3-2-1 Backup rule
3-2-1 Backup rule definition
What is the 3-2-1 backup rule?
The time-trusted 3-2-1 backup strategy involves data protection using multiple backups of data. Principles of the 3-2-1 backup rule:
- 3: Keep 3 copies of your data
- 2: Store the data copies on 2 different devices or media types
- 1: Store 1 copy of data offsite
Here’s a simple example:
You want to secure the data residing in your computer. As per the 3-2-1 rule:
- You must have 3 copies of your data – The source data stored on your computer is one copy of your data. You copy this data onto an external hard drive. This becomes your second copy. At the end of the day, the IT team at your organization transfers all the data copied into the portable hard drive onto a Google Drive account. Now, your PC data is effectively copied and stored in three places.
- Store the data on 2 different devices or storage types – This objective has been met by storing one copy on a portable hard drive and another on Google Drive, a cloud storage service. If tomorrow the original data on your computer is corrupted and everything is erased, you can easily copy your data back to your computer from the portable hard drive.
- Store 1 copy offsite (in a remote location) – his objective is fulfilled, as the Google Drive copy is stored in Google’s Data Center, which is most likely in a different city. If malware causes the laptop to crash while you are working from home, you can download the data stored in Google Drive and start working on another device temporarily. Similarly, if a natural disaster strikes your city, damaging both the hard drive in your office and the laptop at your home, you can use the backup copy on Google Drive to access work-related data.
Why does the 3-2-1 backup rule matter?
The purpose of the 3-2-1 backup rule is that there should be no data loss, even in the worst-case scenario. If an incident occurs, you should be able to recover your data from any one of the 3 sources.
How does the 3-2-1 rule apply for enterprise data backup?
IT teams can use the same 3-2-1 backup strategy to secure their organization’s data. If you are part of IT, you should always choose a solution purposefully built for data backup and disaster recovery. Before choosing your backup vendor, here are some questions that will help you plan and choose one that meets all of your needs:
What do you need to back up?
Most common are endpoints (desktops, laptops), servers (file servers, NAS, virtual machines), and SaaS apps (Microsoft 365, Google Drive). The preferred vendor must support all or most of the data sources that you need to back up.
What is your budget?
If you are a small business and your primary motive is solely data backup and recovery, stick to a simple, cost-effective solution. However, if you are part of a large organization with more than 1000 employees, list all your requirements and go with the solution that meets your needs, such as backing up and protecting data across multi-cloud environments, data centers, and edge.
What regulatory compliance protocols must you support?
Companies in the healthcare industry need to comply with HIPAA when dealing with patient record data, and financial services companies must comply with SEC, CFTC, FINRA, and exchange regulations. Ensure that your backup service provider is compliant with important regulations and frameworks.
How frequently do you want to back up data?
Frequent backups will require more storage space and high network bandwidth. If you are using on-premises storage, then you must also take into account the hardware costs, upkeep and maintenance costs, additional personnel to manage the storage system, and so on. A 100% SaaS solution with no hardware involved usually has consumption-based pricing. 100% SaaS can reduce your total cost of ownership by up to 50%.
Is the solution easy to use?
Ease of use will ensure that employees of the organization can back up and restore their data as required without IT support. This would ensure that the IT team is free to handle more critical tasks such as remotely wiping a lost device or investigating backed-up data for potential malware.
What are 3-2-1 backup strategy best practices?
Back up frequently and regularly
You must back up your data at regular intervals throughout the day. Most companies plan to back up twice a day, such as before lunch and then again just before the end of the day. Ensure that each time you back up your data, there are two additional copies of it stored on different media or storage systems.
Before Druva, our NetApp snapshots only kept two weeks of data at a time, so if an employee needed a file from beyond that it was nearly impossible. Now we can find files quickly no matter how far back. Before Druva, our backups were taking three days to complete, and even then we would have to stop them because they had gone on too long, now they always complete within hours.
– John Parry – Group IT Infrastructure Manager
Johnson Service Group
Use software that will automatically backup your data as per the 3-2-1 rule at defined intervals during the day. This will eliminate the cumbersome process of manually creating copies of the data.
Test the data recovery speed and efficiency
Backups are only good if you can recover the data when required. As straightforward as it may seem, backing up data does not guarantee that you will be able to recover the whole data. Ransomware specifically targets backups because they eliminate your failsafe first to force companies to pay the ransom.
Maintain basic cyber hygiene
Ensure you continue to adhere to cyber security practices such as using antivirus for your devices, avoiding phishing emails, refraining from uploading or adding sensitive business information on any website, using corporate VPN when sending and receiving official data while you are not in your office, refrain from connecting unknown hard drives or USB devices to your office computer, and so on.
Back up important files only
Avoid backing up unimportant data such as personal videos, pictures, cache folders, and other things that are not related to work. If you are using backup software, you can pre-define the file types and folders that you want to back up.
What are the shortcomings of the 3-2-1 backup strategy?
- No clarity on storage types that you must use – The rule does not specify what types of storage media you should use for storing data both onsite and offsite. On-premises storage such as tapes and disks require an upfront hardware investment, physical space, personnel for regular upkeep and maintenance (which can be a challenge with the pandemic), and are prone to physical disasters such as fire and theft. On the other hand, the cloud helps to reduce costs, as you don’t need any upfront investment and are only charged for the amount of data you store, and it scales with your requirements.
- Costly – The price of copying data to tapes and sending them to a different location to safely keep in a vault is huge when you are a large organization generating several terabytes of fresh data daily. In addition, if you have to recover data, retrieving it from an offsite location can be time-consuming and expensive.
- Does not take into account viruses and ransomware – Cyber attacks are now more frequent and severe. However, the 3-2-1 rule assumes that your backed-up data is uninfected. If you inadvertently copy infected data to other storage locations, you run the risk of infecting other data stored in such systems. If all systems are connected to the same network, the infection can quickly spread to multiple devices. If you restore this data to any device you will reinfect that device
- Too much data redundancy – The rule assumes that you will create fresh copies of data every time you back up your data. This approach would use up a lot of space as you are re-copying entire files and not the files that have changed. This would increase costs as you keep adding more space to your backup storage system.
Is the 3-2-1 backup rule relevant for cloud backups?
It absolutely is. The 3-2-1 backup rule serves as a template for any backup strategy that you want to use. Here’s is Mr. Backup (W. Curtis Preston) himself explaining how the rule applies to the cloud:
How does modern data protection with Druva support the 3-2-1 backup rule?
Druva’s cloud data protection solution uses AWS S3 for storing backup data. Whenever you back up any data, it is immediately encrypted using an AES 256-bit encryption key and then replicated in three separate locations. This enables you to have 4 separate copies of data in 4 different locations. As the data is encrypted, only authorized personnel from an organization can view and restore the data. Thus, you always have an offsite version of the data that is not only secure but always accessible to the right people.
Druva’s cloud-native, scalable, 100% SaaS solution takes advantage of the public cloud’s simplicity and scale to provide a single solution for backup and recovery, disaster recovery, cyber resilience, eDiscovery, legal hold, compliance, and forensics.
Click here to download our free guide to enterprise data backup and recovery architectures. It explains the different backup methods available today so that you can make an informed decision while choosing your backup vendor.