in the face of an attack, thereby mitigating potential damages and financial losses resulting from a cybersecurity breach.

Given the escalating frequency and increasing sophistication of cyber attacks, coupled with the continuous advancements in durability capabilities offered by vendors, organisations must take proactive measures to safeguard their data. It is essential to regularly assess and audit existing security strategies in light of new advancements to ensure ongoing high-quality protection.

While the traditional 3-2-1 backup approach serves as a fundamental measure to initiate safeguarding practices against cyber threats, it alone is no longer adequate to provide state-of-the-art protection against modern cyber threats. To effectively guard against data loss or damage, organisations must now adopt an air-gapped backup strategy. This strategy involves physically segregating backups from primary and secondary data stores, making it the most effective method available today to ensure robust protection against cyber threats.


About the Author

David Friend is Co-Founder and CEO of Wasabi Technologies. Wasabi is the hot cloud storage company. Hot cloud storage is fast to write, low-cost, and reliable cloud storage. Wasabi delivers fast, low-cost, and reliable cloud storage. Amazon locks companies into their expensive storage and nobody likes vendor lock-in. Wasabi Hot Cloud Storage is 1/5 the price of Amazon S3 and faster than the competition with no fees for egress or API requests.
