More copies do not create resilience, they create more targets.
The architecture below is the one that has issues. The architecture
beneath that is the one that does not.
One pays. One has nothing to pay for.
93% of ransomware attacks target the backups first.
Your safety net is the primary objective.
93%
of cyber-attacks attempt to compromise backup repositories.
Veeam · 2023 Ransomware Trends
75%
of victims lose at least some of their backups in the attack.
Veeam · 2023
49%
of ransomware victims still pay the ransom. Second-highest rate in six years.
Sophos · State of Ransomware 2025
47%
of organizations take longer than a week to recover fully.
Sophos · 2025
When copies were all we had
For decades, more copies was the only defense against data loss.
3-2-1-1-0 descends from a 2005 photography-era backup rule, formalized in a 2012 US-CERT advisory.
It was designed for a threat model where attackers did not target backups. That threat model no longer exists, and the strategy built on it no longer works.
Replica: encrypted too
Cross-region replication is fast. So is ransomware. By the time the attack is detected, the DR bucket mirrors the damage.
Glacier: stale & slow
Deep Archive lifecycle runs nightly at best. Last known-good snapshot is hours old, and retrieval can take 12+ hours.
Vault: never actually restored
Object Lock protected the data. But the restore runbook is out of date, IAM keys expired, and nobody rehearsed it.
Verifier: checkbox, not safeguard
Monthly checksum sweeps catch bitrot. They do not catch ransomware encryption that happened three weeks ago.
The real cost
Mean remediation cost hit $1.53M in 2025, on top of any ransom. The copies existed. The outcome was the same.
And the threats this model does not even attempt
Backup theft & exfiltration
Encryption at rest does not stop credential theft, misconfigured ACLs, or double-extortion exfil. Every copy is a full-fidelity copy of the breach.
Vendor outage
All four copies depend on the same provider's control plane, IAM, and billing entity. If AWS has a bad day, your DR has a bad day too.
Insider attack
A privileged admin can reach every copy. Object Lock in governance mode can be bypassed by root. Stolen credentials look identical to legitimate ones.
Regional outage
Cross-region DR helps, but failover is a runbook with humans in the loop. The cold tier may be in the failed region. Production stops while you fail over.
Supply-chain compromise
A weaponized backup agent or dependency writes poisoned data to every destination. The system designed to save you becomes the delivery mechanism.
Shifting regulations
When residency rules change (GDPR, PIPL, sectoral), full copies in the wrong region become a compliance liability. Re-architecting copy placement is a quarterly project, not a config change.
The Resiliency Layer
Keep running, no matter what.
Myota sits between the application and storage as a resiliency layer.
Data is encrypted, split into fragments via Shamir's Secret Sharing,
and spread across S3-compatible buckets at different providers.
The business keeps serving reads and writes through every threat below,
simultaneously. Recovery is not a restore. It is a rewind to any
prior moment, in seconds.
Definition · § 01
Resiliency, defined.
Resiliency is the ability to withstand every threat the business faces
simultaneously, without the business stopping. Not just
surviving a single attack, in a single region, with a single clean backup
sitting somewhere. Surviving all of it at once, and continuing to serve
reads and writes while it happens.
Redundant copies do not deliver this. They reduce the probability that
some version of the data exists somewhere, but they do nothing
to keep the business running during the event. A backup you can eventually
restore from is not the same as a system that never stopped working.
The resiliency threat modelall of these, simultaneously, without downtime
01
Ransomware
Attacker encrypts production, then reaches replicas before detection. Backups become part of the hostage set.
Backup-only: 49% pay
02
Backup exposure & data theft
An attacker does not need to encrypt your backups. They just need to read them. Misconfigured buckets, stolen IAM keys, or double-extortion exfiltration turn every backup copy into an intelligence asset.
Every copy is a copy of the breach
03
Vendor outage
A single provider has a control-plane failure, region-wide incident, or policy change. Everything in their buckets becomes unreachable.
Single provider = single failure
04
Insider attack
A privileged user deletes, exfiltrates, or tampers with data. Legitimate credentials defeat most perimeter controls.
Credentials bypass immutability
05
Regional outage
A whole cloud region goes dark. Power, network, or natural disaster. Data that lives there is offline for hours or days.
Cross-region ≠ always-on
06
Supply-chain compromise
A backup tool, agent, or dependency is itself weaponized. The thing meant to save you writes poisoned data to every copy.
The tool becomes the vector
07
Sovereignty & residency
GDPR, data-localization laws, and contractual residency terms restrict where data can live. Full-copy replication forces trade-offs between jurisdictions.
Copy location = compliance risk
0
Replicas to manage
∞
Restore points
k/n
Threshold recovery
0s
Rewind latency
Dimension
Classic 3-2-1-1-0
Myota resiliency layer
Operating model
Redundancy. Keep more copies, hope one survives.
Resiliency. Data is mathematically recoverable by design.
Recovery action
Restore from a backup (hours to days)
Rewind to any prior write (seconds)
Recovery point
Last good snapshot. Often hours or days stale.
Any prior version. Effectively continuous.
Copies of full data
3 complete copies across tiers
Zero. No store ever holds the full dataset.
Ransomware
Backup racing the attacker. 49% pay in 2025.
Rewind past the attack window. Nothing to ransom.
Backup exposure & data theft
Every copy is a full copy. Every leaked bucket is a full leak.
Stolen fragments are mathematical noise. No bucket holds a readable record.
Vendor outage
If the provider goes down, your copies in it go with it.
Keep serving from the remaining k-of-n buckets. No single provider is critical.
Insider attack
Privileged user can reach production and most copies.
No single admin holds enough buckets to reconstruct or destroy data.
Regional outage
Cross-region DR helps, but fails over slowly. Cold tier is offline.
Buckets span providers and regions. A region loss is just missing fragments.
Supply-chain compromise
Backup agent writes poisoned data to every copy.
Prior immutable versions remain. Rewind past the compromise.
Blast radius of a breach
Any compromised copy leaks everything.
A stolen bucket fragment is mathematically useless below k threshold.
Storage overhead
~3× (production + replica + cold + vault)
~1.5 to 1.7× depending on k/n ratio
Restore testing
Periodic. Often untested until needed.
Every read is a reconstruction. Verified continuously.
SIDEBAR · ROI.01
THE ECONOMIC CASE
Better security, lower cost
Fewer copies, fewer of everything else.
Every full copy of production has a second life as a line item. Eliminating replicas doesn't just cut storage, it compounds across the stack. Less to secure, less to license, less to power, less to patrol.
Storage footprint.
Three full copies become ~1.5 to 1.7× fragments.
Every TB not replicated is a TB not billed, backed up, or indexed.
−50%
Attack surface.
Fewer full-data targets means fewer buckets to harden, fewer IAM policies to audit,
fewer Object Lock configurations to get right.
−4 targets
Human work.
No replication jobs to monitor, no restore drills against stale snapshots,
no 3 AM pages from a DR pipeline that silently drifted.
ops time
Power & footprint.
Less storage provisioned is less power drawn, less cooling,
less rack space, fewer disks ever manufactured.
sustainability
Licenses & contracts.
Backup software, DR tooling, second-region cloud commits,
and per-TB support tiers all scale with copy count.
tier down
Risk profile.
Mean ransom payment is $1M; mean remediation cost $1.53M.
Removing the payout path changes the expected-loss math entirely.
−ransom
The trade is not security vs. cost. It's both, together.
Stronger resiliency removes the copies that were driving cost and complexity in the first place.
SIDEBAR · DS.01
DATA SOVEREIGNTY
Useless bytes can cross borders
No single jurisdiction holds anything.
Under Shamir's scheme, a single ciphertext fragment contains no information about the original data. Five fragments scattered across five countries add up to random noise unless k of them are assembled together with the key shards.
Because no bucket holds a complete copy and no single location holds a complete key, the reconstruction threshold itself becomes the sovereignty boundary. Customers can pin the reassembly perimeter to a specific country while letting ciphertext fragments live globally for durability and latency.
This inverts the traditional model. Instead of choosing between "one region for compliance" and "many regions for resilience," both become possible simultaneously.
Regulatory note: data-localization laws vary in whether they treat encrypted ciphertext as "personal data." Always confirm with counsel; the architecture enables compliant designs but does not replace legal review.
SIDEBAR · QR.01
FUTURE-PROOF CRYPTOGRAPHY
Harvest now, decrypt later
Quantum is already a design constraint.
Adversaries are exfiltrating encrypted data today with no way to read it, and warehousing it for decryption when quantum capability arrives. For regulated data with 10-, 20-, or 30-year retention, a breach in 2026 can still be a breach in 2040.
Myota pairs AES-256 symmetric encryption with Shamir's Secret Sharing, a scheme that is information-theoretically secure: no amount of computation, classical or quantum, can reconstruct the secret from fewer than k shares. Capturing four of five buckets yields nothing. Capturing all five yields nothing without the distributed key shards.
The cryptographic algorithms are also upgradable in place. As post-quantum standards evolve, the system can rotate ciphers without re-encrypting the full dataset.
Shamir's Secret Sharing (1979) is proven information-theoretically secure: below the threshold, shares reveal zero information about the secret regardless of attacker capability.
Compliance crosswalkmapping architecture to regulation
HIPAA
Health Insurance Portability & Accountability Act
§ 164.312(a)(2)(iv)
Encryption of PHI at rest. AES-256 + dispersed shards exceeds the addressable standard; no single location holds recoverable PHI.
PCI DSS 4.0
Payment Card Industry Data Security Standard
Req 3.5 · 3.6 · 10.5
Cardholder data encryption, key management, and tamper-evident audit logs. Key shards distributed; logs immutable by design.
SEC 17a-4
Broker-dealer records retention
§ 17a-4(f)
WORM storage with verifiable retention. Cryptographic WORM satisfies the non-rewriteable, non-erasable requirement.
FINRA 4511
General recordkeeping requirements
Rule 4511(c)
Records preserved in a format and media compliant with SEC 17a-4. Same cryptographic WORM guarantees apply.
FDA 21 CFR Part 11
Electronic records in FDA-regulated industries
§ 11.10(c)
Protection of records to enable accurate retrieval. Immutable versioning + point-in-time rewind satisfy audit-trail requirements.
FISMA
Federal Information Security Modernization Act
NIST SP 800-53 · SC-28, CP-9
Protection of information at rest and system backup. Fragment dispersion and threshold recovery align to Moderate/High baselines.
SOX
Sarbanes-Oxley Act
§ 302 · 404
Integrity of financial records and internal controls. Cryptographic immutability provides auditable, tamper-evident history.
GDPR
EU General Data Protection Regulation
Art. 32 · Art. 17
Security of processing & right to erasure. Pseudonymized fragments and key-shard destruction support both mandates.
CCPA / CPRA
California Consumer Privacy Act
§ 1798.150
Reasonable security and breach safe-harbor. Encrypted, dispersed data generally falls outside breach-notification triggers.
01 / STAKES · The threat surface widened
Why now
The threat surface widened.
Traditional infrastructure security layers focused on network and endpoint are no longer enough to prevent cyberattacks and minimize data loss.
Gartner
01
Ransomware has outpaced recovery.
96% of attacks now target backup repositories. 57% succeed. 1.7 million attacks per day. The system you built to recover from failure is the first thing attackers compromise.
Veeam · 2024 · Sophos · 2024
02
Cloud outages are a concentration risk.
Organizations centralized data in single providers expecting availability. When that provider goes down, everything dependent on it goes with it. Resiliency that depends on one infrastructure provider is not resiliency.
03
Legacy infrastructure cannot support what is coming.
AI workloads, analytics pipelines, and data lakes require continuous availability at massive scale. The traditional answer is more replication, more copies, more regions. That multiplies cost at the exact moment organizations are investing in compute.
02 / THE FLAW · Redundancy became the attack surface
Diagnosis
When copies were all we had
The industry's answer to resilience was redundancy. 3-2-1, replication, DR sites: all designed to create resilience, all creating copies.
Attackers learned that copies are the recovery mechanism, and that the recovery mechanism is where to strike first.
More copies does not create more resilience. It creates more attack surface.
03 / DEEPER CAUSE · Access is not data
Why every wall eventually fails
The deeper cause
Every security tool protects access
to your data. Not the data itself.
Firewall, IAM, EDR, DLP, SIEM, backup. All of them assume the data
exists in a complete, readable form somewhere, and try to stop the
attacker reaching it. The data is always on the other side of the
wall, waiting.
When the walls fail, the data is exposed. The walls were never protecting the data. They were protecting access to it.
Today · access control
A wall around the data.
Firewall, IAM, EDR, DLP, SIEM, backup vault. Each is a wall. Each is bypassable. Behind every wall, the data still sits whole, plaintext, waiting.
The shift · data as the security
The data itself is the security.
Encrypted at write-time, split mathematically, and spread across independent locations. Nothing reconstructable sits anywhere for a wall to need to protect.
04 / THE POSTURE · Assume the breach
A different question
The posture
We assume the breach will happen. When it does, there is nothing there to take.
Every other security vendor is selling a better wall. Myota's
posture is that the wall will fail, and the architecture is
designed around that assumption. The data at any storage location
is mathematically useless to the attacker.
The right question is not how the breach is prevented. It is what the breach produces when it happens.
05 / THE ARCHITECTURE · Shard and Spread
The data itself is the security
STEP 0 WRITE BEGINS · the architecture in continuous flow
t=0 / 7
06 / THE OUTCOMES · Three things follow
Click any cloud · proof of ransom immunity
live proof
01
Ransom immune
Not because the breach is prevented. Because what the attacker finds is mathematically useless. Double extortion has no leverage when the data cannot be read.
02
Instant rewind
Not faster recovery. No recovery. Reconstruction from remaining fragments is automatic. No backup window. No RPO gap. No recovery workflow.
03
50% storage cost cut
Not a discount. The copies maintained to compensate for data that was not intrinsically secure no longer have a job.
Compromise any cloud. Watch the math.
N=4 · T=2 · auto-rebalance
Recoverability
Intact · 4 of 4 reachable
No compromises yet. Quorum holds at any T=2.
What the attacker has
Nothing.
Each location holds only encrypted, sub-quorum shards regardless of attacker presence. Keys never co-resident.
07 / CONCLUSION · The tagline as the conclusion
Resiliency Without Redundancy
Resiliency Without Redundancy.
Zero breaches since inception. Every recovery instant and complete.
The architecture refused the breach because there was nothing
reconstructable for the breach to take.