Backup You Can Actually Restore From
Ransomware-resistant, compliance-aligned backup and disaster recovery built around the 3-2-1-1-0 rule, immutable object storage, segregated credentials, and quarterly restore tests we actually run. We design, deploy, and verify the recovery path before you ever need it.
Most backup conversations start in the wrong place. The questions that matter are not "do we have backups?" but "when did we last restore from them, how long did it take, and did the data come back intact?" Petronella Technology Group has been answering those three questions for North Carolina businesses since 2002. We design backup and disaster recovery as a verified recovery path, not a checkbox on a vendor invoice. Every engagement is shaped by your RPO, RTO, regulatory framework, and the hard reality that ransomware now actively targets backup repositories before encrypting production.
The 3-2-1-1-0 Rule, Explained
The original 3-2-1 rule was written before ransomware operators learned to hunt backups. The modern version adds two layers that exist because real-world incidents proved the old version insufficient. Here is what each digit actually means and why it exists.
Three Copies
Production plus two backups. A single backup correlates failure modes with production storage when both sit on the same array or vendor cloud.
Why: Failure IndependenceTwo Media Types
Distinct storage tech. SSD plus object storage, NAS plus cloud, disk plus tape. A firmware flaw or supply-chain attack against one media class cannot take both copies.
Why: Defeat Common-Mode FailuresOne Copy Offsite
Geographically separated. Fire, flood, theft, regional outage, and physical seizure are single-site failure modes. The offsite copy lives in a different data center, region, or cloud provider.
Why: Survive Site DisastersOne Immutable or Air-Gapped
A copy that cannot be modified, encrypted, or deleted by production credentials. Object Lock, tape rotation, or separate-tenancy cloud with hardware MFA. The copy that survives a ransomware operator.
Why: Ransomware Targets BackupsZero Errors After Restore
Every backup regularly restored to validate integrity, recovery time, and application functionality. A backup never restored is not a backup. It is a hope. The zero turns hope into evidence.
Why: Untested Equals UnprovenThe discipline that distinguishes a real backup program from a vendor invoice is the final zero. Every Petronella Technology Group backup engagement includes scheduled restore testing as a contractual deliverable. The cadence varies with workload tier, but the principle is non-negotiable: if you have not restored from it, you do not own it. We have inherited environments where the backup software reported "success" for years while the chain was corrupt, the encryption keys were lost, or the restore process took twelve times longer than the business could survive. The only way to find those failures is to restore. On purpose. On a schedule. With a stopwatch.
Why Modern Backups Need Hostile Architecture
Ransomware groups changed the threat model. The 2014-era backup design that assumed IT failure or a hardware crash collapses when adversaries have domain admin and 72 hours before detonation. Backups now require their own security boundary, identity, immutable storage layer, and active tamper monitoring.
Immutable Object Lock
Backups land in object storage with Write-Once-Read-Many semantics. Once written with a retention period, even the tenant admin cannot delete or overwrite until the lock expires. The foundation that survives credential compromise.
Snapshot Retention Windows
Recovery points sized to dwell-time reality. Adversaries often live inside networks 60 to 90 days before encrypting. Daily for 30 days, weekly for 12 weeks, monthly for 12 months, older tiers in immutable storage.
Segregated Credentials
Backup accounts are not domain accounts, not production cloud accounts, not shared with day-to-day admin. Hardware MFA, dedicated tenancy where supported, break-glass procedures that do not depend on production directory services.
Segregated Backup Network
Backup traffic on its own VLAN or VPC, strict egress filtering, no inbound paths from production. A compromised endpoint cannot reach the backup management plane through normal network paths.
Malware Scanning of Backups
Backups themselves scanned for known signatures and anomalous file patterns. Pre-staged encryption tooling inside a backup set is detected before that recovery point is offered to a restore.
Backup Job Anomaly Alerts
Retention-policy changes, unusual deletion attempts, off-hours admin logins, and job failures all alert to the same channel as production security telemetry. We see preparation to neutralize backups before detonation.
Keys Held Separately
Backup encryption keys stored outside the systems being backed up. Customer-managed keys in a dedicated KMS with rotation policies and access logs. Production compromise does not deliver decryption keys.
Documented Runbooks
The restore procedure is written down. Step-by-step with screenshots, credential locations, vendor contacts, decision points. Stored online and as a printed offline copy. Rehearsed during quarterly restore tests.
Realistic Recovery Targets by Workload Tier
RTO is how long the business can survive a workload being down. RPO is how much data the business can survive losing. These are business decisions that drive every architectural choice. The table shows realistic targets we deploy, not vendor brochures.
Tier assignment is the conversation that surfaces everything important. When leadership claims every system is Tier 0, the architecture becomes wildly expensive or quietly impossible. A real tier exercise puts dollar values on downtime and data loss, then matches those values to a budget that can deliver. We run this as part of every engagement because technical decisions only make sense after tiering is honest.
A note on RPO vs backup interval. Interval is how often a backup runs; RPO is how much data loss the business will accept. If you back up every 24 hours, your RPO is at best 24 hours, often worse if the most recent backup failed silently. RPO under one hour generally requires continuous data protection, replication, or log shipping rather than scheduled jobs.
What We Back Up, and the Pitfalls per Class
Different workloads have different recovery semantics. A VM snapshot is not the same as a SQL transaction-consistent backup. Microsoft 365 native retention is not a backup. The matrix shows what we cover and the pitfall that catches most teams.
The most common preventable disaster we walk into is a Microsoft 365 tenant where someone deleted a Shared Mailbox, SharePoint site, or OneDrive folder past 93 days and assumed it was recoverable. It is not. Same applies to Google Workspace. Hyperscalers are explicit that data backup is a customer responsibility, and platform retention is designed for soft-delete, not point-in-time restore. Independent backup is the only answer.
Which Controls Require Backups and Tested Restores
Backup is an explicit, named requirement across every major regulatory framework we cover. The cards map each framework to its control language and the evidence an auditor will ask for.
HIPAA Contingency Plan
The Security Rule requires a data backup plan, disaster recovery plan, and emergency mode operation plan. Backups must be tested; documented test results are inspected during OCR audits. Maps to our HIPAA compliance program.
45 CFR 164.308(a)(7)(ii)(A-D)CMMC Levels 1, 2, and 3
Backup obligations apply across all three levels. Level 1 covers basic safeguards; Level 2 adds MP.L2-3.8.9 (back up CUI) and RE.L2-3.11.2 (regular backups). Level 3 layers in enhanced protection and explicit testing. See CMMC compliance.
MP.L2-3.8.9 / RE.L2-3.11.2 / 32 CFR 170PCI DSS Backup Requirements
PCI DSS v4.0 requires backup media be physically secured, encrypted, and integrity-verifiable. Also addresses inventory and off-site storage location. See our PCI DSS compliance coverage.
PCI DSS v4.0 Req 9.4 + 12.10SOC 2 Availability + Recovery
Common Criteria CC9.1 and the Availability TSC require documented backup procedures, recovery testing, and disposal of backup media. Auditors expect restore-test evidence sampled across the audit period.
SOC 2 CC9.1 + A1.2 + A1.3NIST SP 800-53 CP Family
Contingency Planning covers CP-9 Information System Backup, CP-10 Recovery and Reconstitution, and CP-4 Plan Testing. Frequency, off-site storage, and verification are explicit subcontrols. Aligns with our NIST 800-171 baseline.
NIST 800-53 CP-4 / CP-9 / CP-10FTC Safeguards Rule
The amended Safeguards Rule (2023) requires non-banking financial institutions to maintain secure disposal of customer information plus documented response and recovery from security events. Backups are the recovery substrate.
16 CFR 314.4(c)(8) + 314.4(h)Cyber Insurance Carriers
Applications now ask whether backups are immutable, segregated from production credentials, and regularly tested. Carriers have started denying or sub-limiting claims when application answers were not factual at incident time.
Carrier-specific application controlsState Breach Notification Laws
States including North Carolina require timely breach notification when PII is exposed or rendered unavailable. Documented backup and recovery shortens the unavailability window and limits notification scope.
NC G.S. 75-65 + multi-state equivalentsThe Most-Failed Backup Control Is the One Nobody Runs
Across environments we have inherited, the single most common failure pattern is not missing backups. It is backups that exist on paper, run on schedule, report green, and have never been restored. The restore test is the only evidence the chain works. Here is the cadence we run as a contractual deliverable.
Single-File Spot Check
Random user file pulled from a random recovery point. Restored to isolated location, checksum verified, deleted. Minutes. Catches silent corruption early.
Full System Restore Test
One Tier 1 or Tier 2 system per quarter restored to isolated infrastructure. Application started, functionality validated. Stopwatch documents actual recovery time, anchoring the RTO commitment in evidence.
Tabletop DR Exercise
Scenario walk-through with leadership, IT, and key business users. No systems touched. Tests the runbook, decision-making, and communication path. Surfaces gaps only humans-under-pressure surface.
Full DR Failover Test
Tier 0 and Tier 1 failed over to disaster recovery site or warm standby. Production load redirected. Real recovery time measured end-to-end. The audit evidence that satisfies HIPAA, CMMC, SOC 2, and cyber carriers.
The test report is the deliverable. Every restore exercise produces a written record with date, system, recovery point, actual RTO, actual RPO, anomalies, and remediation. Those reports become the audit evidence package and next runbook revision. When an auditor asks "show me your most recent backup test," we hand them the file. When a carrier asks "are backups tested," we send the binder. When the CEO asks "if ransomware hits tonight, how long until we are running," the answer comes from the stopwatch.
Cold, Warm, and Hot Recovery Sites
The DR site model is a direct expression of the RTO. Faster recovery costs more in standing infrastructure and operational complexity. We design the right model per workload tier, often blending all three.
Backups Plus a Rebuild Plan
No standing infrastructure. Recovery requires provisioning compute, restoring from backup, reconfiguring networking, and bringing apps online from scratch. Lowest ongoing cost. Highest actual RTO, often measured in days.
Pre-Provisioned Infrastructure
Compute, storage, networking pre-deployed at a secondary location or cloud region. OS and applications installed but not serving production. Failover requires data restoration or replication catch-up plus DNS or load-balancer cutover. Sweet spot for Tier 1 and Tier 2.
Active Replication, Near-Zero Cutover
Continuous replication or active-active across primary and secondary sites. Failover is automatic or near-automatic, sub-minute RPO. DRaaS offerings deliver this model with cloud-hosted infrastructure billed during recovery, not steady-state.
Most real environments are not all-or-nothing. A typical Petronella Technology Group DR design places Tier 0 on hot-site replication, Tier 1 and Tier 2 on warm-site DRaaS, and Tier 3 and Tier 4 on cold-site restore-from-backup. The blend optimizes cost-per-tier rather than paying hot-site economics for archival data. The runbook documents which path each workload follows, who authorizes failover, and how the cutover decision is communicated.
Cloud-hosted DRaaS has changed the economics of warm and hot tiers. Where a decade ago a secondary data center required physical real estate, hardware refresh, and staff, modern DRaaS deploys recovery on demand in a hyperscaler and bills primarily during failover or testing windows. We design DRaaS architectures with multi-region failover paths so a single hyperscaler outage does not also take out the recovery destination.
Common Failures We Fix on Day One
Every backup-discovery engagement surfaces a recurring set of failure patterns. They show up in environments managed by competent people who inherited the previous design or never had budget to harden it. Here is what we find and how we close it.
The Pattern We Walk Into
- Single-Copy SyndromeOne backup copy on the same storage array as production. A controller failure or ransomware event takes both.
- No True Offsite"Offsite" turns out to be a NAS across the building. Same fire, same flood, same power event.
- Unencrypted BackupsWritten without encryption-at-rest, sometimes on a NAS share domain users can browse. Loss of media equals breach.
- Shared Admin CredentialsThe same domain admin that manages production manages backup software. One compromise neutralizes both.
- No Integrity VerificationSoftware reports success but no checksum or restore test confirms the data is actually readable.
- Third-Party Managed With No Restore TestA vendor runs the backups but has never proven a restore. First test happens during an actual incident.
- Microsoft 365 Treated as Backed UpOnly platform-native retention. A user-deleted Shared Drive after 93 days is gone, and litigation hold is not a backup.
- No Documented RunbookThe person who set up backups left two years ago. Nobody on staff knows how to run a restore.
How We Close It
- Deploy 3-2-1-1-0 ArchitectureThree copies, two media classes, one offsite, one immutable, restore-tested. Not negotiable.
- True Geographic SeparationOffsite copies in a different region or cloud provider. Same metro, different fire zone OK; same building is not.
- End-to-End EncryptionEncryption in transit and at rest. Customer-managed keys in a dedicated KMS outside the backed-up environment.
- Segregated Backup IdentityBackup admin accounts are not domain accounts. Hardware MFA. Dedicated tenancy where supported.
- Restore Tests on a ScheduleMonthly, quarterly, semi-annual, annual. Written report each time. Audit-grade evidence maintained.
- Service-Level Agreement With TeethIf a third party manages backups, SLA includes scheduled, documented restore test as a contractual deliverable.
- Independent Microsoft 365 BackupThird-party tooling for Exchange, SharePoint, OneDrive, Teams, and any SaaS with a shared-responsibility model.
- Written and Rehearsed RunbookDocumented, stored online and offline, rehearsed during quarterly tests, owned by a named role rather than a person.
Engagement Scoping and Investment Range
Backup pricing is one of the few places where a custom-quoted model serves the customer better than a published bundle. The cost drivers vary widely across engagements.
Custom-Quoted After Discovery
Petronella Technology Group does not publish a backup price list because the right answer is shaped by your actual environment. A 5-person firm with one Microsoft 365 tenant and one file server is fundamentally different from a 50-employee manufacturer with on-premise ERP, three locations, and a CMMC obligation. Both deserve a real number, not a marketing tier.
Backup and Disaster Recovery, Answered Honestly
Is Microsoft 365 native retention enough for HIPAA, CMMC, or SOC 2?
No. Microsoft 365 native retention is built for human-error soft-delete, e-discovery, and litigation hold. It is not point-in-time backup. HIPAA contingency planning, CMMC media protection at Levels 1, 2, and 3, and SOC 2 availability criteria all expect independent backup with documented retention, restore testing, and recovery time evidence. We deploy third-party backup tooling for Exchange, SharePoint, OneDrive, and Teams as a default for any regulated tenant.
What is the practical difference between RPO and RTO?
RPO is the maximum data loss the business will tolerate, measured in time. RTO is the maximum downtime. If your RPO is 15 minutes, you can survive losing the last 15 minutes of transactions. If your RTO is one hour, the system must be back within 60 minutes of incident. RPO drives backup frequency and replication strategy; RTO drives the disaster recovery site model. Both are business decisions, not technical preferences.
How often should backups actually run?
Backup frequency is determined by RPO, not by tradition. Tier 0 workloads with sub-15-minute RPO require continuous data protection or log shipping. Tier 1 and Tier 2 typically run hourly or every-four-hour incrementals. Tier 3 endpoints are usually daily. Tier 4 archival can be weekly or monthly. The right answer is whatever the tier exercise produced during discovery.
Can ransomware encrypt my backups?
Yes, if the architecture allows it. Modern ransomware operators specifically hunt backup repositories before detonating production. Backups reachable by the same credentials, on the same network, without immutability, are routinely encrypted in the same attack. The defense is immutable storage with Object Lock or air-gapped media, segregated identity, segregated network paths, and active alerting on backup-job anomalies. That is the architecture we deploy by default.
How do you actually prove a backup will restore?
You restore from it. Petronella Technology Group runs scheduled restore tests at four cadences: monthly single-file spot checks, quarterly full-system restores, semi-annual tabletop DR exercises, and annual full failover tests for Tier 0 and Tier 1 workloads. Each produces a written report with actual recovery time, anomalies, and remediation actions. That document is the only credible evidence a chain is real.
What is the 3-2-1-1-0 rule, and why did the original 3-2-1 stop being enough?
The original 3-2-1 rule called for three copies on two different media with one copy offsite. It assumed the threats were hardware failure, fire, and accidental deletion. It did not anticipate ransomware operators actively targeting backup repositories with privileged credentials. The modern version adds two requirements: one copy must be immutable or air-gapped, and the chain must have zero errors after restore testing.
Do you support hybrid environments with on-premise servers, cloud workloads, and SaaS?
Yes. Our standard architecture covers on-premise servers and VMs, public-cloud workloads in AWS or Azure, Microsoft 365 and Google Workspace, and major SaaS platforms like Salesforce, QuickBooks Online, and HubSpot. Each workload class has its own optimal tooling. We blend solutions rather than force a single platform that handles some workloads well and others poorly.
What happens if our backup vendor goes out of business or gets acquired?
Backup architecture is designed for portability. Customer-managed encryption keys, open backup formats where possible, and contractual rights to extract backup data on demand all protect the customer if a vendor relationship ends. We have migrated environments between backup platforms many times. The data is yours; the platform is replaceable.
Is cyber insurance affected by backup posture?
Increasingly, yes. Carriers now ask explicit questions about backup immutability, segregated credentials, and restore testing on the application. Some carriers will deny or sub-limit claims when application answers were aspirational rather than factual at the time of loss. A documented, tested, audit-grade backup program is now a meaningful factor in premium pricing and coverage scope.
How do CMMC Levels 1, 2, and 3 each treat backup?
CMMC backup obligations scale across all three levels. Level 1 establishes basic safeguarding of FCI including foundational backup hygiene. Level 2 introduces MP.L2-3.8.9 (back up CUI) and RE.L2-3.11.2 (regular backups of system-level information). Level 3 layers in enhanced protection of backup integrity, explicit testing cadence, and tighter cryptographic protection. We consult across all three levels. See our CMMC compliance page for the framework.
What is DRaaS and when does it make sense?
Disaster Recovery as a Service is a managed cloud-hosted recovery environment that activates during a declared incident or scheduled test. Steady-state cost is low. During failover, the service brings up replicas of protected workloads in a hyperscaler region. DRaaS makes sense for Tier 1 and Tier 2 workloads where a dedicated warm site would be uneconomical but a cold-site rebuild would take too long.
How fast can you stand up a backup program from scratch?
Discovery and tier exercise: one to two weeks. Architecture design and procurement: one to three weeks depending on hardware lead time. Initial deployment and runbook documentation: two to four weeks. First restore test: within 30 days of initial backups. A complete audit-grade program is realistically 60 to 90 days, and the recovery path is meaningfully better at every milestone.
Connected Coverage Areas
Backup and disaster recovery rarely live in isolation. The protection program is one pillar of a larger security and compliance posture Petronella Technology Group maintains across our managed environments.
Get a Backup Posture Review You Can Hand to an Auditor
Petronella Technology Group runs a structured discovery that surfaces silent failures in your current chain, maps gaps to your regulatory framework, and delivers a scoped remediation plan with realistic recovery targets. The review concludes with an actual restore test against your current backups, because that is the only evidence that matters.