3-2-1-1 – The New Standard in Backup and Recovery
“3-2-1” Backups Are NOT Reliable in the Age of Ransomware
Most people in the world of IT will be familiar with the old “3-2-1” backup strategy, which had become a pretty standard data protection technique: Three copies of data (primary and two backups); two copies stored locally on two different formats (NAS, tape or local drive); and one copy stored offsite, preferably in the cloud.
However, as ransomware operators become more and more savvy and begin to focus greater effort on specifically targeting backup systems (which is significantly increasing their chances of a successful ransom payment), the old method doesn’t offer adequate protection – and industry experts are in agreement that now is the time to revise this approach under a new ‘best practice’ methodology.
What is the 3-2-1-1 Backup Strategy?
Let’s get straight to it: the extra “1” at the end of 3-2-1-1 is for immutable storage. It adds an immutable, air-gapped copy of the data that is secured offline and segregated from the company network, where it is impossible for ransomware to reach.
In a 2021 technology review, trusted industry analysts DCIG noted that “placing backups on an immutable storage solution plays a critical role in recovering from a ransomware attack”.
Ransomware Recovery is completely different to Disaster Recovery, but the reality is that a ransomware attack is much more likely to occur than a traditional data disaster. In fact, an organisation is currently being hit by a successful ransomware attack every 11 seconds (Cybersecurity Ventures ‘Annual Cybercrime Report’ 2021).
When a ransomware attack occurs, the first question is “can we recover?”, which is shortly followed by “how quickly can we recover?”.
This requires a new mindset: preparing for inevitable breaches while also planning a way to return to normal operations as quickly as possible. This is where the new 3-2-1-1 rule really comes into play. While offsite replication to the cloud or a second site is great for disaster recovery, it’s too slow for ransomware, and you can’t guarantee that the replicated data isn’t compromised.
A Best Practice 3-2-1-1 Strategy would look like this:
- Retain at least 3 copies of your business-critical data.
- Store your data in at least 2 different formats or types of storage media.
- Keep 1 backup copy in an off-site location – for Disaster Recovery.
- Keep 1 immutable copy of the media offline/air gapped – safe from ransomware.
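The four rules above can be checked mechanically against a backup inventory. The following is an added example, not part of the original article or any vendor tool; the `BackupCopy` fields, the `check_3211` function and the sample inventories are constructed for illustration, and the primary data is assumed to count as one of the three copies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # e.g. "disk", "nas", "tape", "object-storage"
    offsite: bool     # held away from the primary site
    immutable: bool   # write-once: cannot be altered or deleted
    offline: bool     # air-gapped: not reachable from the company network


def check_3211(copies):
    """Return the 3-2-1-1 rules the inventory fails (empty list = compliant)."""
    failures = []
    if len(copies) < 3:
        failures.append("3: fewer than 3 copies of the data")
    if len({c.media for c in copies}) < 2:
        failures.append("2: fewer than 2 storage media types")
    if not any(c.offsite for c in copies):
        failures.append("1: no off-site copy for disaster recovery")
    # The final "1" needs both properties on the same copy: an immutable copy
    # that is still reachable from the network is not air-gapped.
    if not any(c.immutable and c.offline for c in copies):
        failures.append("1: no immutable, offline/air-gapped copy")
    return failures


# Constructed inventories for illustration.
CLASSIC_321 = [
    BackupCopy("primary", "disk", offsite=False, immutable=False, offline=False),
    BackupCopy("nas-backup", "nas", offsite=False, immutable=False, offline=False),
    BackupCopy("cloud-replica", "object-storage", offsite=True,
               immutable=False, offline=False),
]
WITH_VAULT = CLASSIC_321 + [
    BackupCopy("tape-vault", "tape", offsite=False, immutable=True, offline=True),
]

if __name__ == "__main__":
    for label, inventory in (("3-2-1", CLASSIC_321), ("3-2-1-1", WITH_VAULT)):
        print(label, check_3211(inventory) or "compliant")
```

A classic 3-2-1 inventory passes the first three rules and fails only the last, which is the gap the extra “1” closes.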
Why now for 3-2-1-1 Backups?
The dramatic surge in ransomware is not slowing down. In a recent 2021 report, tech analyst giants IDC warned that their research now shows that more than 90% of organisations have been attacked by ransomware.
That same IDC report identified the significant and evolving threat of backup data being targeted by ransomware groups. Cybercriminals know that attacking backup data first cuts off the organisation from recovering from an attack by restoring from uncompromised data. With backup data breached, the criminals then move on to primary sources of data at the scale and pace they wish.
Ransomware groups exploit flaws in detection systems to deliver their malware, and their methods are becoming much more sophisticated thanks to the rise of Ransomware-as-a-Service. Typically, monitoring software looks for unusually high I/O activity on disk drives to spot unwanted encryption. However, ransomware gangs can now respond by slowing the encryption. They also use the strategy of triggering an attack long after the breach, beyond the period of retention cycles.
The report notes that one of the key reasons some enterprises fail at backup protection is that they are turning to a disaster recovery (DR) response. Unfortunately, according to IDC, very few organisations are protecting all their application data sufficiently, leaving them vulnerable to ransomware data loss.
With all that said, the IDC report highly recommends the 3-2-1-1 strategy for all organisations due to the growing importance of immutability when faced with the reality that it’s most likely no longer a matter of “if” but “when” they are targeted by a ransomware attack.
OK, So What Actually is Immutable Storage?
Immutability is a key element of successful ransomware protection because it means that data is converted to a write-once, read many times format which cannot be overwritten, changed, tampered with, or deleted — even by someone (or some malicious entity) with admin rights.
Unlike data encryption, there is no key, so there should be no way to “read” or reverse the immutability. Immutability is also key when paired with other data protection elements, such as continuous data protection, which can capture data on each write at very quick intervals measured in seconds. If that data is then stored in immutable form, an organisation can then have a “snapshot” of data which cannot be tampered with.
Backing up data this way simplifies ransomware and other disaster recovery efforts because it helps to guarantee there will be a clean, current copy of the data available that can be restored once remediation is complete. Organisations with the right technology and good restore/recovery practices can access unaltered data within minutes of a ransomware breach.
Adding immutable storage to your data protection strategy is critical, but it is important to remember that it’s the holistic approach of the 3-2-1-1 strategy that really provides complete peace of mind – and IT security teams must continue to review and adapt their defence techniques to keep up with rapidly changing and evolving ransomware strains and tactics.
The good news is that new technology and solutions can be mixed and matched to meet the specific needs of an organisation’s 3-2-1-1 strategy, and here at E-ZU our experts can work with you to help you understand your current levels of protection.
E-ZU’s Instant ‘Ransomware Risk Calculator’
A great way to get started is to take three minutes to assess your organisation’s current ransomware protection level using our Instant Ransomware Risk Calculator. It covers Ransomware Prevention, Security, and Recovery and you’ll receive a shareable report that delves deeper into the latest ransomware threat models and how to protect against them, whilst delivering a tailored breakdown of your current ransomware protection level, along with actions and recommendations to address any significant gaps in your defences.