Why 3-2-1 is now 3-2-1-1-0
The updated rule adds two critical properties: one copy must be immutable and air-gapped from the production domain, and the number of recovery-verification errors must be zero. Modern ransomware crews specifically hunt Veeam, Commvault, Rubrik and Cohesity consoles and delete or encrypt backup repositories before deploying the payload. If your backup admin uses the same Active Directory that the domain admin uses, an attacker with domain admin can wipe your backups. Immutability and air-gap eliminate this attack path.
What immutability actually means
S3 Object Lock in Compliance Mode: the object cannot be deleted or overwritten by anyone — not the storage admin, not root, not AWS support — until the retention timer expires. Azure Immutable Blob and Wasabi Object Lock provide the same guarantee. On-premises: hardened Linux repositories (Veeam Hardened Repository, Rubrik CDM) that expose only an API and enforce single-use immutable retention. LTO-9 tape ejected from the library is the ultimate air-gap — a robot cannot reach a cartridge sitting on a shelf.
Reference architecture
Primary backup: production data → Veeam / Rubrik / Commvault → local storage repository (fast restore, 14-30 days). Copy job → immutable object storage on-prem or public cloud (Wasabi, Backblaze B2, AWS S3 Object Lock) with 90-day retention. Tertiary copy → LTO-9 tape offloaded weekly, transported off-site, cataloged and tested. Backup infrastructure sits in its own security domain with separate credentials, MFA and network segmentation from production Active Directory.
The zero-error test discipline
The last '0' in 3-2-1-1-0 is zero backup errors after verification. Automated recovery testing (Veeam SureBackup, Rubrik Recovery Testing) boots a subset of VMs weekly in an isolated sandbox and validates OS boot, application service startup, and a scripted business-logic check. A backup you have never restored is not a backup — it is a hope. Insurers now request evidence of quarterly full-scale DR tests before binding cyber policies.
Key takeaways
- Adopt 3-2-1-1-0: three copies, two media, one off-site, one immutable, zero verification errors.
- Use S3 Object Lock (Compliance Mode) or hardened Linux repositories — no admin bypass.
- Isolate backup infrastructure from production AD with separate credentials and MFA.
- Automated weekly recovery testing is non-negotiable — untested backups are theoretical.



