The world is changing. Our backup practices should too. An enterprise's data has never been more critical than it is now. Everything is digital, with less and less paper. We're living in a truly digital age. What do we back up, how do we back up, and where do we back up? Those are questions everyone should be able to answer, knowing that 1001 strains of ransomware are waiting around the corner to sneak into your LAN and destroy everything.
That's why the 3-2-1 backup rule by Veeam is evolving into something up to date with today's conditions and today's risks.
The 3-2-1 Rule as we know it says the following:
- There should be 3 copies of data
- On 2 different media
- With 1 copy being off-site
Ransomware and security flaws, like the recent Apache Log4j vulnerability, can put many workloads out of service.
3 : Keep at least 3 copies of your data
When we say 3 copies, it means that in addition to your primary data, you should also have at least two more backups. This is because you most likely won't have problems on 3 hardware devices at the same time, right?
If something happens, you might lose the principal datacenter and the first set of backups (the fastest ones). That's where the secondary backup comes into play, and it is very often an off-site backup (so not affected by the problems in the main datacenter).
With Veeam, simply configuring a backup-copy job is a perfect solution.
2 : Store the backups on 2 different media
You should store one of the copies on internal hard disk drives and the other copy on removable storage media (tapes, external hard disk drives, cloud-storage, …).
The primary backup is usually stored close to the workloads, on the internal hard disk drives of a physical server, so you can have your secondary backup on the internal hard disk drives of another server or a SAN device. But those devices should be physically separated (ideally not in the same room or building).
1 : Keep at least 1 copy at the remote site
It is a bad idea to keep the second copy at the same physical location. If you have a fire… everything will be destroyed: primary data, primary backup, and secondary backup!
If your company does not have any remote or branch office (or another building), you can save a copy at your service provider in a private cloud (or save a copy in the public cloud). Using Veeam Cloud Connect at a certified Service Provider is a perfect option here.
You might be looking for a tape alternative; this can be done the “old way”, where you transport tapes to a bank locker on a regular basis. You should, of course, protect those backups with an encryption key.
1 : Store at least 1 of the copies offline
Keeping one copy offline means that it no longer has any connection (network, USB, tape must be ejected, …) with anything. It's an isolated system. If a hacker has access to your environment, your LAN and WAN or your cloud repositories, everything can be wiped out. With an offline backup, nobody can access it. Not even you, unless you manually connect the system to the network. We also call these air-gapped backups.
It’s also recommended to protect those backups with an encryption key!
Any examples? Yes for sure: External USB-disks, tapes, object storage with immutability (yes, yes, Amazon).
Note: You could also do backups to the cloud with insider protection (like Veeam Cloud Connect with insider protection). Check the info on Veeam's site.
0 : ZERO Errors – you should only keep backups without errors
If you don't verify your backups, you can no longer be sure that they are healthy. On, let's say, a weekly basis, you should perform restore tests where you restore your data from the backups and verify that everything is as expected.
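The five rules above can be checked mechanically against an inventory of your copies. The following is an added example, not Veeam code and not part of the original article; the `Copy` fields, rule labels, site names and the 7-day restore-test window are assumptions made for illustration, and immutable object storage is counted as "offline" as the article does.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    media: str                # "disk", "tape", "object-storage", ...
    site: str                 # physical location label
    offline: bool = False     # air-gapped or immutable
    primary: bool = False     # True for the production data itself
    last_good_restore: Optional[date] = None  # last error-free restore test

def check_32110(copies, today, max_test_age=timedelta(days=7)):
    """Return {rule: passed} for an inventory of data copies."""
    backups = [c for c in copies if not c.primary]
    primary_sites = {c.site for c in copies if c.primary}
    return {
        "3 copies": bool(primary_sites) and len(backups) >= 2,
        "2 media": len({c.media for c in backups}) >= 2,
        "1 off-site": any(c.site not in primary_sites for c in backups),
        "1 offline": any(c.offline for c in backups),
        # An untested or stale backup counts as an error (weekly test assumed).
        "0 errors": bool(backups) and all(
            c.last_good_restore is not None
            and today - c.last_good_restore <= max_test_age
            for c in backups),
    }

def failed_rules(copies, today):
    return [rule for rule, ok in check_32110(copies, today).items() if not ok]

# Constructed sample inventories (hypothetical names and sites).
TODAY = date(2022, 1, 10)
WEAK = [
    Copy("prod", "disk", "hq", primary=True),
    Copy("repo1", "disk", "hq", last_good_restore=TODAY - timedelta(days=2)),
    Copy("repo2", "disk", "hq"),
]
GOOD = [
    Copy("prod", "disk", "hq", primary=True),
    Copy("repo1", "disk", "hq", last_good_restore=TODAY - timedelta(days=2)),
    Copy("cloud", "object-storage", "provider", offline=True,
         last_good_restore=TODAY - timedelta(days=5)),
    Copy("tape", "tape", "bank-locker", offline=True,
         last_good_restore=TODAY - timedelta(days=6)),
]

if __name__ == "__main__":
    print("WEAK fails:", failed_rules(WEAK, TODAY))
    print("GOOD fails:", failed_rules(GOOD, TODAY))
```

The weak inventory has three copies yet still fails four of the five rules, which is the gap between "we have backups" and 3-2-1-1-0.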
Final words
The days that we considered backups only as second-class citizens are over. Today, if your organization does not invest enough money into top-notch backup protection, sooner or later after a hack strikes, someone will be in trouble.
I would not want to be in an IT admin's position where all my infrastructure is hacked, encrypted by ransomware and all my backups wiped out because they were simply connected to the same IT infrastructure. Think twice before settling for a decision that is not good enough and not protecting your backups with everything described above. Air-gapped backups and encryption are a must today.