Artikel | 20. March 2026
Multi-Tier Backup Architecture: Best Practices 2026
The 4‑Tier Model #
Tier 1: Online Backup (Daily) #
Technology: Deduplicating backup system (Veeam, Commvault, and others) writing to fast secondary storage in or near the data center.
Characteristics:
- High frequency (daily, hourly possible)
- Fast RTO (restores can start in minutes)
- Integrated deduplication (saves storage space)
- Network-connected: Tier 1 is online and synchronizes continuously
RPO: 1 to 24 hours, depending on backup frequency.
resilience: weak. If an attacker compromises your network, they can delete or encrypt Tier 1 backups. The fast availability that makes Tier 1 useful is also its security weakness.
Use: Primary recovery point for minor failures (hardware failure, accidental deletion, application error). Not sufficient against ransomware on its own.
Tier 2: Air Gap Backup #
Technology: Air-gapped disk storage (Silent Brick System), separated from the network outside controlled backup windows. With Silent Brick Pro, the bricks are physically removed from the Controller X (physical air gap). With Silent Brick Max Air, galvanic separation disconnects the storage electrically, with no physical removal needed.
Characteristics:
- Daily or weekly air-gapped copies, automated rather than dependent on manual media rotation
- Each copy is unreachable from the network while separated
- Integrity verification by the system, so the copy is known to be restorable
- Disk-based: restores start immediately, with random access
RPO: 1 to 7 days, depending on copy frequency.
resilience: strong. The attacker can delete Tier 1, but Tier 2 is not addressable. This is the insurance tier and the foundation of cyber resilience.
Why automation matters: Architectures that rely on someone manually rotating offline media every Friday fail in practice: media handling gets skipped, copies age, and nobody notices until the restore. An automated removes that human dependency.
Tier 3: WORM Archive (Long-Term) #
Technology: Hardware storage (Silent Cubes).
Characteristics:
- () enforced at the hardware level
- Cannot be deleted with admin rights; the immutability is not a software policy
- Long-term archiving (retention periods of 6 to 30+ years)
- Low access frequency (not for daily recovery)
- Compliance-ready for regulatory retention requirements
RPO: Monthly to annual, depending on archiving frequency.
resilience: extremely strong. Hardware-level cannot be deleted even by system administrators. Even if the attacker has root or admin access, the archived data stays intact.
Use: Long-term archiving and final recovery fallback. If Tier 2 is also damaged in an unlucky window, Tier 3 still holds the archived state. Note the division of labour: the Silent Brick System handles backup, Silent Cubes handle the immutable archive.
Tier 4: Geo-Redundancy #
Technology: A second on-premises location (different building or city) or, as a supplement, cloud archive storage.
Characteristics:
- Geographically separated from the primary data center
- Automated or periodic replication
- Longer recovery time (network latency or physical transport)
RPO: Daily to monthly.
resilience: medium to strong, depending on implementation. A cloud copy is only as safe as its credentials and object lock configuration. Treat cloud as a supplementary copy, not as the primary strategy: the decisive offline layer belongs on premises.
Use: Geographic redundancy against regional disasters (fire, flood, site loss) and a final layer of redundancy.
Which Data Belongs in Which Tier? #
Not all data requires all tiers:
- Production systems (AD, ERP): Tier 1 daily, Tier 2 weekly or daily, Tier 3 optional, Tier 4 monthly
- Critical business data: Tier 1 daily, Tier 2 weekly, Tier 3 monthly, Tier 4 monthly
- File server: Tier 1 daily, Tier 2 weekly, Tier 3 optional, Tier 4 monthly
- Long-term archives (regulatory retention): Tier 3 monthly, Tier 4 monthly; Tier 1⁄2 not required
- Email: Tier 1 daily, Tier 2 monthly; archive duties go to Tier 3 where retention rules apply
- Development data: Tier 1 daily only
Logic: Critical data requires multiple tiers. Non-critical data can work with fewer. Long-term archives require Tier 3 (hardware ) for compliance, but not Tier 1.
Recovery Scenarios #
Scenario 1: Hardware failure of a file server
- Recovery from Tier 1 (online backup)
- RTO: 1 to 2 hours, RPO: under 1 day
- Cost: low (IT time)
Scenario 2: User-deleted data (from a week ago)
- Recovery from Tier 1 or Tier 2
- RTO: 2 to 4 hours, RPO: under 1 week
- Cost: low to medium
Scenario 3: destroys production and Tier 1
- Recovery from Tier 2 (hardware air gap)
- RTO: hours, because the air gap layer is disk-based
- RPO: under 1 week (data since the last air-gapped copy)
- Cost: high (large restoration, validation effort)
Scenario 4: destroys production, Tier 1, and the most recent Tier 2 copy window
- Recovery from Tier 3 (hardware archive)
- RTO: longer, since archive recovery is a fallback path, not an operational one
- RPO: under 1 month (data since the last archive run)
- Cost: very high (including forensic analysis)
Best Practices for a 4‑Tier Setup #
- Tier 1 and Tier 2 separation is critical: Tier 2 must be unreachable from the network outside controlled windows, enforced by hardware, not by configuration.
- Use hardware for the archive tier: Silent Cubes as Tier 3 enforce immutability at the storage level, which is stronger than software at the filesystem level.
- Geo-redundancy for catastrophic scenarios: Tier 4 (second site, optionally cloud as a supplement) for worst-case situations.
- Retention policies: Tier 1: 7 to 14 days. Tier 2: 4 to 12 weeks. Tier 3: per regulatory requirement, often 6 to 30 years. Tier 4: 1 to 5 years.
- Test regularly: Perform a real recovery from Tier 2 at least quarterly, and from Tier 3 annually. The 3−2−1−1−0 rule ends with zero errors in the restore test for a reason.
Cost Logic #
Exact figures depend on data volume, retention, and RTO targets, but the structure is consistent:
- Tier 1 carries the highest operating cost (performance hardware, licences).
- Tier 2 adds the air gap layer; with automated disk-based systems, the operating effort is minimal because there is no media handling.
- Tier 3 has low cost per terabyte over its lifetime, because hardware archives run for many years with minimal administration.
- Tier 4 is comparatively cheap as a periodic replication target.
Set against this: industry reports consistently put the full cost of a ransomware incident (downtime, recovery, forensics, reputational damage) at a multiple of any backup architecture investment. Under NIS2, essential entities additionally face fines of up to EUR 10 million or 2 percent of global annual turnover if required risk measures are missing.
Frequently Asked Questions #
Can we combine Tier 2 and Tier 3? They solve different problems: Tier 2 (Silent Brick System) is the fast-recovery backup layer, Tier 3 (Silent Cubes) is the immutable long-term archive. Keeping them separate keeps both roles clean: backup is for recovery, archive is for retention.
Do we really need all 4 tiers? For cyber resilience: at minimum Tier 1 plus Tier 2. Tier 3 is mandatory wherever regulatory retention applies and strongly recommended otherwise. Tier 4 depends on your risk profile.
How long does recovery from Tier 3 take? The archive tier is a fallback, not an operational recovery path. Plan for a longer recovery window and treat any scenario that reaches Tier 3 as a major incident.
Further Resources #
→ IT Resilience Guide (/en/blog/it-resilienz-leitfaden/) → as a Resilience Layer (/en/blog/air-gap-resilienz-layer/) → Isolated Recovery Environment (/en/blog/isolated-recovery-environment/) → The 3−2−1−1−0 Backup Strategy (/en/blog/3 – 2‑1 – 1‑0-backup-strategie/) → Silent Brick System: Backup (/en/produkte/silent-brick-system/) → Silent Cubes: Hardware Archive (/en/produkte/silent-cubes/)
Ransomware
Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.
Ransomware
Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.
Air Gap
An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
Ransomware
Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
Ransomware
Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
Ransomware
Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.
Ransomware
Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.
Air Gap
An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.
Air Gap
An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.