What is the 3-2-1 backup rule? Data backup best practices

Rachel Bishop
Rachel Bishop|November 13, 2023
General blog image
General blog image

The 3-2-1 backup rule states that organizations should have

  • (3) copies of their data on

  • (2) types of media (e.g., an external drive and cloud storage) and

  • (1) offsite copy.

The 3-2-1 backup rule is a great starting point if you want to implement a backup strategy for your organization’s data.

What is a backup strategy?  

A backup strategy is a critical component of an organization’s disaster recovery plan. This is the plan that stays right next to the fire extinguisher in the glass case in the hallway.

Should your organization fall victim to a cyberattack or natural disaster, a devised and tested backup strategy helps you minimize downtime and get back up and running as soon as possible. 

The 3-2-1 backup rule in practice

Let’s talk about what the 3-2-1 backup rule might look like in a business setting.

3 copies

First, you should have three copies of your data. The first copy lives in your environment, on your devices’ hard drives. The other two copies might live on another machine, an external hard drive, a server, or in the cloud.

2 media

Media diversification is important in the 3-2-1 backup rule. For maximum efficiency, back up your data to two different storage media types. These media might be cloud resources (such as Google Drive or Microsoft OneDrive), servers, hard drives, or even external drives. Back in the day, it was floppy disks (and if you remember these days like we do, don’t forget to take your ibuprofen).

1 offsite copy

Make sure you save at least one backup copy at an external location — one that’s physically distant from your main data. This provides an extra layer of protection during events such as natural disasters and network compromises. A hurricane may hit your office in Florida, but the chances of that hurricane moving on up and hitting your offsite copy in Wyoming are slim to none. By that same token, an offsite data backup remains untouched should your network be compromised.

Pros of the 3-2-1 backup rule

The 3-2-1 backup rule is great because it’s easy to remember — and easy to follow. It’s the first real backup rule that the security community has tweaked to fit into today’s modern world. While the 3-2-1 backup rule is dated (it was first introduced in the early 2000s), it still provides the groundwork to build a more modern backup strategy for your environment.

Fun fact: Did you know that a photographer is credited with creating the 3-2-1 backup rule?

Peter Krogh first wrote about this backup strategy in his book Digital Asset Management for Photographers. It’s hard to imagine how many photos he must have lost to have created the grandparent of today’s modern backup rules.

Should you find yourself in a pinch, the 3-2-1 backup rule can help you get your environment back up and running because your backup has a backup … and that backup has a backup. By saving your data three times, two ways, and in one additional location, you’re lessening the chances that a cyberattack or natural disaster will be the nail in the coffin for your business.

Cons of the 3-2-1 backup rule

Because of its age, the 3-2-1 backup rule doesn’t comprehensively cover modern challenges. For example, think about what happens during a ransomware attack. Your data becomes encrypted against your will and held for ransom. In this instance, any media discoverable via your network is at risk of compromise.

This is why more recent takes on the 3-2-1 backup rule call for immutable, air-gapped backup copies. You can write to immutable backups once and only once. After that, they can’t be altered — not even by the savviest of hackers. And you can’t touch air-gapped backup copies because they’re segregated from your main network. This isolation makes it so threat actors would need to be in the same physical vicinity as your data to do anything with it.

Why you need a backup strategy 

A backup strategy is arguably the most important part of any disaster recovery plan. If there’s one thing you can bet on, it’s that you will at some point need to deal with a cyberattack. We have to approach disaster recovery plans as though an imminent attack is looming right over our heads — because it might be.

Just like you can’t slap down an UNO reverse card on a hurricane to send it back to sea, it’s impossible to guarantee that your environment is completely safe from cyberattacks, no matter how you build your security stack. And that’s why we move on to the next best thing: preparedness.

During a cyberattack, the last thing you want is to add to the chaos because you don’t have a disaster recovery plan or backup strategy. Having these prepared and tested plans ready to go when the worst happens is the first step in ensuring business continuity.

RAID backups

Some organizations (particularly enterprises) might include redundant array of independent disks (RAID) in their backup strategies. RAID technology ensures redundancy in your backups by storing multiple copies of the same data on several hard disks or drives. And should your hardware fail, RAID technology can get you back up and running much faster, even if you have terabytes of data.

However, RAID technology is susceptible to threats, such as ransomware or data corruption. If you choose to rely on RAID technology, be sure to make it part of your backup strategy, not your entire backup strategy.

Other backup strategy alternatives

While the 3-2-1 backup rule served its purpose, there are a few more modern alternatives for backup strategies.

The 3-2-1-1-0 backup rule

Despite its name, the 3-2-1-1-0 backup rule isn’t just a bunch of random numbers in descending order … promise. 🙂 The 3-2-1-1-0 rule builds off the 3-2-1 rule, adding two extra components:

  • (1) air-gapped OR immutable backup

  • (0) errors

Again, air-gapped and immutable backups are necessary to protect against more modern risks, such as ransomware attacks. If you isolate your read-only data, you increase your chances of getting back up and running quickly should the worst happen.

And, of course, your backups won’t do you much good if there’s a problem during the backup process. Make sure each backup you perform completes successfully with no errors.

The 4-3-2 backup rule

Keeping with our trend of replacing the usual alphabet soup with numbers soup, let’s move on to the 4-3-2 backup rule. This rule consists of

  • (4) copies

  • (3) media types

  • (2) offsite copies

In other words, your backups’ backups’ backups have backup copies. (Still with me?) It’s essentially the 3-2-1 backup rule but with an extra copy, media type, and offsite copy.

Choosing the right backup strategy for your business

With so many variations and backup rules, you may wonder which one is right for your business. I can answer that question with a favorite quote from my colleague and content engineer at PDQ, Brock Bingham:

"It depends."

To elaborate, it depends on what your business’s goals are during times of crisis. For example, how long can you (literally) afford to be offline in case of a disaster? If your answer is “not very long,” you may want to invest in a backup solution that offers a quick-restore option.

We recommend starting with the 3-2-1 backup rule and going from there. In fact, this is how we handle our backups at SmartDeploy. But we also take it a step further with air-gapped and immutable backups. Your backup strategy can be exactly what you need it to be: a way to get your specific, unique environment back up and running as soon as possible.

You may be pressured to store at least one of your backups on the cloud. But in reality, this request boils down to storing one of your backup copies on an external device. The cloud is nothing more than someone else’s servers (aka, external devices). So, if you’re asked to store one of your copies on the cloud, you can conquer that task by backing up your data to an external device.

Now that your backups have backups, you can move on to simplifying your life in other ways. Provision your PCs and manage your Windows devices in just a few clicks with SmartDeploy. Download a free 15-day trial and see the magic for yourself.

Rachel Bishop
Rachel Bishop

A professional writer turned cybersecurity nerd, Rachel enjoys making technical concepts accessible through writing. When she’s not solving her Rubik’s cube, she’s likely playing a video game or getting wrapped up in a true crime series. She enjoys spending time with her husband (a former sysadmin now in cybersecurity) as well as her two cats and two birds.

Related articles

Ready to get started?

See how easy device management can be. Try SmartDeployfree for 15 days — no credit card required.