

3-2-1 Backup, Air-Gap and immutable backups against ransomware




For those in a hurry

  • 3-2-1 backup strategy: Keep 3 copies of your data, on 2 different media, with 1 off-site copy. Iperius Backup supports this strategy through hybrid backups: on local destinations (disks/NAS), cloud and tape, ensuring redundancy and security.
  • Air-gapped backup: A backup copy isolated from the network is inaccessible to ransomware. Iperius allows you to create air-gapped backups by saving data on removable devices (e.g. USB, LTO) that can be disconnected after the backup, adding an additional layer of protection.
  • “Air-gapped” software: Iperius itself does not require a continuous internet connection to function. Thanks to the perpetual license and independence from cloud services, it can also operate in closed networks, reducing the attack surface and effectively being an “air-gapped” software.
  • Immutable backups (Object Lock): Iperius supports the immutability of cloud backups such as Amazon S3. By activating Object Lock, the data is stored in WORM (Write Once Read Many) mode, that is, written once and unmodifiable for a defined period, preventing accidental or malicious deletions or alterations.
  • Immutability and WORM: Keeping immutable backups with WORM policies is essential to defend against ransomware and meet compliance regulations. Iperius Backup offers modern tools to define retention policies that ensure that backups remain unalterable over time, ensuring data integrity and recoverability even in the worst-case scenarios.

3-2-1 backup strategy

One of the foundations of data security is the 3-2-1 backup strategy. This approach involves keeping at least 3 copies of your data, on 2 different types of media, of which at least 1 copy is off-site. In practice, in addition to the original data, you should have two backups: for example, one on a local disk/NAS and another on a cloud or tape in a remote location. This way, even in the event of hardware failure, human error or local disaster, there will always be a recoverable copy.

Iperius Backup greatly facilitates the adoption of the 3-2-1 strategy thanks to its support for hybrid and multi-destination backups. With a single software it is possible to configure backups to different types of destinations in parallel:

  • Local backups: save to external USB drives, network NAS, local folders or shared drives.
  • Tape backup (LTO): archiving on tape media, still widely used today for their reliability and longevity. Iperius fully supports any Tape LTO unit, allowing you to use tapes as part of the 3-2-1 strategy.
  • Cloud backup: sending data to public or private cloud services via protocols such as Amazon S3, Azure Storage, Wasabi, Google Drive, OneDrive, Backblaze, Dropbox, or to FTP/SFTP servers. Iperius supports numerous providers and any storage compatible with the S3 protocol, offering great flexibility in choosing the off-site copy.

Thanks to this versatility, you can, for example, simultaneously perform a backup on a local NAS and on a remote cloud space with a single scheduled job. In this way, you immediately comply with the 3-2-1 rule (local + off-site backup) without having to manage separate processes. Iperius also manages backup compression and encryption, ensuring that copies on external destinations are optimized in size and protected from unauthorized access.

Implementing the 3-2-1 strategy with Iperius means adding a robust layer of resilience: even if ransomware hits the primary data, you would have a local copy to restore from quickly and an additional intact off-site copy in case of a major disaster. This layering is the basis of solid business continuity.

Air-gap backup: the ultimate anti-ransomware weapon

In recent years, with the rise of ransomware attacks, the importance of air-gapped backups has become more widely recognized. An air-gapped backup is a backup that is kept offline or otherwise isolated from the rest of the network, so that no malware or attacker can reach it through traditional channels. In other words, there is a real “gap” (interruption) between the system where the production data resides and the media where the backup is stored, preventing the propagation of any infections.

The advantages of an air-gap backup from an anti-ransomware perspective are notable:

  • Total Isolation: If ransomware infects servers or PCs on the network, it cannot encrypt or erase what it cannot see and reach. Disconnected media is undetectable and unattackable by malware.
  • Protection from malicious deletions: In the event of a targeted attack, an attacker may try to delete backups as well. A physically disconnected backup cannot be compromised in any way.
  • Resilience to network or infrastructure failures: By keeping copies disconnected and perhaps in buildings other than the company’s, data is also safe from any network problems, blackouts, fires, natural disasters, theft or other events that could compromise both production systems and online backups.

Traditionally, the air-gap approach was implemented using magnetic tapes: the backup was performed on tape and then removed and stored in a safe. Today, in addition to tapes, devices such as removable USB disks or removable drives in general are used. The important thing is that at least one backup copy is not constantly connected to the system. Even the cloud can be part of an air-gap strategy if used with due caution (for example, keeping credentials well isolated and using immutable backup modes when supported), but by definition a cloud service is always reachable via the network; for this reason, the real air-gapped copy often remains the one on disconnected physical media.

Iperius and air-gap backups on removable devices (USB, LTO)

Iperius Backup allows you to put the air-gap concept into practice in a simple and effective way. Thanks to the backup support on removable devices, you can save your data on units that are then disconnected or deactivated when not in use, effectively creating isolation.

Here are some ways Iperius makes air-gapped backups easier:

  • Backup to USB disks: You can configure automatic backups to external USB disks. For example, using multiple units in rotation (Monday disk A, Tuesday disk B, etc.), you will always have at least one disk offline and stored in a safe place while the other is connected for the current backup. Iperius allows you to schedule backups on specific days/times, so you can connect the device only in that time window and disconnect it immediately after. Iperius can also run a script at the end of the backup that disconnects the USB disk automatically.
  • LTO Tape Backup with Ejection: Iperius supports automatic tape ejection at the end of the backup. This means that, once the copy is complete, the software can eject the LTO cartridge from the drive. The ejected tape is physically isolated from the system until someone reinserts it, creating a perfect air-gap. This feature is invaluable for implementing fully automated and secure tape backup routines: each backup ends with the tape out of the drive, ready to be archived offline.
  • Notifications and custom scripts: Iperius offers the ability to run custom scripts or commands before or after the backup. This makes it possible, for example, to mount/unmount network drives or disks via script, creating a temporary connection only for the duration of the backup. Similarly, end-of-backup email notifications remind the operator to disconnect the removable media if he or she needs to do so manually.

Another crucial aspect is that Iperius itself is an “air-gapped” software. Thanks to the perpetual license and total operational autonomy, Iperius does not require constant connections to the Internet or to any external management server. Many modern backup products depend on cloud services or periodic online activations; Iperius, however, once installed and activated, can work indefinitely even in a completely isolated environment (for example a closed corporate network without Internet access). This means fewer vulnerabilities: the software does not open external communication channels that could be exploited by hackers, and continues to protect data even in infrastructures segregated for security reasons. In short, you can rely on Iperius in contexts where security requires segmentation and isolation, certain that your backups will be performed and protected without depending on external factors.

Immutable Backups with Object Lock on Amazon S3

In addition to physical isolation, another pillar of advanced data protection is the immutability of backups. An immutable backup is one that, once created, cannot be modified or deleted for a specified period of time (or indefinitely). This feature ensures that the backup copy remains intact and available even if someone attempts to alter or destroy it, either intentionally or due to malware.

Iperius Backup fully embraces this concept thanks to the support of the Object Lock functionality on compatible cloud storage, such as Amazon S3. In practice, when sending your backups to the cloud via Iperius, you can activate the immutable backup option (if the provider supports it): the software will set the data in WORM (Write Once Read Many) mode directly on the remote storage.

What does this mean in a real-world scenario? Suppose you back up your business-critical data in the cloud every week and set an immutable retention period of 30 days. Every backup you upload to S3 with Object Lock will remain unaltered for 30 days: no one – not even a user with administrative access to the cloud – will be able to delete or modify it during that time. If ransomware were to compromise your cloud login credentials or a malicious operator were to try to delete your backups, those Object Lock-protected files would still be safe, because the storage system will refuse any deletion operations until the set period expires.

Iperius makes it easy to configure this protection: the user simply needs to enable the immutability option and choose the desired retention period when configuring the backup to Amazon S3. From that moment on, each backup sent will follow the specified WORM rules. It is worth noting that Amazon S3 offers two Object Lock modes – Governance Mode and Compliance Mode – which differ in the level of protection (Compliance Mode is more restrictive, not even an AWS administrator could delete objects until they expire). Iperius is compatible with these modes, allowing companies to align with even stringent regulatory requirements.
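As an added example (not Iperius code and not part of the original article), the Python check below audits backup objects for the retention settings described above and flags any that are unlocked, close to expiry, or held only in Governance Mode. The field names `ObjectLockMode` and `ObjectLockRetainUntilDate` follow the S3 HeadObject response; the function name, object keys, thresholds and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# ObjectLockMode / ObjectLockRetainUntilDate are the field names S3 returns
# from HeadObject (e.g. via boto3 head_object). "Key" is added by the caller.
# Function name, sample keys and thresholds are hypothetical.

def audit_object_lock(objects, now, min_days_left=7, require_compliance=False):
    """Return (key, problem) pairs for backups that are not safely locked."""
    findings = []
    for obj in objects:
        key = obj["Key"]
        mode = obj.get("ObjectLockMode")
        until = obj.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings.append((key, "no retention: object can be deleted now"))
            continue
        if until <= now:
            findings.append((key, "retention already expired"))
            continue
        if until - now < timedelta(days=min_days_left):
            findings.append((key, f"retention ends in under {min_days_left} days"))
        if require_compliance and mode == "GOVERNANCE":
            # Governance locks can be lifted by principals holding the
            # s3:BypassGovernanceRetention permission.
            findings.append((key, "GOVERNANCE mode: privileged bypass possible"))
    return findings

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: weekly backups uploaded with a 30-day retention.
NOW = utc(2025, 1, 31)
SAMPLE = [
    {"Key": "weekly-2025-01-26.zip", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": utc(2025, 2, 25)},
    {"Key": "weekly-2025-01-19.zip", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": utc(2025, 2, 18)},
    {"Key": "weekly-2025-01-05.zip", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": utc(2025, 2, 4)},
    {"Key": "weekly-2024-12-29.zip"},  # uploaded without Object Lock
]

if __name__ == "__main__":
    for key, problem in audit_object_lock(SAMPLE, NOW, require_compliance=True):
        print(f"{key}: {problem}")
```

Against a real bucket, each record would be built from the HeadObject response for one backup key, and the audit would run from an account that has read access only.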

In short, with Iperius Backup you have the possibility to easily implement immutable backups in the cloud: a formidable defense against ransomware that tries to delete backups and an additional guarantee that your critical data is always recoverable. This feature places Iperius among the modern backup solutions that offer not only the copy of data, but also the intrinsic security of the backup copies themselves.

Immutability and WORM preservation: why they are crucial

Why is there so much emphasis on immutability and WORM policies in data protection? Because these features directly address the destructive tactics of modern attacks and the requirements of long-term data integrity.

When ransomware strikes, it often does more than just encrypt primary data: many attacks also attempt to delete or compromise backup copies, precisely to prevent the victim from restoring files without paying the ransom. Having immutable backups means that ransomware (or any malicious actor) is denied the ability to delete your lifeline. Once written, data cannot be deleted until the retention period expires: this ensures that even if the entire network were compromised, backups on immutable media would remain intact.

WORM (Write Once Read Many) preservation originated in the field of optical and tape storage, and has historically been used to comply with industry regulations (finance, healthcare, public administration) that require that certain documents be kept unalterable for years. Today the same principle is applied to backups: being able to demonstrate that a certain backup has not been altered since its creation date is not only a security best practice, but often a legal obligation. Think, for example, of system logs or archived financial data: with Iperius you can keep this information in immutable backups compliant with WORM policies, satisfying audit and compliance requirements (e.g. GDPR, PCI-DSS regulations, or specific regulations such as those for the banking sector) without having to resort to special hardware – all you need is the right software and storage.

In a more general perspective, immutability also introduces a concept of trust in backups: knowing that a copy is protected in WORM, those who manage IT can have the peace of mind that that backup will be usable when needed, because nothing and no one has been able to alter it. This allows disaster recovery plans to be respected with greater certainty, having the guarantee that there is at least one copy that is certainly clean and recoverable.

In summary, the integration of immutability and WORM in Iperius Backup offers key benefits:

  • Tamper-proof security: Immutable backups cannot be sabotaged by malware or human error as long as the set WORM policy lasts.
  • Verifiable integrity: Data remains exactly as it was when it was backed up; this is essential so that you can use it in future restores knowing that it is intact.
  • Compliance and audit trail: Unalterable retention helps meet regulatory obligations and provides a reliable history of backups, with the ability to prove that they have not been tampered with.

Conclusion

Between consolidated best practices and innovative technologies, Iperius Backup positions itself as a cutting-edge solution for data security. Supporting the 3-2-1 strategy, offering customized air-gap backups and implementing immutable backups with ease, Iperius provides all the tools needed to keep your data safe from modern IT nightmares. All with the simplicity of a lightweight but powerful software, a perpetual license with no recurring costs and the flexibility to adapt to the needs of any environment (from small offices to large enterprises).

In an era where ransomware and cyber threats are constantly evolving, a modern backup solution must do much more than copy files: it must guarantee resilience, integrity and recoverability in every scenario. Iperius Backup responds to this challenge by integrating the best protection strategies – from copy diversification to their temporal immobility – in a single complete platform. By relying on Iperius, you choose 360-degree data protection, knowing that even in the unfortunate event of a ransomware attack, you will have solid tools on your side to quickly restore operations without giving in to any blackmail.

In conclusion, Iperius Backup represents a modern, complete and reliable solution for data protection: a true ally in the silent war against data loss and ransomware threats, which combines proven practices and advanced features to keep safe the most precious asset in the IT field, your data.



