The 3-2-1 backup rule, in the cloud era

Where the rule came from

The 3-2-1 rule was popularized in the early 2000s by photographer Peter Krogh in his book The DAM Book, originally as advice for managing a digital photography library. It wasn't invented for enterprise IT, which is why it survived being repackaged for everything from sysadmin best practices to consumer cloud-storage marketing.

The reason it endured: it's a heuristic that prevents the three most common ways data is lost. Hardware failure (one drive dies). Local disaster (fire, flood, theft, drink spilled on the laptop). Human error (deleted, overwritten, encrypted by ransomware). Cover all three and you survive 99% of real-world data-loss events.

What 3-2-1 actually means

• 3 copies of your data total. The original counts as one of the three. So: original + 2 backups.
• On at least 2 different storage media. Two partitions on the same hard drive don't count — when that drive dies, both die. The point is independent failure modes.
• At least 1 copy offsite. Geographically separate from the originals. House fire shouldn't destroy your only backup.

The genius of the rule is that it's three independent dimensions of redundancy. Lose one dimension, you still have the other two. It works for film negatives, hard drives, tape libraries, and cloud storage equally well — because it's about independence, not specific technology.

Why it's still good in 2026

Almost every "the 3-2-1 rule is dead!" article over the last 20 years has been wrong. New threats (ransomware, supply-chain attacks, cloud account suspensions) didn't make the rule obsolete — they just shifted what each of the "3", "2", and "1" needs to mean.

The core insight is timeless: independent failure modes are the only thing that beats the sum of small probabilities. If your house fire and your cloud account ban are independent events, the chance of both happening to the same backup at the same time is the product of two small probabilities — astronomically small. That's still the best protection money can buy.

Where 2026 quietly broke the rule

The original "1 offsite copy" usually meant a tape mailed to a vault, or a hard drive at a relative's house. By the late 2010s, "offsite" became shorthand for "in the cloud". And in the late 2010s, "the cloud" usually meant one cloud — Google Drive, OneDrive, Dropbox, iCloud.

That substitution looked equivalent. It wasn't. Tape in a vault and Google Drive have very different failure modes:

• Account bans. Google has banned legitimate user accounts for "policy violations" — sometimes triggered by AI scanning false positives, sometimes for unclear reasons, sometimes after appeals fail. When the account dies, the encrypted vault you carefully synced to it dies with it.
• Provider shutdowns. Mozy (RIP 2018), MyHabit, Wuala, JustCloud, Bitcasa, Crashplan Home — all dead now. Customers had hours to weeks of warning to migrate. Some had less.
• Subscription lapses. Forget to update your card; one provider deletes everything after 90 days. The vault inside is meaningless if the provider stops serving it.
• Ransomware via sync. Modern strains specifically target cloud-synced folders to ensure your "backup" gets encrypted along with the originals.
• Geopolitical / legal action. Government demands, corporate restructuring, regional service withdrawal. Cloud accounts are quasi-property at best.

None of these were realistic threats to a tape sitting in a fire safe. All of them are realistic threats to a single Google Drive folder. Calling that single Drive "1 offsite copy" satisfies the letter of 3-2-1 while quietly violating its spirit — because the failure mode of "this provider is gone" wasn't on the original list of risks the rule was designed to handle.

The cloud-era version of 3-2-1

The fix isn't to abandon the rule. It's to read "offsite" as "outside any single point of failure" rather than literally "in some other building" — which now means outside any single cloud provider, account, or jurisdiction.

Practical updated reading:

• 3 copies — including the original. Same as ever.
• 2 different media — typically local + cloud now. Same as ever.
• 1 offsite, distributed across multiple providers. The new interpretation. The "1 offsite copy" should itself be split across N cloud providers, with redundancy such that losing any one provider doesn't lose the copy.

This is exactly what erasure-coded multi-cloud backup tools (including ShardHex) do at the cloud layer. The total storage cost goes from "1× across one provider" to "1.5–2× across many providers" — a small price for the resilience improvement.

A concrete modern setup

Typical knowledge worker / amateur photographer

Goal: never lose family photos, important documents, or work files even if any single thing goes wrong.

• Working copy — laptop SSD. Edited daily.
• Local backup — external HDD or NAS, automated nightly via Time Machine / Duplicati / restic.
• Cloud backup, distributed — multi-cloud via something like ShardHex. Snapshot weekly or monthly, with N=5 K=3 across 5 different cloud accounts.

Result: 3 copies (laptop + HDD + cloud), 2 media (local + cloud), and the "1 offsite" survives losing any 2 of your 5 cloud providers. You've satisfied 3-2-1 in its original spirit, not just its letter.

More paranoid setup (for irreplaceable archives)

• Working copy — laptop SSD
• Local backup — NAS (RAID 1 inside the NAS)
• Local cold backup — external SSD in a fire safe, refreshed quarterly
• Trusted-third-party copy — encrypted external drive at a family member's house, refreshed annually
• Multi-cloud distributed — N=7 K=4 across 7 different cloud accounts (including 2 cheap object-storage providers)

Total: 5 copies, 4 media types, "offsite" surviving N − K = 3 simultaneous cloud failures plus 1 in-person disaster. Overkill for most people, but the marginal cost is minimal once you have the discipline of the basic 3-2-1.

What 3-2-1 still doesn't cover

The rule is great at the things it was designed for. It doesn't automatically protect against:

• Ransomware that propagates through versioned backups. Mitigation: use immutable storage tiers (S3 Object Lock, Backblaze B2 Application Keys with restricted permissions) for your offsite copy.
• Long-term bit rot. Magnetic media degrades; cloud providers have rare but real silent corruption events. Mitigation: tools that compute and verify checksums periodically (ShardHex, ZFS, btrfs all do this).
• Account-level identity theft. Mitigation: hardware 2FA (YubiKey or equivalent) on every account that holds backups.
• Forgetting passwords or losing keys. Mitigation: print critical recovery info (master keys, manifest hashes) on paper, store with the offline backups. Yes, paper. It survives EMP.
• Heir access after you die. Mitigation: documented procedure, password manager with emergency-access feature, or a sealed envelope with a trusted relative.

Cheat sheet

Summary

The 3-2-1 backup rule wasn't broken by the cloud — it was misread. The original framers couldn't have known that "in the cloud" would shrink down to "on Google's servers" for most people, and that Google would occasionally erase legitimate accounts overnight.

If you read the rule as "3 copies, 2 media, 1 location-redundant copy that survives any single point of failure" — including the cloud you trust — you have a backup strategy that holds up to 2020s threats. That redundancy at the cloud layer is the single biggest backup improvement most people can make today, because it's the layer where most people are quietly under-protected.