3-2-1…Airgap!?

Anyone who has had anything to do with backups knows the 3-2-1 Rule:

3 copies of the data, on 2 different mediums, and 1 air-gapped.

It has become something of a standard against which backup architectures are measured, and for good reason. While this methodology works well in the context of on-premises backups, in increasingly hybrid IT landscapes it has become at best a source of discussion, and at worse a full-stop blocker for the adoption of modern technologies into backup designs and strategies. The reason for this is the (relative) new kid on the block: the cloud.

  • Is cloud storage secure? 
  • How do you physically air-gap data stored over the internet? 
  • How much will this cost?
  • Would it just be easier to stick to LTO tapes?

It is this lack of clarity that we wish to address. To do so, we will look at three things over the course of three articles:

  1. A brief history of the 3-2-1 backup Rule, and a breakdown of the protections it provides.
  2. The 3-2-1 Rule in hybrid scenarios.
  3. The 3-2-1 Rule in a cloud-only context.

So let us start with a brief history lesson:


A brief history

Where did the 3-2-1 Rule come from? As it turns out, a not very IT source: photographer Peter Krogh. In his book “The DAM Book: Digital Asset Management for Photographers,” published in 2005, Peter presented this rule as a guideline for securing digital assets. It was quickly adopted from there as a best practice for securing data of all kinds, and is referenced by entities large and small, from backup expert blogs to software providers to government agencies. 

Deconstructing the Rule

The 3-2-1 Backup Rule sounds good with lots of copies of our data, but what does it actually do for us? What does it protect us from? Let’s break it down on a conceptual level:

3 copies: The first copy is the production copy, the second and third are backups. In short, with three copies we achieve a good level of data redundancy. Redundancy helps protect against hardware failures (such as a failed disk), human error, and physical theft/loss.

2 media: Two media types bring additional protection for our data in the sense of making at least one of our data sets resistant to the exact same risks as the others. Traditionally this has been implemented with hard disks and magnetic tape media. Risks that can be mitigated here: software related errors, hardware failures, and some environmental incidents (water damage in the datacenter for example).

1 air-gapped: Traditionally this has been interpreted as a physical separation. This copy is also usually the copy providing long-term retention. In most cases this means using LTO magnetic tapes and having them stored somewhere other than in the media library, such as a fire safe, or a safety deposit box. Having a copy air-gapped (and in a safe environment of some kind) helps protect against environmental disaster, infrastructure failure, and malicious attacks such as ransomware, as well as some forms of human error (there are so many….).

Protection Summary

Taken together the 3-2-1 Rule helps to protect data from:

  1. Human error.
  2. Software corruption.
  3. Loss/Theft.
  4. Environmental disaster.
  5. Hardware failure.

Accepted Risks and Costs

In the classic on-premises IT world, with a disk (1)-to-disk (2)-to-tape (3, air-gapped) setup, this solution brings with it a certain set of costs and risks:

  1. Possibly high recovery time (RTO): If recovery from the 3rd, air-gapped copy is required, it usually takes a long time to get data restored. Tapes may be off site, and in some cases the backups must be copied to disk first, then restored.
  2. Maintenance: The maintenance of the required infrastructure is a responsibility of the internal IT staff. This costs time and requires support contracts.
  3. Data Loss: For the long-term backups stored on removable media, backups can be spread out over several tapes or disks: Losing one tape could mean that a large part of the data becomes non-restorable. This can happen either through loss, physical damage, or a tape being overwritten, for example.
  4. Cost Management: The cost of this solutions is heavy on the capital expenditures (capex), with storages, LTO tapes and libraries being required.
  5. Supply Chain issues: It exposes the security of the data to delivery problems (tapes not being deliverable, repair service delays) as well as possible delays from internal departments such as purchasing or waiting on approvals.

10 years ago, these were considered “facts of life” for securing data on-premises. With the introduction of cloud computing there are new options that address some of these issues, but are there any real showstoppers for including the cloud as part of a good backup strategy? Does the 3-‑2-‑1 Rule still work? In the next two articles in this series, we will explore both hybrid and cloud-only scenarios to answer these questions. Stay tuned.