---
title: "Multi-Tier Backup Architecture: Best Practices 2026"
date: 2026-03-20T10:05:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/mehrstufige-backup-architektur-best-practices-2026"
section: "Entries: Articles"
---
### The 4-Tier Model

#### Tier 1: Online Backup (Daily)

**Technology:** Deduplicating backup system (Veeam, Commvault, and others) writing to fast secondary storage in or near the data center.

**Characteristics:**

- High frequency (daily, hourly possible)
- Fast RTO (restores can start in minutes)
- Integrated deduplication (saves storage space)
- Network-connected: Tier 1 is online and synchronizes continuously

**RPO:** 1 to 24 hours, depending on backup frequency.

**Ransomware resilience: weak.** If an attacker compromises your network, they can delete or encrypt Tier 1 backups. The fast availability that makes Tier 1 useful is also its security weakness.

**Use:** Primary recovery point for minor failures (hardware failure, accidental deletion, application error). Not sufficient against ransomware on its own.

#### Tier 2: Air Gap Backup

**Technology:** Air-gapped disk storage (Silent Brick System), separated from the network outside controlled backup windows. With Silent Brick Pro, the bricks are physically removed from the Controller X (physical air gap). With Silent Brick Max Air, galvanic separation disconnects the storage electrically, with no physical removal needed.

**Characteristics:**

- Daily or weekly air-gapped copies, automated rather than dependent on manual media rotation
- Each copy is unreachable from the network while separated
- Integrity verification by the system, so the copy is known to be restorable
- Disk-based: restores start immediately, with random access

**RPO:** 1 to 7 days, depending on copy frequency.

**Ransomware resilience: strong.** The attacker can delete Tier 1, but Tier 2 is not addressable. This is the insurance tier and the foundation of cyber resilience.

**Why automation matters:** Architectures that rely on someone manually rotating offline media every Friday fail in practice: media handling gets skipped, copies age, and nobody notices until the restore. An automated hardware air gap removes that human dependency.

#### Tier 3: WORM Archive (Long-Term)

**Technology:** Hardware WORM storage (Silent Cubes).

**Characteristics:**

- Write Once Read Many (WORM) enforced at the hardware level
- Cannot be deleted with admin rights; the immutability is not a software policy
- Long-term archiving (retention periods of 6 to 30+ years)
- Low access frequency (not for daily recovery)
- Compliance-ready for regulatory retention requirements

**RPO:** Monthly to annual, depending on archiving frequency.

**Ransomware resilience: extremely strong.** Hardware-level WORM cannot be deleted even by system administrators. Even if the attacker has root or admin access, the archived data stays intact.

**Use:** Long-term archiving and final recovery fallback. If Tier 2 is also damaged in an unlucky window, Tier 3 still holds the archived state. Note the division of labour: the Silent Brick System handles backup, Silent Cubes handle the immutable archive.

#### Tier 4: Geo-Redundancy

**Technology:** A second on-premises location (different building or city) or, as a supplement, cloud archive storage.

**Characteristics:**

- Geographically separated from the primary data center
- Automated or periodic replication
- Longer recovery time (network latency or physical transport)

**RPO:** Daily to monthly.

**Ransomware resilience: medium to strong, depending on implementation.** A cloud copy is only as safe as its credentials and object lock configuration. Treat cloud as a supplementary copy, not as the primary strategy: the decisive offline layer belongs on premises.

**Use:** Geographic redundancy against regional disasters (fire, flood, site loss) and a final layer of redundancy.

---

### Which Data Belongs in Which Tier?

Not all data requires all tiers:

- **Production systems (AD, ERP):** Tier 1 daily, Tier 2 weekly or daily, Tier 3 optional, Tier 4 monthly
- **Critical business data:** Tier 1 daily, Tier 2 weekly, Tier 3 monthly, Tier 4 monthly
- **File server:** Tier 1 daily, Tier 2 weekly, Tier 3 optional, Tier 4 monthly
- **Long-term archives (regulatory retention):** Tier 3 monthly, Tier 4 monthly; Tiers 1 and 2 not required
- **Email:** Tier 1 daily, Tier 2 monthly; archive duties go to Tier 3 where retention rules apply
- **Development data:** Tier 1 daily only

**Logic:** Critical data requires multiple tiers. Non-critical data can work with fewer. Long-term archives require Tier 3 (hardware WORM) for compliance, but not Tier 1.

---

### Recovery Scenarios

**Scenario 1: Hardware failure of a file server**

- Recovery from Tier 1 (online backup)
- RTO: 1 to 2 hours, RPO: under 1 day
- Cost: low (IT time)

**Scenario 2: User-deleted data (from a week ago)**

- Recovery from Tier 1 or Tier 2
- RTO: 2 to 4 hours, RPO: under 1 week
- Cost: low to medium

**Scenario 3: Ransomware destroys production and Tier 1**

- Recovery from Tier 2 (hardware air gap)
- RTO: hours, because the air gap layer is disk-based
- RPO: under 1 week (data since the last air-gapped copy)
- Cost: high (large restoration, validation effort)

**Scenario 4: Ransomware destroys production, Tier 1, and the most recent Tier 2 copy window**

- Recovery from Tier 3 (hardware WORM archive)
- RTO: longer, since archive recovery is a fallback path, not an operational one
- RPO: under 1 month (data since the last archive run)
- Cost: very high (including forensic analysis)
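The tier mapping and the ransomware scenarios above can be checked mechanically against a backup catalogue. The following is an added example, not FAST LTA code: the data-class keys, the 31-day month, the use of the copy interval as the staleness limit, and the sample catalogue are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)
# Copy interval in days per data class and tier, from the mapping above
# (daily = 1, weekly = 7, monthly = 31). Optional or conditional tiers are left out.
# The class keys and the 31-day month are assumptions of this example.
PLAN = {
    "production":  {1: 1, 2: 7, 4: 31},
    "critical":    {1: 1, 2: 7, 3: 31, 4: 31},
    "file_server": {1: 1, 2: 7, 4: 31},
    "archive":     {3: 31, 4: 31},
    "email":       {1: 1, 2: 31},
    "development": {1: 1},
}

def audit(data_class, last_copy, now):
    """Return {tier: 'ok' | 'stale' | 'missing'} for each tier the plan requires."""
    result = {}
    for tier, interval_days in PLAN[data_class].items():
        ts = last_copy.get(tier)
        if ts is None:
            result[tier] = "missing"
        else:
            result[tier] = "stale" if now - ts > interval_days * DAY else "ok"
    return result

def recovery_point(data_class, last_copy, lost_tiers, now):
    """Return (tier, data_loss) for the lowest surviving planned tier with a copy.

    lost_tiers models the scenarios above, e.g. {1} when ransomware reaches the
    online backup. Returns (None, None) if no planned tier survives."""
    for tier in sorted(PLAN[data_class]):
        if tier not in lost_tiers and tier in last_copy:
            return tier, now - last_copy[tier]
    return None, None

# Constructed catalogue: time of the last verified copy per tier.
NOW = datetime(2026, 3, 20, 6, 0)
CRITICAL = {1: NOW - timedelta(hours=6), 2: NOW - 9 * DAY,
            3: NOW - 20 * DAY, 4: NOW - 25 * DAY}
DEV = {1: NOW - timedelta(hours=3)}

if __name__ == "__main__":
    print(audit("critical", CRITICAL, NOW))                   # Tier 2 copy is overdue
    print(recovery_point("critical", CRITICAL, {1}, NOW))     # Scenario 3
    print(recovery_point("critical", CRITICAL, {1, 2}, NOW))  # Scenario 4
    print(recovery_point("development", DEV, {1}, NOW))       # nothing survives
```

With this sample data the audit flags the overdue Tier 2 copy before an incident does, and the last call shows that a Tier 1-only class has no recovery point once the online backup is lost.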

---

### Best Practices for a 4-Tier Setup

1. **Tier 1 and Tier 2 separation is critical:** Tier 2 must be unreachable from the network outside controlled windows, enforced by hardware, not by configuration.
2. **Use hardware WORM for the archive tier:** Silent Cubes as Tier 3 enforce immutability at the storage level, which is stronger than software WORM at the filesystem level.
3. **Geo-redundancy for catastrophic scenarios:** Tier 4 (second site, optionally cloud as a supplement) for worst-case situations.
4. **Retention policies:** Tier 1: 7 to 14 days. Tier 2: 4 to 12 weeks. Tier 3: per regulatory requirement, often 6 to 30 years. Tier 4: 1 to 5 years.
5. **Test regularly:** Perform a real recovery from Tier 2 at least quarterly, and from Tier 3 annually. The 3-2-1-1-0 rule ends with zero errors in the restore test for a reason.

---

### Cost Logic

Exact figures depend on data volume, retention, and RTO targets, but the structure is consistent:

- **Tier 1** carries the highest operating cost (performance hardware, licences).
- **Tier 2** adds the air gap layer; with automated disk-based systems, the operating effort is minimal because there is no media handling.
- **Tier 3** has low cost per terabyte over its lifetime, because hardware WORM archives run for many years with minimal administration.
- **Tier 4** is comparatively cheap as a periodic replication target.

Set against this: industry reports consistently put the full cost of a ransomware incident (downtime, recovery, forensics, reputational damage) at a multiple of any backup architecture investment. Under NIS2, essential entities additionally face fines of up to EUR 10 million or 2 percent of global annual turnover if required risk measures are missing.

---

### Frequently Asked Questions

**Can we combine Tier 2 and Tier 3?** They solve different problems: Tier 2 (Silent Brick System) is the fast-recovery backup layer, Tier 3 (Silent Cubes) is the immutable long-term archive. Keeping them separate keeps both roles clean: backup is for recovery, archive is for retention.

**Do we really need all 4 tiers?** For cyber resilience: at minimum Tier 1 plus Tier 2. Tier 3 is mandatory wherever regulatory retention applies and strongly recommended otherwise. Tier 4 depends on your risk profile.

**How long does recovery from Tier 3 take?** The archive tier is a fallback, not an operational recovery path. Plan for a longer recovery window and treat any scenario that reaches Tier 3 as a major incident.

---

### Further Resources

- IT Resilience Guide (/en/blog/it-resilienz-leitfaden/)
- Air Gap as a Resilience Layer (/en/blog/air-gap-resilienz-layer/)
- Isolated Recovery Environment (/en/blog/isolated-recovery-environment/)
- The 3-2-1-1-0 Backup Strategy (/en/blog/3-2-1-1-0-backup-strategie/)
- Silent Brick System: Air Gap Backup (/en/produkte/silent-brick-system/)
- Silent Cubes: Hardware WORM Archive (/en/produkte/silent-cubes/)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

