What Is the 3-2-1 Backup Rule? (And Why It's Evolved to 3-2-1-1-0)

04/15/2026 | 7 min read

The 3-2-1 backup rule means keeping three copies of your data, on two different types of media, with one copy stored offsite. It's the most widely cited backup best practice in IT, but it's no longer enough on its own. Ransomware changed the math. The modern standard is the 3-2-1-1-0 rule, which adds an immutable offline copy and mandatory verification. This article explains both, why the evolution happened, and what implementation looks like in practice.

What Is the 3-2-1 Backup Rule?

The 3-2-1 rule is a backup strategy framework originally popularized by photographer Peter Krogh and later adopted broadly in IT. The numbers stand for:

  • 3 — Maintain at least three copies of your data (the production copy plus two backups)
  • 2 — Store those copies on at least two different types of media (e.g., local disk and cloud, or disk and tape)
  • 1 — Keep at least one copy offsite, in a separate geographic location

The logic is simple: most failures are single-point events. A disk fails, a building floods, a server is ransomed. The 3-2-1 rule ensures that no single incident can destroy all copies simultaneously. If your primary data and local backup are wiped out, the offsite copy survives.

Why 3-2-1 Isn't Enough Anymore

The 3-2-1 rule was designed for hardware failures and localized disasters. Ransomware attacks a different threat model entirely.

Modern ransomware doesn't just encrypt your production data. It identifies and encrypts connected backup targets first. Attackers know the 3-2-1 playbook and they specifically target the offsite copy, cloud repository, and backup server credentials before triggering the encryption payload.

In the Colonial Pipeline attack (2021), attackers were inside the network for days before striking. In the Kaseya VSA incident (2021), ransomware propagated through managed service providers to their clients — including backup infrastructure. Standard 3-2-1 configurations with all copies network-connected provided no protection.

The 3-2-1-1-0 Rule: The Modern Standard

The updated framework adds two critical components:

  • 3 — Three copies of data
  • 2 — Two different media types
  • 1 — One offsite copy
  • 1 — One copy that is offline, air-gapped, or immutable (not reachable by ransomware)
  • 0 — Zero errors confirmed via automated backup verification testing

The fourth "1" is the ransomware defense. An immutable backup stored in object storage with WORM (Write Once Read Many) protection, or a physically air-gapped tape taken offsite, cannot be encrypted by malware — because it cannot be written to or deleted by network-connected processes.

The "0" is equally important. An unverified backup is not a backup. Automated recovery testing after every job confirms that the backup can actually be restored before you need it.

How to Implement the 3-2-1-1-0 Rule

Copy 1: Local backup on disk

Fast, accessible, used for day-to-day restores. Should be on a dedicated backup repository — not the same server as production data. Achieve RPOs of 15–60 minutes with hourly incremental jobs.

Copy 2: Secondary backup on different media or location

Backup copy job to a second repository on different hardware, a secondary site, or a cloud object store. Protects against local infrastructure failure.

Copy 3: Offsite or cloud copy

A third copy in a geographically separate location. This is your disaster recovery copy — used when the primary site is unavailable. Cloud object storage (Azure Blob, AWS S3) with versioning enabled works well here.

The immutable copy (the new "1")

Configure your cloud repository with object lock / WORM protection enabled. Most major cloud providers support this. Alternatively, tape taken physically offsite and disconnected from the network qualifies as air-gapped. The key property: this copy cannot be modified or deleted by any network-connected process, including your own backup software or admin credentials.

Verification (the "0")

Automate restore testing after every backup job. At minimum, verify that the backup file is readable and the checksum matches. Ideally, spin up the backup in an isolated sandbox environment and confirm the application starts correctly. Do this automatically, not manually.
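The implementation steps above can be turned into an automated check. The following is an added example, not AvePoint's code or any product's API: it verifies backup files against a SHA-256 manifest recorded at backup time (the "0") and evaluates a copy inventory against the five components of 3-2-1-1-0. The record fields (media, offsite, immutable, verify_errors) and the sample file are hypothetical.

```python
# Added example, not AvePoint's code: checks a backup inventory against 3-2-1-1-0 and
# verifies backup files against a SHA-256 manifest (the "0"). Field names are hypothetical.
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a backup file in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_manifest(manifest):
    """manifest: backup file path -> hex SHA-256 recorded when the job ran.
    Returns the error count: a missing file or a mismatch is one error each."""
    return sum(1 for path, expected in manifest.items()
               if not os.path.isfile(path) or sha256_file(path) != expected)

def check_3_2_1_1_0(copies, production_media="disk"):
    """copies: backup records with keys media, offsite, immutable, verify_errors
    (-1 = never tested). Returns the failing components; [] means compliant."""
    failures = []
    if len(copies) < 2:  # production + two backups = three copies
        failures.append("3: fewer than three copies")
    if len({production_media} | {c["media"] for c in copies}) < 2:
        failures.append("2: only one media type")
    if not any(c["offsite"] for c in copies):
        failures.append("1: no offsite copy")
    if not any(c["immutable"] for c in copies):  # storage-level WORM or air-gapped
        failures.append("1: no immutable or air-gapped copy")
    if any(c["verify_errors"] != 0 for c in copies):
        failures.append("0: a copy is unverified or failed verification")
    return failures

def demo_manifest_check():
    """Constructed sample: verify a backup file, then again after tampering with it.
    Returns (errors_before, errors_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "exchange-full.bak")
        with open(path, "wb") as f:
            f.write(b"constructed backup payload")
        manifest = {path: sha256_file(path)}
        before = verify_manifest(manifest)
        with open(path, "ab") as f:  # simulate in-place corruption or encryption
            f.write(b"!")
        return before, verify_manifest(manifest)
```

A real deployment would feed `verify_errors` from the sandbox restore test rather than from a hand-written record, and fail the job whenever `check_3_2_1_1_0` returns anything but an empty list.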

3-2-1 for Microsoft 365: The Gap You're Probably Missing

Most organizations implement 3-2-1-1-0 for on-premises infrastructure and forget that Microsoft 365 is a separate data surface requiring the same treatment.

Microsoft's shared responsibility model is explicit: Microsoft protects the platform; customers protect their data. M365's built-in retention policies and version history are not backups. They don't protect against:

  • Ransomware encrypting SharePoint and OneDrive content through synced clients
  • Accidental or malicious mass deletion within the retention window
  • Data loss from third-party app integrations with write access

Applying 3-2-1-1-0 to your Microsoft 365 environment means automated, policy-driven backup of Exchange Online, SharePoint, OneDrive, Teams and more with immutable storage and verified restore capability. AvePoint Cloud Backup delivers this across the entire M365 surface.

Best Practices for the 3-2-1-1-0 Rule

  • Test restores on a schedule — monthly at minimum, quarterly for full application-level recovery validation
  • Monitor backup job status actively — silent failures are the most dangerous; a job that completes with errors and isn't caught leaves you exposed
  • Separate backup admin credentials from production admin credentials — attackers targeting backups often use compromised domain admin accounts
  • Enable immutability on cloud repositories at the storage level, not just the application level — application-level locks can often be overridden with admin credentials
  • Document your recovery order — the 3-2-1-1-0 rule tells you how to store data, not how to recover it; a DR runbook is also required
  • Extend the framework to SaaS — Microsoft 365, Salesforce, and other cloud platforms need the same backup discipline as on-premises workloads

Frequently Asked Questions

What does the 3-2-1 backup rule mean?

The 3-2-1 rule means keeping three copies of your data, on two different types of storage media, with one copy stored offsite. It's the foundational backup strategy for protecting against hardware failures, localized disasters, and data corruption.

Is the 3-2-1 backup rule still relevant?

Yes, but it's been updated to 3-2-1-1-0 to address ransomware threats. The original rule didn't account for attackers who specifically target connected backup infrastructure. The additional "1" (immutable/offline copy) and "0" (verified backups) close that gap.

What is an immutable backup?

An immutable backup is a copy of data that cannot be modified, overwritten, or deleted for a defined period — even by administrator accounts. Object storage with WORM protection (like AWS S3 Object Lock or Azure Blob immutable storage) is the most common implementation. Air-gapped tape is another option.

How does the 3-2-1 rule apply to Microsoft 365?

Microsoft 365 data requires the same backup discipline as on-premises data. Microsoft does not provide granular backup with point-in-time restore for M365 workloads. A dedicated third-party backup solution is needed to implement 3-2-1-1-0 coverage for Exchange Online, SharePoint, OneDrive, and Teams.

What is the difference between 3-2-1 and 3-2-1-1-0?

The original 3-2-1 rule focuses on redundancy and offsite storage. The 3-2-1-1-0 update adds an immutable/offline copy (ransomware protection) and automated verification testing (backup integrity assurance). The evolution was driven by ransomware attacks that demonstrated the vulnerability of all-network-connected backup architectures.

How often should backups run to meet the 3-2-1-1-0 rule?

Backup frequency is driven by RPO (Recovery Point Objective), not the 3-2-1-1-0 rule itself. Mission-critical systems may need continuous data protection or hourly incrementals. The 3-2-1-1-0 rule governs how many copies exist and where — your RPO governs how often they're created.

Conclusion

The 3-2-1 backup rule built the foundation of modern data protection strategy. The 3-2-1-1-0 update closes the ransomware gap. Three copies, two media, one offsite, one immutable, zero unverified backups — implement all five components and you have a backup architecture that protects against hardware failure, regional disaster, and targeted ransomware attacks simultaneously.

Make sure Microsoft 365 is inside that framework. It's where most of your business data lives now — and it needs the same discipline as the infrastructure you've been protecting for years.


Author

Grace Harrison

Grace Harrison is a Product Marketing Manager at AvePoint, Inc., based in Jersey City, NJ. She works in the Product Strategy department, contributing to solutions like AvePoint Cloud Backup, AvePoint Fly, and AvePoint tyGraph. Grace plays a key role in developing marketing strategies and competitive intelligence to support AvePoint's field teams and enhance their selling tools.