
Immutable backup


Summary

An immutable backup is a copy of data that cannot be altered, encrypted, or deleted — by anyone, including administrators — ensuring a clean, recoverable version of data is always available when needed. Immutability has become a critical defense against ransomware because cybercriminals now routinely target backup repositories alongside production systems, encrypting or deleting them to eliminate an organization's ability to recover without paying. Unlike mutable backups, which can be modified or destroyed by attackers, an immutable backup stored in a read-only state serves as a final, untouchable line of defense that enables organizations to recover to their last healthy state without paying a ransom.


What is immutable backup?

An immutable backup file cannot be altered in any way — immutable means incapable of change. Immutable backups ensure that data is locked in its original state: it cannot be encrypted by ransomware, deleted by a malicious insider, or accidentally overwritten by an administrator error.

Having an immutable copy of your data is critical to ensuring a recovery point is always available — whether the threat is a natural disaster, a hardware failure, or a sophisticated ransomware attack.

Why is immutable backup important?

A ransomware attack hits a business every few seconds. The costs are enormous — whether you pay the ransom or not. Ransomware recovery can take months, revenue is lost, and reputational damage lingers long after systems are restored.

What makes the modern threat landscape uniquely dangerous is that cybercriminals no longer just encrypt production data. They specifically target backup repositories first — deleting or encrypting backup snapshots to eliminate the organization's ability to recover without paying.

Immutable backup systems are architected to remove this leverage entirely. Because the backup data cannot be altered, ransomware actors gain nothing by targeting it — the clean recovery point remains available.

How does immutable backup work?

Immutable backup systems enforce data integrity through a combination of storage policies, access controls, and architectural design:

  • Write-Once, Read-Many (WORM) storage: Once data is written, the storage layer prevents any modification or deletion until the retention period expires.
  • Read-only snapshot locking: Backup snapshots are immediately placed in a read-only state. Any incremental updates write to a zero-cost clone, not to the original snapshot.
  • Trusted API access only: Writes to internal backup views are permitted only via authenticated, trusted internal services — external applications and users cannot modify backup data.
  • Encryption at rest and in transit: Data is encrypted independently of immutability, ensuring confidentiality alongside integrity.
  • Air-gap and cyber vault options: For maximum protection, immutable backups can be isolated in an air-gapped vault, physically or logically separated from the main network.
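To make the mechanisms listed above concrete, here is an added example (not Cohesity's code or any product's implementation) that models a WORM snapshot store in Python: each snapshot is locked read-only the moment it is written and carries a retention expiry, an incremental backup clones the base snapshot instead of modifying it, deletion is refused for every actor (an administrator included) until retention expires, and a digest verifies recovery-point integrity. The class and function names and the injected clock are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from types import MappingProxyType
from typing import Callable, Mapping

class ImmutabilityError(PermissionError):
    """Raised when a delete targets a snapshot still inside its retention period."""

def digest(blocks: Mapping[str, bytes]) -> str:
    """SHA-256 over sorted block names and contents, used to verify integrity."""
    h = hashlib.sha256()
    for name in sorted(blocks):
        h.update(name.encode() + b"\0" + blocks[name])
    return h.hexdigest()

@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    blocks: Mapping[str, bytes]  # read-only view; clones share unchanged blocks
    locked_until: int            # retention expiry (epoch seconds)
    digest: str

class WormSnapshotStore:
    """Snapshots are locked read-only on write; the clock is injected for deterministic tests."""
    def __init__(self, retention_seconds: int, clock: Callable[[], int]) -> None:
        self.retention, self.clock = retention_seconds, clock
        self.snapshots: dict[str, Snapshot] = {}

    def _lock(self, sid: str, blocks: dict[str, bytes]) -> Snapshot:
        view = MappingProxyType(blocks)  # item assignment on the view raises TypeError
        snap = Snapshot(sid, view, self.clock() + self.retention, digest(view))
        self.snapshots[sid] = snap
        return snap

    def full_backup(self, sid: str, blocks: Mapping[str, bytes]) -> Snapshot:
        return self._lock(sid, dict(blocks))

    def incremental(self, base_id: str, sid: str, changed: Mapping[str, bytes]) -> Snapshot:
        # Clone-on-write: reuse the base's unchanged blocks, add only the changed ones.
        return self._lock(sid, {**self.snapshots[base_id].blocks, **changed})

    def delete(self, sid: str, actor: str) -> None:
        # No role bypass: an administrator is refused like anyone else until expiry.
        if self.clock() < self.snapshots[sid].locked_until:
            raise ImmutabilityError(f"{actor} may not delete {sid} before retention expiry")
        del self.snapshots[sid]

    def verify(self, sid: str) -> bool:
        # Recompute the digest to confirm the recovery point is unchanged.
        return digest(self.snapshots[sid].blocks) == self.snapshots[sid].digest
```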

Why deploy an immutable backup solution?

Data is essential to your business. Imagine a healthcare provider suddenly losing access to all its patient files due to a ransomware attack, or a university falling victim to targeted attacks that take away its ability to process student financial aid data.

These are real events that happen daily. Your backup and recovery solution should therefore be an immutable backup and recovery system, one that creates an immutable copy of your data. This ensures that there is an untouched—and untouchable—version of that data that is always recoverable and safe from any kind of disaster.

Mutable vs. immutable backup: key differences

The key difference between mutable and immutable backup is whether data can be tampered with after it is written:

Feature                          Mutable Backup     Immutable Backup
Can be modified after creation   Yes                No
Ransomware-proof                 No                 Yes
Supports compliance (WORM)       Rarely             Yes
Air-gap compatible               Sometimes          Yes
Recovery point integrity         Not guaranteed     Guaranteed

Mutable backups can be encrypted, altered, or deleted — which is exactly what ransomware does. Immutable backups eliminate that attack surface entirely.

Can ransomware infect or delete backups?

Short Answer: Yes — ransomware can and does target traditional (mutable) backups. Modern attacks routinely delete or encrypt backup repositories before triggering the main payload. Immutable backups are specifically architected to prevent this.

In the past, a backup and recovery solution was sufficient insurance against cyberattacks. But cybercriminals adapted. Recognizing that organizations with backups would simply refuse to pay ransoms, attackers evolved their tactics to target backup data and administrator functions first.

In numerous documented incidents, attackers deleted or encrypted backup repositories and snapshots before activating the primary ransomware payload — leaving organizations with no recovery option other than paying.

An immutable backup eliminates this scenario. Because the backup cannot be modified, encrypted, or deleted — even by a compromised administrator account — the organization always retains a clean recovery point.

Why is immutable backup the last line of defense against ransomware?

When a ransomware attack is detected, the organization's immediate priority is restoring operations from a known-good state. Immutable backups make this possible because:

  • The backup data is in a guaranteed clean state — it cannot have been modified since it was written.
  • Recovery time is predictable — there is no need to assess whether backups themselves were compromised.
  • Ransom payment becomes unnecessary — with an intact immutable backup, organizations can recover without engaging attackers.

By deploying an immutable backup solution, your organization retains a clean copy of data that can restore business operations — and eliminates the leverage that ransomware attackers rely on.

What to look for in an immutable backup solution

When evaluating immutable backup providers, prioritize solutions that offer the following capabilities:

1. WORM-based architecture

The solution should enforce write-once, read-many storage at the infrastructure level — not just via policy settings that a compromised admin could change.

2. Read-only snapshot locking

Backup snapshots should be immediately locked in a read-only state upon completion. Incremental backups should write to zero-cost clones, leaving the original snapshot untouched.

3. Authenticated API-only access

Any writes to backup views should be restricted to trusted internal services operating via authenticated APIs. No external application or user should have write access to backup data.

4. Encryption at rest and in transit

Data encryption should be applied independently of immutability to ensure confidentiality. Look for AES-256 encryption and TLS in transit as baseline requirements.

5. Role-based access controls (RBAC)

Granular RBAC ensures that no single user — including administrators — can unilaterally modify or delete backup data. Multi-person authorization (quorum-based approval) adds an additional layer.

6. Air-gap and cyber vault capabilities

For critical workloads, the ability to store immutable backups in a logically or physically isolated environment (cyber vault) provides defense-in-depth against even the most sophisticated attacks.

7. Compliance and regulatory alignment

Immutable backup supports compliance with regulations that require WORM storage or data integrity guarantees, including SEC Rule 17a-4, HIPAA, FINRA, and GDPR. Verify that the solution supports your specific compliance obligations.

Immutable backup and regulatory compliance

Many regulatory frameworks explicitly require organizations to maintain data in a tamper-proof, write-once format. Immutable backup satisfies these requirements:

  • SEC Rule 17a-4 (financial services): Requires broker-dealers to retain records in a non-rewriteable, non-erasable format — a standard that immutable, WORM-based backup directly fulfills.
  • HIPAA (healthcare): Requires integrity controls that prevent unauthorized alteration of protected health information (PHI). Immutable backups provide a verifiable audit trail that PHI has not been modified.
  • FINRA: Requires electronic records to be preserved in WORM format for defined retention periods.
  • GDPR: While GDPR focuses on deletion rights, organizations must also demonstrate data integrity. Immutable backups support audit and integrity obligations.
  • DORA (EU Digital Operational Resilience Act): Mandates robust backup and recovery capabilities for financial entities. Immutable backup is a key component of DORA-compliant resilience strategies.

Organizations subject to these or similar regulations should confirm that their backup provider can produce documentation and audit logs demonstrating the immutability of stored data.

What happens when ransomware meets an immutable backup?

A backup is your final line of defense against today’s sophisticated ransomware attacks. If your organization is attacked, immutable backups provide an original copy of data that cannot have been changed. Once a company detects a ransomware attack, it can use an immutable backup to instantly recover to its last healthy state, from before it was affected by the malware.

Cohesity and immutable backup

Cohesity's AI-powered data security and management platform is built with immutability as a foundational design principle, not an add-on feature. Key capabilities include:

  • Immutable backup snapshots: All backup snapshots are stored in a read-only state. Any incremental backup writes to a zero-cost clone, ensuring the original snapshot is never modified.
  • AES-256 encryption at rest and TLS in transit: Data is protected both against unauthorized access and unauthorized modification.
  • Role-based access control (RBAC): Granular access policies prevent any single user from modifying backup configurations or data.
  • Cyber vaulting with FortKnox: Cohesity FortKnox provides an isolated, cloud-based cyber vault with immutable backup copies, adding air-gap protection for critical workloads.
  • Multi-factor authentication and quorum approval: Sensitive operations require multi-person authorization, protecting against compromised credentials.

Frequently asked questions about immutable backup

Is immutable backup the same as air-gap backup?

No, but they are complementary. An air-gap backup is physically or logically isolated from the network, preventing attackers from reaching it. An immutable backup cannot be altered even if it is reachable. For maximum protection, organizations should deploy immutable backups with air-gap or cyber vault isolation.

How long should immutable backups be retained?

Retention periods depend on organizational policy and regulatory requirements. Most organizations retain immutable backups for 30–90 days for operational recovery purposes, with longer retention (1–7 years) for compliance. Policies should be set in coordination with legal, compliance, and IT teams.

Can an administrator delete an immutable backup?

In a properly architected immutable backup system, no single user — including administrators — can delete or modify a backup during its retention period. Solutions that enforce multi-person authorization (quorum approval) provide the strongest protection against insider threats.

What is the difference between immutable backup and immutable storage?

Immutable storage refers to the underlying storage technology (e.g., object storage with WORM policies). Immutable backup refers to the broader backup solution that uses immutable storage — along with access controls, encryption, and recovery orchestration — to protect backup data end-to-end.

Does immutable backup work in the cloud?

Yes. Cloud providers including AWS, Azure, and Google Cloud offer object storage services with WORM (write-once, read-many) policies. Cloud-native immutable backup solutions leverage these capabilities to protect backup data stored off-premises, often as part of a 3-2-1 or 3-2-1-1-0 backup strategy.
