Sept 14, 2022
What's an Immutable Backup?
Ransomware resiliency is still top of mind because attackers are getting better at their game. Once access is gained into a network, bad actors will typically go after all data, including the backups, so the victim won't be able to recover without paying for the decryption key. How do you protect backups? Make them immutable!
An immutable backup is a way of protecting data that ensures the data is fixed, unchangeable, and cannot be deleted, encrypted, or modified. You can instantly make a backup immutable by taking it offline, which makes it impossible to tamper with or destroy without physical access. This is the ultimate in protection; however, it can be cumbersome to manage. Remember when everyone ditched tape in favor of online remote storage? Those who didn’t are feeling pretty smug (and protected) right now, knowing that their air-gapped backups are more resilient to ransomware.
There is also online immutable storage. Examples include Amazon AWS, or any cloud storage provider that supports the AWS S3 API-compatible “Object Lock” feature, where data placed into the storage repository is unmodifiable and undeletable for the length of the object lock period. With these repositories, you can only write new data or read old data, and there is no way to delete data outside of terminating your agreement with the provider. It’s also possible to deploy “hardened repository” backup appliances on your internal network that provide immutable backups; however, such devices can be cost-prohibitive when compared to the relatively low cost of cloud-based solutions, or even tape.
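As an added example (not part of the original article), the Python below audits whether a backup bucket's Object Lock settings deliver the "undeletable for the lock period" property described above. It takes dicts shaped like the responses of the S3 GetObjectLockConfiguration and GetBucketVersioning calls; the 30-day minimum, the function names, and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit dicts shaped like the responses of the S3
# GetObjectLockConfiguration and GetBucketVersioning API calls.
MIN_RETENTION_DAYS = 30  # assumption: hypothetical policy value, not from the article


def retention_days(default_retention):
    """Length of a DefaultRetention block in days (a year approximated as 365)."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_backup_bucket(lock_resp, versioning_resp, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    if versioning_resp.get("Status") != "Enabled":
        findings.append("versioning is not enabled (Object Lock depends on it)")
    config = lock_resp.get("ObjectLockConfiguration", {})
    if config.get("ObjectLockEnabled") != "Enabled":
        return findings + ["Object Lock is not enabled on the bucket"]
    default = config.get("Rule", {}).get("DefaultRetention")
    if not default:
        return findings + ["no default retention: uploads are locked only if each one sets its own"]
    if default.get("Mode") != "COMPLIANCE":
        # GOVERNANCE mode can be overridden by sufficiently privileged principals.
        findings.append("mode is %s: principals with s3:BypassGovernanceRetention "
                        "can still delete locked versions" % default.get("Mode"))
    if retention_days(default) < min_days:
        findings.append("default retention of %d days is below the %d-day minimum"
                        % (retention_days(default), min_days))
    return findings


# Constructed sample responses (not captured from a real account).
VERSIONED = {"Status": "Enabled"}
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
    "DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
HARDENED = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
    "DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_backup_bucket(resp, VERSIONED) or "OK")
```

When a bucket has no Object Lock configuration at all, the API returns an error instead of a response; pass an empty dict for `lock_resp` in that case.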
We understand that the above is a simplification of the topic, and there are other considerations such as network access controls, multi-factor authentication, multiple copies, testing, and more. This particular weekly security tip is to spark conversation within your environment where backups may or may not be "well-protected." If you haven't made offline or immutable backups part of your overall backup strategy, now is the time. It could be the difference between recovery success and failure.
Authored by: David Matt, CISSP, CBISO