The 3-2-1 Backup Rule Explained

3, Three total copies of your data Your live data counts as copy one. You need two additional backup copies. If two copies are affected simultaneously, which happens more often than people expect, you still have a third.

2, Two different media types Do not store all three copies on the same type of storage. Common combinations: local NAS plus cloud, or on-site tape plus cloud. Media diversity protects against failure modes that affect one technology simultaneously (for example, a bug that corrupts a specific file system).

1, One copy offsite If your office burns down, floods, or gets ransomwared from the inside, the offsite copy survives. For most SMBs, "offsite" means a Canadian cloud data centre, typically replication to Azure Canada Central, AWS Canada (Central), or a Canadian backup-as-a-service provider.

Ransomware broke the original 3-2-1 rule. Attackers now target backup infrastructure directly, they sit in networks for weeks, find backup systems, and encrypt or delete them before deploying the final payload.

The updated model adds:

+1, One immutable copy Immutable storage means the backup cannot be altered or deleted for a defined retention period, regardless of administrator credentials. Even a fully compromised domain admin cannot touch it.

+0, Zero errors in restore tests A backup that has never been restored is a guess. Quarterly verified restores, with documented results, are the standard for any properly managed backup programme.

Single backups fail silently. A drive can develop silent corruption over months. A cloud sync can quietly delete files if a source deletion replicates. Two copies can fail together. Three copies give you the redundancy to catch cascading failures.

Yes, if it is a separate facility from your production environment. Backing up to OneDrive or Google Drive on the same Microsoft 365 tenant as your live data does not count as a true offsite copy. Replication to a dedicated Canadian backup data centre, separate from your production cloud, satisfies the offsite leg.

Not without immutability. If every copy of your backup can be reached and modified by a compromised admin account, ransomware can destroy all three copies before you notice anything is wrong. Modern backup design requires:

North Star tests restores quarterly for every protected workload, with documented results. We test individual files, full mailboxes, and full server recoveries on rotation. If a restore fails during a test, we fix it immediately, not after a real disaster.

What is the 3-2-1-1-0 backup rule? An extension of 3-2-1: three copies, two media, one offsite, one immutable, zero errors in restore tests. It is the current best practice for ransomware resilience.

Does backup to Microsoft OneDrive satisfy 3-2-1? Only if OneDrive is separate from your primary data source and protected with versioning and immutability. Standard OneDrive sync is not a backup.

How long should I retain backups? Most SMBs keep 30 days of daily backups, 12 months of monthly backups, and 7 years for financial records. Regulated industries may require more.

What is the difference between a backup and a snapshot? A snapshot is a point-in-time image of a volume, usually stored on the same storage system. It is useful for fast recovery from accidental deletion but not a substitute for offsite backup.

Can North Star IT manage our backups? Yes. North Star designs and manages 3-2-1-1-0 backup programmes for businesses across Northern BC, Alberta, and Yukon, including immutable Canadian cloud replication and quarterly verified restores.

Is your backup strategy actually ransomware-proof? Call 672-983-1174 or book a free backup assessment at northstarit.ca.