As the number of places where we store data increases, the basic concept of what is referred to as the 3-2-1 rule often gets forgotten. This is a problem, because the 3-2-1 rule is easily one of the most foundational concepts for designing data protection. It’s important to understand why the rule was created, and how it’s currently being interpreted in an increasingly tapeless world.
The 3-2-1 rule says there should be at least three copies or versions of data stored on two different pieces of media, one of which is off-site. Let’s take a look at each of the three elements and what it addresses.
An air gap is a way of securing a copy of data by placing it on a machine on a network that is physically separate from the data it is backing up. It literally means there is a gap of air between the primary and the backup. This air gap accomplishes more than simple disaster recovery; it is also very useful for protecting against hackers.
If all backups are accessible via the same computers that might be attacked, it is possible that a hacker could use a compromised server to attack your backup server. By separating the backup from the primary via an air gap, you make it harder for a hacker to pull that off. It’s still not impossible, just harder.
Everyone wants an air gap. The discussion these days is how to accomplish an air gap without using tapes.
Back in the days of tape backup, it was easy to provide an air gap. You made a backup copy of your data and put it in a box, then you handed it to an Iron Mountain driver. Instantly, there was a gap of air between your primary and your backup. It was close to impossible for a hacker to attack both the primary and the backup.
That is not to say it was impossible; it just made it harder. For hackers to attack your secondary copy, they needed to resort to a physical attack via social engineering. You might think that tapes stored in an off-site storage facility would be impervious to a physical attack via social engineering, but that is definitely not the case. (I have personally participated in white hat attacks of off-site storage facilities, successfully penetrated them and been left unattended with other people’s backups.) Most hackers don’t resort to physical attacks because they are just too risky, so air-gapping backups greatly reduces the risk that they will be compromised.
Many things that pass for backup systems now do not pass even the most liberal interpretation of the 3-2-1 rule. A perfect example of this would be various cloud-based services that store the backups on the same servers and the same storage facility that they are protecting, ignoring the “2” and the “1” in this important rule.
For example, it is very common for customers of public cloud vendors to back up their systems by creating snapshots/images of the resources they are using. The images are typically stored in object storage in the same account that is running the primary systems. If hackers gain privileged access, they could easily delete both the primary and all secondary copies of the data. The 3-2-1 rule still applies to the cloud. Keep a copy somewhere else – in a different account, in a different availability zone – just keep it somewhere else.
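The check below is an added example, not part of the original article: it audits a backup inventory against the 3-2-1 rule and also flags the cloud case described above, where every backup sits in the same account as the primary. The `Copy` fields, the account and region names, and both sample inventories are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    role: str     # "primary" or "backup"
    media: str    # kind of storage, e.g. "block-volume", "object-storage", "tape"
    account: str  # account (administrative domain) that can delete the copy
    site: str     # facility, region or zone where the copy physically lives


def audit_321(copies):
    """Return a list of findings; an empty list means the inventory passes."""
    primaries = [c for c in copies if c.role == "primary"]
    backups = [c for c in copies if c.role == "backup"]
    if not primaries:
        return ["no primary copy in inventory"]
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies are on the same kind of media")
    primary_sites = {p.site for p in primaries}
    if all(b.site in primary_sites for b in backups):
        findings.append("1: no backup is stored off-site")
    # Cloud case from the text: one privileged login in the primary's account
    # can delete both the primary and every snapshot kept beside it.
    primary_accounts = {p.account for p in primaries}
    if all(b.account in primary_accounts for b in backups):
        findings.append("isolation: every backup shares an account with the primary")
    return findings


# Constructed inventories (hypothetical names, not taken from a real environment).
SNAPSHOT_ONLY = [
    Copy("db-volume", "primary", "block-volume", "acct-prod", "region-a"),
    Copy("db-snap-1", "backup", "object-storage", "acct-prod", "region-a"),
    Copy("db-snap-2", "backup", "object-storage", "acct-prod", "region-a"),
]
SEPARATED = SNAPSHOT_ONLY + [
    Copy("db-export", "backup", "object-storage", "acct-backup", "region-b"),
]

if __name__ == "__main__":
    for label, inventory in (("snapshot-only", SNAPSHOT_ONLY), ("separated", SEPARATED)):
        print(label, audit_321(inventory) or "passes")
```

The snapshot-only inventory has three copies on two kinds of media, yet it still fails the off-site and account-isolation checks; adding one export held in a separate account and region clears both.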
The 3-2-1 rule is also ignored by a lot of people using hundreds of SaaS services. Consider, for example, the advent of Kubernetes and the reality that many people store their Kubernetes configuration in GitHub. Important backups are stored in a system that you may or may not be backing up. Consider other services like email providers or file-sharing services where even the primary copy of your data is stored only in a third-party vendor’s platform. The backups in many of these services are simply additional copies of data in the same location. Be sure to ask your vendors how they would help you recover if your entire account was hacked by a third party.
A purist would say that the only way to have a true air gap is to put backups on removable media such as tape and then physically separate them from the primary. Others acknowledge that many companies have moved on from tape as a protection mechanism and might use it only for long-term storage if they use it at all. The question is how to make sure a hacker can’t access the primary and the secondary via an electronic hack.
The current best answer is to separate these two copies in as many ways as possible. Consider doing as many of the following as you can:
The 3-2-1 rule is a good rule that has served the data-protection world well for a long time. Always ask how well you are complying with it; it just might save your bacon one day.