Is the 3-2-1 backup rule still the golden standard?
As datasets grow and threat actors level up their tactics by deleting backups in their attacks, some question if the beloved 3-2-1 backup rule is enough in today’s age.
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
As threat actors become more sophisticated, and datasets grow immense, some professionals think the IT industry’s golden 3-2-1 backup rule might be long overdue for an upgrade.
The 3-2-1 rule—not to be confused with the popular technique used to smoke flavorful BBQ ribs—is a longtime best practice that helps organizations and professionals protect their data in the event of physical and digital emergencies. Organizations are encouraged to have three copies of their data on two different types of mediums, with one being stored off-site.
Druva CTO Stephen Manley told IT Brew that the backup rule is one of the few things in the industry that predates him. Its effectiveness stems from its “reasonable common sense” approach to ensuring resilience. “That was the genesis of the rule: I want multiple copies, I want them to store them on something different, and I want to store them far enough away that it can be resilient to some sort of reasonable blast radius.”
It’s a different world. However, much has changed since the 3-2-1 rule hit the backup scene. Judson Dressler, director of Resilience’s risk operations center, told IT Brew that datasets have grown in size, especially training datasets used for GenAI.
“That’s where you know potentially this golden rule runs into a little bit of a snag,” Dressler said. “Having three copies of a training data set that is that large is probably impractical.”
And that’s not all. Michael Hornby, CEO of tech service provider Techmentum, added that the threat landscape has evolved. Malicious actors are now often deleting backups as a way to pressure organizations into paying ransoms.
“If you have three copies of your data as 3-2-1 states, and the hackers can get in and delete or block your access to all three copies, then you effectively have no restorable copies,” Hornby said. Last year, Microsoft Threat Intelligence shared the ploy of a threat actor (tracked internally as Storm-0501) who leveraged cloud-based ransomware to delete the backups and data within their victim’s environment.
Is it time to put 3-2-1 to rest? While the industry has entered a new era, IT professionals don’t think the infamous 3-2-1 backup method is a lost cause. Dressler told IT Brew the data protection strategy is still valid in today’s age, with a few “caveats.” For instance, companies should make sure they have a foolproof backup and perform tests regularly to ensure they can be restored easily, he said.
“Maybe it’s a 3-2-1-1-0,” Dressler said. “And the extra one is, essentially…one of your copies should be immutable.” (An immutable backup is one that can’t be altered or deleted for a set time.)
Hornby said an updated 3-2-1 backup rule has some extra steps that don’t quite fit into its short, quippy title. In addition to having one immutable backup, Hornby said it is important for IT pros to prioritize identity separation within their data protection strategy.
“If you have IT systems and they’ve got credentials for it [and] you use those same credentials to access the backup, it’s very easy for someone to move laterally from the systems that are being backed up to the backup,” Hornby said. “So, separate those identities [and] give different credentials to access the backups.”
Hornby added that, in today’s world, professionals need to make sure recovery testing is a key part of their routine: “You’d be surprised how many people think their backups are working and [they] aren’t.”
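The checks described above (three copies, two media, one off-site, one immutable, separate identities, tested restores) can be run against a backup inventory. The following is an added example, not code from IT Brew or any of the people quoted; the `Copy` fields, the `audit` function, and every name in the sample inventories are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    medium: str                 # e.g. "disk", "nas", "object-storage"
    offsite: bool
    immutable: bool             # cannot be altered or deleted during retention
    restore_tested: bool        # last restore test of this copy succeeded
    deleters: frozenset         # identities allowed to modify or delete it
    primary: bool = False       # the live data set, not a backup

def audit(copies, production_identities):
    """Return findings for an inventory; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.medium for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if not any(c.immutable for c in copies if not c.primary):
        findings.append("no immutable backup")
    for c in copies:
        if not c.primary and not c.restore_tested:
            findings.append(f"restore not verified: {c.name}")
    # Identity separation: assume one production identity is compromised and
    # list the backups it cannot destroy. None left means nothing to restore.
    for ident in sorted(production_identities):
        survivors = [c.name for c in copies if not c.primary
                     and (c.immutable or ident not in c.deleters)]
        if not survivors:
            findings.append(f"{ident} can delete every backup")
    return findings

# Constructed inventories; all names are made up for illustration.
SHARED = frozenset({"it-admin"})
WEAK = [  # satisfies classic 3-2-1, but one credential reaches everything
    Copy("prod-db", "disk", False, False, True, SHARED, primary=True),
    Copy("local-nas", "nas", False, False, True, SHARED),
    Copy("cloud-bucket", "object-storage", True, False, False, SHARED),
]
HARDENED = WEAK[:2] + [
    Copy("cloud-bucket", "object-storage", True, True, True,
         frozenset({"backup-operator"})),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(inv, {"it-admin"}) or "all checks passed")
```

The weak inventory passes the three classic counts yet still fails, because the shared `it-admin` credential can remove both backups and the off-site copy has never been restored.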
The risk of being old school. Manley said it should be no surprise that each component of the 3-2-1 backup rule requires a bit more legwork than it did 20 years ago. Those stuck in their old ways place themselves at risk.
“Those administrators, those teams, those companies that evolve their view of the 3-2-1 rule will be successful,” Manley said. “Those that say, ‘No, no, we’re just going to keep doing it the old way,’ I do think they will find themselves on the wrong side of evolution.”