The 3-2-1-1-0 Backup Rule: Why the Original Rule Isn't Enough Anymore

The classic 3-2-1 backup rule was written before ransomware could encrypt your backup target. Here's the updated 3-2-1-1-0 rule, what each digit means, and how to implement it in a modern enterprise.

5 August 2026 · 7 min read · Montana Data Company · Data Protection Team

A Rule From a Different Era

The 3-2-1 backup rule has been the gold standard of data protection strategy for two decades. Formulated by photographer Peter Krogh in the mid-2000s, it is simple and memorable:

  • 3 copies of your data
  • 2 different storage media types
  • 1 copy stored off-site

For most of the rule's history, the primary threat was hardware failure — a disk dying, a server room flooding, a fire destroying a building. Against those threats, 3-2-1 works well. An off-site copy survives a local disaster. Multiple media types prevent a single vendor defect from wiping all copies.

But ransomware changed the equation. And 3-2-1 was not designed with ransomware in mind.


The Problem: Ransomware Targets Backups First

Modern ransomware is not opportunistic — it is methodical. Before encrypting production systems, sophisticated ransomware operators spend days or weeks moving laterally through a network, mapping infrastructure, and specifically identifying backup systems and storage targets. They know that if they encrypt your backups before your production data, you cannot recover without paying.

Under a traditional 3-2-1 implementation, this is exactly what happens. Your on-site backup is connected to your network. Your off-site copy is a cloud target that is also accessible from your network. If the ransomware operator compromises domain admin credentials — which is standard practice for human-operated ransomware — they can reach and destroy or encrypt all three copies.

A backup that can be reached from the production environment can be targeted by ransomware. The 3-2-1 rule provides no protection against this.


The Updated Rule: 3-2-1-1-0

The 3-2-1-1-0 rule extends the original with two additional requirements designed specifically for the ransomware era:

Digit | Meaning
3 | Three copies of your data
2 | Two different storage media types
1 | One copy off-site
1 | One copy offline, air-gapped, or immutable
0 | Zero errors verified — all backups tested and confirmed restorable

The Fourth Number: Offline, Air-Gapped, or Immutable

This is the critical addition. At least one copy of your data must be stored in a state that cannot be modified or deleted by ransomware, even if attackers have full domain administrator access.

There are three ways to achieve this:

Offline (tape or removable media): A copy that is physically disconnected from all networks. Ransomware cannot reach what it cannot connect to. Tape remains relevant precisely because of this property — a tape in an off-site vault is genuinely unreachable.

Air-gapped: A backup copy that is logically isolated from your production environment. This can be implemented with dedicated backup infrastructure that has no route to your production network, or with cloud storage that is accessible only via a dedicated, separately secured connection.

Immutable object storage: Cloud backup written to object storage with Object Lock enabled. Immutable storage uses a WORM (Write Once, Read Many) model — once data is written and the lock is applied, it cannot be modified, overwritten, or deleted until the retention period expires. Not even the storage administrator can delete it. This is the most operationally practical implementation for most organisations, as it does not require physical media management.

Cloud providers including AWS (S3 Object Lock), Azure (Immutable Blob Storage), and IBM (Object Storage with WORM policies) support immutable storage natively. Backup solutions like Veeam, Druva, and IBM Spectrum Protect can write to immutable targets.

The Fifth Number: Zero Errors

The original 3-2-1 rule said nothing about whether the backups actually work. The zero in 3-2-1-1-0 addresses a brutal reality: most organisations that suffer a ransomware attack discover their backups are incomplete or unrestorable at the worst possible moment.

Zero errors means:

  • Every backup job completes successfully, with verification
  • Backup integrity is checked automatically (hash verification, synthetic fulls)
  • Restore tests are performed regularly — not just checking that backup jobs complete, but actually restoring data to a test environment and confirming it is usable
  • The time required for a full restore is measured and documented so recovery time objectives are realistic

A backup that has never been tested is not a backup — it is an assumption.
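The hash-verification step of a restore test, as an added example that is not from the original article or any backup product: a SHA-256 manifest is recorded at backup time and compared against the tree produced by a test restore. The function names and the sample files are constructed for illustration.

```python
import hashlib, os, tempfile

def manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            out[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return out

def verify_restore(expected, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(p for p in expected
                          if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }

def zero_errors(report):
    """The '0' in 3-2-1-1-0: the restored tree matches the manifest exactly."""
    return not any(report.values())

def demo():
    """Constructed data: a source tree, a good restore and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"db/ledger.dat": b"ledger-v1", "docs/policy.txt": b"policy"}
        for tree in ("source", "good", "bad"):
            for rel, data in files.items():
                path = os.path.join(tmp, tree, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        # Damage the "bad" restore: one silently altered file, one missing file.
        with open(os.path.join(tmp, "bad", "db", "ledger.dat"), "wb") as fh:
            fh.write(b"ledger-XX")
        os.remove(os.path.join(tmp, "bad", "docs", "policy.txt"))
        expected = manifest(os.path.join(tmp, "source"))
        return (verify_restore(expected, os.path.join(tmp, "good")),
                verify_restore(expected, os.path.join(tmp, "bad")))
```

A matching manifest shows the bytes came back intact; confirming that the restored data is usable (the application starts, the database mounts) is still a separate step of the restore test.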


Implementing 3-2-1-1-0 in Practice

For SMEs and Mid-Market Organisations

Most organisations in this size range should implement the rule as follows:

  1. Production copy — live data on primary storage
  2. On-site backup — a local backup appliance or NAS (fast restore for common scenarios like accidental deletion)
  3. Off-site cloud backup — cloud backup target in a different region or provider
  4. Immutable copy — cloud backup written to object storage with Object Lock, OR a separate air-gapped cloud vault with no direct connectivity to the production backup job

The immutable copy does not need to be a full second cloud backup — it can be a separate retention tier within your backup solution that writes select recovery points to immutable storage.

Key Questions to Ask Your Backup Vendor

  • Does your solution support writing to immutable object storage? (Look for AWS S3 Object Lock, Azure Immutable Blob, or equivalent support)
  • Can the immutability be bypassed by the same credential set that manages production backups? If the same admin account that runs backups can also remove Object Lock policies, the immutability has limited value.
  • What does your backup verification include? Job completion alerts are not verification. Hash checks and test restores are.
  • How are backup credentials stored? Backup credentials should not be accessible from domain controllers or production servers.
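One way to check the credential-separation question above for AWS S3 Object Lock, as an added example that is not from the original article or any vendor's tooling. It assumes S3's two retention modes (GOVERNANCE and COMPLIANCE) and the IAM actions `s3:BypassGovernanceRetention` and `s3:PutBucketObjectLockConfiguration`, which the article does not name; the bucket configurations and policies are constructed samples in the shape of the GetObjectLockConfiguration response and an IAM policy document.

```python
import fnmatch

# IAM actions that let a principal weaken S3 Object Lock protection.
BYPASS = "s3:BypassGovernanceRetention"              # remove GOVERNANCE-mode locks
RECONFIGURE = "s3:PutBucketObjectLockConfiguration"  # change default retention

def allows(policy, action):
    """True if the policy allows `action` and no statement denies it.
    Simplification: Resource, Condition and NotAction are ignored."""
    verdict = False
    for stmt in policy.get("Statement", []):
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt.get("Effect") == "Deny":
                return False          # an explicit deny always wins in IAM
            verdict = True
    return verdict

def audit(lock_config, policy):
    """Return findings for one bucket and one backup principal."""
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: this copy is not immutable"]
    findings = []
    mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if mode is None:
        findings.append("no default retention: objects are locked only if the writer asks")
    if mode != "COMPLIANCE" and allows(policy, BYPASS):
        findings.append("backup principal can bypass retention on locked objects")
    if allows(policy, RECONFIGURE):
        findings.append("backup principal can change retention for future recovery points")
    return findings

# Constructed sample data.
GOVERNANCE_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
COMPLIANCE_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
SHARED_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
WRITE_ONLY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]}]}

if __name__ == "__main__":
    for name, bucket, pol in [("shared admin", GOVERNANCE_BUCKET, SHARED_ADMIN),
                              ("write-only role", COMPLIANCE_BUCKET, WRITE_ONLY)]:
        print(name, "->", audit(bucket, pol) or "no findings")
```

The shared admin policy on the GOVERNANCE bucket produces two findings, while the write-only role on the COMPLIANCE bucket produces none.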

3-2-1 vs 3-2-1-1-0: A Quick Comparison

Scenario | 3-2-1 | 3-2-1-1-0
Server room fire | ✅ Off-site copy survives | ✅ Off-site copy survives
Hardware failure | ✅ Multiple copies survive | ✅ Multiple copies survive
Ransomware with network access | ❌ All networked copies at risk | ✅ Immutable copy survives
Admin credential compromise | ❌ Backup admin can delete all copies | ✅ Object Lock cannot be bypassed by admin
Silent backup corruption | ❌ Not addressed | ✅ Verification testing catches it

FAQ

Does 3-2-1-1-0 apply to cloud-native workloads?

Yes. The rule is media-agnostic. For cloud-native workloads, the immutable copy might be a separate cloud region with Object Lock, or a different cloud provider entirely. The principle is the same: one copy that cannot be deleted or modified through the same credential chain that attackers would compromise.

Is tape still relevant in 2026?

Yes, specifically because of its air-gap property. Large enterprises and government organisations continue to use tape for long-term retention precisely because a tape in a vault is genuinely unreachable from the network. For smaller organisations, immutable cloud storage is more practical.

How often should restore testing happen?

At minimum, quarterly for representative workloads. Critical systems (ERP, finance, CRM) should be tested more frequently — monthly or after any significant change. The test should confirm that the restored data is usable, not just that the restore completed.

What is the cost difference between 3-2-1 and 3-2-1-1-0?

The primary additional cost is immutable object storage. Object Lock storage is typically priced similarly to standard object storage — the cost is marginal. The larger investment is in tooling and process changes: backup software that supports immutable targets, credential separation, and a documented restore testing programme.

Does this satisfy POPIA's security requirements?

POPIA's Condition 7 requires "appropriate, reasonable technical and organisational measures" to protect personal information. A 3-2-1-1-0 backup implementation, with documented restore testing, provides a strong evidence base for appropriate security measures in any regulatory investigation.


The Bottom Line

The 3-2-1 rule built a generation of resilient data protection practices. The 3-2-1-1-0 extension answers the ransomware era with two additions: a copy that attackers cannot reach, and a verification discipline that ensures the copies you have will actually work when you need them.

If your current backup strategy does not include an immutable or air-gapped copy, and does not include regular restore testing, it is 3-2-1 — and 3-2-1 is no longer sufficient.

Talk to our team about designing a backup architecture that meets the 3-2-1-1-0 standard for your environment.
