Let’s take a detailed look at the 3-2-1 rule, including its variations, implementation, and sovereign cloud-based application.
What is the 3-2-1 rule?
From natural disasters to malicious acts, data gets compromised, lost, and stolen every single day. To help prevent data loss and support business continuity, it’s important to look forward and develop enterprise backup solutions that work. The 3-2-1 backup rule is an innovative and resilient approach based on a simple and scalable method. From computers and hard drives to tablets and mobile phones, this strategy can be used on all devices and data types.
The 3-2-1 rule says:
- There should be 3 copies of the data,
- stored on 2 different media,
- 1 of which is located off-site.
While this rule seems simple, it fulfils three of the basic principles of data security. The first part of the rule deals with data duplication, which is the practice of copying data to make it more resilient. The second part of the rule separates data physically by recording information onto alternate formats. The third part of the rule deals with geo-redundancy, which is the practice of storing data in two or more places.
Backing up data is not enough in isolation — businesses should also consider duplication, media, and location. With this base rule, organisations can back up everything from daily records to mission critical data. The abstract nature and flexible attributes of this rule help to ensure data integrity in a range of operating environments. The 3-2-1 rule does not have any specific technology or hardware requirements, and it can address almost every possible failure scenario.
There are many ways to implement the 3-2-1 rule, from different methods of duplication to alternate media and diverse geographic locations. For example, you can copy data while it’s created, when it’s stored, or when it’s accessed. There are lots of media options available, including hard drives, tape, private cloud repositories, and public cloud archives. Geographic locations are infinitely varied, from data centres in a neighbouring building to cloud-based storage in another city.
The other consideration for government agencies is adherence to Essential Eight cyber mitigation strategies. This explicitly spells out the need to have a data backup strategy in place.
The 3-2-1 backup and recovery rule copes well with the vast majority of potential failure scenarios. It’s not a perfect solution, however, with demanding organisations requiring a more comprehensive solution. If you want to take data security even further, the 3-2-1-1-0 rule offers true enterprise-level backup and recovery. This rule adds two important steps to create something incredibly robust.
The 3-2-1-1-0 rule says:
- There should be 3 copies of the data,
- stored on 2 different media,
- 1 of which is located off-site.
- 1 of these copies should be offline or in the cloud,
- and the entire backup should have 0 errors.
The 3-2-1-1-0 rule is a complete enterprise backup solution. It provides faster recovery in the event of data loss and eliminates errors during duplication. With a higher level of data recoverability, businesses can enjoy better protection from ransomware, additional business continuity, and enhanced operational confidence.
The additional 1 part of the rule
If your backups are stored offline or in the cloud, you are protected from natural disasters and malware. This part of the rule can be understood through the concept of an ‘air gap’. To put it simply, this means putting the backup on a machine that’s physically separated from the data it’s backing up. This literal ‘air gap’ helps to ensure effective disaster recovery when an incident occurs. It offers full protection from malicious hackers and provides organisations with greater control over their data.
The additional 0 part of the rule
It doesn’t matter how often you back up or where your data is located if your records are riddled with errors. When data is checked for mistakes, organisations can move forward with full confidence regarding restoration. Regardless of your size or sector, this part of the rule provides an additional layer of data verification and control. This simple last step helps to keep the rest of the algorithm honest.
Overall, the extended 3-2-1-1-0 rule offers two important things. It helps to protect your organisation from all potential attack vectors. And it ensures a fast and effective recovery process if an attack occurs.
The 3-2-1 rule vs the 3-2-1-1-0 rule — what’s right for your organisation?
Each organisation needs to decide its own level of security. From government departments to private companies, enterprises have different values, standards, and operating approaches when it comes to data. The 3-2-1 rule was the trusted industry standard until recently, but things have changed over the last few years. A number of factors have influenced this trend, including the rise of cloud computing, the proliferation of ransomware attacks, pandemics and disasters like bushfires and flooding. Overall, organisations are becoming more risk-aware and increasingly security conscious.
The difference between the 3-2-1 rule and the 3-2-1-1-0 rule is simple. While both approaches provide comprehensive data security, only the latter offers complete backup-saving mechanisms. It’s not just about saving data — it’s about prioritising continuity, avoiding downtime, and avoiding long-term reputational damage when an attack occurs. From malware and malicious events to human error and physical damage, the 3-2-1-1-0 rule provides the highest level of protection available.
Implementation considerations for enterprise backup solutions
Whatever level of security you require, there are lots of crucial decisions to make regarding implementation. Each organisation is unique, with a tailored approach required to ensure full data protection and recovery. When it comes to implementation, there are lots of ways to make mistakes. While most organisations succeed with data duplication (the “3” part of the rule), many fail when it comes to the other steps.
For example, many cloud-based services store backups on the same servers they are supposed to be protecting. This ignores both the “2” and “1” parts of the rule. Other failures are linked to the second “1” step, with some businesses and backup services failing to create real ‘air’ between the original and copied data. The final “0” step can also fail implementation if the error checking mechanism is unable to examine or verify the stored data effectively.
What is a sovereign cloud provider?
If you want to follow the 3-2-1-1-0 data backup and recovery process in full, it’s important to deal with a trusted cloud provider. Sovereign cloud services offer continuous protection based on a highly secure and fully compliant national framework. Sovereign cloud providers meet Australian data residency and data sovereignty requirements, and they also provide a range of secure accessibility controls. If you need to control and protect sensitive, confidential, or restricted data, an Australian sovereign cloud is the best solution.
Sovereign cloud providers offer complete jurisdictional control, which is necessary for government organisations and desirable for many private enterprises – especially for those organisations in the 11 Critical Infrastructure sectors. To ensure operational integrity, data security, and national compliance, sovereign cloud providers offer a variety of domestic backup services based on the 3-2-1-1-0 rule. When your data is secured off-site but still kept at home through robust cloud architecture, you can be assured of complete sovereign control.
Sovereign cloud providers offer a range of data backup and recovery services, many of which are based on the 3-2-1-1-0 standard. Whether it’s delivered as a range of services or offered as a complete solution, domestic data integrity is crucial for many Australian organisations. While nothing in the rule itself mentions sovereignty, dedicated jurisdictional controls are needed whenever data is secured off-site.
Some of the individual services available from sovereign cloud providers include backup as a service (BaaS) and disaster recovery as a service (DRaaS). Many sovereign cloud providers offer dedicated backup plans for Microsoft 365, which is a secure and cost-effective way to overcome the limitations of native Microsoft products. When these offerings are part of a wider plan, they often fall under the infrastructure as a service (IaaS) model.
Take the next step
If you’re ready to take your organisation to the next level, AUCloud offers a complete enterprise cloud data protection solution. Enterprise-level backups based on the 3-2-1-1-0 rule are a critical part of our data protection and disaster recovery plans. Please contact our team to learn more about sovereign cloud solutions for your company. Our experts are always ready to help.
1800 282 568
