Building a Backup and Disaster Recovery Strategy That Actually Works

The 3-2-1-1-0 rule

The classic 3-2-1 backup rule — three copies, two media types, one off-site — has evolved. The modern rule is 3-2-1-1-0: three copies, two media, one off-site, one immutable, zero unverified restores.

The two additions matter. Immutability defeats ransomware that targets backup repositories. Verified restores defeat the most common operational failure: backups that have been running successfully for years and are unreadable when needed.

RPO and RTO drive the design

Recovery Point Objective is how much data you can afford to lose. Recovery Time Objective is how long you can afford to be down. Both are business decisions, not technical ones. Drive them out of the business before you choose tools.

A 24-hour RPO and 4-hour RTO is achievable with nightly snapshots and a documented restore runbook. A 1-minute RPO and 5-minute RTO requires synchronous replication and active-active infrastructure — an order of magnitude more expensive.

Immutable backup tier

At least one copy of your backup must be immutable for its retention period. S3 Object Lock in compliance mode, immutable Veeam repositories, write-once optical media, or a properly air-gapped tape vault all qualify.

Immutability defeats the ransomware attack pattern where attackers spend weeks inside your network deleting backup history before triggering encryption. Without an immutable tier, the attacker controls your recovery path.

Application-consistent versus crash-consistent

A crash-consistent backup is what you get when you snapshot a running system without coordinating with the application. An application-consistent backup is what you get when you flush database buffers, quiesce writes, and then snapshot.

For databases, application-consistent backups via the database's native tooling (pg_basebackup, mysqldump, native SQL Server backup) are non-negotiable. Crash-consistent snapshots may restore to a state the database cannot recover from.

Test restores or it does not exist

Run a documented restore at least quarterly. Restore to a separate environment, verify the data, and document the timing. The first time you discover your backups have been silently corrupting should not be during an outage.

Automate the test where possible. Veeam, Rubrik, and Cohesity all support scheduled restore verification. For self-built backup systems, write the verification step into your runbook.

Disaster recovery is not the same as backup

Backups handle data loss. Disaster recovery handles capability loss — datacenter on fire, region down, ransomware locking the production environment. DR requires a documented runbook, a tested failover environment, and a regular exercise.

The DR exercise should include the people, not just the technology. The first time your team rebuilds the production environment from backups should not be at 3 a.m. with the business losing money per minute.