Ensuring Business Continuity: The 3-2-1 Backup Rule

Downtime and data loss can wreak havoc on businesses, and there are statistics abound to prove it. For example, IBM’s Cost of a Data Breach Report 2020 found that the average cost of a single lost or stolen record was $146 USD. Additionally, Dell reported that the average cost of downtime in 2019 was $810,018 USD. Unfortunately, there’s no one-size-fits all solution to preventing data loss and downtime. Everything from ransomware to human error to failing hardware can lead to lost data and productivity. Because of the risks associated with data loss and downtime, reliable backups are a must have for modern businesses. A rock-solid backup strategy is the cornerstone of disaster recovery and business continuity. But, what backup strategy should you use? How about one that has been advocated for by a United States Computer Readiness Team paper and proven by years of use within the tech industry? The 3-2-1 backup rule fits that description to a T. Here, we’ll look at the benefits of the 3-2-1 backup rule, the details behind the concept, and how you can use it to your advantage.

What is the 3-2-1 backup rule?

The idea behind the 3-2-1 backup rule is simple:
  • Have at least 3 copies of your data
  • Save data on 2 different physical media
  • Keep at least 1 copy of the data offsite
The rule enables you to eliminate single points of failures in your backups. Keeping multiple copies on different physical media and different geographical locations, you greatly reduce the risk of a single catastrophic event wiping out your data.

The benefits of 3-2-1 backups

The primary benefits of 3-2-1 backups are resilience and risk mitigation. If one copy of your data is corrupted, you have 2 more to fall back on. If one storage medium goes obsolete, there is another you can use. If there is a disaster or complete loss of data at your primary site, you still have your offsite data. Simply put: a 3-2-1 backup strategy reduces your chances of losing your data completely. In a world where data loss and ransomware attacks can cripple a business, that is a major upside.

Why 3 copies?

The “3” in 3-2-1 backups means keeping 3 copies of your data. 1 copy is the primary copy, i.e. what you actively use in production. The other 2 copies are backups. This approach gives you redundancy in your backups. This means you won’t suffer a catastrophic loss of data just because 1 backup is corrupted. Remember: It’s important that your backups all have the same data and that the data is current enough to be useful. The point of backups is to get you back to an operational state in a reasonable amount of time. If your backups are stale and you can’t use them to continue day-to-day operations, they aren’t very useful. Keep this in mind as you design your overall backup and recovery strategy.

What’s this about 2 media?

There are plenty of different media that you can use to store data, including:
  • Hard Drive Disks (HDDs)
  • Solid State Drives (SSDs)
  • Magnetic tape drives
  • Optical media (e.g. DVDs)
Additionally, cloud storage, while technically not a type of physical media, is often called out as a “type” of storage. Each type of physical media has its own pros and cons. For example, magnetic tape can last for a long time (up to 30 years) and offers a lot of capacity at a low cost. However, it is slow to access and can wear out if used frequently. SSDs on the other had have fast access times but can cost more than other media. There are two different interpretations of different media when it comes to the 3-2-1 rule:
  • Use two different types of media (e.g. a separate SSD and HDD)– This is the traditional interpretation.
  • Use the same type of media but on two different physical devices (e.g. 2 separate HDDs)– This is a looser interpretation some have adopted over the years.
Many consider the stricter definition that calls for two different types of media as it is most consistent with the spirit of the 3-2-1 rule and the interpretation in the United States Computer Readiness Team paper. By using different media types, you reduce the risk of a single hazard or failure mode wiping out all your backups (tape, SSDs, and HDDs all fail differently and are more/less susceptible to different hazards). However, at the very least you should be following the looser interpretation and being sure to use separate physical devices. The most important takeaway here is: eliminate single points of failure in where your backups physically reside.

Why do offsite backups matter?

Using 2 different types of physical media doesn’t rule out a disaster like a fire wiping out all your data. That’s where the “keep at least one copy of your data offsite” rule comes in. For many businesses, cloud backups can make this simple. If your primary data resides at your local offices or corporate datacenters, a cloud service is inherently offsite. But what if you store your primary data in the cloud? How can you have an offsite solution in that case? You could use a second cloud provider or keep onsite copies of your data. The idea here is: 1 backup needs to be somewhere that would be unaffected by a disaster at your primary site. Whether your primary site is a  your own physical location or a cloud provider (that could go out of business or suffer a data loss of their own), this part of the 3-2-1 backup rule helps you avoid single points of failure in your backup strategy.

Different versions of the rule

There have been different twists on 3-2-1 backups over the years. We saw one earlier when we discussed the strict and loose interpretations of the “2 different physical media” rule. There are also concepts like 3-2-2 and 3-2-3 backups where you up the number of offsite storage locations. However, since the 3-2-1 rule calls for “at least” 1 offsite backup, these are really just different implementations of the same general 3-2-1 concepts.

Key points to remember when using the 3-2-1 backup rule

Here are a few key points to remember when you implement the 3-2-1 backup rule:
  • Don’t let data get stale. Schedule your full and incremental backup schedules so your backups will be useful in the event production goes down. When possible, automatically sync data (e.g. between on-site storage and the cloud).
  • Accessibility matters. Downtime costs money. If you have reliable backups but it takes too long to get the data into production, you have a business continuity problem. Understand how much data you may need to recover, set an RTO (recovery time objective), and design your backup strategy with that in mind.
  • Test your backup recovery strategy. A failure shouldn’t be the first time you test your backups. Test your recovery strategy regularly.
The 3-2-1 backup rule is a common best practice and a good starting point for many organizations. However, there are no one-size-fits-all solutions and context matters when designing a backup strategy. You’ll need to give some thought to your business requirements, cost of downtime, and risk appetite to get things right.