3-2-1 Backup Rule

The Seagate 3-2-1 reference describes the formulation: “3 Copies of Data: Maintain three copies of data, the original and at least two copies. 2 Different Media: Use two different media types for storage. This can help reduce any impact that may be attributable to one specific storage media type. 1 Copy Offsite: Keep one copy offsite to prevent the possibility of data loss due to a site-specific failure.”¹

The fundamental concept

The 3-2-1 rule is a simple mnemonic for layered data protection that addresses three distinct categories of failure:

• Single-device failure (the 3): any single storage device will eventually fail; multiple independent copies make total loss statistically unlikely.
• Correlated failure (the 2): identical storage media share failure modes (firmware bugs, environmental sensitivity, age-related wear); diverse media break correlation.
• Site disasters (the 1): fire, flood, theft, power events, regional incidents destroy everything in one location; offsite copies survive.
• Technology-agnostic: the rule applies equally to floppy disks and modern cloud object storage; the principles are independent of specific technologies.
• Scales from individuals to enterprises: a freelance photographer and a Fortune 500 company use the same 3-2-1 framework with different specific implementations.
• Baseline, not ceiling: 3-2-1 is the minimum acceptable; environments with higher requirements add additional layers.

The “single point of failure” framing

The AvePoint 3-2-1 reference describes the underlying logic: “The logic behind the rule is straightforward: It eliminates single points of failure. If one storage device fails, you have two other copies. If a local disaster destroys both on-premises copies, you have the off-site copy. If ransomware encrypts your primary environment, your off-site backup remains intact, provided it is isolated from the network.”² The implications:

• The original is itself a copy that can fail; it counts as one of the three.
• Two backup copies plus the original gives three total copies for redundancy.
• Different media types defend against correlated failures: a firmware bug affecting one HDD model won’t affect a different model.
• Offsite copies defend against site-specific catastrophes that destroy everything in one location.
• The rule doesn’t dictate specific technologies; it provides principles that adapt to current technology.

The mathematical intuition

The probabilistic argument behind the rule:

• Single drive failure rate: consumer HDDs typically have 1-3% annual failure rate; enterprise drives lower.
• Two-copy probability of total loss: if both copies are independent, simultaneous loss is rare (1% × 1% = 0.01% annually).
• Three-copy probability of total loss: dramatically lower (1%³ = 0.0001% annually for independent failures).
• Independence is the critical assumption: if two backups share a failure mode (same model HDD, same RAID array, same building), they are NOT independent and the math doesn’t apply.
• Offsite breaks correlation: a fire that affects all on-site copies cannot affect an offsite copy, restoring independence.
• Different media breaks correlation: firmware bug in one HDD model doesn’t affect tape or SSD or cloud.

Why 3-2-1 has stood the test of time

The Connection Technologies reference describes the durability of the rule: “If there’s one piece of backup advice that has stood the test of time, it’s the 3-2-1 rule. First proposed by photographer Peter Krogh in the early 2000s, this simple framework has become the gold standard for data protection, used by everyone from freelancers to Fortune 500 companies and government agencies.”³ The reasons:

• Memorability: three single-digit numbers are trivially memorable.
• Technology-independence: works equally well with tape, disk, cloud, or future storage technologies.
• Scalability: applies to a single laptop user as effectively as a global enterprise.
• Maps to actual failure modes: each number addresses a specific category of risk that exists regardless of technology.
• CISA endorsement: the US Cybersecurity and Infrastructure Security Agency recommends 3-2-1 as the foundational data protection framework.
• Compliance alignment: regulations like HIPAA, GDPR, SOC 2, PCI DSS effectively require 3-2-1-style redundancy.

Understanding where the 3-2-1 rule came from clarifies why it focuses on the specific principles it does and why the original interpretation matters in modern implementations.

Peter Krogh and The DAM Book

The Backup Wrapup podcast interview with Krogh describes the origin: “Peter Krogh coined the term fifteen years ago. He first talks about how he coined the term ‘3-2-1 Rule’ while writing the first edition of The DAM Book: Digital Asset Management for Photographers, now in its 3rd edition. He didn’t invent the idea of three copies and offsite backup, but he did distill it down to what we now refer to as the 3-2-1 rule. (Three copies on two media types, one of which is offsite.)”⁴

Why digital photographers needed the rule first

Digital photographers in the early 2000s faced an unusual problem that pushed them ahead of typical IT users:

• Large data volumes: RAW image files at the time were already gigabytes per shoot; commercial photographers generated terabytes per year.
• Irreplaceable assets: wedding photos, news events, expedition photos cannot be recreated if lost.
• Limited backup tools: consumer backup software was primitive; photographers had to design their own systems.
• Storage technology limitations: early 2000s hard drives were 30-80 GB; CD-R backup was the alternative.
• Distributed work locations: photographers shoot in the field, store on laptops, transfer to studios; multiple physical locations were natural.
• Professional liability: losing client photos meant losing a business; risk tolerance was low.

Krogh’s process for distilling the rule

The BDRShield reference describes Krogh’s research: “In the early 2000s, Peter Krogh, a photographer (yes, you heard it right, not a tech-savvy person), invented the 3-2-1 backup rule to protect his photographs. He explained this concept in his book The DAM Book: Digital Asset Management for Photographers in 2007.”⁵ The Computer Weekly reference adds the historical context: “Krogh formulated his rule almost two decades ago, at a time when his available personal storage options included hard drives with a 30 gigabyte capacity and compact disc backups.”⁶

Krogh’s clarification of the “2”

The Backup Wrapup podcast captures an important Krogh clarification on the “2” interpretation: “Mr. Backup had a slightly different understanding of the 2! Peter feels that the ‘2’ refers to different media types. (This led to a very interesting discussion about how you do what he’s asking for in today’s cloud world.) One idea he talked about is that if you have two hard drives on the same network, they’re still subject to many of the same risks, which isn’t really keeping in line with the original idea of the 2.” Implications:

• Two HDDs on the same network are not “2 different media”: they share network exposure, same building, same power supply.
• Two NAS devices on the same shelf are not “2 different media”: they share environment and disaster exposure.
• Two cloud accounts at the same provider are not necessarily “2 different media”: they share provider failure modes.
• The original intent: diversity of media type to break correlation between failure modes.
• Modern interpretation: diversity of media class (HDD vs SSD vs tape vs cloud) AND diversity of administration domain (different accounts, different providers).

From photographers to gold standard

The HYCU reference describes the broader adoption: “His work has influenced backup strategies for both individuals and businesses. The 3-2-1 backup rule continues to be important for data safety and data resiliency.”⁷ The progression from photography-specific to universal:

• Initial photography community adoption: photographers shared the rule through workshops and online forums.
• Backup software vendor adoption: Acronis, Veeam, and others incorporated 3-2-1 into product marketing and best practices.
• Government recommendation: CISA, FBI, and other agencies began recommending 3-2-1 in cybersecurity guidance.
• Compliance framework integration: regulatory auditors began using 3-2-1 as a baseline expectation.
• Universal recognition: the rule is now taught in computer science programs, IT certifications, and security training.

Each number in the 3-2-1 rule addresses a specific failure mode and has practical implications for implementation. Understanding what each component means precisely is essential to getting the rule right.

The “3” – Three copies of data

The first number means three total copies including the original. The AvePoint reference describes the math: “Three copies. Your original data plus two backup copies. Having three copies ensures that even if two fail simultaneously, your data survives.” Properties:

• The original counts as copy 1: production data is the first copy; backups are copies 2 and 3.
• Probabilistic protection: three independent copies have very low simultaneous failure probability.
• Why not 2 copies?: single backup means single failure between original and recovery; two backups provide insurance for backup failure.
• Why not 4 copies?: diminishing returns; cost grows linearly while protection improvement is marginal.
• Independent copies required: three copies of the same corrupted file are still corrupted.
• Different recovery points: ideally the three copies represent different points in time for protection against logical corruption.

The “2” – Two different storage media

The second number requires copies on different storage technology types. The Krogh-clarified interpretation:

• What “different media” means: different storage technology classes (HDD vs SSD vs tape vs cloud vs optical).
• What “different media” does NOT mean: two HDDs of the same model from the same manufacturer; two SSDs in the same array; two LUNs in the same SAN.
• Why media diversity matters: firmware bugs, manufacturing defects, environmental sensitivities, age-related wear all correlate within a media type.
• Common pairings: local disk + cloud object storage; NAS + tape; on-premises backup appliance + cloud.
• Modern complications: cloud storage can be considered a single media type even if it spans multiple availability zones; multi-cloud strategies provide stronger separation.
• Cost-benefit: diverse media types add complexity but address correlated failures that simple redundancy cannot.

The “1” – One copy offsite

The third number requires geographic separation between at least one copy and the production environment. The AvePoint reference describes the failure mode addressed: site-specific disasters that destroy everything in one location. Properties:

• What “offsite” means: physically separated from the production environment by enough distance that a single disaster cannot affect both.
• Common offsite implementations: cloud backup (AWS S3, Azure Blob, Google Cloud Storage), branch office, dedicated DR site, courier-shipped tape, off-site safe deposit box.
• What “offsite” does NOT mean: on a shelf in the same building; on a server in the same data center; on the same campus.
• Distance considerations: for natural disaster protection, hundreds of miles separation is typical; for fire/flood, different building suffices.
• Network considerations: the offsite copy must be reachable for restoration; pure air-gap (e.g., couriered tape) is more resilient but slower to recover.
• Network connectivity caveat: an offsite copy on the same network as the production environment can be encrypted by network-propagating ransomware.

Common 3-2-1 implementation patterns

Pattern	Copy 1 (original)	Copy 2 (different media)	Copy 3 (offsite)
Home user	Computer hard drive	External drive or NAS	Cloud backup service
SMB office	File server / workstations	Local NAS or backup appliance	Cloud backup or remote office
Enterprise	Production servers	On-premises backup appliance	Cloud backup or DR site
Microsoft 365	M365 tenant data	Third-party M365 backup (cloud)	Different region or different cloud
Photographer	Working drive (laptop)	External RAID for primary backup	Cloud backup + offsite drive rotation

What does NOT satisfy 3-2-1

Common configurations that appear adequate but fail the rule:

• RAID is not backup: a RAID array provides high availability but counts as a single copy; loss of the array (controller failure, multi-drive failure, ransomware) destroys all RAID copies simultaneously.
• Sync is not backup: Dropbox, Google Drive, OneDrive sync changes (including encryption and deletion) to all copies in real time; the cloud copy mirrors corruption.
• Two copies on same NAS: NAS failure destroys both copies; fails 2-different-media test.
• Two copies in same cloud account: account compromise affects both; partial offsite at best.
• Microsoft 365 native retention alone: 30-93 day recycle bin is not point-in-time backup; shared responsibility model places protection on customer.
• Backup on shelf above primary computer: fire affects both; fails offsite test.
• The mdrepairs photographer case: photographer relied on Google Drive sync; ransomware encrypted files, sync propagated encrypted versions to Google Drive, version history expired before recovery; approximately 40% of portfolio lost permanently.

The 3-2-1-1-0 rule is a modernized extension that addresses two failure modes not adequately covered by the original framework: ransomware specifically targeting backup repositories, and verification gaps that allow successfully-written but unrecoverable backups to provide false confidence.

The two additions explained

The AvePoint 2026 backup guide describes the extension: “The 3-2-1-1-0 rule is a modern extension of the original framework, adding two critical requirements: 1 offline or air-gapped copy (to withstand ransomware that targets connected backup systems) and 0 errors (meaning all backups are verified and tested before they are needed). This variant has been commonly recommended for enterprise environments facing persistent ransomware threats.”⁸

The +1 immutable or air-gapped copy

The first addition addresses the ransomware problem: attackers target backup repositories specifically because destroying backups makes ransom payment more likely. The AvePoint reference describes the protection: “+1 air-gapped or immutable copy. An offline or logically isolated copy that ransomware cannot reach. This could be tape, a cold storage vault, or an immutable cloud backup where data cannot be overwritten or deleted for a defined retention period.” Implementations:

• Tape rotation: traditional offline backup; tapes physically removed after writing; cannot be encrypted while disconnected.
• AWS S3 Object Lock (Compliance mode): immutable cloud storage; cannot be modified or deleted even by root account.
• Azure immutable blob storage: time-based retention policies enforce write-once-read-many for configured period.
• Google Cloud Bucket Lock: retention policies at bucket level cannot be reduced once locked.
• Hardware air-gap appliances: dedicated backup systems that physically disconnect from network after backup completes.
• Wasabi compliance immutability: built-in compliance immutability for cloud storage.

The +0 errors via verification

The second addition addresses the verification problem: backup jobs report success based on data being written, not on data being recoverable. The AvePoint reference describes the gap: “+0 errors. Backup jobs that run successfully but fail during restore testing provide a false sense of security and increase recovery risk. The zero-error requirement means automated backup verification plays a critical role in the strategy.” Practices:

• Hash verification at write and read: compute checksums when writing backup; verify checksums periodically and on read.
• Scheduled restoration tests: periodically restore backups to non-production environments and verify data integrity.
• Automated verification: backup software’s built-in verify-after-backup features.
• Disaster recovery drills: full-scale restoration exercises typically quarterly or annually.
• Application-level validation: for database backups, run consistency checks; for VM backups, boot the restored VM.
• Log analysis: review backup logs for warnings that don’t trigger explicit failures but indicate problems.

Why 3-2-1-1-0 is increasingly mandatory

Several forces are pushing 3-2-1-1-0 from “best practice” to “required”:

• Cyber insurance requirements: insurers increasingly require immutable backups and verified recoverability for coverage.
• Compliance frameworks: regulators are updating frameworks to explicitly require immutability and verification.
• Ransomware prevalence: ransomware attacks targeting backups have made immutability essential rather than optional.
• Cloud-native capabilities: AWS S3 Object Lock, Azure immutable blobs, Google Bucket Lock make immutability easy to implement.
• BaaS provider integration: Backup-as-a-Service vendors include immutable storage and verification by default.
• Awareness from public incidents: high-profile ransomware cases where backups were also encrypted have raised awareness.

Other modern variants

Beyond 3-2-1-1-0, several other variants have emerged for specific contexts:

• 4-3-2 rule (Druva): 4 copies, 3 different media, 2 offsite locations; emphasizes broader redundancy for cloud-native environments.
• 3-2-2 rule: 3 copies, 2 media, 2 offsite; addresses single-cloud risk by requiring two separate offsite locations.
• 5-4-3-2-1 rule: aggressive variant for highly-regulated environments; 5 copies, 4 media, 3 different sites, 2 cloud providers, 1 immutable.
• SaaS-adapted variants: for cloud-first organizations, the original “offsite” interpretation may need adaptation; typically requires cross-cloud or cross-tenant separation.
• The Computer Weekly critique: the 3-2-1 rule’s principles remain valid but specific implementations need translation for cloud-first environments.

The 3-2-1 rule scales from individual home users to global enterprises with the same underlying principles but different specific implementations. Below are common practical implementations.

Home and individual implementation

For individuals protecting personal photos, documents, and creative work:

• Copy 1 (original): data on the computer’s internal drive; this is the working copy used daily.
• Copy 2 (local backup): external hard drive or NAS device updated regularly; incremental backup via Time Machine, File History, or third-party backup software.
• Copy 3 (cloud backup): Backblaze, Carbonite, IDrive, or similar service with automated continuous backup.
• Update frequency: local backup at least weekly (ideally automated daily); cloud backup continuous or daily.
• Cost: external drive $50-200; cloud backup $50-100/year for unlimited home use.
• Test recovery: annually verify cloud backup by restoring a sample file.

Small and medium business implementation

For SMBs with file servers, applications, and Microsoft 365:

• Copy 1 (production): data on company file servers, application servers, workstations, and Microsoft 365.
• Copy 2 (local backup): NAS device (Synology, QNAP) or backup appliance (Datto SIRIS, Veeam-managed) with daily incremental and weekly full backups.
• Copy 3 (cloud backup): cloud backup or BaaS service replicating to offsite cloud or to a different physical location.
• M365 protection: dedicated M365 backup solution (Veeam Backup for M365, Druva inSync) since native retention does not satisfy 3-2-1.
• Recovery testing: quarterly restoration testing of representative data sets.
• Documentation: documented backup procedures, retention policies, and recovery runbooks.

Enterprise implementation

For enterprise environments with diverse workloads:

• Copy 1 (production): data across virtualized infrastructure, databases, applications, file shares, M365, Salesforce.
• Copy 2 (centralized backup): enterprise backup software (Veeam, Veritas NetBackup, Commvault) with deduplication appliances; daily incrementals, weekly fulls, monthly synthetic fulls.
• Copy 3 (cloud or DR site): tiered cloud storage with lifecycle policies, or replication to geographically distant DR data center.
• +1 immutable: tape rotation to offsite vault, S3 Object Lock in Compliance mode, or hardware air-gap appliances.
• +0 errors: automated hash verification, quarterly restoration tests, annual full DR drills.
• Centralized management: backup admins separate from production admins; isolated authentication; MFA for backup operations.

Common implementation pitfalls

Even with intent to follow 3-2-1, organizations make implementation mistakes:

• Backup software credentials shared with production: compromised production credentials enable backup destruction.
• Backup network on production VLAN: ransomware spreading laterally finds backup servers as easily as production.
• Single cloud account for all backup tiers: account compromise destroys all cloud backup copies simultaneously.
• RAID counted as multiple copies: RAID drives in same array fail together; counts as one copy.
• Untested backups: backup jobs report success but restoration fails; not discovered until disaster.
• Outdated backup software: can’t read backups created with newer versions; recovery fails.
• Retention policy too aggressive: needed restore point aged out before discovered.

The Connection Technologies practical example

The Connection Technologies reference provides a typical SMB implementation: “Copy 1 (original): Data lives on the company file server or in Microsoft 365 (SharePoint, OneDrive, Exchange). Copy 2 (local backup): A NAS device in the server room runs nightly backups of the file server. For M365 data, a backup agent pulls data to local encrypted storage. Copy 3 (off-site / cloud backup): A cloud backup service automatically replicates data to a UK-based data centre every night.” The recovery scenarios:

• If the file server hard drive fails, restore from the NAS (fast).
• If the office floods and destroys both server and NAS, restore from the cloud (slower, but complete).
• If ransomware encrypts the server and the NAS, restore from the cloud (the offsite copy is isolated from the attack).
• If accidental deletion is discovered after weekly retention expires on NAS, restore from cloud’s longer retention.
• If Microsoft 365 data is lost beyond M365 native retention, restore from third-party M365 backup.