1. Executive Summary
The 3-2-1-1-0 backup strategy is the current gold standard for data resilience. It requires three copies of data, on two different media types, with one copy offsite, one copy offline or air-gapped, and zero errors after verification. Most backup vendors claim to meet this standard through software-defined immutability, but their storage remains network-attached and reachable via management planes, APIs, and administrative interfaces.
Firevault is the only commercial storage platform that fulfils the offline requirement through physical disconnection at OSI Layer 1. When not in use, Firevault storage has no electrical connection to any network. No standby power. No wireless interface. No management plane. This whitepaper explains how Firevault meets 3-2-1-1-0 requirements and aligns with Critical National Infrastructure (CNI) standards including NIS2, CAF 4.0, IEC 62443, and NCSC guidance.
2. What 3-2-1-1-0 Means
| Element | Requirement | Purpose |
|---|---|---|
| 3 | Three copies of data | Redundancy against single-point failure |
| 2 | Two different media types | Protection against media-specific failure |
| 1 (offsite) | One copy stored offsite | Geographic separation from primary site |
| 1 (offline) | One copy offline or air-gapped | Isolation from network-based attacks |
| 0 | Zero errors after verification | Confirmed recoverability |
The fourth element (1 offline) is where most organisations fail. Placing a backup in a separate cloud region or behind a firewall does not satisfy this requirement. The storage must be unreachable through any digital path.
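The table above can be turned into a check over a backup inventory. The following is an added example, not Firevault's code or part of the original whitepaper; the field names and sample inventories are constructed assumptions. A copy counts as offline only if it is unreachable through any digital path when idle, so an immutability flag alone does not satisfy the fourth element.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "object-storage", "encrypted-drive"
    offsite: bool               # stored away from the primary site
    reachable_when_idle: bool   # any network, API or management-plane path when idle
    immutable: bool = False     # software-defined WORM flag (recorded, not counted as offline)
    primary: bool = False       # the production copy itself
    verify_errors: Optional[int] = None  # last restore verification; None = never verified


def check_3_2_1_1_0(copies):
    """Return {element: passed}, keyed by the Element column of the table."""
    backups = [c for c in copies if not c.primary]
    return {
        "3": len(copies) >= 3,
        "2": len({c.media for c in copies}) >= 2,
        "1 (offsite)": any(c.offsite for c in backups),
        # Immutability is deliberately ignored here: only reachability counts.
        "1 (offline)": any(not c.reachable_when_idle for c in backups),
        # An unverified backup (None) is treated as a failure, not as zero errors.
        "0": bool(backups) and all(c.verify_errors == 0 for c in backups),
    }


def failed_elements(copies):
    return [element for element, ok in check_3_2_1_1_0(copies).items() if not ok]


# Constructed sample inventory (illustrative names only).
PRIMARY = BackupCopy("prod-volume", "disk", False, True, primary=True)
LOCAL = BackupCopy("local-repo", "disk", False, True, verify_errors=0)
CLOUD = BackupCopy("cloud-worm-bucket", "object-storage", True, True,
                   immutable=True, verify_errors=0)
VAULT = BackupCopy("disconnected-vault", "encrypted-drive", True, False)

if __name__ == "__main__":
    # Immutable cloud copy in another region: still network-attached.
    print(failed_elements([PRIMARY, LOCAL, CLOUD]))
    # Offline copy added but never restore-tested.
    print(failed_elements([PRIMARY, LOCAL, CLOUD, VAULT]))
```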
3. The Problem with Software-Defined Air Gaps
Software-defined immutable storage solutions from vendors such as Veeam, Commvault, Cohesity, and Rubrik provide important protections against accidental deletion and basic ransomware. However, they share a fundamental architectural limitation: the storage remains network-attached.
Attack vectors that bypass software-defined immutability:
- Management plane compromise: administrative interfaces can be exploited to disable immutability settings, delete snapshots, or modify retention policies.
- Credential theft: compromised admin credentials can override WORM policies through vendor support channels or emergency break-glass procedures.
- Zero-day exploits: vulnerabilities in the storage platform software can bypass immutability controls before patches are available.
- Supply chain attacks: compromised updates to the storage platform can introduce backdoors that circumvent immutability.
- Insider threat: a privileged administrator with management plane access can modify or destroy data regardless of immutability flags.
A physical air gap removes all of these vectors simultaneously. If there is no network connection, there is no management plane, no API, no login page, and no attack surface.
4. How Firevault Fulfils the Offline Requirement
Firevault implements disconnection at OSI Layer 1 (the physical layer). This means:
- The storage hardware has no electrical connection to any network when in its default (disconnected) state.
- No standby power is supplied to network interfaces between access sessions.
- No wireless, Bluetooth, or radio frequency communication is available at any time.
- Connection is established only after identity verification, and only for a time-limited window.
- Upon session completion, the physical connection is severed and the hardware returns to its default disconnected state.
Every access session is logged with the identity of the accessor, the time and duration, and what data was accessed. This creates documented evidence of appropriate technical measures under GDPR Article 32, NIS2, and CAF 4.0.
5. Comparison: Firevault vs Immutable Backup Vendors
| Capability | Firevault OSS | Software-Defined Immutable Storage |
|---|---|---|
| Physical disconnection | Yes (Layer 1) | No |
| Network-attached when idle | No | Yes |
| Management plane access | None | Always available |
| API access when idle | None | Available |
| Vulnerable to credential theft | No | Yes |
| Vulnerable to zero-day exploits | No (no software surface) | Yes |
| Meets 3-2-1-1-0 offline requirement | Yes (physical) | Partial (logical only) |
| Identity-locked access | Yes (biometric + MFA) | Password/SSO |
| Audit trail of physical state | Yes | No |
| Hardware encryption | AES-256-XTS on device | Varies |
6. CNI Compliance Alignment
6.1 NIS2 Directive
NIS2 requires essential and important entities to implement appropriate technical measures including risk analysis, incident handling, business continuity, and supply chain security. Physical disconnection provides the strongest form of data isolation, satisfying measures under Articles 21(2)(a) through (d). The identity-verified audit trail addresses Articles 21(2)(e) and (g) on access control and security monitoring.
6.2 CAF 4.0 (Cyber Assessment Framework)
The NCSC Cyber Assessment Framework version 4.0 assesses operators of essential services across four objectives: Managing Security Risk, Protecting Against Cyber Attack, Detecting Cyber Security Events, and Minimising the Impact of Cyber Security Incidents. Firevault directly supports Objective B (Protecting Against Cyber Attack) by removing data from network-accessible systems, and Objective D (Minimising Impact) by providing physically isolated backup copies for recovery.
6.3 IEC 62443
IEC 62443 defines security requirements for industrial automation and control systems. Firevault supports Zone and Conduit modelling (IEC 62443-3-2) by providing a physically isolated zone with no conduits when disconnected. This represents Security Level 4 (SL4) for data at rest, the highest level defined in the standard.
6.4 NCSC Guidance
The NCSC recommends organisations maintain offline backups as part of their ransomware resilience strategy. NCSC guidance explicitly states that backups should be kept offline where possible, disconnected from the network and from the systems they back up. Firevault is purpose-built to meet this recommendation.
7. RPO and RTO Characteristics
| Product | RPO | RTO | Access Model |
|---|---|---|---|
| LUV (300 GB) | Last scheduled upload | Same-day remote access | 2 access windows per month |
| Vault (300 GB - 8 TB) | Last session sync | Minutes (remote access) | On-demand, identity-verified |
| Storage (8 TB+) | Last session sync | Minutes to hours | On-demand, identity-verified |
| Enterprise (10-300 TB+) | Configurable | Configurable | 24/7 managed access |
RPO and RTO depend on the product tier and access configuration. All products guarantee physical disconnection between sessions.
8. Architecture Overview
The Firevault architecture separates storage from all networks using a physical disconnection layer:
| Layer | Component | State When Disconnected |
|---|---|---|
| Application | Firevault Portal / API | No path to storage |
| Network | Identity Verification Gateway | No session active |
| Physical Disconnect | Layer 1 Air Gap Controller | Electrically severed |
| Storage | AES-256-XTS Encrypted Drives | No power to interfaces |
| Audit | Tamper-Evident Access Log | Sealed, read-only |
When a verified owner initiates an access session, the Layer 1 Air Gap Controller establishes a physical connection for the duration of the session. Upon completion, the connection is severed, returning all layers above storage to their default disconnected state.
9. Compliance Mapping
| Standard | Clause | How Firevault Meets It |
|---|---|---|
| GDPR | Article 32 | Physical disconnection as an appropriate technical measure; identity-verified access logs |
| NIS2 | Article 21(2)(a-d) | Air-gapped data copies for recovery; no network exposure during incidents |
| CAF 4.0 | Objective B | Data removed from network-accessible systems; no management plane when disconnected |
| IEC 62443 | Zone/Conduit (3-2), SL4 | Physically isolated zone with zero conduits when disconnected |
| NCSC | Ransomware guidance | Purpose-built offline storage with physical disconnection |
| ISO 27001 | Annex A.11 | Dedicated hardware in secure bunker; tamper-evident environments |
| Cyber Essentials Plus | Secure configuration | Zero standing privileges; identity-locked access |
| DORA | ICT risk management | Physically isolated backup for operational resilience |
| PCI DSS | Requirement 9 | Identity-verified access to dedicated hardware |
| SOC 2 | Security criteria | Documented access controls; audit trail evidence |
10. Conclusion
The 3-2-1-1-0 backup strategy requires one genuinely offline copy. Software-defined immutability does not satisfy this requirement because the storage remains network-attached and reachable through management planes, APIs, and administrative interfaces.
Firevault is the only commercial storage platform that meets the offline requirement through physical disconnection at OSI Layer 1. When not in use, there is no network path, no management plane, no API, and no attack surface. This provides the strongest form of data isolation available and directly supports compliance with GDPR, NIS2, CAF 4.0, IEC 62443, NCSC guidance, and other CNI frameworks.
For organisations operating critical national infrastructure or handling sensitive data, the distinction between logical and physical air gaps is not academic. It is the difference between data that can be reached and data that cannot.