Backup Strategy
3-2-1 Rule + Immutable Backup Against Ransomware
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
A backup strategy defines backup frequency, storage location, retention period, and test procedures. Industry standard 3-2-1: 3 copies, 2 media, 1 offsite.
What is a Backup Strategy?
Backup minimum standard 2026:
- 3 copies of the data (original + 2 backups)
- 2 different media (e.g., local SAN + cloud)
- 1 offsite (cloud, alternate location)
- Immutable (against ransomware), e.g., Veeam Hardened Repository or S3 Object Lock
- Quarterly restore tests
Practical example
SME with 5 TB of data volume: daily incremental backup to NAS, weekly full backup to tape cartridge + immutable S3 backup. RTO 4h, RPO 24h.
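The checklist above can be run as an automated audit over a backup inventory. The following is an added example, not part of the original article. The `Copy` fields, the `audit` function, the 92-day reading of "quarterly" and both inventories are assumptions made for illustration. It also flags the case where the 24h RPO is met only by copies that ransomware could still alter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    medium: str                                   # "disk", "tape", "object-storage", ...
    offsite: bool = False
    immutable: bool = False
    last_backup: Optional[datetime] = None        # None marks the production original
    last_restore_test: Optional[datetime] = None

def audit(copies, now, rpo=timedelta(hours=24), test_every=timedelta(days=92)):
    """Return a list of findings; an empty list means the baseline is met."""
    backups = [c for c in copies if c.last_backup is not None]
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.medium for c in copies}) < 2:
        findings.append("fewer than 2 media")
    if not any(c.offsite for c in backups):
        findings.append("no offsite backup")
    if not any(c.immutable for c in backups):
        findings.append("no immutable backup")
    fresh = [c for c in backups if now - c.last_backup <= rpo]
    if not fresh:
        findings.append("RPO exceeded on every backup")
    elif not any(c.immutable for c in fresh):
        # Only alterable copies are recent enough: a ransomware hit loses more than the RPO.
        findings.append("RPO met only by mutable copies")
    if not any(c.last_restore_test and now - c.last_restore_test <= test_every
               for c in backups):
        findings.append("no restore test within the last quarter")
    return findings

# Constructed inventories (sample data, not taken from the article).
NOW = datetime(2026, 3, 1, 8, 0)
SME = [
    Copy("production", "disk"),
    Copy("nas-incremental", "disk", last_backup=NOW - timedelta(hours=6),
         last_restore_test=NOW - timedelta(days=40)),
    Copy("tape-weekly", "tape", last_backup=NOW - timedelta(days=5)),
    Copy("s3-object-lock", "object-storage", offsite=True, immutable=True,
         last_backup=NOW - timedelta(hours=6)),
]
# Same setup, but the immutable copy is refreshed only with the weekly full backup.
SME_WEEKLY_LOCK = SME[:3] + [Copy("s3-object-lock", "object-storage", offsite=True,
                                  immutable=True, last_backup=NOW - timedelta(days=5))]

if __name__ == "__main__":
    print(audit(SME, NOW))
    print(audit(SME_WEEKLY_LOCK, NOW))
```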
Frequently asked questions
How long should backups be retained?
At least 90 days of operational backups, plus an archive backup for statutory retention (10 years for tax purposes).
Is the cloud secure?
Yes, with encryption + access control. Providers: AWS S3, Azure Blob, Backblaze B2.