The 3-2-1 rule was written for a world where the worst that happened to your backups was a server room fire. Three copies of the data, on two different media, with one copy offsite. For decades, this was the discipline that defined a competent backup posture.
Then ransomware learned to hunt backups.
Modern ransomware operators have one job: get to your backups before they get to your production data, and either delete them or encrypt them. They have automation that walks file shares looking for .vbk and .veeam and .tib and .dpa extensions. They have automation that maps and revokes admin tokens for backup consoles. They have automation that walks Active Directory looking for the backup service account and resets its password. By the time the production data is encrypted, the backups are already gone, and the only path forward is the wallet.
The 3-2-1 rule cannot defend against this. Two digits had to be added.
What 3-2-1-1-0 actually means
3 copies of the data. The production copy plus two backups. No change from the classic rule.
2 different storage media. Disk and tape. Disk and cloud object storage. NAS and offline LTO. No change from the classic rule.
1 copy offsite. Geographically separate from the production data. No change.
1 copy immutable or air-gapped. This is the new discipline. At least one of your copies must be on storage that cannot be modified or deleted by anyone — including a domain admin, including your backup service account, including an attacker who has full credentials to your backup console. Immutability is enforced by the storage itself, not by access control.
0 errors. Tested. Verified. Restorable. Not by a green light on a dashboard. By an actual restore drill performed at a known cadence by someone who has the runbook in their hand and a stopwatch.
The two new digits — the second 1 and the 0 — are what separate a backup strategy from a recovery strategy.
What immutability actually looks like
Immutability is not a configuration option you click in your backup console. It is a property of the underlying storage. If a sufficiently privileged user or attacker can call the storage layer and say delete this object, the storage is not immutable. It is access-controlled. The two are not the same.
Real immutable storage options, as of today:
S3 Object Lock in Compliance mode. Compliance mode — not Governance mode — is the discipline. Compliance mode means even the root AWS account cannot delete a locked object before its retention period expires. AWS staff cannot delete it. A subpoena cannot delete it. The retention period passes, or it persists. This is the strongest immutability available on commodity object storage. Setting it incorrectly is permanent; configure it deliberately.
Azure Blob immutability policies in Locked state. Equivalent guarantee to S3 Compliance mode. Once locked, the policy itself cannot be reduced or removed. Read the documentation carefully before applying.
Veeam Hardened Repository. A Linux server running XFS with file-system-level immutability flags set via the chattr +i mechanism. The Veeam Backup Server cannot delete the file. The repository host's root user cannot delete the file while the immutability flag is set, and the flag cannot be removed until the retention period elapses. Requires a Linux operator who understands the discipline.
Object First Ootbi. Purpose-built backup appliance with native S3 Object Lock. Designed for Veeam. Single-purpose, hardened, simple to deploy.
ExaGrid Tiered Backup Storage with Retention Time-Lock. Appliance-level immutability with delayed-deletion guarantees. Vendor-specific but mature.
Tape, written and physically removed. The boring answer. The discipline that has never lost to ransomware. Write the backup, eject the cartridge, lock it in a fire-safe, drive it to the offsite location. Tape is not air-gapped while it is in the drive. It is air-gapped when it is on the shelf. Most ransomware-resilient backup strategies still include tape because of this property.
Cloud archive tiers with policy-locked retention. Glacier, Coldline, Archive Storage. These tiers have lower cost per TB but the recovery time is measured in hours, not minutes. Acceptable for the offsite immutable copy; not acceptable for first-line recovery.
What does not count as immutable: a backup folder on a NAS, however carefully ACL'd. A backup target on a domain-joined Windows server. A read-only share that a domain admin can turn back to read-write in 90 seconds. Any storage where the deletion path includes a credential that an attacker can plausibly obtain.
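A practical way to check the S3 case above, that the lock is real rather than access-controlled, is to audit the bucket and object metadata that `aws s3api get-object-lock-configuration` and `aws s3api head-object` return. This is an added example, not code from the post or from AWS; it works offline on the CLI's JSON shapes, the 30-day retention floor is an assumed policy value, and the sample documents are constructed.

```python
"""Audit S3 Object Lock state from `aws s3api` JSON output, offline."""
import json
from datetime import datetime, timezone

MIN_RETENTION_DAYS = 30  # assumed policy floor; set to your own retention target


def audit_bucket_lock(config_json: str, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Findings for one bucket's `get-object-lock-configuration` output. Empty list = pass."""
    cfg = json.loads(config_json).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: every object is deletable with the right credential"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention rule: objects are only locked if the writer asks for it"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"default mode is {rule.get('Mode')}, not COMPLIANCE "
                        "(GOVERNANCE can be lifted by a principal holding s3:BypassGovernanceRetention)")
    days = rule.get("Days") or rule.get("Years", 0) * 365  # the rule carries Days or Years
    if days < min_days:
        findings.append(f"default retention {days}d is below the {min_days}d floor")
    return findings


def audit_object_lock(head_json: str, now: datetime, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Findings for one backup object, from `head-object` output. Empty list = pass."""
    head = json.loads(head_json)
    findings = []
    if head.get("ObjectLockMode") != "COMPLIANCE":
        findings.append(f"object mode is {head.get('ObjectLockMode')!r}, not COMPLIANCE")
    until = head.get("ObjectLockRetainUntilDate")
    if until is None:
        return findings + ["object carries no retain-until date, so it is not locked"]
    left = (datetime.fromisoformat(until.replace("Z", "+00:00")) - now).days
    if left < min_days:
        findings.append(f"only {left}d of retention remain, below the {min_days}d floor")
    return findings


# Constructed samples in the CLI's JSON shape (not real buckets or objects).
BUCKET_OK = '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}}}}'
BUCKET_WEAK = '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}'
OBJECT_OK = '{"ContentLength": 1, "ObjectLockMode": "COMPLIANCE", "ObjectLockRetainUntilDate": "2030-01-01T00:00:00+00:00"}'

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, found in (("bucket-ok", audit_bucket_lock(BUCKET_OK)),
                        ("bucket-weak", audit_bucket_lock(BUCKET_WEAK)),
                        ("object-ok", audit_object_lock(OBJECT_OK, now))):
        print(name, "PASS" if not found else found)
```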
What testing actually looks like
A backup that has never been restored is not a backup. It is a hypothesis.
The discipline:
Monthly partial restore. Pick a representative file or VM. Restore it to an isolated environment. Verify the data is correct. Document the time elapsed from start to verified-correct. Track the trend.
Quarterly full-stack restore drill. Pick a workload — a domain controller, a file server, a database — and restore it end-to-end from immutable backup, in an isolated network, with the production system still running normally. Measure the actual recovery time and data loss against your stated recovery time objective (RTO) and recovery point objective (RPO). Fix the gap or change the targets.
Annual tabletop incident. Walk through a full ransomware scenario with the team that would actually be running the recovery. Who calls the incident? Who isolates the network? Who decides whether to negotiate or restore? Who talks to the regulator? Who talks to the press? When you find the gaps, you find them in a meeting. Better than finding them at 3am on a Sunday.
The 0 in 3-2-1-1-0 is not aspirational. It is enforced by drills that you actually run.
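The monthly, quarterly and annual cadence above only enforces the 0 if someone checks it. The following added example (not from the post) evaluates a drill log against that cadence and against the measured-versus-target recovery time; the log format is an assumption and the records are constructed.

```python
"""Check restore-drill records against the 3-2-1-1-0 cadence (monthly partial,
quarterly full, annual tabletop) and the stated RTO."""
from datetime import date

# Maximum age, in days, of the most recent drill of each kind before the 0 is lost.
CADENCE_DAYS = {"partial": 31, "full": 92, "tabletop": 366}


def drill_findings(drills, today):
    """drills: list of dicts with keys kind, date, verified, and optionally
    minutes (measured recovery time) and rto_minutes (the stated target).
    Returns {kind: [findings]}; every list empty means the 0 is earned."""
    findings = {kind: [] for kind in CADENCE_DAYS}
    for kind, max_age in CADENCE_DAYS.items():
        runs = sorted((d for d in drills if d["kind"] == kind), key=lambda d: d["date"])
        if not runs:
            findings[kind].append("never run")
            continue
        last = runs[-1]
        age = (today - last["date"]).days
        if age > max_age:
            findings[kind].append(f"last run {age}d ago; cadence is {max_age}d")
        if not last["verified"]:
            findings[kind].append("last run did not verify as correct")
        if "minutes" in last and last["minutes"] > last["rto_minutes"]:
            findings[kind].append(f"took {last['minutes']}min against a {last['rto_minutes']}min RTO")
        # 'Track the trend': three consecutive slower restores is a warning before RTO is breached.
        times = [d["minutes"] for d in runs[-3:] if "minutes" in d]
        if len(times) == 3 and times[0] < times[1] < times[2]:
            findings[kind].append(f"recovery time trending up: {times}")
    return findings


def zero_errors(drills, today):
    """True only when every drill kind is in cadence, verified, and within RTO."""
    return all(not f for f in drill_findings(drills, today).values())


# Constructed drill log for a team that is keeping cadence.
DRILLS = [
    {"kind": "partial", "date": date(2024, 3, 5), "verified": True, "minutes": 22, "rto_minutes": 60},
    {"kind": "partial", "date": date(2024, 4, 3), "verified": True, "minutes": 25, "rto_minutes": 60},
    {"kind": "partial", "date": date(2024, 5, 7), "verified": True, "minutes": 24, "rto_minutes": 60},
    {"kind": "full", "date": date(2024, 4, 10), "verified": True, "minutes": 310, "rto_minutes": 480},
    {"kind": "tabletop", "date": date(2024, 1, 20), "verified": True},
]

if __name__ == "__main__":
    print(drill_findings(DRILLS, date(2024, 6, 1)))
```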
Where teams cut corners and lose
The two most common shortcuts, in order:
"We have Veeam and the backups are in the cloud." Cloud backup is not the same as immutable backup. If the cloud account credentials are stored in a service account that the backup software can read, the cloud copy is reachable from the production environment. An attacker who pivots through your backup console can reach it. Cloud is offsite, not immutable. Enable Object Lock or move to a separate cloud account with separate credentials that are never used outside the backup console.
"We test restores annually." Annually is not enough. The annual test discovers issues that have been broken for months. The monthly partial restore catches the same issues within 30 days. The quarterly full drill catches the rest. If the team will not commit to a monthly cadence, the team has not actually committed to recovery; they have committed to the appearance of recovery.
The honest counsel
Backups protect against accident. Immutable backups protect against intent. The difference matters because the threat model has shifted, and the playbooks have not caught up.
The discipline of the operator is in the small things — the monthly drill, the locked retention policy, the air-gapped tape on the shelf — not in the appliance brand or the marketing slide. Pick any of the storage options above, configure it deliberately, test it monthly, and you have closed the gap that the classic 3-2-1 rule left open.
You will not need to negotiate with anyone. You will restore, and you will continue.