Data immutability: the forgotten component of defence in depth

Defence in depth is a basic tenet in security. It means putting multiple layers of protection in front of an asset to minimise an attacker’s chances of compromising it. We see it all the time as companies employ everything from cyber security awareness training to malware protection. The final layer of defence is the backup — if all else fails, you can always restore from that.

But what protects the backup?

Anything that damages your files could eventually affect backed up data. That’s especially true of enterprise replication services that simply copy data to the cloud. These aren’t backups at all, and any changes to primary files will quickly propagate.

Some dangers, such as hackers, rogue admins, or ransomware criminals, will deliberately target your backups.

Why organisations need to take charge of Office 365 backup and recovery

Shai Nuni, vice-president of Metallic EMEA at Commvault, discusses why organisations need to take charge of backup and recovery for their Office 365 environments. Read here

So how do you protect them against damage or deletion?

Many companies turn to offline backups, using tape or disk media that they disconnect from the network after copying their data. These are cumbersome to use, and often unreliable. As a physical media that backup systems use repeatedly, tape degrades, and it isn’t easy to verify its integrity. You also have to reconnect it manually every time you want to update the backup. This isn’t viable for frequent backups that enable you to recover recently-created data.

The other alternative is to use write-once-read-many systems. These use physical media, typically disks, that only support a single write. Worm media is immutable, meaning that you can’t change what’s been written. You can only add to what’s already there. But it’s expensive, slow, and often relegated to archival use cases, which are different to backups.

Why immutability is important

The ideal solution is an immutable backup that is fast and constantly connected. When implemented properly, there are several advantages to this model:

  • No tampering: Even though they’re connected to the network, immutable backup systems include controls that prevent any changes to backed-up data. This enables you to keep your backup systems online to support frequent writes while protecting them from unauthorised tampering.
  • Flexible recovery point objectives (RPO): Many transactional applications need to recover data created just minutes ago. Online snapshots make that highly feasible because they’re always available to take a snapshot of the latest changes and add them to what’s already there.
  • Fast recovery time objectives (RTO): An administrator must manually connect offline backup storage systems to the network to begin the process. That’s time-consuming in any situation, and even more so if your staff are locked down during a disaster. A connected immutable system enables you to start recovery quickly.

Accelerating IT disaster recovery with unified backup

Joe Noonan, product executive, backup and disaster recovery for Unitrends and Spanning, discusses how unifying backup can ensure quick recovery from IT disasters. Read here

How immutable backup architecture works

What makes an immutable backup solution? One thing is certain: it isn’t built on vanilla network storage devices with default configurations. Standard file systems running on commodity storage system operating system software are designed for access from multiple accounts, making them susceptible to change. All a hacker needs is access to the right login, and they own your backups.

A good immutable system is hardened from the ground up, with tamper-proof controls baked into the architecture. It secures all parts of the backup system: the storage devices themselves, the communications between them and other systems, and the files that they store.

Your storage devices themselves should also be locked down. Network attached storage devices are small computers in their own right, and an attacker breaking into one could run their own malicious software on it.

Immutable files from top to bottom

Perhaps the most important immutability factor is the backup data itself. An immutable file system should prevent changes at the file level. You must ensure that new writes to the system never touch existing data. That means even if an attacker managed to initiate a new, malicious backup that encrypted data, it wouldn’t overwrite existing backup data.

Proper file fingerprinting is another important aspect of immutability. A mathematical fingerprint of a file is unique; change just one bit of that file, and the fingerprint would be completely different. It’s an excellent way to tell if something has been tampered with.

Not only is an immutable backup system part of a broader defence in depth strategy, but it also uses multiple layers of defence itself to ensure that only the right applications and people get access to your data. If you’re going to rely on backups to restore your operations when disaster strikes, isn’t it worth giving them the protection they deserve?

Written by James Blake, field CTO security at Rubrik

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at