Why 3-2-1, Air Gaps, and Immutability Are Essential for Identity Security
“Our backups were compromised along with our production environment.”
These words represent one of the most dreaded scenarios for IT and security teams. Unfortunately, this situation has become increasingly common, especially for identity systems like Okta that serve as the gateway to an organization’s entire digital estate.
According to Verizon's 2025 Data Breach Investigations Report, "credential-based attacks have risen by 63% over the past two years, with identity systems becoming primary targets for sophisticated attackers."
Even more concerning, the IBM Cost of a Data Breach Report 2024 found that "organizations with compromised backups experienced 47% longer recovery times and 72% higher costs compared to those with secured backup systems."
When attackers gain access to your identity provider, they don’t just gain access to your applications—they often compromise your backup systems in the same stroke.
The result?
No clean recovery point and potentially catastrophic business impact.
In this post, we’ll explore why the fundamental principles of secure backup—the 3-2-1 rule, air gaps, and immutability—are not just best practices but essential requirements for protecting your identity infrastructure.
Understanding the 3-2-1 Backup Rule
The 3-2-1 backup methodology has been a cornerstone of data protection for decades, yet it’s surprising how many modern backup solutions fail to implement it properly for identity systems.
The rule is simple:
- 3 copies of your data (production plus two backups)
- 2 different storage types
- 1 copy stored offsite
While this approach may seem like overkill in an era of cloud services, the principle remains critically relevant. When your identity system is compromised, having multiple, diverse backup copies significantly increases your chances of recovery.
Consider what happens when an organization relies on a single backup copy stored in the same cloud environment as their production system. If an attacker gains administrative access to your identity provider (like Okta), they typically also gain access to your cloud storage through the same compromised credentials. In this scenario, both your production environment and your backup can be encrypted, deleted, or corrupted simultaneously.
The 2024 Sophos Impact of Compromised Backups on Ransomware Outcomes Report says that "94% of organizations targeted by ransomware report that cybercriminals tried to compromise their backups during the attack. Of these attempts, 57% were successful, affecting the ransomware recovery efforts of over half of the victims."
As one CISO recently told us:
“We discovered our backup wasn’t a backup at all—it was just another target.”
According to Veeam’s 2023 Data Protection Trends Report, “85% of the 4,200 organizations surveyed suffered at least one ransomware attack in 2022. What was even more startling was that 39% of an organization’s production data was either encrypted or destroyed during the attack.”
What True Air-Gapped Storage Means for Identity Security
The term “air gap” traditionally referred to physically disconnected systems.
In today’s interconnected world, a more practical definition is: storage that cannot be accessed through the same authentication mechanism as your production environment.
This is where many identity backup approaches fall short.
If you’re backing up your Okta tenant to AWS storage that’s accessible through your organization’s SSO, you’ve created a critical security vulnerability. The very system designed to simplify access (SSO) becomes a single point of failure during an identity-based attack.
IBM defines air-gapped backup as "a method of data storage used in cybersecurity and disaster recovery wherein critical data is copied and stored on media or machines that are 'offline' and not practically accessible over the internet." The key to this approach is that it creates an "air wall" between the data and any access points that might be vulnerable to hackers.
A true air gap means that even if an attacker completely compromises your identity system, they cannot access your backups using the same path. The access mechanisms must be entirely separate, with different credentials and authentication systems.
The Acsense approach implements this principle through a managed storage solution that exists outside your production environment, with entirely separate access controls that aren’t linked to your identity provider.
Immutability: Protecting the Golden Copy
Immutability is perhaps the most crucial yet most misunderstood aspect of secure backup.
An immutable backup is one that, once created, cannot be changed, deleted, or manipulated—even by administrators with high-level privileges.
This creates what’s known as a “golden copy”—a backup that remains pristine regardless of what happens in your production environment or other backup copies.
Why is this critical?
Because sophisticated attackers don’t just encrypt or delete data—they often attempt to cover their tracks by manipulating logs and backups to remove evidence of their activity. Without immutability, an attacker who gains administrative access can simply delete their tracks from both your production environment and your backups.
Immutability is implemented through versioning—creating new versions of objects whenever changes occur rather than overwriting existing data. The Acsense platform applies this principle at the database level, maintaining a complete version history of every identity object and relationship.
This creates an immutable audit trail that captures every change to your identity environment:
- Who made changes to which users
- When group memberships were modified
- When application access was granted or revoked
- Which administrator accounts performed which actions
This immutable history becomes invaluable during security investigations and recovery operations.
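The versioning idea described above, as an added example that is not Acsense's code and not taken from the post: a small append-only identity object store in which every change (including a delete) is a new version, each record is hash-chained to the one before it, and point-in-time reads reconstruct the state that existed at any earlier sequence number. The object ids, actor names, timestamps and the `demo()` scenario are constructed for illustration.

```python
"""Immutability through versioning, as an append-only identity object store.

Constructed example: object ids, actor names and timestamps are made up.
Every change appends a new version; deletes are tombstones; each record is
hash-chained to the previous one so that silently editing or dropping history
is detectable when the chain is verified.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # previous-hash value for the first record


@dataclass(frozen=True)
class Version:
    seq: int            # global, monotonically increasing sequence number
    object_id: str      # e.g. "user:alice" or "group:admins"
    state: dict | None  # full object state after the change; None marks a delete
    actor: str          # administrator account that performed the action
    timestamp: str      # ISO-8601 time of the change
    prev_hash: str      # record_hash of the previous version (chain link)
    record_hash: str    # SHA-256 over the fields above


def _record_hash(seq, object_id, state, actor, timestamp, prev_hash) -> str:
    payload = json.dumps(
        {"seq": seq, "object_id": object_id, "state": state, "actor": actor,
         "timestamp": timestamp, "prev_hash": prev_hash},
        sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class VersionedIdentityStore:
    """Writes only ever append; nothing is overwritten or removed."""

    def __init__(self) -> None:
        self._log: list[Version] = []

    def _append(self, object_id, state, actor, timestamp) -> Version:
        seq = len(self._log)
        prev_hash = self._log[-1].record_hash if self._log else GENESIS
        v = Version(seq, object_id, state, actor, timestamp, prev_hash,
                    _record_hash(seq, object_id, state, actor, timestamp, prev_hash))
        self._log.append(v)
        return v

    def put(self, object_id: str, state: dict, actor: str, timestamp: str) -> Version:
        return self._append(object_id, dict(state), actor, timestamp)

    def delete(self, object_id: str, actor: str, timestamp: str) -> Version:
        # A delete is just another version (a tombstone); earlier versions survive.
        return self._append(object_id, None, actor, timestamp)

    def as_of(self, object_id: str, seq: int) -> dict | None:
        """Point-in-time view: latest state of object_id at or before sequence seq."""
        for v in reversed(self._log[: seq + 1]):
            if v.object_id == object_id:
                return v.state
        return None

    def current(self, object_id: str) -> dict | None:
        return self.as_of(object_id, len(self._log) - 1)

    def history(self, object_id: str) -> list[Version]:
        """Who changed what, and when: the audit trail for one object."""
        return [v for v in self._log if v.object_id == object_id]

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or dropped record breaks the chain."""
        prev = GENESIS
        for expected_seq, v in enumerate(self._log):
            if v.seq != expected_seq or v.prev_hash != prev:
                return False
            if _record_hash(v.seq, v.object_id, v.state, v.actor,
                            v.timestamp, v.prev_hash) != v.record_hash:
                return False
            prev = v.record_hash
        return True

    def tamper_for_demo(self, seq: int, **changes) -> None:
        """Simulate a privileged actor rewriting history in place (what a mutable store allows)."""
        self._log[seq] = replace(self._log[seq], **changes)


def demo() -> dict:
    """Walk through a compromise: privilege grant, deletion, then an attempt to erase tracks."""
    store = VersionedIdentityStore()
    store.put("user:alice", {"groups": ["staff"]}, "admin:carol", "2025-03-01T09:00:00Z")
    store.put("user:alice", {"groups": ["staff", "admins"]}, "admin:compromised", "2025-03-02T01:10:00Z")
    store.delete("user:alice", "admin:compromised", "2025-03-02T01:12:00Z")
    results = {
        "current": store.current("user:alice"),         # None: deleted in production
        "before_attack": store.as_of("user:alice", 0),  # clean recovery point
        "actors": [v.actor for v in store.history("user:alice")],
        "chain_ok_before_tamper": store.verify_chain(),
    }
    # The compromised admin now tries to rewrite the grant so it looks like carol did it.
    store.tamper_for_demo(1, actor="admin:carol")
    results["chain_ok_after_tamper"] = store.verify_chain()  # False: rewrite is detected
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting. First, the hash chain makes rewriting history detectable but does not by itself prevent it; a store only earns the word "immutable" when the version log sits behind a retention lock that no administrator can shorten, which is why the chain (or at least its current head hash) belongs in the air-gapped copy as well. Second, `as_of` is what point-in-time recovery reduces to: find the last version of each object at or before a chosen sequence number, which is only possible because old versions were never overwritten.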
How These Principles Work Together
The 3-2-1 rule, air gapping, and immutability are not independent concepts—they work together to create a robust security foundation for your identity backups.
Multiple copies (3) protect against individual backup failures. Different storage types (2) prevent systemic vulnerabilities. Offsite storage (1) protects against location-specific disasters. Air gaps prevent an attacker from using compromised credentials to access backups. Immutability ensures that even if an attacker somehow reaches your backups, they cannot corrupt your recovery points.
The principles of 3-2-1 backup, air gapping, and immutability are not just best practices—they’re increasingly becoming regulatory requirements. The EU’s Digital Operational Resilience Act (DORA), which came into force in January 2025, explicitly requires financial entities to “set up backup systems that can be activated in accordance with the backup policies and procedures”.
Recent industry developments have even expanded the traditional 3-2-1 rule to include immutability as an explicit requirement.
As noted by Keepit, "In today's world, where businesses rely heavily on cloud software-as-a-service (SaaS) data... the 3-2-1-1-0 strategy takes the classic rule and adds further resilience. Here, you would still maintain three copies of your data on two storage types, but also include one copy on immutable storage."
The Acsense platform was designed from the ground up with these principles as foundational elements. Unlike solutions that treat backup as simply copying data from one location to another, our approach focuses on creating a truly resilient foundation for your identity infrastructure.
Beyond Basic Backup
The security principles described here represent just the foundation of a truly resilient identity backup solution.
In future posts, we’ll explore how these foundations enable advanced capabilities like:
- Point-in-time recovery for compliance and investigation
- Automated recoverability testing to ensure your backups actually work
- Identity relationship preservation for security forensics
- Tenant cloning for isolated investigation environments
The Perils of Unprotected Backups
What happens if you don’t follow these best practices?
In short: your backups might fail when you need them most.
Storing backups without proper isolation or immutability is akin to locking your spare keys in the same safe as your primary keys – if someone cracks the safe, both the primary and backup are gone. We’ve already seen how lack of an air-gap doomed Code Spaces.
More commonly, ransomware attackers who infiltrate an organization will seek out network-connected backup drives or servers and encrypt or delete them as one of their first objectives. Without immutability or offsite separation, it’s not hard for malware to locate and compromise backups, especially if they are simply sitting on a mapped network drive or in the same cloud IAM tenant.
The statistics are sobering: organizations that had their backups compromised in ransomware attacks faced 8× higher recovery costs on average than those whose backups stayed safe. They also experienced significantly longer downtime, because recovering without intact backups is slow and costly.
According to a Sophos report, "Compromised backups put adversaries in a stronger position, as victims often have nothing to do but pay a ransom. So, they demand higher ransom payments. Victims with compromised backups face twice bigger ransom demands than those with intact backups, with median demands being $2.3 million for compromised backups and $1 million for unaffected backups."
For IAM systems, losing current data without a reliable backup could mean tens of thousands of employees or customers locked out, unable to authenticate, or critical application integrations breaking. The business impact can range from lost productivity and revenue to compliance violations (consider the regulatory wrath if you cannot recover audit logs or access records after an incident).
Compliance officers worry about this scenario too – many regulations mandate data retention and timely breach recovery. Failure to produce records (because backups were destroyed) or prolonged IAM downtime could result in fines or legal penalties, especially in regulated industries. Decision-makers should understand that backup resilience isn’t just an IT problem; it directly affects brand trust and operational continuity. A well-known case in point: when a major service suffers an identity outage or breach (for example, if an Okta tenant misconfiguration deletes users without backup), it often hits headlines, damaging customer confidence.
Thus, skimping on backup isolation is a risk no stakeholder would knowingly accept.
Evaluating Your Current Identity Backup Approach
As you assess your current identity backup solution, consider these key questions:
- Does your backup implementation follow the 3-2-1 rule with true diversity of storage?
- Is your backup truly air-gapped, or could an attacker with admin access to your identity provider also reach your backups?
- Are your backups immutable, or could a privileged user modify or delete them?
- How would you recover if both your production environment and primary backup were compromised simultaneously?
If you’re unsure about any of these answers, it may be time to reevaluate your identity resilience strategy.
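The four questions above, together with the air-gap definition given earlier (storage that cannot be reached through the same authentication mechanism as production), can be turned into a repeatable check. The following is an added example written for this post, not Acsense's tooling: it models each backup copy by its storage type, location, the authentication realm that grants access to it, and whether it is immutable and restore-tested, then evaluates the 3-2-1-1-0 criteria (the final "0" being zero errors on the last restore test) and simulates which copies stay intact once the production identity provider's credentials are in an attacker's hands. The two inventories, realm names and site names are constructed assumptions.

```python
"""Assess an identity-backup inventory against 3-2-1, air gap and immutability,
and simulate which copies stay intact when the production identity provider's
credentials are compromised. Constructed example: inventories, realm and
site names are assumptions, not any real deployment.
"""
from dataclasses import dataclass

PRODUCTION_SITE = "prod-cloud"    # cloud environment hosting the production identity system
PRODUCTION_STORAGE = "saas-idp"   # storage type of the production copy itself
PRODUCTION_REALM = "corp-sso"     # authentication mechanism that fronts production access


@dataclass(frozen=True)
class BackupCopy:
    name: str
    storage_type: str       # e.g. "s3", "tape", "managed-vault"
    site: str               # PRODUCTION_SITE means it lives alongside production
    auth_realm: str         # the authentication system that grants access to it
    immutable: bool         # retention lock that no administrator can shorten or bypass
    restore_verified: bool  # last automated restore test completed with zero errors


def assess(copies: list[BackupCopy]) -> dict[str, bool]:
    """3-2-1-1-0 check: production itself counts as one of the three copies."""
    storage_types = {c.storage_type for c in copies} | {PRODUCTION_STORAGE}
    return {
        "three_copies": len(copies) + 1 >= 3,
        "two_storage_types": len(storage_types) >= 2,
        "one_offsite": any(c.site != PRODUCTION_SITE for c in copies),
        "one_air_gapped": any(c.auth_realm != PRODUCTION_REALM for c in copies),
        "one_immutable": any(c.immutable for c in copies),
        "zero_restore_errors": bool(copies) and all(c.restore_verified for c in copies),
    }


def failing_checks(copies: list[BackupCopy]) -> list[str]:
    """Names of the criteria the inventory does not meet, in check order."""
    return [name for name, ok in assess(copies).items() if not ok]


def intact_after_compromise(copies: list[BackupCopy], compromised_realms: set[str]) -> list[str]:
    """Copies an attacker holding the given realms' credentials cannot destroy:
    either unreachable through those realms, or reachable but immutable."""
    return [c.name for c in copies
            if c.auth_realm not in compromised_realms or c.immutable]


# Inventory 1 (constructed): two backups that share production's SSO and cloud account,
# the "backup that was just another target" pattern.
SAME_SSO_INVENTORY = [
    BackupCopy("s3-daily", "s3", PRODUCTION_SITE, PRODUCTION_REALM, immutable=False, restore_verified=False),
    BackupCopy("s3-weekly", "s3", PRODUCTION_SITE, PRODUCTION_REALM, immutable=False, restore_verified=False),
]

# Inventory 2 (constructed): one convenient cloud copy plus two copies behind
# separate credentials, one of them physically offline.
ISOLATED_INVENTORY = [
    BackupCopy("s3-daily", "s3", PRODUCTION_SITE, PRODUCTION_REALM, immutable=False, restore_verified=True),
    BackupCopy("vault-offsite", "managed-vault", "vendor-region-eu", "vault-mfa", immutable=True, restore_verified=True),
    BackupCopy("tape-monthly", "tape", "colo-dc", "physical-custody", immutable=True, restore_verified=True),
]


if __name__ == "__main__":
    for label, inventory in (("same-SSO", SAME_SSO_INVENTORY), ("isolated", ISOLATED_INVENTORY)):
        print(label, "fails:", failing_checks(inventory) or "none")
        print(label, "intact if corp-sso is compromised:",
              intact_after_compromise(inventory, {PRODUCTION_REALM}) or "nothing")
```

The first inventory passes the literal copy count and storage-type count yet leaves nothing intact once the SSO realm falls, which is exactly the failure the post describes: the numbers of 3-2-1 were met while the air gap and immutability were not. The `auth_realm` attribute is the one to be honest about when filling this in for a real environment; a vault reached through a separate MFA-protected account counts as a different realm only if that account is not itself provisioned or recoverable through the production identity provider.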
Conclusion: A Unified Effort for IAM Resilience
Backup best practices form the bedrock of IAM resilience.
When done right, they ensure that no matter what incident befalls your identity platform – be it a cyberattack, configuration error, or cloud outage – your organization can quickly bounce back with minimal damage. However, achieving this requires a concerted effort and the right tools. It’s not just an IT checkbox, but a cross-functional priority.
Here’s what robust IAM backup resilience delivers for key stakeholders:
- CISOs:
Reduced risk of catastrophic identity outages and breaches.
By eliminating IAM as a single point of failure, CISOs can align with cyber resilience frameworks and sleep easier knowing a ransomware attack on Active Directory or Okta won’t cripple the company. Immutable, offsite backups also support strategic risk management and cyber insurance requirements.
- IT Administrators:
Clear guidance and reliable tools for protecting IAM data.
Automated backup processes and health checks lower the manual workload and chance of error. In an emergency, one-click recovery and point-in-time restore capabilities mean admins can rapidly undo damage – whether it’s rolling back an erroneous group policy change or restoring an entire identity provider tenant.
- Compliance Officers:
Confidence that the organization meets regulatory mandates for data protection, retention, and recovery.
With immutable, air-gapped backups and documented test results, compliance teams can provide evidence for audits (ISO 27001, SOC 2, HIPAA, DORA, etc.) showing that even identity systems have strong continuity plans. This proactive stance helps avoid audit findings and penalties.
- Business Executives (Decision-Makers):
Assurance of business continuity and resilience.
Identity is the new perimeter; its failure means business failure. Investing in best-practice backups safeguards revenue and reputation by minimizing downtime. The business case is clear – compare the minor cost of robust backups to the multi-million dollar losses that can accumulate from a major identity system outage or a compliance fine. Resilience features like built-in recoverability testing also demonstrate innovation and due diligence to boards and customers, reinforcing trust.
By speaking a language that resonates with each role, organizations can break silos and ensure everyone champions IAM resilience. In the next installment of this series, we will delve into recovery testing and “time machine” restoration – showing how to routinely validate your backups and effortlessly rewind your IAM environment when seconds count. Until then, remember: a backup is only as good as the worst day of your business. With 3-2-1 methodology, immutability, air-gapping, and solid testing in place, you’ll be ready for whatever that day brings.
Ready to learn more about how Acsense provides a secure foundation for your identity infrastructure?
Contact us for a demonstration of our resilient backup platform.
References:
- Verizon. (2025). Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/dbir
- IBM Security. (2024). Cost of a Data Breach Report. https://www.ibm.com/security/data-breach
- Veeam. Air-gap vs Immutable Backups: Key Differences. https://www.veeam.com/blog/air-gap-vs-immutable-backups-key-differences.html
- Veeam. (2025). Ransomware Trends & Proactive Strategies. https://go.veeam.com/ransomware-trends
- Sophos. (2024). The Impact of Compromised Backups on Ransomware Outcomes.
- CISA (US-CERT). Data Backup Options. https://www.uschamber.com/co/run/technology/3-2-1-backup-rule
- Spin.AI. Can Ransomware Infect Backups? https://spin.ai/blog/can-ransomware-infect-backups
- 5 Companies That Were Forced to Shut Down Due to Data Breaches. https://n2ws.com/blog/5-companies-shut-down-data-breaches
- National Cybersecurity Center of Excellence. https://www.nccoe.nist.gov/projects/building-blocks/data-security
- European Union. (2025). Digital Operational Resilience Act (DORA). https://www.digital-operational-resilience-act.com
- National Institute of Standards and Technology. Cybersecurity Framework 2.0. https://www.nist.gov/cyberframework/framework-2-0