Understanding the “3-2-1” backup rule and how to automate it with NAS

I’ve seen enough data loss over the years to know that complacency is the biggest threat. Just the other day, my own workstation’s primary SSD started throwing SMART errors. It wasn’t a total failure, but enough of a scare to make me double-check my own backup regimen, and specifically how I was handling the “offsite” part of my 3-2-1. It’s one thing to preach this stuff to clients; it’s another to ensure your own house is in order when the chips are down.

Most folks start with an external drive for backups, which is better than nothing, but it only solves part of the problem. A single point of failure – a fire, theft, or even just a corrupt drive – can wipe out everything. That’s where the “3-2-1” rule comes in. It’s not new, it’s not trendy, but it’s effective because it acknowledges real-world risks. And for automating it, a Network Attached Storage (NAS) device is a pretty solid cornerstone. They’re reliable, always on, and most have the software to handle the heavy lifting for the various copies and locations. It’s more resilient than just a local drive, and more controllable than relying solely on a cloud service that might change its terms or pricing.

How to Set Up Your 3-2-1 with a NAS

Here’s how I structured my own setup, which has served me well for years, keeping the 3-2-1 rule firmly in mind.

Understanding the “3-2-1” Rule in Practice

For my purposes, here’s how I break down the rule:

• 3 Copies of your data: This is your primary data (e.g., on my workstation), plus two separate backup copies.
• 2 Different media types: My workstation’s SSD is one. My NAS’s internal drives are a second. An external USB drive attached to the NAS (for the NAS’s own backup) or cloud storage would be a third media type, providing further isolation.
• 1 Offsite copy: This is key. Something physically separate from your primary location. For me, that’s cloud storage.

Setting up your NAS as the Primary On-Site Backup Target (Copy 1 & Media Type 2)

This is where your first automated backup lands. My NAS handles this beautifully:

1. Create Shared Folders: On your NAS (e.g., Synology DSM or QNAP QTS), navigate to Control Panel > Shared Folder and create specific folders for each workstation or data type you want to back up. I have one for “Workstation Backups,” another for “Documents,” and so on.
2. Set User Permissions: Create a dedicated backup user (e.g., “backup_user”) on your NAS and grant it read/write permissions ONLY to the shared folders meant for backups. This prevents ransomware from easily encrypting your backups if your workstation gets compromised.
3. Configure Workstation Backups:
   • Windows: I use `robocopy` in a scheduled task. It’s simple, powerful, and built-in. For example, a batch file running daily could be:
     robocopy "C:\Users\MyUser\Documents" "\\your_nas_ip\Workstation Backups\Documents" /MIR /FFT /Z /XA:H /W:5 /R:5 /NP /MT:16 /LOG:"C:\Logs\robocopy_documents.log"
     The /MIR switch is crucial; it mirrors the source to the destination, deleting files on the destination that no longer exist on the source. Be careful with this.
   • macOS: Time Machine works well, pointing it to a Time Machine-compatible share on your NAS. Alternatively, `rsync` via a cron job offers more control.
   • Linux: `rsync` is your friend here, also typically via `cron`.

   I stick with `robocopy` for my Windows machines because I like the fine-grained control and logging it provides. I set up these scripts as scheduled tasks to run nightly, logging everything to a local file.

Configuring NAS for Secondary On-Site/Off-Site Backups (Copy 2 & Media Type 3)

Now, to get that second backup copy and ensure it’s on a different medium, or even offsite.

1. Attach an External Drive (for On-Site, Different Media): If you want a physical, easily disconnectable backup, plug a large USB drive into your NAS.
2. Use NAS Backup Software:
   • For external USB backup: My Synology uses Hyper Backup. I create a new data backup task, choose the shared folders on the NAS that contain my workstation backups, and set the destination to the attached USB drive. I schedule this to run weekly. This gives me a physically separate copy I can unplug and store somewhere safe (like a fireproof safe).
   • For cloud backup (the “1” Offsite): This is my preferred method for the offsite copy. Still in Hyper Backup (or QNAP’s Hybrid Backup Sync), I create another task. This time, the destination is a cloud service. I personally use Backblaze B2, as it’s cost-effective for the volume of data I need to store. Configure your cloud provider credentials, select the same source folders, and schedule this to run daily or weekly, depending on how often your data changes and your upload bandwidth.

   This offsite copy ensures that even if my house burns down, or my NAS completely fails along with its attached USB drive, I still have my data safe in the cloud.

Things people often get wrong

I’ve seen these issues countless times, and even fallen victim to a few myself when I first started out or got a bit complacent.

• Not Testing Restores: This is probably the biggest oversight. The first time I set up my personal offsite backup to B2, I diligently configured everything, watched the first sync complete, and then promptly forgot about it for months. When I finally needed to retrieve a file that had been accidentally deleted from my local machine and primary NAS backup, I discovered a permission issue with the B2 bucket. The files were there, but retrieving them programmatically was a hassle because I’d used a slightly different set of credentials for the backup than I would for a restore, thinking I was being clever with least privilege. Always test your restores, from start to finish. Restore a single, non-critical file from each backup destination at least once a quarter.
• Confusing RAID with Backup: I see this all the time. RAID (e.g., RAID 5 or RAID 6) protects against drive failure within the NAS. It is NOT a backup. If you accidentally delete a file, or if malware encrypts your data, RAID does nothing to help you recover that original data. It just ensures the corrupted data is still accessible.
• Ignoring Permissions: It’s crucial that your backup user on the NAS has only the necessary permissions. Granting admin access to a backup account is a huge security risk. On the flip side, sometimes people make permissions too restrictive, leading to failed backups, and then don’t notice until it’s too late.
• Lack of Monitoring: Backup jobs often fail silently or with easily missed notifications. I always check my `robocopy` logs. My NAS also sends me email notifications for successful and failed backup jobs. If you’re not checking these regularly, you won’t know your backups stopped working three weeks ago.
• Forgetting Versioning and Retention Policies: Most NAS backup software offers versioning. Don’t just keep the latest copy. Keep multiple versions (e.g., 30 days of daily backups, then weekly for a few months) so you can recover from accidental deletions that you only discover weeks later. Just be mindful of the storage space this can consume, especially with cloud backups.

Setting up a robust 3-2-1 backup strategy with a NAS isn’t overly complex, but it requires diligent setup and regular verification to ensure your data stays safe, no matter what.