Resilient Backup Strategy

Best practices and resources to help implement a full-fledged backup strategy at your organization, such as "3-2-1"



Whether by human error or cyber attack, if your system goes down, you are only as good as your backups. As ransomware persists, a fundamental security measure organizations should take to both protect their data and ensure a quicker recovery after an incident is a resilient backup strategy following the popular 3-2-1-1-0 method.

How to Get Started:

  • Do a Business Impact Assessment (BIA).

    • A BIA is used to identify an organization’s most critical systems and predict the impact a disruption would have on business operations. It’s also necessary for developing recovery strategies in the event of an outage or cyber incident. 
    • Expect to answer questions such as: What functions, if unavailable, would have the greatest impact? What resources do we need to recover? 
  • Determine your Recovery Time Objective (RTO)

    • The maximum amount of time a system can remain down before the impact on your business is severe (and surpasses the Maximum Tolerable Downtime). Four hours may be an organization’s RTO. 
  • Determine your Recovery Point Objective (RPO)

    • What is the maximum amount of data, measured by time passed, that can be lost in an outage or incident before creating significant harm at your organization. One hour or 24 hours since the last backup may be an organization’s RPO. 
  • Develop Business Continuity and Disaster Recovery Plans

    • Be able to showcase how your organization will get back up and running in the event of an outage or cyber attack. 

What is a 3-2-1-1-0 Backup Strategy?

The most effective security measures typically involve a layered approach. The 3-2-1 backup strategy is a tried and true solution for protecting your data, but we advocate going above and beyond with the 3-2-1-1-0 method for improved risk mitigation. 

As we dive into the stages of backups, consider the risk of something going wrong. The closer we are to your internal systems — think your production data, for example — the higher chance that your backups could be lost. However, the further we get from the core, the safer it should become from threat actors or internal missteps. 

💡Your life support is tied to the production data. The further away the data is from the core, the safer it becomes (but the longer it takes to reel your data back in).

3 Copies of Data

  • Production Data

    • This is the original copy of data, which is also the most likely to be impacted in an incident. Beyond just being production data, additional steps can be done in virtual environments to have an initial layer of backup.
      • Utilize snapshots for a built-in second copy of this data. While this isn’t a full copy of the data itself, but just an actual snapshot (or picture in time) of what the system is, it can at least give you a place to start if your production data is negatively impacted. Snapshots should never be stored along with your production data, so you don’t risk losing both at once
  • On-site backups

    • The first true backup solution is an on-site backup server. Given it's the initial line of defense, we suggest you implement security controls and follow all best practices to protect your data given they are so close to the original source of data.
      • Ensure your backup server is not on the Windows domain. Leverage unique credentials for access to your backup server.
      • Security controls include MFA for access to your backup console, as well as the principle of Least Privilege. Only allow the most necessary accounts access to these systems. 
      • We recommend utilizing immutable backups — so they cannot be deleted — as a resource if anything occurs to your production data. 
      • Off-site backups. 

        • Tape backups and cloud backups. 

        [BLOG] The ABCs of 3-2-1 Backup Plans

        2 Different Media Types

        The more media types your organization utilizes, the greater chance that you’ll be able to preserve your backups in a ransomware scenario. Below are several examples, from snapshots preserved on your own environment to hosted backups provided by a managed service provider, to diversify exactly how you store (and protect) your data. 

        • Disks 

        • Snapshots

        • Tapes

        • Cloud

        1 Offsite Copy

        • Tape Backups

          • This is a physical copy of your backups, stored on a cassette type. While this is slowly being replaced by the more convenient (and quicker) cloud storage, the benefit of the physical backup is the legitimate distance from your production data. However, this introduces a slower recovery process.
        • Cloud Storage

          • Cloud software allows for seamless integration and an easy setup. Through different vendors, you can access their own cloud software that is easy to maintain. 

        1 Air-gapped or Immutable Copy

        As mentioned above, an immutable copy of your data can protect it from being deleted or encrypted during a ransomware attack. An on-premise solution gives more immediate recovery options while a cloud based solution offers longer term storage and greater distance from the source of the data.

        0 Errors After Testing and Recovery Verification

        Everything we’ve covered so far won’t be useful unless you’ve verified it is up-to-date and works! Best practice: We recommend running through a recovery procedure once a year, if not more. 

        Encrypted Backups

        All of these work as a crucial backstop for the step before it. However, you may have noticed none of these involve encrypting your backups. While this is an important measure to take for protecting sensitive data (and a best practice!) it is not an effective defense against threat actors negatively impacting your backups.

        Looking for hands-on help to secure backups? Our consults with blue-chip vendors can help. 

        Corvus policyholders can access support services through the Vendor Marketplace in their Policyholder Dashboard.

        Brokers, request a Security Controls Consult.