The 3-2-1 Backup Rule Explained
The 3-2-1 backup rule is decades old and still the most useful one-line summary of how to protect business data. Three copies, two different media, one off-site. This guide explains what it means in plain language, why it works, and how to apply it in a modern hybrid environment.
What the 3-2-1 rule actually says
The 3-2-1 backup rule states:
- 3 copies of your data — the original, plus two backup copies.
- 2 different storage media or destinations for the backup copies.
- 1 of those copies kept off-site.
That is the whole rule. It was first popularised in the early 2000s by photographer Peter Krogh in the context of digital photo archives, and it has held up well as a general data-protection principle.
Why it works
The rule works because it forces independence between the copies.
Three copies means a single failure or accident does not lose your data. The original drive fails — you have two backups. One of the backups corrupts — you have the other.
Two different media means the same defect cannot take out both backups. If both copies are on identical hardware bought in the same batch and used in the same environment, a hardware defect or environmental issue affects both. Different media (local disk plus cloud, NAS plus cloud, etc.) means the two copies fail for genuinely different reasons.
One off-site copy means a single-site event — fire, flood, theft, ransomware that propagates through the local network — cannot take out everything. The off-site copy is the last line of defence.
Applying 3-2-1 in a modern environment
In the modern hybrid SMB environment, 3-2-1 translates to something like:
- Copy 1 (the original): the live data on workstations, servers, NAS, M365, Google Workspace.
- Copy 2 (local backup): an on-premises backup destination — a backup appliance, a NAS dedicated to backup, or local storage attached to a backup server. Fast recovery.
- Copy 3 (cloud backup): an off-site cloud destination — in a different building, different jurisdiction, different failure domain. Disaster recovery.
For SaaS data sources (M365, Google Workspace), the "original" is the cloud platform. A managed M365 or Workspace backup stored in an independent cloud destination is itself one off-site copy. Adding a second destination is occasionally appropriate for high-stakes data.
3-2-1-1-0 and other modern variants
Veeam and others have extended the rule for the ransomware era:
- 3 copies
- 2 different media
- 1 off-site
- 1 offline, air-gapped, or immutable — the copy that ransomware physically cannot reach.
- 0 errors after backup verification — meaning the backup is tested, not assumed.
The immutable copy is the important addition. Modern ransomware actively seeks out backup destinations. A copy that is provably not modifiable by anything inside the production network is the cleanest defence.
A practical 3-2-1 setup for an SMB
For a typical small business in Singapore, a defensible 3-2-1 setup looks like:
- Workstations: live data on the workstation, document backup to a cloud destination (see workstation document backup), snapshot backup of critical machines to a separate cloud destination (see workstation snapshot backup).
- Server / NAS: live data on the device, local backup destination on-premises (different media), cloud backup off-site (see server file backup and NAS file backup).
- Microsoft 365 / Google Workspace: live data in the SaaS tenant, dedicated managed backup to an independent cloud destination (see M365 backup and Google Workspace backup).
The key thing in every case is that the off-site copy is genuinely independent — a different account, a different provider where appropriate, and isolated from the production access path so that a compromise on the production side cannot reach it.
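The 3-2-1-1-0 checks and the independence requirement above can be written as a small audit over a backup inventory. The Python below is an added example, not part of the original guide or any vendor's tooling; the Copy fields, the check_32110 function and both sample inventories are constructed for illustration, and comparing account names is an assumed stand-in for "isolated from the production access path".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    medium: str                         # e.g. "server-disk", "nas", "cloud-object"
    site: str                           # failure domain: building, region
    account: str                        # credential domain able to write this copy
    is_original: bool = False
    immutable_or_offline: bool = False
    verify_errors: Optional[int] = None  # None means never restore-tested

def check_32110(copies):
    """Return findings for a 3-2-1-1-0 audit; an empty list means it passes."""
    originals = [c for c in copies if c.is_original]
    backups = [c for c in copies if not c.is_original]
    if len(originals) != 1:
        return ["inventory must describe exactly one original"]
    prod, findings = originals[0], []
    if len(copies) < 3:
        findings.append("3: fewer than three copies")
    if len({c.medium for c in backups}) < 2:
        findings.append("2: backups share one medium")
    offsite = [c for c in backups if c.site != prod.site]
    if not offsite:
        findings.append("1: no off-site copy")
    # An off-site copy writable with production credentials falls with production,
    # so it only counts when at least one off-site copy uses a separate account.
    elif all(c.account == prod.account for c in offsite):
        findings.append("1: off-site copy shares the production account")
    if not any(c.immutable_or_offline for c in backups):
        findings.append("1: no offline, air-gapped or immutable copy")
    for c in backups:
        if c.verify_errors is None:
            findings.append(f"0: {c.name} never verified")
        elif c.verify_errors:
            findings.append(f"0: {c.name} has {c.verify_errors} verification errors")
    return findings

# Constructed sample inventories (not real systems).
WEAK = [Copy("file-server", "server-disk", "office", "corp", is_original=True),
        Copy("usb-a", "usb-disk", "office", "corp", verify_errors=0),
        Copy("usb-b", "usb-disk", "office", "corp")]
GOOD = [Copy("file-server", "server-disk", "office", "corp", is_original=True),
        Copy("backup-nas", "nas", "office", "backup-svc", verify_errors=0),
        Copy("cloud-vault", "cloud-object", "cloud-region", "backup-vendor",
             immutable_or_offline=True, verify_errors=0)]
```

WEAK has three copies and still fails: both backups sit on the same medium at the same site, neither is immutable, and one has never been verified.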
Talk to a backup specialist
Managed Backup Asia operates from Singapore and supports small businesses across Asia. If you would like to discuss your data protection needs, schedule a free 30-minute exploratory call.