For decades, the 3-2-1 rule was the gold standard of backup: 3 copies of the data, on 2 different media, with 1 copy offsite. It was simple and effective, until ransomware learned to encrypt the online backups as well before detonating.
The industry’s answer was to evolve the rule into 3-2-1-1-0:
- 3 — three copies of the data (production + two backups).
- 2 — on two different media (disk and tape, disk and object/cloud).
- 1 — one offsite copy, geographically separated.
- 1 — one immutable or air-gapped copy: one that neither the admin nor the attacker can alter or delete within the retention window.
- 0 — zero errors on restore verification. A backup that was never tested doesn’t count.
The secret is in the last two digits. Immutability (WORM, S3 Object Lock, air-gapped vault) is what turns a backup into a copy that survives the attack. And the 0 is what separates those who have a backup from those who have hope: if you’ve never run a real restore, you don’t know whether it works.
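An added example, not code from the original post or from Bacula, BareOS or PodHeitor: a small Python audit that checks a backup inventory against each digit of 3-2-1-1-0. The `Copy` fields, the function names and the sample inventories are assumptions constructed for illustration, and an untested copy is treated as failing the 0.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:  # hypothetical inventory record
    name: str
    role: str                        # "production" or "backup"
    medium: str                      # e.g. "disk", "tape", "object"
    site: str                        # site identifier
    immutable_until: Optional[date]  # end of WORM/Object Lock retention; None = mutable
    restore_errors: Optional[int]    # errors in last restore test; None = never tested

def audit_32110(copies, today):
    """Check a copy inventory against each digit of 3-2-1-1-0."""
    prod_sites = {c.site for c in copies if c.role == "production"}
    backups = [c for c in copies if c.role == "backup"]
    return {
        "3_copies": len(copies) >= 3 and len(backups) >= 2,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.site not in prod_sites for c in backups),
        # An expired retention date no longer protects the copy.
        "1_immutable": any(c.immutable_until is not None
                           and c.immutable_until > today for c in backups),
        # Untested (None) counts as a failure, not as zero errors.
        "0_errors": bool(backups) and all(c.restore_errors == 0 for c in backups),
    }

def failed_digits(copies, today):
    """Names of the digits the inventory does not satisfy."""
    return [k for k, ok in audit_32110(copies, today).items() if not ok]

# Constructed sample inventories (not from any real environment).
TODAY = date(2025, 1, 15)
CLASSIC_321 = [
    Copy("prod", "production", "disk", "dc1", None, None),
    Copy("local-disk", "backup", "disk", "dc1", None, 0),
    Copy("offsite-tape", "backup", "tape", "dc2", None, None),
]
HARDENED = [
    Copy("prod", "production", "disk", "dc1", None, None),
    Copy("local-disk", "backup", "disk", "dc1", None, 0),
    Copy("offsite-object", "backup", "object", "dc2", date(2025, 3, 1), 0),
]

if __name__ == "__main__":
    print("classic 3-2-1 fails:", failed_digits(CLASSIC_321, TODAY))
    print("hardened fails:", failed_digits(HARDENED, TODAY))
```

The classic 3-2-1 inventory passes the first three digits and fails only the last two, which is the gap the extended rule closes.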
How this gets deployed in practice
You don’t need an expensive proprietary appliance to get there. Bacula and BareOS natively orchestrate the 3 copies, the multiple media and the offsite copy. PodHeitor Backup adds the immutable layer and global deduplication on top, and automated restore verification closes the zero.
I’m Heitor Faria, MSc in Applied Computing (UnB), author of the Bacula book and PodHeitor lead developer. I’ve designed 3-2-1-1-0 architectures for companies of every size.
👉 Want this architecture running at your company? We deploy it for you — and train your team in-company on Bacula / BareOS / PodHeitor, at low cost.