The 3-2-1 rule is dead. I know that’s a bold statement, especially coming from someone who has spent decades preaching the gospel of three copies, two media types, one offsite. But here’s the thing – ransomware killed it. Not because the fundamentals were wrong, but because the threat landscape changed so dramatically that the old rule became insufficient.
Long live 3-2-1-1-0.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/
Before you panic, let me be clear: the basic principles of the 3-2-1 rule are still the foundation of any backup strategy. If you’re not doing at least three copies of your data on two different media with one somewhere else, you don’t have backups. You have hope. And hope is not a strategy. But the 3-2-1 rule alone won’t save you anymore. It had to evolve or die. So we evolved it.
Why the 3-2-1 Rule Had to Die
The 3-2-1 rule came from a simpler time. Peter Krogh, a digital photographer, coined it in the 1990s to help protect his work from the most common threats of that era: hardware failure, accidental deletion, and physical disasters. Three copies meant redundancy. Two different media types meant you weren’t putting all your eggs in one basket. One offsite copy meant fire, flood, or theft wouldn’t destroy everything.
It worked beautifully. For years, if you followed the 3-2-1 rule, you were protected against pretty much everything that could go wrong. Hardware died? No problem, restore from backup. Someone deleted critical files? Got it covered. Office burned down? The offsite copy saves the day.
Then ransomware got smart.
Ransomware operators aren’t stupid. They know that if you can restore from backups, you won’t pay the ransom. So they started doing their homework. They’d get into an environment and spend days or weeks mapping out the infrastructure, including the backup systems. Then, before they encrypted your production data, they’d delete your backups. Or encrypt them. Or lock you out of your backup systems by compromising the credentials.
The 3-2-1 rule has a fatal flaw in the age of ransomware: all three copies can potentially be accessed and destroyed by someone who steals your administrative credentials. You might have three copies on two different media with one offsite, but if an attacker can authenticate as you, they can delete all of them. And that’s exactly what they do.
I’ve seen case after case where organizations thought they were protected. They were following the 3-2-1 rule religiously. Then ransomware hit, and when they went to restore, the backups were gone. Every single one of them. That’s when we realized the 3-2-1 rule, as originally conceived, was dead.
The Rebirth: Understanding 3-2-1-1-0
So we killed the old rule and replaced it with 3-2-1-1-0. Same foundation, critical additions. Let’s break down what those extra numbers mean and why they matter.
The first extra “1” stands for one immutable, air-gapped copy. This is the game-changer. Immutable means the data can’t be changed or deleted, even by an administrator. Air-gapped means it’s isolated from your network in a way that makes it inaccessible to attackers who compromise your primary environment.
Now, air-gapping doesn’t necessarily mean physically disconnected anymore. We’re not all running tape libraries (though if you are, good for you – tape actually works great for this). In a cloud world, air-gapping can be logical. It means different credentials that aren’t stored where attackers can find them. It means access controls that require out-of-band authentication. It means systems that are architecturally separated so that even if someone has full admin rights in your production environment, they still can’t touch this copy.
The key principle is this: if you can easily access and delete your backup, so can ransomware operators who steal your credentials. Human nature makes us want convenience. We want to be able to restore quickly and easily. But convenience is the enemy of security. That immutable, air-gapped copy needs to be inconvenient to access. That inconvenience is what saves you.
The “0” in 3-2-1-1-0 stands for zero failures. Your backups need to actually work when you need them. This sounds obvious, but you’d be shocked how many organizations discover their backups have been failing for weeks or months only when they try to restore during a crisis.
Zero failures means you’re actively monitoring backup success. It means you’re testing restores regularly, not just assuming they’ll work. It means you’re scanning your backups for ransomware – because what good is restoring data that’s already encrypted? And it means you have processes in place to fix problems immediately when they occur, not letting failed backups pile up because everyone’s too busy.
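To make the five digits concrete, here is an added example (not from the original post or podcast) that audits a backup inventory against 3-2-1-1-0. The inventory fields, the `corp-ad` and `vault-only` credential domains, the sample copies and the 30-day restore-test window are all constructed assumptions; the point it shows is that a classic 3-2-1 layout passes the first three checks and still fails the fourth when every copy is reachable with production credentials.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                 # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool            # cannot be changed or deleted, even by an admin
    cred_domain: str           # identity system whose credentials reach this copy
    last_job_ok: bool = True   # most recent backup job succeeded
    last_restore_test: Optional[date] = None  # last successful test restore
    is_production: bool = False

def audit(copies, prod_cred_domain, today, max_test_age_days=30):
    """Return {rule: passed} for each digit of 3-2-1-1-0."""
    backups = [c for c in copies if not c.is_production]
    # Logical air gap: immutable AND not reachable with production credentials.
    isolated = [c for c in backups
                if c.immutable and c.cred_domain != prod_cred_domain]

    def healthy(c):
        # Zero failures: last job succeeded and a restore was tested recently.
        return (c.last_job_ok and c.last_restore_test is not None
                and (today - c.last_restore_test).days <= max_test_age_days)

    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 immutable, air-gapped": len(isolated) >= 1,
        "0 failures": bool(backups) and all(healthy(c) for c in backups),
    }

# Constructed sample inventory: a textbook 3-2-1 setup sharing one admin domain.
TODAY = date(2025, 1, 31)
CLASSIC = [
    Copy("prod-nas", "disk", False, False, "corp-ad", is_production=True),
    Copy("backup-server", "disk", False, False, "corp-ad",
         last_restore_test=date(2025, 1, 20)),
    Copy("cloud-bucket", "object-storage", True, False, "corp-ad",
         last_restore_test=date(2025, 1, 15)),
]
# Same inventory plus one immutable copy behind separate credentials.
HARDENED = CLASSIC + [
    Copy("vault", "tape", True, True, "vault-only",
         last_restore_test=date(2025, 1, 10)),
]

if __name__ == "__main__":
    for label, inv in (("classic", CLASSIC), ("hardened", HARDENED)):
        print(label, audit(inv, "corp-ad", TODAY))
```

The audit does not model scanning backup contents for ransomware, which would be a separate check on each copy.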
Why the 3-2-1 Rule Couldn’t Survive the Ransomware Era
Here’s something that really drives home why the 3-2-1 rule had to die: ransomware has become essentially the only reason we restore from backups anymore.
When I started in this business, the number one reason people restored was hardware failure. Drives crashed constantly. Servers died. Storage arrays had problems. We were restoring from backups all the time because the technology itself was unreliable. But hardware has gotten incredibly resilient. SSDs rarely fail. RAID protects against drive failures. Redundant systems keep things running even when components die.
We almost never restore because of technical failures anymore. Now we restore for one reason: someone did something stupid. They deleted files they shouldn’t have deleted, or they clicked on a phishing email that let ransomware in, or they misconfigured something that caused data loss. The only reason we need backups these days is human error and human malice.
And ransomware operators are really, really good at exploiting both. They trick people into clicking things. They steal credentials. They exploit vulnerabilities. And then they go straight for the backups, because they know that’s what stands between them and getting paid.
The traditional 3-2-1 rule wasn’t designed for an adversary actively trying to destroy your backups. It was designed for passive threats – equipment failures, accidents, natural disasters. That’s why it had to die and be reborn with immutability and air-gapping baked in.
What the Death of the 3-2-1 Rule Means for You
If you’re still relying on the old 3-2-1 rule without the additional protections of 3-2-1-1-0, you’re vulnerable. Your backups might survive a fire or a hardware failure, but they probably won’t survive a determined ransomware attack.
Look at any ransomware incident report and you’ll see the same story repeated: “and then the backups were deleted.” Or encrypted. Or made inaccessible. Organizations that thought they were protected found out the hard way that the 3-2-1 rule alone wasn’t enough.
The good news is that upgrading to 3-2-1-1-0 isn’t as hard as it might sound. You don’t have to throw out your existing backup infrastructure. You just need to add that immutable, air-gapped copy and make sure you’re actively monitoring for failures. Cloud storage with proper immutability settings and separate credentials can work. Tape stored offline works. Specialized backup appliances designed for ransomware protection work. You have options.
The bad news is that it’s not optional anymore. If you want backups that will actually save you during a ransomware attack – and ransomware is almost certainly the biggest threat you face – you need to make this upgrade. The 3-2-1 rule is dead. You can mourn it if you want, but then you need to move on to 3-2-1-1-0.
Don’t let your organization become another case study of backups that weren’t there when they were needed most. The 3-2-1 rule served us well for decades, but its time has passed. Long live 3-2-1-1-0.
Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.

