What Are Immutable Backups?

To keep businesses running, a secure backup is a priority for the best data protection strategy. Data Security, one of Veeam’s core pillars for data protection, focuses on data accessibility and backup immutability. Immutability remains a hot topic, especially around ransomware, with many vendors and organizations adopting immutable technologies for cyber resiliency. So, what exactly are immutable backups and why should you use them in your data protection strategy?

What Are Immutable Backups?

Before implementing an immutable backup solution, you need to understand what an immutable backup is. Immutable means that something is unable to be changed or deleted. Usually, immutable backups can only be deleted once a set time period has expired. Immutable backup data is safe from potential changes or deletions, meaning that its original integrity stays intact. With the rise of ransomware, having an immutable backup has become critical for recovery. This is because threat actors now routinely attack backups. With an immutable backup, that data is protected from these types of attacks.

Why Are Immutable Backups Important?

Not only do immutable backups help you recover after a ransomware event, but they also serve other purposes when it comes to designing and implementing a resilient data protection strategy. An example of this is recovering after accidental deletion. A few years ago, a government agency was in the news after deleting a large number of files that affected multiple people outside their organization. After investigation, it was determined that this agency had no backups to recover because these files had either expired or were deleted as part of a data cleanup exercise. Unfortunately, this was a highly public data loss event that drew national negative publicity, resulting in a few individuals losing their jobs. This organization is not alone, since many other companies have suffered from the same type of data loss event, whether accidental or malicious. These events just haven’t been publicized. Immutability strategies drive stakeholders to have direct conversations that outline what their business service level agreements (SLAs) need to be in order to recover critical data successfully.

So why not use immutability for everything and have it turned on forever to avoid accidental data deletion? Since immutability generally needs to have an agreed-upon availability window, there can be other risks involved. Immutability periods that are too long can cause unnecessary storage consumption and drive up the cost of storing that data. This can also increase the chance of data sprawl, which can create challenges when managing overhead for your storage administrators/team. Conversely, retention periods that are too short put an organization’s ability to recover critical data at risk. This can have legal consequences and impact reputation, all of which can cause employees to lose their jobs.

Immutable Backup vs Traditional (i.e., Mutable) Backups

Our organization currently uses traditional (i.e., mutable) backups. Are we at risk? According to the most recent Veeam Data Protection Trends Report, 85% of 4,200 surveyed organizations admitted to having suffered from at least one known cyberattack in 2022. Relying on traditional backup is no longer enough when it comes to cyber threats, and having a layered defense with immutability will help to increase your chances of recovery.

So how can you leverage your current investment and still implement immutable backups? Fortunately, Veeam gives you many ways to adopt immutable strategies and technologies so organizations can have peace of mind knowing that their backups are secure.

With Veeam, it’s possible to use immutable and traditional backups in conjunction with each other. While immutable backups may become the default for how most customers look to store their data, traditional backups can still be used to either extend a policy outside of the “recoverability zone” or for lower data classes like dev/test environments, where backups are nice to have, but aren’t critical for business operations.

So how do you decide what immutable strategy is best for you? The breakdown is quite simple and can be met while following a 3-2-1-1-0 backup strategy.

  • There should be 3 copies of the data
  • On 2 different media
  • With 1 copy being off site
  • With 1 copy being offline, air-gapped or immutable
  • And 0 errors with SureBackup recovery verification

Both immutable and traditional (i.e., mutable) backups are used together in an overall data protection strategy. Here, you can have backups on-premises by using traditional backups while a copy is stored on either offsite immutable storage or in the cloud. Veeam makes it easy to get started with adopting an immutable backup strategy since you can send backups directly to object storage. This provides a copy of your data that’s immutable and resilient against ransomware.
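
As an added illustration (not Veeam code and not part of the original article), the 3-2-1-1-0 rule can be expressed as a check over a backup inventory. The `BackupCopy` model, the `min_lock_days` threshold and the sample plans are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class BackupCopy:                      # hypothetical model, not a Veeam object
    name: str
    media: str                         # e.g. "disk", "object", "tape"
    offsite: bool
    offline_or_airgapped: bool = False
    immutable_until: Optional[date] = None   # lock expiry; None = mutable
    verify_errors: Optional[int] = None      # None = never recovery-verified

def check_32110(production_media, copies, today, min_lock_days):
    """Return the list of 3-2-1-1-0 violations; an empty list means compliant."""
    problems = []
    # 3 copies: production is the first copy, backups are the rest.
    if 1 + len(copies) < 3:
        problems.append("3: fewer than three copies of the data")
    if len({production_media} | {c.media for c in copies}) < 2:
        problems.append("2: all copies sit on one media type")
    if not any(c.offsite for c in copies):
        problems.append("1: no copy is off site")
    # Assumption: an immutable copy only counts if its lock outlasts the
    # agreed recovery window; a lock about to expire protects nothing.
    horizon = today + timedelta(days=min_lock_days)
    if not any(c.offline_or_airgapped or
               (c.immutable_until is not None and c.immutable_until >= horizon)
               for c in copies):
        problems.append("1: no offline, air-gapped or sufficiently locked copy")
    for c in copies:
        if c.verify_errors is None:
            problems.append(f"0: {c.name} was never recovery-verified")
        elif c.verify_errors > 0:
            problems.append(f"0: {c.name} has {c.verify_errors} verification error(s)")
    return problems

# Constructed sample plans (names and dates are illustrative).
TODAY = date(2024, 1, 1)
GOOD_PLAN = [
    BackupCopy("onprem-repo", "disk", offsite=False, verify_errors=0),
    BackupCopy("cloud-object", "object", offsite=True,
               immutable_until=TODAY + timedelta(days=30), verify_errors=0),
]
WEAK_PLAN = [
    BackupCopy("onprem-repo", "disk", offsite=False, verify_errors=0),
    BackupCopy("dr-site-repo", "disk", offsite=True,
               immutable_until=TODAY + timedelta(days=3)),
]
```

Calling `check_32110("disk", WEAK_PLAN, TODAY, 14)` flags the single media type, the lock that expires inside the recovery window and the unverified copy, while `GOOD_PLAN` returns an empty list.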

Benefits of Immutable Backups

There are many benefits of immutable backups beyond ransomware resiliency:

  • Data integrity and security
    • Data corruption prevention
    • Protection against malicious attacks
    • Compliance with data regulations (e.g., GDPR)
  • Reliable Disaster Recovery 
    • Faster RTOs – no need to search for intact backups after the attack
    • Higher RPOs – many known good recovery points
  • Preservation of historical data
    • Ensuring auditability and compliance
    • Facilitating forensic analysis

Immutable backups are safe to use, and the US Cybersecurity and Infrastructure Security Agency (CISA) recommends using them with encryption to help mitigate ransomware.

Implementing Immutable Backups

Implementing immutability can vary based on the technology that you want to leverage. This can range from on-premises solutions to cloud options and multi-layered immutability with encryption, depending on your technology vendor. This is where Veeam can help, since we have over 30 different immutable storage partners that can provide flexibility to our customers. This breakdown is as simple as following the 3-2-1-1-0 rule and highlighting the areas where you can add a layer of immutability and encryption to have an ultra-resilient data copy.

The first original data set is your production infrastructure. Here, primary storage providers can create immutable (i.e., read-only) volume snapshots of your workloads. This makes it easy to quickly recover from a recent data loss event. Veeam also supports taking backups and recovering from storage snapshots to ensure the highest RPOs and RTOs. Next, we have the Veeam infrastructure with proper access controls like multi-factor authentication. This is separated from backup storage, making backups portable, so if your original data is compromised, your backup target will not be affected and you can have a copy to recover from. Finally, you have an autonomous backup data zone where you can find storage options that can take advantage of immutability. Let’s break this down further:

Technology and Infrastructure

  • Immutable on-premises storage solutions
    • Veeam Hardened Repository: A disk-based storage server. Server vendors can range from HPE, Cisco, Dell or Lenovo (Veeam Ready Vendors) and take advantage of Veeam’s deduplication, compression and XFS Block Cloning, including immutability.
    • On-premises S3 compatibility featuring object lock immutability with Veeam deduplication and compression. This includes vendors like ObjectFirst, Cloudian, Scality, IBM, Minio, Hitachi, SpectraLogic Black Pearl, etc.
    • Deduplication appliances that are disk-based, but have their own deduplication and compression built in. Specifically, Veeam and HPE StoreOnce have an integration for controlled data immutability (ISV-DI), which requires dual authorization to be enabled. Others, like Exagrid, Quantum, Infinidat, etc., leverage time retention locks or secure snapshot technologies for immutability.
    • Pure Storage FlashBlade//S is also an on-premises S3-compatible vendor that leverages object lock immutability and SafeMode Retention Lock as an added layer to protect against insider threats or the compromise of administrator credentials.
  • Immutable cloud-based options
    • Public providers, including Amazon and Microsoft Azure, can provide immutability when you create an S3 bucket or an Azure container. Immutability can be extended long term via archive capabilities to tier data off to Amazon S3 Glacier or Microsoft Azure Archive respectively.
    • There are also cloud providers like Wasabi that provide offsite storage that leverage S3-compatible object lock.
    • Ecosystem providers, including IBM and Veeam Cloud & Service Providers (VCSPs) provide immutability on the backend. They can also be used as a DR site that extends capabilities to replicate the most critical workloads to achieve low RTOs.

Backup Strategies and Best Practices

Keep in mind that all the vendors listed above have knowledge base articles that link to best practices and validated architectures. This allows you to easily adopt an immutable strategy. Once immutability is set for certain vendors, it can be difficult to change, and is even permanent in some cases. Therefore, it is important to understand your organization’s business SLAs and have agreed-upon retention policies that prevent any mishaps for data storage. Here are the top three questions that you need to consider when choosing the best technology for you:

  • Duration: How fast would you be able to restore your business? <1 day, <1 week, <1 month or longer? Having multiple recovery strategies is critical to prepare for any type of data loss event. A traditional snapshot-based backup leaves too many holes unplugged. Adding at least one immutable backup copy increases your chances of successful data recovery.
  • How: Are manual or automated recovery processes in place, and in what order? An outage is not the time to figure out what workloads need to be recovered first and how long they could take. Having tested and updated documentation for business continuity/disaster recovery (BC/DR) is critical, and Veeam can help provide this with Veeam Data Platform — Premium Edition.
  • Where: Which location have you designated for recovery? Is it the cloud, a service provider or second datacenter? Offsite replication and geographical redundancy should be considered when creating a BC/DR plan. If there is no second site available, could you leverage a VCSP or a public cloud provider to get data off site and immutable? This has saved numerous organizations who needed to recover but didn’t have access to on-premises infrastructure. Restoring to the cloud was a last resort, but saved the day when it came to keeping the business running.

Protect Your Data With Veeam

Veeam continues to deliver when it comes to data security, data recovery and data flexibility. This provides options for all organizations, regardless of size, to be able to secure and defend their data from cyber threats and outages. You can get started by downloading a free trial today and joining the Veeam community for any FAQ!