Having an effective means of backing up your data and restoring it in a disaster recovery scenario is an essential part of your overall business continuity plan. In order to ensure that your data is protected effectively, you want to backup your data in harmony with industry-proven best practice recommendations.

There is a well-documented industry best practice standard for backing up your business-critical data that allows you to effectively protect your data, mission-critical virtualized and physical server infrastructure. It is known as the 3-2-1 Backup rule.

Let’s take a look at the 3-2-1 backup rule data protection strategy and see how you can use this effectively to protect your most valuable infrastructure and data.

The 3-2-1 Backup Rule Data Protection Strategy Overview

To begin with, let’s first define what the Backup 3-2-1 Rule for your data protection strategy is exactly. Each part of the 3-2-1 backup rule signifies an aspect of protecting your data in a way that satisfies best practices. In the 3-2-1 backup rule, it is recommended to have (3) copies of your data, stored on at least (2) different types of media, with at least (1) copy stored offsite.

Why is each aspect of the 3-2-1 backup rule significant? Let’s take a look at each facet of the 3-2-1 backup rule and see how each contributes to keeping your data safe.

Download Banner

(3) Copies of your Data

Data disasters can happen due to any number of reasons for your production environment. This can be due to anything related to natural or manmade disasters. Natural disasters like hurricanes or earthquakes can affect entire geographic locations.

Having multiple copies stored across different devices and different locations drastically reduces the chance that all copies of your data will be affected by an unforeseen disaster. The fewer copies you have and the less diversity in the locations where your data is stored, the greater the chance of data loss.

Primarily, the (3) in the 3-2-1 backup rule recommends (3) copies of your data. This can break down to your main production copy and at least two additional backups. There is no rule that says you can’t have more than three copies. Rather, you need at least three copies.

(2) Different Types of Storage Media

You not only want to have multiple copies of your data in the form of the three that are recommended by the 3-2-1 backup rule, but you also want to have multiple types of media these are stored on. Why is this? Having your data stored on the same types of storage media can be a bad idea.

The same types of storage media are naturally going to have the same types of failure tendencies and potentially the same or close to same Mean Time Between Failures (MTBF). If multiple copies of your data are stored on the same storage technology you could potentially experience failures across the same storage technology at roughly the same time.

You want this to be as unlikely as possible to happen. For this to be the case, you want to diversify the type of storage media you are using. Typically, this means you will have a different type of technology besides “spinning hard disks” to store your backups. This may include using media like tape, NAS, or even cloud storage.

Since these types of storage media are technically different than plain hard drive storage, it constitutes a different type of storage media. This helps to have the diversity recommended by the 3-2-1 backup rule for your data protection strategy.

(1) Copy Stored Offsite

As mentioned briefly in the “(3) Copies of your Data” section, natural disasters and even manmade disasters can affect large geographic regions. If you have all backups stored in the same location, there is a great chance your backup data will be affected the same as your production data.

The offsite storage of at least one copy of your data helps to ensure that if your primary production site is affected by a disaster, you have at least one other copy of your data stored in a different physical location, preferably in a different geographic region.

Offsite storage can also be a combination of storage media that is utilized for storing your copies in a different physical location. This can include your tape storage if you are utilizing this for your offsite storage. In addition, it can be on-disk storage that is simply housed in another physical location.

Offsite storage is now very commonly including cloud storage as part of the means to get your production data copied offsite. Cloud storage is relatively inexpensive and is infinitely scalable and elastic depending on your needs. If you need more storage you can click a button and have what you need. Conversely, if you no longer have the need for the amount of cloud storage you have provisioned, you can elastically shrink the storage to what you need.

Many organizations are attracted to cloud for the offsite aspect of their disaster recovery strategy and means to fully accomplish the 3-2-1 backup rule. Cloud requires no physical infrastructure investment by your business. This means no secondary datacenter to build out. Additionally, it is an operational expense as opposed to a capital expense.

Offsite storage is an extremely important aspect of the 3-2-1 backup rule and by extension, your overall data protection strategy. It helps to ensure that your data is protected when a disaster affects your main production site and potentially your entire production geographic region.
There are a couple of additional takes on the original 3-2-1 backup rule we want to consider and see how these interpretations can also benefit your data protection strategy.

What is the 3-2-1-0 Backup Rule?

In the age of data leakage, there has been a new backup rule that has been coined called the “3-2-1-0” backup rule. In this rule, the first 3-2-1 stands for the description found in the traditional 3-2-1 backup rule. However, the new “0” portion of the rule helps to describe the state of the type of “backup” you don’t want – someone else having a copy of your data.

  • “0” day data release – this assumes that someone else has a copy of your production data illegally or in an unauthorized manner

How can someone else get a copy or “backup” of your data? There are many different ways this can potentially happen. All too often we hear news reports of data being leaked inadvertently or intentionally. This can happen due to inadvertently exposed Amazon S3 buckets, insecure API keys, SQL injection attacks, and leaked credentials just to name a few.

Also, an unscrupulous employee may intentionally leak data due to some imagined slight they feel they have suffered at the hands of their employer. An employee may also unintentionally expose data by accidentally emailing out a sensitive document or spreadsheet to unintended recipients.
There is no end to the reasons and scenarios that may lead to data leakage these days. The aforementioned reasons are in addition to attacks that are levied by hackers and others to compromise vulnerabilities or other weak points in your cybersecurity defenses.

In addition to taking the steps needed to recover from a disaster scenario where data is lost, this helps businesses to think about scenarios where data is not necessarily lost but leaked. Just as you hopefully have a disaster recovery plan in place, you need to have a plan in place to recover from a data leak disaster.

At a minimum this requires that you have a plan that might include the following steps:

  1. Response
  2. Remediation
  3. Hardening
  4. Review and Next Steps


The first few minutes, hours, and days after a data leak event are extremely important. As we all know from watching data leak disasters unfold before our eyes on public media outlets, how a company responds to these types of events can shape the outcome of the event, for better or worse.

All too often businesses try to skirt their responsibility in a data leak disaster, placing blame elsewhere instead of with themselves. This can certainly lead to poor public opinion, lost customer confidence, and tarnished reputation which can be disastrous.

The more aggressive the response, generally, the better the perception and the overall outcome of the data leak event. Proper response means aggressively:

  1. Investigating how data was leaked
  2. Gathering the clues and digital evidence needed to build a timeline of events
  3. Make a cybersecurity forensic analysis of systems
  4. Analyzing logs and other audit data
  5. Producing an incident report
  6. Forming a media response to the data leak event by leveraging factual IT and cybersecurity information


Remediation of data leakage is key since it can help to close gaps in security or other holes that led to the data leak event in the first place. This may involve:

  1. Shutdown of key systems that have been identified as compromised by threat actors
  2. Sanitize and or rebuild infected or compromised systems
  3. Remediate security holes with needed patches, new code releases, or additional security mechanisms


Hardening systems even further past the needed remediation helps to ensure that future security breaches will be exponentially harder to achieve. It also helps to preserve as much customer and stakeholder confidence as possible. This may include:

  1. Rearchitecting infrastructure for better security
  2. Putting in place additional security hardware and/or software
  3. Implementing better processes and procedures
  4. Reviewing change control procedures

Review and Next Steps

In the Review and Next Steps phase, you continue to perform heightened cybersecurity operations and continue to look for ways to prevent future attacks including those that may involve data leakage. This may include:

  1. Continued monitoring and heightened monitoring
  2. Continued planning and efforts to increase and strengthen preventative measures
  3. Additional cybersecurity training for all key personnel involved with cybersecurity incident response
  4. Forming cybersecurity teams if none are in place

Let’s now look at another interpretation and addition to the traditional 3-2-1 backup rule, the 3-2-1-1-0 rule.

What is the 3-2-1-1-0 Backup Rule?

The 3-2-1-1-0 backup rule is yet another interpretation and addition to the traditional 3-2-1 backup rule. Again, the first 3-2-1 of the 3-2-1-1-0 backup rule is the same as the traditional 3-2-1 backup rule. As you note, there is an additional “1-0” in the backup rule. What do these stand for?

The additional “1-0” portion of the 3-2-1-1-0 rule stands for “1” additional copy of your data that is offline. The “0” stands for backups that have 0 errors.

What is the significance and importance of these two additional features of effective backups?
The additional 1-0 in the 3-2-1-1-0 backup rule helps to protect against arguably the greatest threat to your data today, ransomware. Ransomware can silently destroy your business-critical data by encrypting it so that it is unreadable. Attackers using ransomware generally demand a ransom from your business before a decryption key is released that will allow you to regain access to your data.

So, what is the significance of the 1-0 addition in the 3-2-1-1-0 backup rule in relation to ransomware? Ransomware can essentially destroy all data it has access to. In a worst-case scenario, if a workstation in use by an IT administrator is infected with ransomware, any data the IT administrator has access to is a target of the ransomware infection. This can include backup data! Any data that is online and accessible via the network can potentially be encrypted.

Having a copy of your data offline helps to ensure that even if your environment is infiltrated with ransomware, the offline copy is unreachable via the network as it is offline. This is extremely important in the age of ransomware infections and how readily they can spread throughout a network.

Another critically important aspect of backups that are highlighted with the 3-2-1-1-0 backup rule is to ensure that your backups have “0 errors”. This is an often-overlooked aspect of back strategies in general. The last thing you want to discover about your backups when you are in a disaster recovery scenario is they are corrupted or have errors related to restoring key systems or data.

Having “0 errors” means you are testing your backups to ensure they are “restorable” and have no errors that would prevent being able to recover critical data. Often, the testing of backups gets overlooked and passed by due to the effort required to actually test backups to ensure recoverability. Having an automated means for doing this helps to ensure that backups are tested and validated so they can be used successfully in times of disaster.

Use Vembu to Accomplish your 3-2-1 Backup Rule Objectives

Your data protection solution is the key component of ensuring you can meet your 3-2-1 backup rule data protection strategy. Depending on the features and capabilities of your backup solution, this helps to determine how easily you can achieve the goals set forth with the 3-2-1 backup strategy.

Vembu BDR Suite is a fully-featured data protection solution that allows organizations to meet 3-2-1, 3-2-1-0, and 3-2-1-1-0 backup rule objectives easily. Without installing separate client agents, you can configure image-based backups for VMware, Hyper-V, Windows Servers, and Workstations directly from Vembu BDR Backup Server web-UI console. The built-in features help to provide functionality in an automated way that helps meet your data protection goals with little or no manual effort.

What features of Vembu BDR Suite can you leverage to achieve the objectives of the 3-2-1 backup rule? Let’s look at the following:

  • Backups
  • Replication
  • Offsite Copy

Vembu Backups

The core essential of an effective data protection solution is backups. Backups allow you to create a separate copy of your production data that has no dependencies on the production infrastructure. You don’t want your backups to be connected in any way to the requirements for production. Backups need to be a standalone copy of your data.

Vembu provides great features for backing up your production environment. Features include:

  • Simple 5-step process to create backups of your production backups
  • Automatic backup scheduling
  • Application-aware guest processing
  • Retention Policies
  • Encrypted backups
  • Storage pooling to make use of all available storage for storing backups
  • Detailed backup reported
  • Image verification
  • Backup to Tape

The features included with Vembu BDR Suite allow you to have everything you need to support your 3-2-1 objectives as well as securing and verifying your backups for additional rules contained in both the 3-2-1-0 and 3-2-1-1-0 backup methodologies.

Vembu BDR Suite provides End-to-End Encryption (E2EE) for all backup components in the Vembu architecture. Vembu encryption makes use of the AES 256-bit encryption algorithm to encrypt your data that is in-flight over the network, and at-rest when stored in the Vembu backup repository. You can also choose to use different encryption passphrases for each backup job which helps to bolster security across your backups even further.

Vembu BDR Suite also allows automatic verification of your backups which saves a tremendous amount of administrative time and effort. Using the Image Integrity Check mechanism found in Vembu BDR Suite, the backup is periodically auto-verified. This is a three-tier verification check that verifies the following:

  • Boot check – This is carried out by booting VMs via Hyper-V manager in Windows and KVM manager in Linux OSes and taking the snapshot of the login page of the guest virtual machine. This allows seeing if the VM successfully boots and is operational. The result is reported in the Image Verification Report page and also emailed to Vembu administrators.
  • Mount check – This makes sure VM virtual disks and physical server disks that have been backed up are mountable. The Vembu BDR Suite backup server tests to see If each disk can be mounted temporarily to test if data is accessible.
  • Integrity Check – In the integrity check, Vembu ensures the integrity of the disks by using Windows check disk utility to check the integrity of each file that is backed up along with the VMs and physical servers.

Backup Strategy: The 3-2-1 Backup Rule

Creating a backup in Vembu requires on five simple steps

Vembu Replication

Vembu replication helps to ensure that you have not only multiple copies of your data, but also a “warm standby” VM that is ready to assume the production workload in case of a site-level failure. In line with best practice, you typically want to have your VM replicas created in a separate site such as a DR location. This also helps to satisfy the offsite requirement of the 3-2-1 backup rule.

With replication, you are essentially restoring a backup of your production machines at the set interval you select to the DR environment. The identical virtual machine replica that is created in the DR environment can assume the production workloads by means of the failover process where connectivity to the production VMs, is transferred to the DR location.

Vembu helps to support very low RTO values when failing over to replicated environments by means of automatic network reconfiguration rules that are built into the Vembu replication wizard. With automatic network reconfiguration, Vembu is able to reconfigure both the virtual network port group the VM is attached to in the DR environment as well as the network IP address configuration.

This takes much of the heavy lifting out of the failover process since the network settings are automatically reconfigured to match the DR environment requirements for connectivity.

Vembu replication features:

  • Simple 5-step process to configure replication
  • Automatic network reconfiguration
    • Both virtual network and IP address reconfiguration
  • Application-aware replication
  • Configurable replication retention

Backup Strategy: The 3-2-1 Backup Rule

Configuring Vembu replication using the 5-step replication wizard

Reconfiguring the required virtual networks in the replicated environment is part of the Vembu replication wizard.

Backup Strategy: The 3-2-1 Backup Rule

Reconfiguring the virtual networks for the replicated virtual machines with Vembu BDR Suite

The same is true for network IP address reconfiguration.

Backup Strategy: The 3-2-1 Backup Rule

IP Address reconfiguration using the Vembu replication wizard

Vembu Offsite Copies

As described in the 3-2-1 backup rule, offsite copies are an important way to ensure you will always have a good copy of your data, even if you lose all other backups. Vembu makes creating the offsite copy an easy task with the options available in the Vembu BDR Suite console.

You have two options for creating your Offsite copy of your Vembu backup data. The two options allow you to choose between where your Offsite copy data is located.

  • Vembu CloudDR Server – This allows replicating your backup data to the Vembu Cloud securely. This provides options for those that may not have a dedicated offsite facility.
  • Vembu OffsiteDR Server – This allows you to replicate your backup data to your own Vembu OffsiteDR Server using the same secure server technology. You simply install the Vembu OffsiteDR Server at your remote office and allow the Offsite Copy to replicate the backup data.

Vembu helps to support any network and other bandwidth and storage requirements with additional Offsite features such as:

  • Window settings – allows choosing the time frame between which you don’t want to replicate data to offsite
  • Retention settings – the number of recovery points that are stored on disk in the Offsite environment
  • Bandwidth throttling – the amount of bandwidth that can be used for the Offsite copy

Backup Strategy: The 3-2-1 Backup Rule

Vembu BDR Suite Offsite copy supports 3-2-1 backup objectives by copying data offsite

Wrapping Up

The 3-2-1 backup rule is an industry-standard approach to ensuring your data is protected during a disaster. It helps to emphasize having multiple copies of your data, stored on different types of storage media, and having at least one copy stored outside of your normal production environment.

It greatly diminishes the possibility that all your data, including backups, would be destroyed during a disaster event. In the age of ransomware and other cybersecurity threats, having multiple copies of your data and having those spread across numerous devices and environments is wise.

The data protection solution that is chosen for protecting your data plays a key role in helping to ensure the 3-2-1 backup rule is achievable in your environment. Vembu BDR Suite is a great example of a data protection solution that helps your business meet all the requirements of the 3-2-1 backup and extends well beyond those requirements by providing automated processes to seamlessly protect your environment.

Download a fully-featured trial version of Vembu BDR Suite here.

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

Like what you read? Rate us