4-3-2 Scheme vs 3-2-1 and 3-2-1-1-0: What's the Difference

Backups used to be the last line of defense. Now they are the first attack target: modern ransomware operators access backup storage before touching working data, because a company without copies will almost certainly pay a ransom. The classic 3-2-1 rule no longer works in this reality — and the 4-3-2 scheme is exactly the industry's response

Translator's Note

This is the third and final piece in our mini-series on the evolution of the 3-2-1 backup rule. In the first article, we broke down the classic framework and noted that modern industry has added two extensions to it: 3-2-1-1-0 and 4-3-2. In the second article, we translated an in-depth AvePoint piece covering 3-2-1-1-0 and promised a standalone text dedicated to 4-3-2. This is that text.

The original Backblaze article covers both extensions upfront. To avoid duplicating prior content, we have provided a shortened version of the 3-2-1-1-0 section with a link to the full version, while the 4-3-2 section has been translated in full — this is the core purpose of this publication.

All judgments and assessments in the main text belong to the original author. Comments from the Cloud4Y team are presented in callout boxes and marked as "Translator's note" or "From Cloud4Y".

US special forces have a saying on this topic: "Two is one, and one is none". They rarely end up in a situation where they have only a single critical item, but in the world of computer backups, two copies are never enough. Until recently, the 3-2-1 rule remained the gold standard: three copies of data stored on two different media, with one copy kept offsite.

The 3-2-1 rule still holds value, especially for those who do not create backups at all. But today, the gold standard is evolving. This text covers why 3-2-1 is giving way to more robust, well-considered strategies, the differences between the classic rule and its successors — 3-2-1-1-0 and 4-3-2 — and how to select a backup scheme tailored to a specific use case.

Why the 3-2-1 rule is losing popularity

When the 3-2-1 strategy was first gaining traction, the technological landscape looked very different. The rule is believed to have originated in the photography industry: Peter Krogh formulated it in his 2009 book *The DAM Book: Digital Asset Management for Photographers*. At that time, tape drives were still widely used at the corporate level due to their low cost, high capacity, and media longevity.

The 3-2-1 scheme improved on the prevailing practice at the time of "one copy on tape, just stash it somewhere far away". It required keeping three copies of data (one working copy and two backup copies) on two different types of media (for example: internal drive + tape + external HDD, or a second tape), with one copy stored outside the primary site (usually that very tape).

Before cloud storage became mainstream, to take a third copy "offsite", you had to hire an offsite service that would collect tapes and transport them to a storage facility, or transport them to another location yourself (one of our co-founders used to mail backup copies to his brother). This meant offsite tapes were «air-gapped» — literally physically disconnected from the network where the primary data instance was hosted. If primary data or local backups were damaged or compromised, you could recover from the offsite copy.

As storage technologies evolved, the 3-2-1 backup rule got a little… cloudier. A company can deploy local backup storage — a network-attached storage (NAS) or a specialized storage area network (SAN) — and replicate its contents to cloud object storage. An individual can implement the same scheme using an external drive and a cloud service.

Everything would be fine, but with cloud offsite copies, the 3-2-1 rule loses the very air gap that tape storage provided. Cloud backups are often connected to the corporate work network — meaning they are vulnerable to digital attacks.

Ransomware — the driver of stricter security strategies

After the high-profile incidents of recent months, few people are still surprised that ransomware attacks are on the rise. Ransom amounts hit a record $50 million in 2021, and attacks on Colonial Pipeline and JBS Foods threatened fuel and food supplies. In its 2021 report Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware Gartner forecasted that by 2025, at least 75% of IT organizations will face at least one ransomware attack.

Backups should be the last resort during a ransomware attack — but they only work if they themselves are not compromised. And attackers know this. Well-known ransomware gangs — such as Sodinokibi (also known as REvil), the group behind attacks on JBS, Acer and Quanta — now target not only operational data, but also backup copies.

Cloud backups are often tied to corporate Active Directory and are effectively not isolated from the work network. As soon as an attacker gains a foothold on a machine connected to the network, they begin moving laterally across it to obtain admin credentials — via keyloggers, phishing, or simply from documentation left lying around on servers. If they get their hands on AD admin credentials, all backups protected by that Active Directory become vulnerable.

Is the 3-2-1 strategy still viable today?

Despite technological changes, the core principles of 3-2-1 remain valid:

  • You should have multiple copies of your data.

  • Copies should be stored in geographically separate locations.

  • At least one copy should be easily accessible to enable fast recovery after a physical failure or accidental deletion.

The only thing missing is an additional layer of protection: one or more copies must be physically or virtually isolated in case of a digital disaster such as ransomware, which targets all of your data, including backups.

What replaces 3-2-1?

3-2-1 is still a functional framework, but more comprehensive strategies have emerged that address vulnerabilities introduced by constant network connectivity. They don’t have the same snappy ring as 3-2-1, but they offer greater protection in the era of cloud backups and ransomware. These are 3-2-1-1-0 and 4-3-2.

What is 3-2-1-1-0 (in brief)

Translator’s note This section is quite detailed in the original, but we broke down the 3-2-1-1-0 framework in detail in our previous translation of an AvePoint article. Here we only provide a brief summary. If you want to learn more, it’s best to read that full article.

The framework mandates:

  • store a minimum of 3 copies of your data,

  • on 2 different types of storage media,

  • 1 copy stored off the primary site,

  • an additional 1 copy stored offline or with an air gap (this can be tape or an immutable cloud copy),

  • and ensure 0 errors: daily backup monitoring, immediate error correction, and regular test restorations.

The core idea: 3-2-1-1-0 revives the concept of an "out-of-reach" copy — the one that ransomware cannot access even if it gains admin access to all other systems. The easiest way to implement immutability in the cloud is via Object Lock, a setting that prevents a file from being modified or deleted until a specified date, even for the account owner or a hacker with that account’s credentials.

What is 4-3-2

This is the section we prepared our material for.

If your data is managed by a specialized disaster recovery service provider like Continuity Centers, your backups most likely follow the 4-3-2 rule:

  • 4 copies of data,

  • data stored across 3 locations (on your own on-premises site, at a service provider's site such as Continuity Centers, and with an external cloud provider),

  • 2 of these locations are located outside of your primary on-premises site.

Warning

Some cloud service providers like to imply that using multiple vendors is a sign of distrust in their own reliability. In reality, backup redundancy measures should always be in place. The fact is, anything can fail. Hard drives break down. Good employees make costly mistakes. Bad employees make even worse ones. Even the largest cloud providers regularly experience major outages that take down a significant portion of the internet and popular services. Sensible people operate with this in mind, regardless of which provider they choose.

What strategy is right for you

First and foremost: any backup is better than no backup at all. As long as you adhere to the core 3-2-1 rule, you will be able to recover from natural disasters, lost laptops, or accidental deletions. To summarize the core rule:

  • Multiple copies of data — at least three.

  • Copies stored in geographically dispersed locations.

  • At least one copy stored on-premises, for fast recovery.

With tools like Object Lock, you can expand on the core rule with the 3-2-1-1-0 or 4-3-2 principles: add an extra layer of protection for your data by virtually isolating it so it cannot be deleted or encrypted for a set period of time. Even if a ransomware attack still reaches your systems, an Object Lock-protected backup will let you recover.

From Cloud4Y. If you’ve already outlined a 4-3-2 setup on paper but are missing one of the “three locations” — we are exactly the ones to fill that role. Cloud4Y is a Russian cloud provider with its own data centers across the Russian Federation; you can host that very second offsite copy on our infrastructure. There is a special offer for tekkix readers: 20% discount on rental of cloud servers with promo code HABR20. Terms and conditions are available on the promotion page. On the rented infrastructure, you can set up your own backup target and test the 4-3-2 scheme on production data before rolling it out into your permanent architecture.

Comments

    Also read