top of page

Enhanced Ransomware Protection: The 3-2-1-1 Backup Strategy

In the battle against ransomware, it's crucial to have a robust protection strategy in place. With the 3-2-1-1 approach, you can fortify your defences and safeguard your data more effectively than ever before.

So, what does the 3-2-1-1 strategy entail? Let's break it down:

3-2-1-1 Backup Strategy

Three Copies of Data: First and foremost, make three copies of your data. This ensures that you have multiple backups at your disposal, so even if one becomes compromised, you still have two others as a safety net.

Two Different Media Types: Store your backups on two separate media types. For example, use both cloud storage and external hard drives. Please don't consider the combination of an internal disk and a USB disk to be different media types. A USB drive is just as vulnerable as the internal disks. Multiple disk-based copies are only using one type of media. Consider Cloud and Tape solutions for the second backup media. This diversification adds an extra layer of protection, as attackers find it more difficult to target multiple storage mediums simultaneously.

One Copy of Data in an Off-site Location: Keep one of your backups off-site. This means that even if your primary location falls victim to a ransomware attack or other disaster, your data remains safe and accessible. Consider using a secure, remote backup service for optimal protection.

For instance, a large corporation with multiple data centres might be able to store backups at different locations. This geographical redundancy ensures that even if a disaster strikes one data centre, the data can be recovered from others.

In contrast, small businesses may not have the luxury of multiple data centres. In such cases, cloud services come into the picture. By leveraging a trusted cloud service, small businesses can store their data off-site on remote servers, which can be accessed over the Internet when needed. Not only does this provide an off-site backup solution, but also adds an additional layer of protection as reputable cloud providers employ their own robust security measures to protect the data stored on their servers.

One Air-Gapped Backup OR one copy of backup stored on Immutable Media:

An air-gapped backup is a wholly isolated storage solution disconnected from any network or internet connection. The obvious form of media is Backup Tape. Tape may be considered old school in these cloud-connected days; however, the old process of backing up to Tape, ejecting said tape & placing it in a Vault is still a valid (and cost-effective) manner of air-gaping backups.

A modern alternative of Tape is Virtual Tape, and the modern alternative of the Vault is Cloud Based Object Storage. StarWind VTL enables businesses to leverage disk storage to house "Virtual Tapes" for backup targets. Then StarWind VTL handles archiving complete tapes by copying them to a secure cloud location.

Immutable Storage is an alternative to Air-gapping your backups. Immutable means that once data is written to a device, it can not be edited, modified or corrupted in any way. The ultimate Immutable Storage Solution is the Arcserve OneXafe Appliance which locks away data in a stream of continuous snapshots every 90 seconds. Using the OneXafe as your backup target can guarantee against Ransomware destroying your backups.

Some Backup Vendors offer immutable storage as part of the solution. Veeam touts "Hardened Repositories" - though they do not supply one. StarWind SAN & NAS offers a Veeam Certifed Hardened Repository. Nakivo Backup & Replication offers an Immutable Backup Repository by default and options to copy incremental backups to Immutable Cloud Storage such as Amazon S3 and Wasabi.

Storing Backups on Immutable Media guarantees that your data is entirely immune to online threats, making it an invaluable asset in the fight against ransomware. Immutable Media can be used as a convenient alternative to isolated media.

Examples of a 3-2-1-1 Backup Strategy for Enterprise & Small Business

Following the 3-2-1-1 strategy can significantly enhance your defences against ransomware attacks. Don't wait until it's too late – take proactive measures to protect your valuable data today.

Let's delve into some examples of the 3-2-1-1 backup strategy:

Enterprise Scenario using Arcserve Solutions:

In a large enterprise that operates multiple data centres, the 3-2-1-1 strategy might look like this:

  • Three copies of critical data are created and held – the original data, a primary backup on an Arcserve 9000 Series Appliance and a 2nd Backup stored on an Arcserve OneXafe Appliance (featuring immutable storage), and a third copy stored on a second Arcserve 9000 Series Appliance at a different data centre.

  • The data is stored on two different media – disk and immutable.

  • One of these copies is off-site – stored in a geographically separate data centre.

  • One backup is stored on immutable storage – the Arcserve OneXafe takes immutable snapshots every 90 seconds with the ability to instantly promote any snapshot to become the live version of the data.

Small Business Scenario using Nakivo:

In a small business with limited resources, the approach might be slightly different:

  • Three copies of vital data are maintained – the original data, a primary backup on a Nakvio Backup Repository, and a 2nd Backup stored a Nakivo Backup Repository in a cloud-based service like Wasabi Hot Cloud Storage.

  • The data is stored on two different media – the Nakivo internal disk and cloud storage.

  • One of these copies is off-site – the cloud storage solution.

  • Both backups are immutable – the Nakivo VA's internal repository is Immutable by default, and data stored in Wasabi can be set to be immutable, ensuring that it cannot be edited or deleted.

Small Business Scenario using Veeam:

A small business using Veeam might employ some StarWind Software solutions such as StarWind SAN & NAS & StarWind VTL

  • Three copies of vital data are maintained – the original data, a Primary Backup StarWind SAN & NAS Veeam Harded Repository, and a third in on Starwind VTL - with copies being synchronised to a cloud-based service like S3/Glacier/Azure Blob etc.

  • The data is stored on two different media – the StarWind SAN & NAS and VTL.

  • One of these copies is off-site – the Virtual Tapes are copied to the cloud storage solution.

  • One backup is made immutable – the StarWind SAN & NAS's internal repository offers immutability for Veeam Backups.

These examples demonstrate how the 3-2-1-1 strategy can adapt to different situations, always keeping data security at the forefront.

For more information on:

Veeam - see

Cloud Ready Solutions is your trusted partner for comprehensive technical resources, support, and data storage management.

Contact us today to fortify your data protection strategy and build a technology roadmap aligned with your business goals!



bottom of page