The ABCs of 3-2-1 Backup Plans

We’ve got the fundamentals down: ransomware attacks are a major concern, and threat actors target backups to encrypt or delete them. On the bright side, It appears there’s increasing awareness for the latter, as we have seen more organizations with viable data backup policies during ransomware incidents. And according to data breach experts, this means that fewer end up being forced to pay the ransom to restore their data. 

What can we learn from these companies? First, regardless if they utilized an enterprise-level or small-business backup strategy, they all had backups of all their critical systems. While that won’t be the focus of this blog post, the significance of that cannot be overstated - know your critical systems and back them up. In addition to knowing their environment and backing up critical systems, they followed best practices to ensure their backups were protected from threat actors so they could be recovered and restored. They all utilized the 3-2-1 backup strategy (also known as a “3 2 1 backup rule” by some), which we’ll explore below, and take one step further. Let’s do this.

What Is a 3-2-1 Backup Plan?

An effective security strategy is a layered approach that has backstops and catchalls (I’ll spare everyone the onion analogy). It should be no surprise that the most effective data backup strategy is about layers. Enter the 3-2-1 backup strategy, an approach that is as simplistic as it is effective. It goes:

3 Copies of the Data

The first layer is to have at least three copies of the data. I emphasize “at least” because I encourage going above this, especially with how existing backup technology makes it so easy to automate the process. When thinking about copies of data, take into consideration the following recommended configuration for your data storage system. There are best practices throughout that apply to all copies of the data.

Production Data (Copy 1, Media 1)

While the data in use every day is the first copy, it’s a free giveaway for the count.

• This is a primary reason why you shouldn’t stick to just three copies since a disaster recovery plan exists because of this first line getting impacted. 

On-site Backups (Copy 2, Media 2)

An on-site backup solution is the heavy lifter in backups and should be heavily protected.

• Keep these backupa under lock and key!

Offsite Backups (Copy 3, Media 3)

These are backups that are off of your network.

• Most commonly this includes two mediums. First, is tape backups where data is written to a cassette tape and then stored offline. Second, is the option of following cloud backup best practices, to safely store data in the cloud.

2 Different Media Types

The different types of backups (media types) were scattered throughout the prior section. To summarize, here are various media types that are routinely seen in the 3-2-1 backup strategy:

Disks

• Storage Area Networks (SAN), Network Attached Storage (NAS), dedicated backup appliances

Snapshots

• Hypervisor or storage

Tape

• Off-site storage

Cloud

• Object-based storage or long-term cold storage

Hosted Backups

• Managed service provider or backup service

1 Offsite Copy

At this point, the offsite storage should be fairly straightforward. Two main options exist:

Tape Backups

Physical media provides more of a logistics challenge but many vendors exist who will securely store your backups and work with you to quickly return them when needed.

Cloud Storage

While still requiring an active Internet connection, cloud backups offer an easy-to-setup and maintain solution for off-site backups. Layering in the best practices above will help ensure they are stored safely.

Go Beyond 3-2-1

Let’s not stop at 3-2-1. We’re going to take this a step further to maximize your backup strategy. Enter the 3-2-1-1-0 rule being popularized by backup provider Veeam.

1 Air-gapped or Immutable Copy

There’s a reason immutable copies were a best practice. It helps ensure that a backup copy can’t be deleted (whether accidentally or on purpose) or encrypted during a ransomware event. If done well, that immutable copy will be the backstop for you and serve as a reliable part of your incident response and remediation strategy.

0 Errors after Testing and Recovery Verification

Test, test, test and practice good cybersecurity monitoring! It doesn’t matter what you do if you can’t confirm it actually works. This is a step that so many organizations fail to do and they only realize that something is broken when it is too late. You don’t have to be one of those companies! Many backup solutions have automated backup verification to ensure your data is viable. Go even deeper. Put time on the calendar at least once a year to walk through the recovery procedure and test that the systems and applications work. It’s not enough to restore systems if the applications and services on those systems do not function after restoration due to hardware failure.

What Are the 8 Best Practices for Backups?

Use Snapshots

With the heavy virtualization of environments, you get a built-in second copy through virtual snapshots to ensure data retention.

• This can be through the hypervisor itself or through storage appliances that will provide snapshots of the data. Be cognizant of where your snapshots are stored. In traditional disaster recovery situations of failed disks, if snapshots are stored on the same storage as the production data you risk losing both.

Remove the Backup Servers From the Windows Domain

The backup server and storage repository should have unique credentials and not be joined to a Windows domain.

Require MFA for Access

Backups are critical to your success, and there is no reason not to enforce cybersecurity mitigation practices such as MFA for access to the backup console.

Leverage an Immutable Data Repository

This restricts the ability to delete or modify backups leaving an extra layer of protection.

• To take this further, leverage a backup appliance that has additional snapshot capabilities.

Enforce the Principle of Least Privilege

Allowing broad access to backups increases the attack surface.

• Limit access to these systems to only those accounts that are needed for functionality and management. This same concept applies to the accounts used to manage the backup process itself.

Encrypt Backups

While this will not help with redundancy of data, it does protect in situations where an unauthorized user obtains a backup and is able to extract sensitive data.

Leverage A Long-Term Cold Storage Solution

Cloud providers can offer longer-term, cost-effective, storage that is stored “off” the cloud.

• While it is not instantly accessible through the cloud, cloud storage can serve as another layer of offline storage and has the ability to be immutable.

Putting it All Together

An effective backup strategy doesn’t have to be complex, you’ll find that sticking to the basics will work wonders for you when analyzing your options for incident response solutions. If you follow this simple recipe, the chances of success will multiply. The layers exist to help you mitigate risk and the likelihood of an attacker destroying your entire backup stack. Just like in security, layers of backups provide additional cyber risk mitigation. And just like in life, don’t make assumptions that what you’re doing is effective. Test, confirm, practice good cyber monitoring, and sleep easier.