One of the things that were drilled into my head when I was starting out in my IT career was the backup philosophy of 3-2-1. This stood for you should have 3 copies of your data (the production data and two backups), on 2 different media types and 1 of them being offsite. This is still the recommended method of CERT (see here). Yet I found it conflicted with other information that I’ve learned over time, So why the 3-2-1 method is better than none, you really want to use that as the base of your backup plan, add some extra steps to it.
It’s not that the 3-2-1 method doesn’t have a place anymore, but was heavily used in the area of tape backups and you only needed to take 1 thing offsite and store it. Yet maybe it was during my time as an Emergency Manager, where there was always a thought of disaster, that I started to modify my thought process.
3-1-2 Method: This one I’ve come closest to seeing nowadays, where you have 3 copies of your data (one production and 2 backups) and it’s all on disk (1 media type), and the backups are stored in two geographic locations. Ideally, these locations would be on opposite sides of the world or even your country, but some locations just focus on different parts of a city/town or state. The idea behind this is that if a disaster happens, think flooding or tornado, then the data would be in a different local and still be safe.
3-2-2 Method: This is one that I personally love, but honestly not everyone has the staff or money to pull it off. 3 copies of your data, on 2 media types, and the backups in 2 different locations. So this one you need to have the ability to save data to a tape. Usually, the tape is sent to a local storage location and your disk backup is sent to the cloud or backup facility in another local.
As you can see as long as you understand the basic 3-2-1 backup methodology, you can and should tweak the numbers to best suit your backup strategy. The 3-2-1 method has been around for a while and now is the time to start thinking of ways of adding redundancy and attempting to disaster-proof your plans. While it costs a lot to implement a decent backup plan, the cost of not having one can be worse. When I started, we only worried about natural disasters, now your backup strategy needs to include cyber disasters as well. What happens if your cloud backup is infected by ransomware, then an offline backup helps.
For another article on backups by me: Backups: Tape vs. Replication