How MSPs Are Fulfilling the 3-2-1 Backup Rule with Axcient BDR

Without a standardized regulatory board for the channel, MSPs are left to their own devices to strategize backup and disaster recovery (BDR) for clients. Luckily, the 3-2-1 backup rule provides some guidance, but how easy is it to implement, and how comprehensive is it for today’s cybersecurity landscape?

Most MSPs and IT professionals are familiar with the 3-2-1 rule which outlines a simple backup maintenance and security formula. It’s advantageous for MSPs to highlight their ability to meet the 3-2-1 backup rule as proof of their data security capabilities. However, with the recent introduction of a new principle and changing threat vectors, how long can a practice like this hold up? And what’s the price MSPs pay to follow the strategy?

In this article…

  • Get an update on the 3-2-1 backup rule and how it’s recently been expanded to include an additional “1”.
  • Learn how to use this easy-to-digest concept to highlight your commitment to security with prospects and existing clients.
  • Discover the business and security benefits of using a comprehensive business continuity and disaster recovery (BCDR) solution to fulfill the 3-2-1 backup rule and to go beyond it for uninterrupted data availability.

What is the 3-2-1(-1) Backup Rule?

You’re probably familiar with the rule, but do you know where it came from? Peter Krogh, a photographer, writer, and consultant, introduced the 3-2-1 backup rule in his 2005 book, The DAM Book: Digital Asset Management for Photographers. While he’s not the first to realize the benefits of data redundancy onsite and in the cloud, Krogh did an excellent job distilling the security tactic into a simple formula. The rule says that to increase the chances of recovering lost or corrupt data, you should do the following:

3 – Maintain at least 3 copies of your data: 1 production version + 2 backups

2 – Store the backup copies in 2 different locations

1 – Store 1 backup copy offsite

And in recent years, an additional “1” was added to accommodate the growing number of successful ransomware attacks and industry-led data compliance requirements.

1 – Create 1 immutable or air-gapped backup copy

The 3-2-1 policy became so widely adopted that in 2012 the Cybersecurity & Infrastructure Security Agency (CISA) released a publication summarizing the pros, cons, and security considerations of the backup options commonly used to fulfill the policy.

“All computer users, from home users to professional information security officers, should back up their critical data on their desktops, laptops, servers, and even mobile devices to protect it from loss or corruption. Saving just one backup file may not be enough to safeguard your information.


Why is it important for MSPs to Follow the 3-2-1 Backup Rule?

Back in the day, one backup might have been good enough, but today’s cybersecurity landscape demands reinforced security. Bad actors are not only targeting SMBs – which includes MSPs – but they’re focused on corrupting backups for maximum ransomware success and system destruction. Due to that threat, at least two backups in addition to your production data is the new normal. With three copies, there’s a better chance that despite the attack or location of the disaster, you will have at least one backup available for recovery.

Similarly, storing backup copies at different locations – both on an appliance and in the cloud – safeguards your opportunities for data restoration. At the same time, it takes care of the “1” component of the 3-2-1 plan while also satisfying the “2” requirement. Of course, you have options, including internal hard disk drives and various removable storage media, but Axcient recommends using the cloud and a device managed by your BDR vendor. Depending on what your vendor and their solution are capable of, you may also achieve the additional “1” – an immutable or air-gapped copy – without requiring another vendor and extra management costs.

The clear advantage for MSPs who decide to follow the 3-2-1 backup policy is data redundancy for recovery regardless of cyberattack, accidental loss, or natural disaster. Ultimately, from a business perspective, MSPs delivering “no matter what” data availability can also meet competitive service level agreements (SLAs). In addition to the competitive edge of a stringent SLA is gaining the confidence of clients and prospects.

Utilize your adherence to the 3-2-1 policy in marketing and sales strategies to prove your commitment to security. Since BDR is generally just a promise until disaster strikes, and most SMBs aren’t interested in learning the dirty details of data security, the 3-2-1 backup rule is an easy-to-digest guide for people to understand how you’re protecting their business.

>> Download: MSP Marketing Playbook Bundle   

How is Axcient Fulfilling the 3-2-1-1 Backup Rule for MSPs?

As a 100% MSP-only solution provider, Axcient makes it easy for MSPs to follow the 3-2-1 and 3-2-1-1 backup rule with a single, comprehensive BCDR platform. Here’s how:

#1: Flexible deployment options meet multiple use cases – including endpoint backup, hardware-free BDR, full-service BDR, and public or private cloud – with just one vendor and one solution to lower recurring costs and labor requirements while simplifying stack management.

#2: BYOD and BYOC – or Bring Your Own Device and Bring Your Own Cloud  – lets MSPs and their SMB clients decide how they want to meet the 3-2-1-1 backup rule:

Device options:

  1. Build or repurpose existing hardware and use it as a local BDR appliance.
  2. Purchase a turn-key hardware and software bundle direction from Axcient.
  3. Lease the hardware from Axcient.

Cloud options:

  1. Use the secure and compliant Axcient Cloud.
  2. Use your own private cloud through your data center.
  3. Use the public cloud.
  4. Use both the Axcient Cloud and their private cloud to retain multiple offsite copies of data.

#3: AirGap anti-data deletion technology delivers immutable backup storage by saving and protecting a snapshot of your data so it can be restored in the event of malicious or accidental deletion. AirGap separates data deletion requests from data deletion mechanics so that backups are always recoverable – even after a bad actor believes they’ve successfully completed their attack. For proven security, AirGap is independently tested and always on by default in the x360Recover BDR solution.

Is the 3-2-1-1 Backup Rule Enough?

Simply put, no. As you know, threat vectors are constantly changing, and so must cybersecurity, data protection, backup, business continuity, disaster recovery, and so on. While the 3-2-1-1 backup rule provides a good skeleton for backup alone, delivering uninterrupted business continuity is more complicated. Furthermore, for MSPs to thrive in the marketplace, they must provide these critical capabilities efficiently for operational maturity and profit growth.

“To defeat ransomware, IT organizations need to architect a system that assures data recovery without paying a ransom. Such a system should include encryption, immutability, air gap, a 3-2-1-1 backup strategy, and the ability to scan backups for malware.”


Axcient x360Recover combines best-in-class security with automation in a user-friendly single portal that lowers recurring costs with stack consolidation and simplicity. Our proactive, security-first approach to BCDR assumes that data will be lost, so we’re continually innovating, launching new tools, and improving our solutions to help MSPs keep businesses moving. The 3-2-1-1 backup rule is a good start, but with Axcient, MSPs get a complete BCDR solution for today and whatever comes next.

See Axcient for Yourself!

Schedule a 1:1 Demo or Start Your Free 14-Day Trial Now!

About the Author: Carissa Johnson // Product Marketing Manager, Axcient

Carissa Kohn Johnson AxcientCarissa Kohn-Johnson has a background in healthcare technology and information technology, and is now the Product Marketing Manager for Axcient. She has a lot of MSP Channel experience from planning and attending hundreds of conferences and tradeshows, and found her passion in IT. Carissa is also an elected official in Cary NC, a town chock full of technology-forward people. Connect with her on LinkedIn – perhaps you can contribute to the Axcient blog?

How well could you sleep with reliable cloud-based backups and recovery?

Take a deep dive into Axcient’s proprietary, automated security features to see how we’re ensuring uninterrupted business continuity — no matter what:

Axcient Solutions


Protect Everything.
Access Axcient Now!

Axcient Logo
Gartner Peer Insights Reviews