“Immutable backups” refer to backup copies that cannot be modified or deleted after they are written—either for a defined retention period or permanently—even by administrators or compromised accounts. This is typically implemented using WORM mechanisms (“Write Once, Read Many”), retention policies, and locking controls. The purpose is to reliably protect backups against tampering, accidental deletion, and especially ransomware, while also meeting compliance requirements related to integrity and auditability.
WORM / Immutability Mode: Backup data is stored in a way that prevents overwriting or alteration after it is written.
Retention Policies: Definition of how long backups must remain immutable (e.g., 30/90/365 days).
Legal Hold: Ability to lock backups independently of standard retention until they are explicitly released (e.g., for audits or legal matters).
Object Lock / Immutable Object Storage: Support for immutability on object storage (on-premises or cloud), including governance/compliance modes.
Tamper-Proof Metadata & Checksums: Integrity validation (hash/checksum) and protection against later manipulation of catalogs/metadata.
Role-Based Access Control with Deletion Protection: Separation of duties, restrictive delete permissions, and minimized privileged access.
Multi-Step Approvals / MFA for Critical Actions: Additional safeguards for deletions or policy changes (e.g., four-eyes approval, multi-factor authorization).
Immutable Snapshots: Read-only snapshots on the storage/repository layer as an additional protection layer.
Air-Gap Options (Logical/Physical): Functional separation between backup storage and production to reduce attack paths.
Audit Logs & Traceability: Logging of accesses and policy changes, including audit-ready or tamper-evident logs.
A company enforces a 90-day immutable retention so ransomware cannot delete or alter backup sets.
An IT team stores backups in object storage with “Object Lock” to guarantee integrity for defined retention periods.
Monthly backups are placed under a “Legal Hold” until a compliance audit is completed.
Shortening retention or removing locks requires multi-factor approval and a four-eyes principle.
Backups are additionally stored as immutable snapshots in the backup repository to enable recovery even in case of misconfiguration.
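The feature list and scenarios above can be made concrete with a small in-memory model of an immutable repository. The following is an added example, not code from the page or from any backup or storage vendor; the class and method names are assumptions, and all keys and payloads are constructed. The lock rules it enforces follow the documented behaviour of S3-style Object Lock: a key is write-once, retention can be extended but never shortened, GOVERNANCE retention can be overridden only by a role explicitly granted a bypass, COMPLIANCE retention cannot be overridden by anyone, and legal hold blocks deletion independently of retention (including for the bypass role) until it is released. `run_scenarios()` replays the page's cases (90-day immutable retention, legal hold on a monthly backup, refused shortening) against a controllable clock and records every attempt in an audit list.

```python
"""In-memory model of WORM / object-lock semantics for a backup repository (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class LockViolation(Exception):
    """Raised when an operation would overwrite, shorten or delete a protected backup."""


@dataclass
class BackupObject:
    data: bytes
    sha256: str                # checksum recorded at write time, verified on every read
    mode: str                  # "GOVERNANCE" (privileged bypass possible) or "COMPLIANCE" (no bypass)
    retain_until: datetime
    legal_hold: bool = False   # independent of retention; blocks deletion until released


class ImmutableRepository:
    """Assumed API (not a vendor's): put/get/delete plus lock management and an audit log."""

    def __init__(self, now=None):
        self._objects = {}
        self.audit = []          # plain list here; a real deployment ships this to tamper-evident storage
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _log(self, actor, action, key, outcome):
        self.audit.append(f"{self._now().isoformat()} actor={actor} action={action} key={key} result={outcome}")

    def exists(self, key):
        return key in self._objects

    def put(self, actor, key, data, mode, retention_days):
        """Write-once: an existing key can never be overwritten, whatever the caller's role."""
        if key in self._objects:
            self._log(actor, "put", key, "DENIED: WORM overwrite")
            raise LockViolation(f"{key} already exists")
        if mode not in ("GOVERNANCE", "COMPLIANCE"):
            raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
        obj = BackupObject(data=bytes(data), sha256=hashlib.sha256(data).hexdigest(),
                           mode=mode, retain_until=self._now() + timedelta(days=retention_days))
        self._objects[key] = obj
        self._log(actor, "put", key, f"OK: {mode} until {obj.retain_until.date()}")
        return obj.sha256

    def get(self, key):
        """Return the data only if the stored checksum still matches (detects later tampering)."""
        obj = self._objects[key]
        if hashlib.sha256(obj.data).hexdigest() != obj.sha256:
            raise LockViolation(f"{key} failed integrity check")
        return obj.data

    def set_legal_hold(self, actor, key, on):
        self._objects[key].legal_hold = on
        self._log(actor, "legal_hold", key, "ON" if on else "OFF")

    def extend_retention(self, actor, key, new_until):
        """Retention may be lengthened; shortening it is refused in both modes."""
        obj = self._objects[key]
        if new_until < obj.retain_until:
            self._log(actor, "retention", key, "DENIED: shorten")
            raise LockViolation("retention can only be extended")
        obj.retain_until = new_until
        self._log(actor, "retention", key, f"OK: until {new_until.date()}")

    def delete(self, actor, key, bypass_governance=False):
        """Legal hold always wins; then retention applies, bypassable only in GOVERNANCE mode."""
        obj = self._objects[key]
        if obj.legal_hold:
            self._log(actor, "delete", key, "DENIED: legal hold")
            raise LockViolation(f"{key} is under legal hold")
        if self._now() < obj.retain_until:
            if obj.mode == "COMPLIANCE" or not bypass_governance:
                self._log(actor, "delete", key, f"DENIED: {obj.mode} retention")
                raise LockViolation(f"{key} is retained until {obj.retain_until.isoformat()}")
            self._log(actor, "delete", key, "OK: governance bypass by privileged role")
        else:
            self._log(actor, "delete", key, "OK: retention expired")
        del self._objects[key]


def _denied(action):
    """True if the action was blocked by a lock."""
    try:
        action()
    except LockViolation:
        return True
    return False


def run_scenarios():
    """Replay the page's scenarios with a controllable clock (all keys and payloads constructed)."""
    clock = {"t": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    repo = ImmutableRepository(now=lambda: clock["t"])
    r = {}
    repo.put("backup-svc", "full-2024-01-01", b"constructed full backup", "COMPLIANCE", 90)
    repo.put("backup-svc", "monthly-2024-01", b"constructed monthly backup", "GOVERNANCE", 30)
    # A compromised account cannot overwrite, delete or shorten a compliance-locked set.
    r["overwrite_denied"] = _denied(lambda: repo.put("attacker", "full-2024-01-01", b"x", "COMPLIANCE", 1))
    r["delete_denied"] = _denied(lambda: repo.delete("attacker", "full-2024-01-01"))
    r["compliance_bypass_denied"] = _denied(lambda: repo.delete("admin", "full-2024-01-01", bypass_governance=True))
    r["shorten_denied"] = _denied(lambda: repo.extend_retention("admin", "full-2024-01-01", clock["t"] + timedelta(days=10)))
    # Legal hold blocks deletion even for the role that may bypass governance retention.
    repo.set_legal_hold("compliance-team", "monthly-2024-01", True)
    r["legal_hold_denied"] = _denied(lambda: repo.delete("admin", "monthly-2024-01", bypass_governance=True))
    repo.set_legal_hold("compliance-team", "monthly-2024-01", False)
    repo.delete("admin", "monthly-2024-01", bypass_governance=True)   # governance: privileged bypass succeeds
    r["governance_bypass_deleted"] = not repo.exists("monthly-2024-01")
    clock["t"] += timedelta(days=91)                                  # the 90-day compliance lock has expired
    r["integrity_ok"] = repo.get("full-2024-01-01") == b"constructed full backup"
    repo.delete("backup-svc", "full-2024-01-01")
    r["expired_deleted"] = not repo.exists("full-2024-01-01")
    r["audit_entries"] = len(repo.audit)
    return r
```

In a real deployment the checks live in the storage service, not in the client, and `bypass_governance` corresponds to a separately granted permission that should be restricted and gated by the approval and MFA controls listed above; the audit list shows why that matters, since every refused attempt (including the bypass attempt on a compliance-locked set) is recorded with its actor.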