Privacy & Security / Dec 23 2022

Using the 3-2-1 backup rule to design your backup strategy

The 3-2-1 is a foundational backup strategy that has been upheld as a best practice for decades. Read on to find out how to improve on it by using the best of what current technology can offer!

The 3-2-1 backup rule is attributed to Peter Krogh, a photographer and author who came up with the concept over 20 years ago. The gist of the rule revolves around redundancy and how to ensure it by keeping backup copies on different media and in different locations.

Why is redundancy so important? Well, the whole point of having backups is to be able to restore your data in the event of sudden data loss. There are some causes of data loss that you can try to avert or reduce the risk of occurrence, like using the best security practices to prevent ransomware attacks.

Unfortunately, you can't control things like environmental disasters or device failure, but you can make sure that there's always a backup you can restore your data from. Having multiple backups in several different places is a smart way to do this.

What is the 3-2-1 backup rule?

The 3-2-1 rule is an acclaimed backup strategy which simply states that you should have 3 copies of your data stored on 2 different media and that you should keep one copy off-site, in a different physical location. This strategy has been around for a few decades now, and its core principles are just as applicable today as they were when it was first introduced.

The 3-2-1 rule is an effective and widely recommended backup strategy.

Having 3 copies of data simply means you have two backup copies beside your main/production copy. The copies should be stored on different media, which simply means that you should use two different storage types, like an external disk or a network-attached storage device in addition to your computer disk. One of these copies should be kept in a separate location (and this doesn't mean the room next door!).

Let's look at an example case:

You're working on a novel and you're using your laptop to write it. It would really, really suck to lose what you've written, so you're following the 3-2-1 recommendation. In addition to the main copy of your manuscript that lives on your laptop, you make sure to perform a backup every weekend. You save one copy of the manuscript to your external hard drive that's connected to your laptop. This satisfies the different storage media type. ✅ The third copy is saved to a USB drive, which you then move to your office for the rest of the week. The USB drive satisfies the off-site criteria. ✅

Ever since its inception, the 3-2-1 rule has been proselytised as a cornerstone best practice in the backup and security spaces. Naturally, as time passed by and technology progressed, the rule became, for many, too simplistic. If you've been reading us for a while, then we're sure that you can see a potential issue with the example given above, and you might already have some ideas on how to improve it!

Now that cloud storage and other digital storage options have become widely available, variations expanding the 3-2-1 rule have been developed and implemented by different experts.


A simple expansion to the 3-2-1 rule is by adding cloud storage as a medium for storing one or more copies of your backup. Cloud storage like Koofr satisfies two redundancy criteria at once: copies stored in the cloud are both off-site as well as on a different type of device (a datacenter).

In fact, depending on the provider, cloud storage can represent multiple copies stored in multiple locations. Cloud storage providers usually ensure a certain level of redundancy themselves. Koofr, for example, stores your data in three locations, in different data centers. You could say that a copy of data stored on Koofr actually represents 3 copies.

You could easily improve the backup strategy for our novel example by adding a cloud storage copy into the mix. You could do this either with a proper backup, or you could just sync your laptop manuscript to your cloud. If you did the latter with Koofr, you would gain the added benefit of being able to access and work on your manuscript remotely, but you could only recover the five latest versions of your file (which is not much if you're auto-saving).

Experts describe this strategy with different shorthands, depending on whether they count each copy and location maintained by the cloud storage. A 3-2-2 strategy just means that there are two off-site copies of the data without further specification. You could just as well have two cloud storage copies - whether in different accounts or with different providers - and consider the requirement fulfilled.


A variation on the 3-2-2 model specifies having a total of 4 copies of the data, with two copies stored locally on different devices, one copy on an off-site device, and one cloud copy. This is the essence of the 3-2-1+1 rule.

Put in practice, this strategy might include having two external storage devices that your rotate regularly between on-site and off-site (either daily, weekly, or monthly, depending on your requirements). In our example, we might add an additional USB or external drive and just switch them around each week. Add to that one cloud storage account with, ideally, an automated backup schedule, and of course your main working version of data, and you've got a simple and inexpensive, but robust backup system.


The 3-2-1-1-0 model adds to the mix the idea of an offline or air gapped copy of data. Years ago, this might have come in the form of tape backups stored off-site. In this century, we can get the same effect by using cloud backups stored with immutability. The point in both cases is that the data cannot be modified.

The zero in the strategy represents a zero error policy, which includes measures like daily data monitoring, regular restore tests, and correcting any identified errors immediately. If you're dealing with very sensitive and important data, especially when the data belongs to other people, this can be very important.

With this strategy, you then keep 3 copies of data stored on 2 different media types, with one copy stored off-site and one stored offline, with zero errors.

3-2-1-1-0 is a variation of the basic 3-2-1 backup strategy that introduces storing one backup copy offline and keeping a zero-error policy as additional rules.

Designing your backup strategy

We've described a few different backup strategies in this article to illustrate the different measures you can take and incorporate into your own backup strategy. Depending on your context, some of them may not be viable for you - if you're just backing up your personal computer data, you're probably not going to implement a zero error. If you work in a company that processes a lot of data, however, it might be smart to pursue a more robust backup strategy with more monitoring.

In any case, there's one final thing to keep in mind in relation to backups and cybersecurity. As long as your backups are in some way connected to your network, they could be susceptible to a ransomware attack. In such a breach, the attacker will usually encrypt the main copy of the data while deleting other backups they can get access to. Often, ransomware attacks will go for any attached external drives or other network devices, so having a copy that's completely separated from all the others can really be worth it. Or, going back to our example, just unplugging the external drive from the laptop when it's not in use makes the whole set up much more secure.

Whatever combination you choose for yourself, there's one thing that shouldn't be missing from your mix - a cloud backup. If you already have cloud storage like Koofr, you can use it to store a backup of your data there (remember, this is not the same as syncing). We've tested out a few ways to do this on this blog before. Here are a few suggestions you might want to try:

General backup

WordPress backups

NAS backups

Mobile backups

What's your backup strategy? Join the discussion on the Koofr subreddit!

Enjoyed this article? Why not check out what we do.

Related tags