Implement effective backup strategies
This article details recommended methods to implement the 3-2-1-1-0 backup strategy, helping you secure your data and ensure reliable recovery.
Evaluate the importance of all systems and data
Prioritize your digital assets based on their importance to your organization. To establish an effective backup strategy, evaluate each system and data set using these metrics:
- Recovery Time Objective (RTO): Determines the acceptable downtime for data recovery after a disruption. A shorter RTO requires faster recovery methods.
- Recovery Point Objective (RPO): Defines the maximum amount of data loss that can be tolerated without significant business impact. A lower RPO needs more frequent backups. In ActiveProtect Manager, you can adjust backup frequency in a protection plan to meet your RPO requirements.
Create backup copies for your data
Create copies of your backup data and store them in offsite locations, adding an extra layer of protection. This provides redundancy and makes sure that your data is always recoverable. To enable backup copies of your data, refer to this article.
Auto-protect new workloads
Set up automated backup rules to protect your organization's virtual machines and SaaS accounts. This function ensures that any new resources added to your production environment will be automatically backed up, minimizing security gaps associated with digital expansion.
To create auto-backup rules for virtual machines and Microsoft 365, refer to the following articles:
Configure immutable backups
Immutable backups protect your data by making it unalterable and undeletable once written. This guarantees data accuracy and helps meet regulatory compliance requirements. ActiveProtect appliances employ a multi-pronged approach to protect your backup data against ransomware:
- Native operating system: ActiveProtect Manager (APM) embedded in every ActiveProtect appliance allows you to safeguard data from unauthorized or accidental modifications.
- Protection with Object Lock and WORM: When backing up data to remote storage (such as Amazon S3), ActiveProtect appliances leverage the storage's Object Lock or WORM (write once, read many) functionalities, ensuring data integrity and preventing compromise on remote storage.
- Automated retention locks: ActiveProtect appliances automatically adjust immutable or WORM lock periods according to your data retention policies. This approach optimizes your storage usage and simplifies configurations.
Create an immutable protection plan to achieve immutable backups. Refer to Manage your protection plans.
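The Object Lock and retention-lock points above can be checked from the storage side. The following is an added example, not Synology code: it flags backup objects whose lock is missing, is in a bypassable mode, or ends before the retention period. The `Retention` field mirrors the shape of S3 `GetObjectRetention` output; the `Created` field, object keys, dates and the 30-day policy are constructed assumptions, and the page does not state which lock mode ActiveProtect sets.

```python
from datetime import datetime, timedelta, timezone

def audit_object_locks(versions, retention_days):
    """Return {key: [issues]} for backup objects locked more weakly than the policy."""
    findings = {}
    for v in versions:
        issues = []
        lock = v.get("Retention")  # shaped like S3 GetObjectRetention output
        required_until = v["Created"] + timedelta(days=retention_days)
        if lock is None:
            issues.append("no retention lock")
        else:
            if lock["Mode"] != "COMPLIANCE":
                # GOVERNANCE locks can be lifted by any principal holding
                # s3:BypassGovernanceRetention, so a compromised admin can shorten them.
                issues.append("mode " + lock["Mode"] + " is bypassable")
            if lock["RetainUntilDate"] < required_until:
                issues.append("lock ends before the retention period")
        if issues:
            findings[v["Key"]] = issues
    return findings

def _d(day):  # helper for the constructed sample below
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=day)

# Constructed sample inventory; keys and dates are illustrative only.
SAMPLE = [
    {"Key": "backups/vm01/v1", "Created": _d(0),
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": _d(30)}},
    {"Key": "backups/vm01/v2", "Created": _d(1),
     "Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": _d(31)}},
    {"Key": "backups/vm01/v3", "Created": _d(2),
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": _d(9)}},
    {"Key": "backups/vm01/v4", "Created": _d(3)},
]

if __name__ == "__main__":
    for key, issues in audit_object_locks(SAMPLE, retention_days=30).items():
        print(key, "->", "; ".join(issues))
```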
Deploy an air-gapped environment
To bolster ransomware defenses, we recommend setting up an air-gapped environment for your ActiveProtect site. Unlike traditional air gaps that rely on tapes for zero connectivity, ActiveProtect Manager lets you schedule the isolation of secondary backup servers (i.e., backup copy servers). This restricts network connectivity to essential data transfer periods, while ensuring that your backup data can be easily accessed and managed by IT administrators.
Use the following methods to set up an air-gapped environment while maintaining efficient site management.
Set up an isolated zone

Deploy your backup copy server in a zone physically and logically isolated from the production environment. This zone should have minimal connectivity to other environments, with only the following two Ethernet links:
Link | Description |
---|---|
Data transmission | |
Site management | |
Secure networks via firewall or VPN
To further secure connections to the isolated zone, we recommend applying a firewall or VPN tunnel to the network links mentioned above. In addition, allow only the required ports and protocols for external connections and block unnecessary access.
Set up a recovery host in the isolated zone
Deploying a recovery host in the isolated zone lets you regularly perform instant restorations, ensuring that your backup data can be correctly recovered when needed.
Regular restoration drills
Schedule restoration drills to assess the effectiveness of your backup and recovery processes. ActiveProtect appliances offer flexible restoration features that help you conduct these drills, ensuring that your IT team is well-prepared to respond to any critical situations.
Verify backups
To verify the bootability of backed-up workloads, you can enable backup verification, allowing your ActiveProtect appliance to record a video during a trial restoration for physical servers and virtual machines.
Instantly restore data to hypervisors
Instant restoration is ideal for implementing restoration drills. It allows you to bring back your physical servers and virtual machines within minutes using compressed and deduplicated backup files. In ActiveProtect Manager, you can instantly restore backup images to the built-in hypervisor or to your own hypervisors. Refer to the following articles to learn more about instant restore configurations:
Restore SaaS data to test accounts
Conduct restoration drills for your SaaS services using test user accounts. For example, create several accounts on Microsoft 365 and make sure they have no data or customizations. Then, restore your backup versions to these test accounts to verify data recovery.
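The 3-2-1-1-0 strategy named at the top of this article can be audited against an inventory of copies. This is an added example, not Synology code. It assumes the usual reading of the rule (3 copies including production, 2 media types, 1 offsite, 1 immutable or air-gapped, 0 verification errors); the field names and sample entries are constructed.

```python
def audit_3_2_1_1_0(copies):
    """Return the rules of 3-2-1-1-0 that the inventory fails (empty list = pass)."""
    failed = []
    if len(copies) < 3:                                  # 3: copies, production included
        failed.append("3 copies")
    if len({c["media"] for c in copies}) < 2:            # 2: distinct media types
        failed.append("2 media types")
    if not any(c["offsite"] for c in copies):            # 1: offsite copy
        failed.append("1 offsite copy")
    if not any(c["immutable"] or c["air_gapped"] for c in copies):
        failed.append("1 immutable or air-gapped copy")  # 1: tamper-resistant copy
    # 0: every backup copy needs a verification or restore drill with zero errors;
    # a copy that was never verified (None) counts as a failure.
    bad = [c["name"] for c in copies
           if c["role"] == "backup" and c.get("verify_errors") != 0]
    if bad:
        failed.append("0 verification errors (" + ", ".join(bad) + ")")
    return failed

def entry(name, role, media, offsite=False, immutable=False,
          air_gapped=False, verify_errors=None):
    """Build one inventory record (hypothetical schema for this example)."""
    return dict(name=name, role=role, media=media, offsite=offsite,
                immutable=immutable, air_gapped=air_gapped,
                verify_errors=verify_errors)

# Constructed inventories. Treating object storage as a second media type
# is an assumption of this example.
BEFORE = [
    entry("file-server", "production", "disk"),
    entry("primary-appliance", "backup", "disk", immutable=True, verify_errors=0),
    entry("copy-server", "backup", "disk", offsite=True, air_gapped=True),
]
AFTER = BEFORE[:2] + [
    entry("copy-server", "backup", "disk", offsite=True, air_gapped=True,
          verify_errors=0),
    entry("s3-bucket", "backup", "object-storage", offsite=True, immutable=True,
          verify_errors=0),
]

if __name__ == "__main__":
    print("before:", audit_3_2_1_1_0(BEFORE))
    print("after: ", audit_3_2_1_1_0(AFTER))
```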