A question I ask in all of my customer demos is, " Do you have a 3-2-1 backup strategy and most of the time, I get the answer yes. Other times, the answer is what is that? I’ll take that opportunity to educate them on what it is and how to protect themselves. In this article, I’ll go through what the 3-2-1 backup strategy is and how to implement the 3-2-1-1-0 strategy.
Introduction
You've probably heard the 3-2-1 rule a hundred times. Keep 3 copies of your data, on 2 different media types, with 1 copy offsite. It's been the gold standard of backup strategy for years — and for good reason.
But the threat landscape has changed. Ransomware doesn't just encrypt your production data anymore; it hunts for your backups too. That's why the industry evolved the rule to 3-2-1-1-0, and if you're running Veeam in your environment, you're actually in a great position to implement every digit of it.
In this post, I'll break down what each number means, why it matters, and — most importantly — exactly how to configure it in Veeam Backup & Replication.
What Does 3-2-1-1-0 Actually Mean?
| # | Meaning |
| 3 | Keep 3 copies of your data (1 production + 2 backups) |
| 2 | Store copies on 2 different media types (e.g., disk + tape/cloud) |
| 1 | Keep 1 copy offsite (different physical location) |
| 1 | Keep 1 copy offline, air-gapped, or immutable |
| 0 | 0 errors on backup recovery verification |
The last two digits are the modern additions. The extra 1 addresses the reality that ransomware can traverse network-connected backup repositories. The 0 addresses a painful truth: a backup you've never tested is a backup you can't trust.
Breaking Down Each Layer
3 — Three Copies of Your Data
This means your production data plus at least two backups. In Veeam, this is straightforward:
- Primary backup job writing to your on-premises backup repository (your first backup copy)
- Backup Copy Job replicating that backup to a second location (your second backup copy)
In Veeam:
- Create your primary Backup Job targeting a local repository (NAS, SAN, DAS)
- Create a Backup Copy Job that picks up from the primary job and writes to a secondary repository or cloud
2 — Two Different Media Types
The goal here is to ensure that a single media failure doesn't wipe out both copies. Common combinations include:
- Disk + Cloud (most popular today)
- Disk + Tape
- Disk + Object Storage
In Veeam:
Veeam supports a wide range of repository types out of the box:
- Scale-Out Backup Repository (SOBR) with capacity tier — extend local disk storage to S3-compatible object storage automatically
- Tape via Veeam Tape Server — write backups directly to tape from jobs
- Cloud repositories via Veeam Cloud Connect — backup directly to a service provider's infrastructure
Recommended setup:
- Primary repo: Local disk (fast, for operational restores)
- Secondary repo: S3-compatible object storage or cloud (different media, offsite = covers digits 2 and 3 simultaneously)
1 — One Copy Offsite
An offsite copy protects you against physical disasters — fire, flood, theft, or a regional outage. Your offsite copy needs to be in a geographically separate location.
In Veeam, your options are:
- Veeam Cloud Connect — Send backups directly to a Veeam-compatible Cloud Service Provider (CSP).
- Object Storage (S3/Azure Blob/GCS) — Use SOBR capacity tier or direct backup to object storage. Offsite by nature.
- Secondary physical site — If you have a DR site, target a repository there via a WAN-connected Veeam Backup & Replication instance.
1 — One Immutable or Air-Gapped Copy
This is the digit that ransomware attackers hate. An immutable backup cannot be modified or deleted — even by an admin account that's been compromised. An air-gapped copy is physically disconnected from the network.
Veeam supports immutability in several ways:
Option A: Hardened Linux Repository (On-Premises Immutability)
This is Veeam's most powerful on-prem option.
Option B: S3 Object Lock (Cloud Immutability)
If you're using AWS S3, Wasabi, Backblaze B2, or any S3-compatible storage with Object Lock:
Veeam will write backup files with an Object Lock retention period — they cannot be overwritten or deleted until the period expires.
Option C: Tape (Air-Gap)
Old school, but effective. A tape that's been ejected and stored off-site is completely air gapped. Ransomware cannot touch what isn't connected.
0 — Zero Errors on Recovery Verification
This is the discipline digit. A backup that's never been tested is just hope stored on disk. Veeam has two powerful features to automate this:
SureBackup
SureBackup automatically boots your backed-up VMs in an isolated Virtual Lab (sandbox network) and verifies:
- The VM powers on successfully
- Heartbeat is detected
- Application-specific tests pass (ping, VM heartbeat, or custom scripts)
Common Mistakes to Avoid
Setting your immutability window too short Ransomware can lay dormant for weeks before activating. A 7-day immutability window may not be enough. Consider 14–30 days minimum.
Never running a recovery test Set up SureBackup. Schedule it. Your future self will thank you.
Forgetting Microsoft 365 data Exchange Online, SharePoint, and Teams are not backed up by Microsoft to your standards. Add Veeam Backup for Microsoft 365 to your strategy and apply the same 3-2-1-1-0 thinking.
Final Thoughts
The 3-2-1-1-0 rule isn't just a checklist — it's a philosophy of defense in depth for your data. The good news is that Veeam gives you every tool you need to implement it, from Hardened Repositories and Object Lock integration to automated verification with SureBackup.
Start where you are. If you don't have an immutable copy today, get your Hardened Linux Repository set up this week. If you've never tested a restore, create a SureBackup job before the end of the month.
Because in disaster recovery, the only thing worse than having no backup is finding out your backup doesn't work when you need it most.
