3-2-1 backup is no longer enough. Modern backup strategy is 3-2-1-1-0. Here's what each number means and how to verify yours.
The old rule, briefly
3-2-1 said: keep 3 copies of your data, on 2 different media, with 1 offsite. It was good guidance from a different era. Then ransomware happened, and we learned that 'offsite' isn't enough if the offsite copy is reachable with the same compromised credentials.
The new rule: 3-2-1-1-0
Three copies of data. Two different storage types. One copy offsite. One copy immutable or air-gapped. Zero errors after verification. The extra '1' is the immutable copy. The '0' is the verification step nobody skips.
Immutable means immutable
Immutable storage cannot be modified or deleted for a set retention period, even by an admin. The usual options are object lock, S3 immutability, or appliance-based immutability. If an attacker who got domain admin can also delete your backups, they're not immutable.
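One way to test the "even by an admin" claim for S3 Object Lock, as an added example that is not from the original article: it audits the JSON printed by `aws s3api get-object-lock-configuration` and flags GOVERNANCE mode, which a principal holding `s3:BypassGovernanceRetention` can override, unlike COMPLIANCE mode. The bucket names, sample JSON, function names and the 30-day minimum are assumptions constructed for illustration.

```python
import json

# Constructed samples in the JSON shape printed by
# `aws s3api get-object-lock-configuration --bucket <name>`.
SAMPLES = {
    "backup-compliance": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",'
        ' "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}',
    "backup-governance": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",'
        ' "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}}}}',
    "backup-short": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",'
        ' "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}}',
    "backup-no-default": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}',
}

MIN_RETENTION_DAYS = 30  # assumption: matches a thirty-day fast-restore window


def audit_object_lock(config, min_days=MIN_RETENTION_DAYS):
    """Return findings for one bucket; an empty list means the default lock holds."""
    lock = config.get("ObjectLockConfiguration") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled, so versions can be deleted"]
    retention = (lock.get("Rule") or {}).get("DefaultRetention")
    if not retention:
        return ["no default retention: only uploads that set their own retention are locked"]
    findings = []
    if retention.get("Mode") != "COMPLIANCE":
        # GOVERNANCE retention can be overridden by sufficiently privileged principals.
        findings.append("GOVERNANCE mode: a principal with "
                        "s3:BypassGovernanceRetention can still delete")
    # The API reports the default retention period in either Days or Years.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention is {days} days, below {min_days}")
    return findings


def audit_all(samples=SAMPLES):
    """Audit every sample bucket and return {bucket name: findings}."""
    return {name: audit_object_lock(json.loads(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, "OK" if not findings else "; ".join(findings))
```

Against a real account, feed the function the parsed output of the CLI call for each backup bucket; a bucket with no lock configuration returns an error instead of JSON, which corresponds to passing an empty dict here.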
Air-gapped vs immutable
Both work. Air-gapped means the backup is on storage that isn't connected to the production network. Immutable means it's connected but can't be modified. Most modern stacks use immutable cloud tiers. Some still use tape rotation for the air gap.
Verification is the work
A backup that exists but doesn't restore is worth nothing. Run monthly automated restore tests with documented success criteria. Run a quarterly full DR exercise that boots a system from backup. Hold an annual tabletop with leadership.
Retention vs cost
Common targets: thirty days of fast restore, one to seven years of long-term archive. The long-term archive is cheap on object storage. Don't compromise retention to save five dollars a month.
RTO and RPO on paper
Recovery time objective is how fast you need it back. Recovery point objective is how much data you can lose. Write them down per system, in business terms. Then design backup to meet them.
Common gaps we find
SaaS not backed up. M365 mailboxes not backed up. Cloud servers not snapshotted. Endpoints not backed up at all. The backup product on the server doesn't tell you about the SaaS gap. Map the data, not the systems.