3-2-1 backup rule update: Air gap your immutable backups
For many years, the 3-2-1 backup rule has been the gold standard for ensuring the protection of business-critical data. The principle suggests organizations keep three copies of data on two different storage media, with one copy being stored offsite to ensure continuity. But in today’s world, where businesses rely heavily on cloud software-as-a-service (SaaS) data, what does “offsite” really mean?
What does offsite mean for cloud SaaS data protection?
When the 3-2-1 backup rule was coined, offsite meant something very tangible: You stored your backup data somewhere other than your office (or its basement, for that matter). This created a physical “air gap,” ensuring that if your production data were compromised, your backup data remained safe and untouched outside of the domain of your primary dataset.
But what does offsite mean when your data is already hosted by a third-party provider like Microsoft, AWS, or Google? This question is one of the key reasons experts and analysts suggest updating the rule. In a cloud environment, offsite means storing your backup data on a separate infrastructure or domain. Put simply, you need to store backup data in a different cloud from your production data, creating a logical air gap, like storing backup tapes in another physical location. This would mean storing your backup copies independently from Microsoft, AWS, or Google — depending on which service you're using.
As businesses move more of their operations to SaaS solutions, they generate more data in the cloud, and a gap in SaaS data protection can open up if their backups are not air-gapped. A key vulnerability arises when backup and production data reside within the same cloud environment: a single data loss event or cyberattack could then compromise both production and backup data.
By definition, a backup must be taken and stored elsewhere. Amazon Web Services (AWS) defines data backup as “a copy of your system, configuration, or application data that’s stored separately from the original.” So, to have a true backup copy of production data of SaaS applications that are on AWS, for example, this backup copy would need to be stored outside of the AWS cloud.
Why analysts suggest the 3-2-1 backup rule needs an update
With the migration to the cloud, organizations have shifted away from traditional storage methods like tape. To help face challenges like ransomware and stricter data loss protection requirements, industry analysts recommend updating the 3-2-1 rule to better frame how to protect the massive amounts of data generated in third-party, off-premises SaaS applications like Microsoft 365 and Entra ID.
They believe, given these trends, the classic 3-2-1 backup strategy may no longer be enough. Some industry analysts and experts suggest businesses consider the 4-3-2-1 or 3-2-1-1-0 backup strategies instead. (If you’d like to learn more about the 3-2-1 rule, Keepit’s CTO wrote an in-depth blog that covers how it applies to modern cloud data.)
So, what are the new backup strategies analysts recommend?
- The 4-3-2-1 backup rule: This approach expands on the traditional rule by recommending four copies of data, potentially including a high availability (HA) copy, using three different storage types in two locations, with one copy stored offsite/in a separate administrative domain. This enhanced strategy aims to ensure better data loss protection through additional redundancy and improved recovery times in the face of cyberthreats. It adds an extra safety net of ensuring an air-gapped backup copy, reducing the chances of total data loss.
- The 3-2-1-1-0 backup rule: The 3-2-1-1-0 strategy takes the classic rule and adds further resilience. Here, you would still maintain three copies of your data on two storage types, but also include one copy on immutable storage, which is critical for preventing ransomware from corrupting your backups. Additionally, one copy is kept offsite, outside the production environment, and there should be zero backup errors — a goal to aim for through frequent and ongoing testing and verification.
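The 3-2-1-1-0 elements above can be checked mechanically against an inventory of data copies. The following is an added example, not code from the original article or from any vendor: the `DataCopy` fields and the sample inventories are hypothetical, and it assumes the production dataset counts as one of the three copies and that "offsite" means a different administrative domain from production.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataCopy:
    name: str
    admin_domain: str        # cloud/tenant that controls the copy (hypothetical field)
    storage_type: str        # e.g. "saas", "object", "tape"
    immutable: bool          # cannot be altered or deleted
    verify_errors: int       # errors in the latest restore/verification test
    is_production: bool = False

def check_3_2_1_1_0(copies):
    """Evaluate each element of the 3-2-1-1-0 rule for an inventory of copies."""
    prod_domains = {c.admin_domain for c in copies if c.is_production}
    backups = [c for c in copies if not c.is_production]
    return {
        # Assumption: the production dataset counts as one of the three copies.
        "3_copies": len(copies) >= 3,
        "2_storage_types": len({c.storage_type for c in copies}) >= 2,
        # "Offsite" for SaaS data: a backup outside production's administrative domain.
        "1_offsite": any(c.admin_domain not in prod_domains for c in backups),
        "1_immutable": any(c.immutable for c in backups),
        "0_errors": bool(backups) and all(c.verify_errors == 0 for c in backups),
    }

def failures(copies):
    """Names of the rule elements the inventory does not meet."""
    return sorted(k for k, ok in check_3_2_1_1_0(copies).items() if not ok)

# Constructed inventories (not real tenants or providers).
PROD = DataCopy("m365-prod", "tenant-a", "saas", False, 0, is_production=True)
SAME_CLOUD = [PROD,
              DataCopy("bk-1", "tenant-a", "object", False, 0),
              DataCopy("bk-2", "tenant-a", "object", True, 0)]
AIR_GAPPED = [PROD,
              DataCopy("bk-1", "tenant-a", "object", False, 0),
              DataCopy("bk-2", "independent-baas", "object", True, 0)]
UNTESTED = AIR_GAPPED[:2] + [DataCopy("bk-2", "independent-baas", "object", True, 3)]

if __name__ == "__main__":
    for label, inv in [("same cloud", SAME_CLOUD), ("air-gapped", AIR_GAPPED),
                       ("failing verification", UNTESTED)]:
        print(label, "->", failures(inv) or "compliant")
```

The same-cloud inventory passes every count-based element and still fails the offsite check, because all of its backups share the production tenant.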
The role of immutable backups and air gapping in SaaS data protection
One key recommendation is the use of immutable backups. Immutable backups cannot be altered or deleted, providing an extra layer of security against ransomware. Data immutability ensures that even if systems are compromised, your data stays intact within these backups, ensuring faster, safer recoveries.
Air gapping is another crucial consideration. This involves keeping at least one copy of your data entirely isolated from your production network, preventing malware or hackers from reaching your backups. If one system is compromised, the isolation between administrative domains ensures other systems remain safe.
Though air-gapped systems may involve a more complex multi-cloud setup, they are highly effective for long-term data protection. There are backup-as-a-service (BaaS) specialists who own and operate their own infrastructure, making it easy to deploy the new data protection strategies focused on air gapping and immutability of cloud data.
The future of SaaS data backup
As organizations increasingly embrace SaaS applications to manage workflows and store critical data, the need for robust, cloud-optimized backup strategies will only grow. The future of SaaS data backup will likely revolve around several key advancements driven by evolving cybersecurity threats and the unique needs of cloud environments.
One significant trend is the rise of intelligent, automated backup solutions. These systems leverage artificial intelligence (AI) and machine learning (ML) to identify patterns in data usage, predict vulnerabilities, and optimize backup schedules and storage allocation. AI-driven automation ensures backups occur at the most critical times, while minimizing storage costs and streamlining recovery.
Data sovereignty concerns and privacy regulations such as GDPR and CCPA are also shaping cloud backup strategies. We can expect more solutions prioritizing compliance, allowing organizations to store data in geographically appropriate locations while maintaining backup integrity.
As multi-cloud environments become the norm, businesses will need strategies that span different cloud platforms. This diversification enhances resilience but requires solutions that can seamlessly manage data across multiple environments, ensuring quick recovery without loss. Cross-cloud replication and disaster recovery (DR) are becoming essential in this multi-cloud world.
Lastly, the integration of blockchain technology (Merkle trees) for immutable and verifiable backups plays a role in SaaS data protection’s future. Data immutability helps ensure that backup data cannot be tampered with, providing strong protection against ransomware and insider threats.
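How a Merkle tree makes backup data verifiable, as an added example that is not from the original article or any product: each backup chunk is hashed into a tree, and a single chunk can later be checked against the root without rereading the whole backup. The chunk names are constructed, and the example assumes the root hash is kept outside the backup repository, for instance in a separate administrative domain.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _levels(chunks):
    """All tree levels, leaves first; leaf and inner hashes use distinct prefixes."""
    if not chunks:
        raise ValueError("no chunks to hash")
    level = [_h(b"\x00" + c) for c in chunks]
    levels = [level]
    while len(level) > 1:
        nxt = [_h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])          # unpaired node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def merkle_root(chunks):
    return _levels(chunks)[-1][0]

def inclusion_proof(chunks, index):
    """Sibling hashes needed to recompute the root from chunks[index]."""
    proof = []
    for level in _levels(chunks)[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))   # (hash, sibling is on the left)
        index //= 2
    return proof

def verify_chunk(chunk, proof, root):
    """True if chunk plus proof hashes up to the trusted root."""
    node = _h(b"\x00" + chunk)
    for sibling, sibling_is_left in proof:
        node = _h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root

# Constructed backup chunks (sample data, not a real export).
CHUNKS = [f"mailbox-export-part-{i}".encode() for i in range(5)]
ROOT = merkle_root(CHUNKS)   # assumption: stored outside the backup repository
```

The tree detects tampering but does not prevent it; preventing alteration or deletion is the job of the immutable storage itself.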
Final remarks: Is the 3-2-1 backup rule outdated?
The classic 3-2-1 backup rule has served businesses well for decades, but industry analysts believe the shift to cloud SaaS environments necessitates modern adaptations to the rule to help frame and clarify which elements are vital to avoid dangerous gaps in SaaS data protection. Whether following the 4-3-2-1, 3-2-1-1-0, or the 3-2-1 rule, businesses must prioritize immutability, air gapping, and cross-cloud redundancy to ensure comprehensive data protection.
Ensuring your approach to data protection incorporates immutable backups and air-gap strategies will significantly enhance your ability to prevent data loss and maintain the integrity of your cloud data backups. By adopting these best practices, you can better safeguard your data and operational resilience — even in the face of the most sophisticated attacks.