The 3-2-1 Rule: The Golden Rule

The most commonly known backup rule is the “3-2-1” backup rule. This is the baseline that all backup infrastructure should at least meet:

 

  • 3 copies of your data (including the original)
  • 2 stored on different types of media
  • 1 copy kept off-site

 

At first glance, it might sound excessive, but this rule is a time-tested data protection and disaster recovery risk mitigation strategy.

 

Let’s look at a few real-world scenarios where it proves its value:

 

  • Scenario 1: A user deletes a file.
    No problem. The original is gone, but you’ve got two more copies.
  • Scenario 2: The primary backup repository is offline.
    Again, you’ve got additional copies to restore from.
  • Scenario 3: The entire production site is unavailable.
    This is where the “1” in 3-2-1 matters. Your off-site copy allows for recovery even in major incidents.
  • Scenario 4: Simultaneous hardware failure in production and backup.
    It’s not uncommon for hardware purchased together to fail concurrently. Using two different storage types reduces this risk significantly.

 

As you can see, it doesn’t take much to fall back to your last good copy, so that copy needs to be there, intact, secure and recoverable.

 

Data Security and Validity: Enter the 3-2-1-1-0 Rule

As the data security landscape in IT has changed over the years, especially with the threat of ransomware, backup security and validity have become more crucial than ever. That’s why Veeam evolved the traditional 3-2-1 rule into the 3-2-1-1-0 backup rule.

 

  • 3 copies of the data
  • 2 types of media
  • 1 off-site copy
  • 1 immutable or offline copy (to prevent tampering)
  • 0 errors during backup verification

 

Let’s break down why this matters:

 

  • The second “1”: Immutable or offline copy
    • Immutable storage (like S3 Object Lock) ensures your backup data can’t be altered after it’s written.
    • Air-gapped storage (e.g. tape or offline disk) physically separates backups from the network — the most secure defence against ransomware.
  • The “0”: Backup Verification
    • If your backups aren’t tested, you’re gambling with your recovery. Regular backup verification and restore testing, even partial or automated, is critical.
    • Many assume a green checkmark means safety. But silent corruption, misconfigured schedules, or expired retention policies can render backups useless without warning.
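
The rule above can be checked mechanically against a backup inventory. The following is an added example, not part of the original post or any Veeam tooling: the `Copy` fields, the sample inventory and the 30-day verification window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    role: str                       # "production" or "backup"
    media: str                      # e.g. "disk", "object", "tape"
    offsite: bool
    immutable: bool                 # write-once lock such as S3 Object Lock
    offline: bool                   # air-gapped: tape or offline disk
    last_verified: Optional[date]   # last restore/verification test, if any
    verify_errors: int              # errors reported by that test

def check_32110(copies, today, max_verify_age_days=30):
    """Return the list of 3-2-1-1-0 violations; an empty list means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies on one media type")
    if not any(c.offsite for c in copies):
        findings.append("1: no off-site copy")
    if not any(c.immutable or c.offline for c in copies):
        findings.append("second 1: no immutable or offline copy")
    # The "0": a job that reports success but was never, or not recently,
    # restore-tested does not count as verified.
    for c in (c for c in copies if c.role == "backup"):
        if c.last_verified is None:
            findings.append(f"0: {c.name} never verified")
        elif today - c.last_verified > timedelta(days=max_verify_age_days):
            findings.append(f"0: {c.name} verification older than {max_verify_age_days} days")
        elif c.verify_errors:
            findings.append(f"0: {c.name} has {c.verify_errors} verification errors")
    return findings

# Constructed sample inventory (not real data); fixed date for reproducibility.
TODAY = date(2025, 1, 31)
INVENTORY = [
    Copy("production", "production", "disk", False, False, False, None, 0),
    Copy("local-repo", "backup", "disk", False, False, False, date(2025, 1, 28), 0),
    Copy("cloud-bucket", "backup", "object", True, False, False, date(2024, 11, 1), 0),
]

if __name__ == "__main__":
    for finding in check_32110(INVENTORY, TODAY):
        print(finding)
```

The sample inventory satisfies plain 3-2-1 but fails both additions: nothing is immutable or offline, and the off-site copy has not been verified within the window.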

Security Best Practices

The 3-2-1-1-0 rule enforces redundancy and validation, but it doesn’t replace standard infrastructure-level security controls:

 

  • Role-Based Access Control (RBAC) – Only authorised users should have access, and at appropriate privilege levels.
  • Multi-Factor Authentication (MFA) – Confirms user identity through a second verification step.
  • Dual Authorisation – Requires two admins for any admin action, such as a delete operation.
  • Principle of Least Privilege – Only granting the permissions necessary for that role.

 

These security layers help protect not just your production data, but your backup data too.

Data Availability: Restoring When It Matters Most

Backups exist for one purpose: to restore. If they’re not accessible when you need them, or can’t restore the way you need, they’re not doing their job.

 

This is where you start seeing Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) being mentioned:

  • RTO: How quickly you need systems back online.
  • RPO: How much data your business can afford to lose.

 

These define your availability requirements, shaping where your backups live and what technologies are used, whether that’s disk-based, storage snapshots, deduplicated appliances, cloud repositories, or even tape (yes, still relevant!).

Backup Portability and Platform Independence

Crucially, your backup platform must be independent of your production platform. If your production environment goes offline (due to failure or attack), your backups must still be:

 

  • Accessible — ideally hosted in an alternate domain or location
  • Portable — capable of being restored to a different environment, such as a new cloud tenant, alternate region, or on-prem infrastructure

 

Data mobility and platform-agnostic restore capabilities are increasingly important. For example, if you are locked out of your admin environment during a ransomware attack, can you restore to private cloud, public cloud, or an alternate region? That’s the litmus test for true portability.

 

Avoid vendor lock-in and ensure your backup solution supports multiple restore targets, not just the source environment.

Wrapping Up

Backup fundamentals aren’t outdated; they’re timeless. The rules may evolve (as Veeam’s 3-2-1-1-0 shows), but the core principles remain the same: redundancy, security, validity, and availability.

 

Whether you’re building cloud backup or on-premises backup from scratch or refining an enterprise-grade solution, these pillars should form your disaster recovery strategy’s foundation.

 

In the next post, we’ll dive deeper into the Telefónica Tech UK&I Backup-as-a-Service (BaaS) and how it simplifies these core principles for modern environments.


Ready to strengthen your backup strategy?

Get in touch with our experts at Telefónica Tech to discover how we can help you implement secure, scalable, and cost-effective backup solutions.

 

About the author

Tom Hynes is a technology professional at Telefónica Tech UK&I, specialising in cloud infrastructure, data protection, and backup solutions. With extensive experience in helping organisations design resilient and secure backup strategies, Tom focusses on simplifying complex IT challenges and enabling businesses to safeguard their critical data. Connect with Tom on LinkedIn to learn more about his expertise in backup and disaster recovery.
