“Immutability means that data, once written, cannot be deleted or altered for a pre-determined length of time. In the last few years, developments in encryption and security technology have made it possible to create immutable storage from ordinary computer disk drives.”
"Immutable backup of storage implies that your data is fixed, unchangeable and cannot be deleted for a period of time or sometimes, forever. Having an immutable backup is important for industries so that their data is secured from undesired accidents or circumstances."
"Immutable backups have gained traction with the rise in ransomware attacks. However, there are different approaches to immutability and external factors that come into play." - Use immutable backups to prevent data loss, boost compliance - TechTarget
"Immutable backups are an important component of cybersecurity and compliance, and they ensure backups are secure, accessible and recoverable. However, they are not the only piece of the equation. Authentication and access control tools and policies are important additional safeguards, as are isolating or air gapping immutable backups and encryption."
On-prem example: Veeam offers a native hardened Linux repository compliant with SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d) regulations. The hardened repository prevents encryption by ransomware and accidental or malicious deletions; it is based on general-purpose servers, without any hardware lock-in.
On-prem example: “ExaGrid’s Retention Time-Lock for Ransomware recovery is in addition to the long-term retention of backup data and utilizes 3 distinct functions: Immutable data deduplication objects, non-network-facing tier (tiered air gap), delayed delete requests.”
On-prem example: “Cloudian HyperStore and Veeam Availability Suite v10 includes S3 Object Lock, a feature that protects data at the storage system level. With Object Lock, data cannot be deleted or changed for a set period of time.” - Veeam + Cloudian = Ransomware Lockout
BaaS example: Service providers such as Backblaze often offer immutability: "Enhanced Ransomware Protection: Announcing Data Immutability With Backblaze B2 and Veeam"
Hardware-integrated Veeam Immutability...
HPE - HPE 3PAR Virtual Lock Software - Overview - "HPE Virtual Lock is a 3PAR/Primera/Alletra 9000 primary storage feature. Once locked by the Virtual Lock Software, specified storage volumes and copies cannot be deleted, even by an HPE Storage system administrator with the highest user privilege level."
NetApp - "NetApp Object Lock"
*CHECK IMMUTABILITY HERE* (look for "Veeam Ready Object Immutability")
"Protection against malicious intent or accidental deletion of backup data has become critical in anyone’s data protection strategy – and with immutable backup functionality for Amazon S3 and S3-compatible object storage repositories, data that is shifted or copied into the Capacity Tier is further protected. This feature relies on the S3 API to set a period of time on each block of data uploaded to Object Storage where it cannot be modified or deleted by anybody. Yes, we mean anybody: intruders, malicious actors, accidental deletion by admins and more." - Veeam
Forrester analysts write:
“Implementing an immutable file system with underlying WORM storage will make the system watertight from a ransomware protection perspective.”
Air-gapped backups with object storage immutability
V11: Immutable primary backup storage with a hardware-agnostic touch - "Veeam Backup & Replication v11 enables you to store your short-term retention backups locally onsite for fast recovery with the protection of immutability. In addition, you can now tier those backups into an immutable object storage offering offsite, giving you additional protection against unforeseen malicious activity or accidental deletion."
Double-Play Immutability Made Easy to Beat Ransomware with Veeam - "Double-play or even triple-play Immutability is where the implementation has two backup copies that are ultra-resilient."
Veeam ONE 11a Immutability Metrics...
Be immediately aware of any changes to a backup’s immutability status
Generate documentation to report end-to-end on immutability status for your backup repositories and backups themselves
Awareness throughout the immutability lifecycle further mitigates the threat from ransomware and other cyberthreats to your backup data
Maintain and generate documentation for internal or regulatory compliance purposes
Immutability is a key component of a layered Ransomware strategy
WHAT IS: "Offline", "Immutable", and "Air-Gapped"?
Tape Media - Completely offline when not being written to or read from and WORM
Replicated VMs - Powered off and, in most situations, can use a different authentication framework.
Primary Storage Snapshots - Can be used as recovery techniques and usually have a different authentication framework.
Veeam Cloud Connect Backups + Insider Protection - Not connected directly to the backup infrastructure and use a different authentication mechanism along with different API.
Rotating Hard Drives / Media - Offline when not being written to or read from.
Immutable Backups - SEE ABOVE
Hardened Linux Repository - Linux immutable flag on Veeam backups.
"To reduce I/O operations and associated costs, Veeam Backup & Replication will automatically add from 1 to 10 days to the immutability expiration date. This period is called Block Generation. You do not have to configure it, the Block Generation setting is applied automatically.
For example, if you set your immutability period to 30 days, Veeam Backup & Replication will add from 1 to 10 days to specific objects to reduce I/O operations with the storage over time. This will not change the retention and their effective immutability. It is a background optimization. Thus, if you need 30 days immutability period, set the period to 30 days."
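An added example, not code from Veeam or the quoted articles: a Python audit that checks S3 Object Lock retention records against a configured immutability period, treating the Block Generation padding quoted above as expected rather than as drift. The object keys, the `written` upload times and the status names are constructed for illustration; the `Mode` and `RetainUntilDate` fields follow the S3 GetObjectRetention response.

```python
from datetime import datetime, timedelta, timezone

def audit_object_lock(objects, configured_days, now):
    """Map each object key to (status, padding_days).

    objects: dicts with 'key', 'written' (upload time, assumed known) and
    'retention' (the 'Retention' member of a GetObjectRetention response,
    or None when the object carries no lock).
    """
    findings = {}
    for obj in objects:
        ret = obj.get("retention") or {}
        until = ret.get("RetainUntilDate")
        if until is None:
            findings[obj["key"]] = ("NO_LOCK", None)
            continue
        # Earliest acceptable expiry; Block Generation may push it later.
        floor = obj["written"] + timedelta(days=configured_days)
        padding = (until - floor).days
        if ret.get("Mode") != "COMPLIANCE":
            # GOVERNANCE locks can be overridden by principals holding
            # s3:BypassGovernanceRetention, so they do not bind everybody.
            status = "BYPASSABLE_MODE"
        elif until <= now:
            status = "EXPIRED"   # object can be deleted right now
        elif padding < 0:
            status = "SHORT"     # locked, but for less than configured
        else:
            status = "OK"
        findings[obj["key"]] = (status, padding)
    return findings

# Constructed sample data (not from a real bucket).
W = datetime(2024, 2, 20, tzinfo=timezone.utc)  # upload time of every sample object
NOW = W + timedelta(days=10)                    # moment the audit runs

def lock(mode, days):
    return {"Mode": mode, "RetainUntilDate": W + timedelta(days=days)}

SAMPLE = [
    {"key": "a.blk", "written": W, "retention": lock("COMPLIANCE", 35)},
    {"key": "b.blk", "written": W, "retention": lock("GOVERNANCE", 35)},
    {"key": "c.blk", "written": W, "retention": lock("COMPLIANCE", 7)},
    {"key": "d.blk", "written": W, "retention": None},
    {"key": "e.blk", "written": W, "retention": lock("COMPLIANCE", 20)},
]

if __name__ == "__main__":
    for key, result in audit_object_lock(SAMPLE, 30, NOW).items():
        print(key, *result)
```

In a real audit the `retention` dictionaries would come from GetObjectRetention calls and `written` from each object's last-modified time; a lock that was later extended shows up as a larger padding value, not as a failure.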