Immutability

“Immutability means that data, once written, cannot be deleted or altered for a pre-determined length of time. In the last few years, developments in encryption and security technology have made it possible to create immutable storage from ordinary computer disk drives.”


  1. Example: Veeam offers a native hardened Linux repository compliant with SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations. The hardened repository prevents encryption by ransomware and accidental or malicious deletions; it is based on general-purpose servers, without any hardware lock-in.

  2. Example: Public cloud providers often offer immutable data protection mechanisms such as "Amazon S3 Object Lock" and "Wasabi Hot Cloud Storage".

  3. Example: “ExaGrid’s Retention Time-Lock for Ransomware recovery is in addition to the long-term retention of backup data and utilizes 3 distinct functions: Immutable data deduplication objects, non-network-facing tier (tiered air gap), delayed delete requests.”

  4. Example: “Cloudian HyperStore and Veeam Availability Suite v10 includes S3 Object Lock, a feature that protects data at the storage system level. With Object Lock, data cannot be deleted or changed for a set period of time.”

  5. Example: Service Providers such as Backblaze often offer Immutability: "Enhanced Ransomware Protection: Announcing Data Immutability With Backblaze B2 and Veeam"

  6. Example: "NetApp Object Lock"

Check Immutability (look for "Veeam Ready Object Immutability")

"Immutable backups have gained traction with the rise in ransomware attacks. However, there are different approaches to immutability and external factors that come into play." - Use immutable backups to prevent data loss, boost compliance - TechTarget

"Immutable backups are an important component of cybersecurity and compliance, and they ensure backups are secure, accessible and recoverable. However, they are not the only piece of the equation. Authentication and access control tools and policies are important additional safeguards, as are isolating or air gapping immutable backups and encryption."

"Protection against malicious intent or accidental deletion of backup data has become critical in anyone’s data protection strategy – and with immutable backup functionality for Amazon S3 and S3-compatible object storage repositories, data that is shifted or copied into the Capacity Tier is further protected. This feature relies on the S3 API to set a period of time on each block of data uploaded to Object Storage where it cannot be modified or deleted by anybody. Yes, we mean anybody: intruders, malicious actors, accidental deletion by admins and more." - Veeam

"Immutable backup of storage implies that your data is fixed, unchangeable and cannot be deleted for a period of time or sometimes, forever. Having an immutable backup is important for industries so that their data is secured from undesired accidents or circumstances."

Forrester analysts write:
“Implementing an immutable file system with underlying WORM storage will make the system watertight from a ransomware protection perspective.”

V11: Immutable primary backup storage with a hardware-agnostic touch - "Veeam Backup & Replication v11 enables you to store your short-term retention backups locally onsite for fast recovery with the protection of immutability. In addition, you can now tier those backups into an immutable object storage offering offsite, giving you additional protection against unforeseen malicious activity or accidental deletion."

NOTE: Immutability is a key component of a layered ransomware strategy.

WHAT IS: "Offline", "Immutable", and "Air-Gapped"?

  1. Tape Media - Completely offline when not being written to or read from and WORM

  2. Replicated VMs - Powered off and, in most situations, can use a different authentication framework.

  3. Primary Storage Snapshots - Can be used as recovery techniques and usually have a different authentication framework.

  4. Veeam Cloud Connect Backups + Insider Protection - Not connected directly to the backup infrastructure and use a different authentication mechanism along with different API.

  5. Rotating Hard Drives / Media - Offline when not being written to or read from.

  6. Immutable Backups - SEE ABOVE

  7. Hardened Linux Repository - Linux immutable flag on Veeam backups.

Block Generation

"To reduce I/O operations and associated costs, Veeam Backup & Replication will automatically add from 1 to 10 days to the immutability expiration date. This period is called Block Generation. You do not have to configure it, the Block Generation setting is applied automatically.

For example, if you set your immutability period to 30 days, Veeam Backup & Replication will add from 1 to 10 days to specific objects to reduce I/O operations with the storage over time. This will not change the retention and their effective immutability. It is a background optimization. Thus, if you need 30 days immutability period, set the period to 30 days."
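
An added example, not code from Veeam or any quoted source: a Python audit that classifies S3 object lock metadata against a configured immutability period, treating the 1 to 10 Block Generation days described above as expected. Field names follow the S3 HeadObject response; the object keys, timestamps and status labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

BLOCK_GENERATION_MAX_DAYS = 10  # the page: 1 to 10 days are added automatically
AUDIT_TIME = datetime(2024, 3, 20, tzinfo=timezone.utc)  # constructed "now"

# Constructed sample metadata, shaped like S3 HeadObject responses.
SAMPLE_OBJECTS = {
    "backup/blk-0001": {"LastModified": "2024-03-01T02:00:00Z", "ObjectLockMode": "COMPLIANCE",
                        "ObjectLockRetainUntilDate": "2024-04-07T02:00:00Z"},
    "backup/blk-0002": {"LastModified": "2024-03-10T02:00:00Z", "ObjectLockMode": "GOVERNANCE",
                        "ObjectLockRetainUntilDate": "2024-04-15T02:00:00Z"},
    "backup/blk-0003": {"LastModified": "2024-03-12T02:00:00Z"},
    "backup/blk-0004": {"LastModified": "2024-03-15T02:00:00Z", "ObjectLockMode": "COMPLIANCE",
                        "ObjectLockRetainUntilDate": "2024-03-29T02:00:00Z"},
    "backup/blk-0005": {"LastModified": "2024-02-01T02:00:00Z", "ObjectLockMode": "COMPLIANCE",
                        "ObjectLockRetainUntilDate": "2024-03-08T02:00:00Z"},
}

def ts(value):
    """Parse an ISO 8601 timestamp such as 2024-03-01T02:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_object(meta, period_days, now):
    """Classify one object's lock metadata against the configured period."""
    mode = meta.get("ObjectLockMode")
    until = meta.get("ObjectLockRetainUntilDate")
    if not mode or not until:
        return "NO_LOCK"      # no retention set: deletable at any time
    if mode != "COMPLIANCE":
        return "GOVERNANCE"   # bypassable with s3:BypassGovernanceRetention
    if ts(until) <= now:
        return "EXPIRED"      # lock has lapsed: deletable again
    locked_for = ts(until) - ts(meta["LastModified"])
    if locked_for < timedelta(days=period_days):
        return "TOO_SHORT"    # locked for less than the configured period
    extra = locked_for - timedelta(days=period_days)
    if extra <= timedelta(days=BLOCK_GENERATION_MAX_DAYS):
        return "OK"           # configured period plus Block Generation days
    return "OK_EXTENDED"      # locked longer than period + 10 days; not a fault

def audit(objects, period_days, now):
    """Return {object key: status} for every object in the listing."""
    return {key: audit_object(meta, period_days, now) for key, meta in objects.items()}

if __name__ == "__main__":
    for key, status in audit(SAMPLE_OBJECTS, 30, AUDIT_TIME).items():
        print(f"{status:12} {key}")
```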