What are immutable backups? Is your backup data immutable?
There has been considerable discussion recently on the topic of data immutability, especially in the context of immutable backups.
What are immutable backups?
Immutability is the property of something to remain unchanging over time – or be unchangeable.
One can easily see how this makes sense in relation to backed-up data. Clearly, preserving a copy of the backup data in an unchangeable format is a desirable property in any backup solution. An organization will want immutable backups to protect its data assets not only from accidental deletion by its own users, but also from malicious insiders and from ransomware.
The simplest way to ensure immutability is to have immutable storage systems. Examples that come to mind are WORM (Write Once Read Many) storage systems like optical disks or CD-ROMs. Data once committed to these systems cannot be altered. But storage media like these are slow in nature and lend themselves more to data archiving use cases. Backing up to them is not practical.
There are storage and backup vendors that advertise immutable storage technology. Even without getting into the specifics of each or assessing how effective they are, one thing is clear: all of them are expensive propositions. Immutability seems to come at a hefty cost.
A practical approach – How to implement an immutable backup strategy
But unless a business is in a highly regulated industry vertical that demands WORM-like compliance to data immutability, such systems may be superfluous. It is possible to achieve a practical level of immutability with good security and backup software which can thwart an attacker well before they gain storage level access. Think of it as data immutability – and not so much as storage immutability.
Let’s break the immutability argument down and examine who we are trying to protect the backed-up data from:
External threat actors
An external actor is someone who attempts to breach your security defenses in order to gain access to business data. These attacks can take many forms and it is important to have an effective security defense against external threats – not just for your backups, but for your infrastructure as a whole. A Zero Trust based defense is the best approach for today’s environment in which workforces are distributed. Rather than rely on a perimeter trust model, Zero Trust is designed to “assume breach” and always verify identity at every level. Zero Trust also relies on a centralized identity management mechanism (such as Azure Active Directory) and enforces multi-factor authentication (MFA). A Zero Trust stance is essential for almost all organizations today to protect all their assets – not just their backups.
If Zero Trust is also breached and an unauthorized actor has gained access to your backups, encryption is your next line of defense. Good backup software will not only allow for strong encryption of the backed-up data, it will also allow customers to control the encryption/decryption keys.
Insiders present a much different challenge. Insiders by definition have authorized access to various systems that belong to the organization. To protect against insiders, insulating secondary storage (used for backups) from primary storage is a critical first step. What this means is that the storage on which backups are stored should not be directly accessible to any users.
The second step is to be able to block users from interfacing with backup data directly even via the backup software. Most modern backup software solutions usually do a fairly good job of limiting user access to backups. Users typically only enjoy read-only access, which is required for them to download or restore their data – and nothing more. Any deletion of backups occurs automatically via software policy settings that govern backup aging – and never via a human action like an administrator deleting backups.
Also, all administrator accesses to backup aging policies and any modifications they make should be fully audit-logged – good backup solutions will do this.
Here again, even if a rogue insider gains access to the backup storage, encryption needs to be the next line of defense – as stated above.
Ransomware poses an altogether different problem. These are automated programs that are designed not only to encrypt user data, but also to seek out and destroy backups. As in the previous case, insulation of secondary storage from primary storage is an essential step to protect against ransomware. If your backups are on the same network, in the same datacenter, on a mapped network drive, or (god forbid) on just another disk on the same computer – then they become easy pickings for ransomware.
To be an effective defense against ransomware, the backups should be housed in a geographically separated storage target – like in the cloud. And because the backups are stored outside the typical network perimeter, they should of course be encrypted to defend against external and insider attacks. The access to cloud storage should be a complex step that only the backup software knows how to navigate successfully. It should involve a modern, token-based authentication mechanism such as OAuth 2.0 and should form an API-gap which ransomware cannot negotiate. Using cloud-based object storage (such as Amazon S3 buckets or Azure blob storage) as a backup target can be an ideal solution.
Administrators are not just insiders, they’re insiders with elevated privileges. To protect backup data from actions by administrators (whether accidental or premeditated), insulating access to secondary storage (as described above in the ransomware section) is an essential first step. Encryption is the next line of defense. Rigorous audit-logging is a third line of defense. Although effective only post-facto, reliable and effective audit-logging has been proven to act as a highly effective deterrent. Lastly, some modern backup software has advanced privacy features that disallow administrators from gaining access to user data. Administrators may have the ability to transfer the backup data ownership from one user to another – but not have access to the backed-up data itself.
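The insider and administrator sections above both depend on audit logs being reviewed: deletions should come only from the aging policy, and every change to that policy should be visible. The following is an added example, not code from Parablu or any backup product, showing one way to review such a log; the JSON record format, the field names and the `retention-engine` service identity are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed audit records (JSON lines). Field names and the
# "retention-engine" service identity are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2024-03-01T02:00:00", "actor": "retention-engine", "action": "delete_backup", "policy": "endpoints", "count": 12}
{"ts": "2024-03-04T09:15:00", "actor": "admin.jdoe", "action": "update_policy", "policy": "endpoints", "old_days": 90, "new_days": 7}
{"ts": "2024-03-04T09:40:00", "actor": "retention-engine", "action": "delete_backup", "policy": "endpoints", "count": 4310}
{"ts": "2024-03-05T11:02:00", "actor": "admin.jdoe", "action": "delete_backup", "policy": "m365", "count": 1}
{"ts": "2024-03-06T08:00:00", "actor": "admin.asmith", "action": "update_policy", "policy": "m365", "old_days": 30, "new_days": 60}
"""
POLICY_ENGINE = "retention-engine"


def review(log_text, window=timedelta(hours=24)):
    """Return (timestamp, rule, detail) findings in chronological order."""
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    shortened = {}   # policy name -> time its retention was last reduced
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "update_policy":
            if e["new_days"] < e["old_days"]:
                shortened[e["policy"]] = ts
                findings.append((e["ts"], "retention-shortened",
                                 f"{e['actor']} cut {e['policy']} "
                                 f"{e['old_days']}d -> {e['new_days']}d"))
        elif e["action"] == "delete_backup":
            if e["actor"] != POLICY_ENGINE:
                # Deletion should never be a direct human action.
                findings.append((e["ts"], "human-delete",
                                 f"{e['actor']} deleted {e['count']} in {e['policy']}"))
            elif e["policy"] in shortened and ts - shortened[e["policy"]] <= window:
                # Policy-driven purge that closely follows a retention reduction.
                findings.append((e["ts"], "purge-after-shortening",
                                 f"{e['count']} backups aged out of {e['policy']}"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The third rule matters because a purge carried out by the policy engine looks legitimate on its own; it only stands out when correlated with the retention change that preceded it.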
From all this, it is clear that the goals of immutability in the context of backup don’t always require expensive storage immutability. A high degree of data immutability can be achieved with a good combination of modern data backup and security solutions.
Parablu’s BluVault is designed to enable robust data backup from user endpoints, SaaS workloads (Microsoft 365) and edge servers. Our patented integration with Microsoft 365 and OneDrive for Business also means that you can deploy BluVault without spending a penny for backup storage. Sound interesting? Ask us for a personalized demo here or write to us at firstname.lastname@example.org.