
The 3-2-1-1-0 Rule: Modern Backup Standard
Direct answer
The 3-2-1-1-0 rule is the corporate evolution of the classic 3-2-1: three copies, on two different media, one offsite, one immutable, and zero restore errors. Adopted after the 2020-2024 ransomware wave proved that online backups can also be encrypted.
Why classic 3-2-1 is no longer enough
The 3-2-1 rule emerged in the 2000s, when the main threat was hardware failure. Today's attacker spends hours or days inside the network before encrypting, which is time enough to identify and destroy online backups. Cases like Colonial Pipeline (2021), Kaseya (2021) and Change Healthcare (2024) showed that backups joined to Active Directory fall together with production. The two additions in 3-2-1-1-0 close this gap: immutability prevents tampering even by a compromised administrator, and restore testing guarantees the copy works when needed.
Most common implementation mistakes
1. Keeping the backup in the same Active Directory domain. A compromised domain account deletes the backup along with production. Use a dedicated, isolated credential for the backup server.
2. Treating a snapshot as a backup. A snapshot depends on the original storage; if that storage fails or is encrypted, the snapshots go with it.
3. Never testing a restore. A backup that has never been restored is hope, not a solution. Regular testing is part of the strategy.
4. Trusting a mutable backup against ransomware. Veeam, Commvault and similar products are primary targets. Immutability is mandatory against modern ransomware.
How to implement 3-2-1-1-0 in 5 steps
Applicable to any size — adaptable to on-premise, hybrid or 100% cloud.
1. Map critical assets first
Identify which systems must be back within 4h, 24h and 72h. OLTP applications (ERP, CRM, medical record systems) have a critical RTO. Cold logs and archives may tolerate 72h. Without this prioritization, backup becomes an end in itself.
2. Ensure 3 copies on 2 media
Copy 1: production. Copy 2: local backup on different storage (ideally from a different vendor, so a single firmware bug does not take both down). Copy 3: secondary backup with a longer cadence.
3. Add the offsite copy
AWS S3, Azure Blob, Wasabi or a secondary data center. Ideally in a different geographic region, to survive a physical disaster.
4. Make one copy immutable
Object Lock (S3, MinIO, Wasabi) in Compliance mode, a Veeam Hardened Repository with chattr +i, or WORM LTO tape. Modern ransomware deletes mutable backups before encrypting production.
5. Test restore monthly
Most companies discover that their backups do not restore at the worst possible moment. Do a partial restore in an isolated environment every month and a full restore quarterly. Document the real restore time, not the theoretical one.
FAQ
Does 3-2-1-1-0 fully replace 3-2-1?
For corporate environments with ransomware exposure, yes. The classic 3-2-1 still applies to personal use, but for any company with Active Directory, ESXi or internet-exposed servers, 3-2-1-1-0 is the defensive minimum.
What is the average implementation cost?
It varies widely. For an SMB with 10 TB of useful data: ~US$10-30/month for S3 Object Lock storage plus the backup software cost (Veeam, Veritas). For a mid-sized company with 100 TB: ~US$100-400/month. Low compared to the impact of an attack without an immutable backup.
Can I use cloud-only backup (no local copy)?
Technically yes, but RTO suffers. Restoring 50 TB from S3 takes days, depending on bandwidth. A fast local copy plus an immutable offsite copy is the typical balance.
Where does Veeam Hardened Repository fit?
It is the most common way to implement the immutability '1' on-premises. A Linux server with chattr +i set on the backup files prevents deletion even by root. Detailed setup in another post on this blog.
How do I audit if the backup is really immutable?
On S3: try to delete an object via the console; it must fail with an 'Object Lock' error. On a Veeam Hardened Repository: SSH to the server and try rm on a backup file; it must return 'Operation not permitted'. Test quarterly.
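To make the five implementation steps above and the quarterly immutability audit checkable rather than a checklist in someone's head, here is an added Python example (not code from the original post): a small compliance checker that scores a backup inventory against each digit of 3-2-1-1-0. The BackupCopy fields, the 31-day restore-test window and the 92-day audit window are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class BackupCopy:
    name: str
    media: str                                   # "san", "nas", "object-storage", "lto-worm"
    offsite: bool = False
    immutable: bool = False                      # Object Lock Compliance, chattr +i, WORM tape
    is_production: bool = False                  # copy 1 is the production volume itself
    last_restore_test: date | None = None        # None: never restored
    restore_errors: int = 0                      # errors seen in that last restore test
    last_immutability_audit: date | None = None  # last deletion attempt that correctly failed

def check_3_2_1_1_0(copies, today, test_days=31, audit_days=92):
    """Evaluate each digit of the rule; an empty finding list means compliant."""
    findings = []
    if len(copies) < 3:                                   # 3: three copies
        findings.append(f"3: only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:                # 2: two media types
        findings.append("2: all copies share one media type")
    if not any(c.offsite for c in copies):                # 1: one offsite copy
        findings.append("1: no offsite copy")
    immutable = [c for c in copies if c.immutable]        # 1: one immutable, audited
    if not immutable:
        findings.append("1: no immutable copy")
    for c in immutable:
        a = c.last_immutability_audit
        if a is None or (today - a).days > audit_days:
            findings.append(f"1: '{c.name}' immutability not audited in {audit_days} days")
    for c in copies:                                      # 0: zero restore errors
        if c.is_production:
            continue
        t = c.last_restore_test
        if t is None or (today - t).days > test_days:
            findings.append(f"0: '{c.name}' not restore-tested in {test_days} days")
        elif c.restore_errors:
            findings.append(f"0: '{c.name}' had {c.restore_errors} restore errors")
    return findings

# Constructed sample inventory (not real): only the stale restore test of the offsite copy should fail.
TODAY = date(2025, 3, 1)
INVENTORY = [
    BackupCopy("prod-san", "san", is_production=True),
    BackupCopy("local-nas", "nas", last_restore_test=date(2025, 2, 20)),
    BackupCopy("s3-objectlock", "object-storage", offsite=True, immutable=True,
               last_restore_test=date(2024, 11, 30), last_immutability_audit=date(2025, 1, 15)),
]
```

Calling check_3_2_1_1_0(INVENTORY, TODAY) on the sample returns a single finding for the offsite copy, which has not been restore-tested in 91 days; feed it a real inventory and run it from the same job that records restore results.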
Need help designing your 3-2-1-1-0 strategy?
One-off consulting and implementation for SMB and enterprise.