What Is an Immutable Backup?

An immutable backup is a copy of your data that cannot be altered, deleted, or encrypted by anyone, including system administrators, the applications that created it, or attackers who've compromised your credentials. Once written, it stays exactly as it was. That's the entire point.

Immutability has become a cornerstone of modern data protection because ransomware has gotten smarter. Attackers no longer just encrypt your production data; they go after your backups first, knowing that a company with no clean recovery point is far more likely to pay. An immutable backup removes that leverage entirely.

Air-gapped vs. immutable backup: Why you need both

These two approaches are often conflated, and the distinction matters.

Air-gapping in backup environments typically refers to isolating the backup media or backup network from production systems.. In a traditional model, data is written to removable media, such as tape, then physically disconnected and stored offline, preventing malware on connected systems from reaching it. More modern “air-gapped” backup architectures often use a controlled, isolated backup environment with tightly restricted connectivity, such as one-way data flows, limited access paths, or physically restricted administration. While these approaches greatly reduce exposure to ransomware and remote attacks, they still rely on strong physical security and operational controls to protect against insider threats, media tampering, or physical destruction of backup assets.

Indelibility locks the data itself, regardless of where it's stored or who has access to the system. Even someone with administrator privileges can't overwrite or delete an immutable backup during its protection period. That's a fundamentally different and stronger guarantee.

Both approaches serve a purpose. Air-gapping reduces your attack surface by taking storage offline. Immutability ensures data integrity, no matter who touches the system. The strongest backup architectures use both.

How immutable backups work

When you create an immutable backup, the storage system places an object lock on the data. That lock enforces a write-once, read-many (WORM) model: The data can be read any number of times, but it cannot be overwritten, modified, or deleted for the duration of the retention period you set.

The retention period is configurable—days, months, years, or indefinitely—and typically set by the administrator at the time of backup creation. Once set, even that administrator cannot shorten or remove the lock before it expires.

When the retention period ends, the object lock releases and the backup becomes mutable again. Most organisations don't set indefinite immutability for active production backups because data changes constantly; a backup from three years ago may not reflect enough of your current state to be a useful recovery point. Archived data for compliance purposes is a different story.

Types of immutable backup storage

Not all immutable backup solutions work the same way at the hardware or software level:

• WORM storage: The traditional form. Data is written once to physical media, historically optical disks or tape, and physically cannot be overwritten. It’s still widely used for long-term archiving, particularly in regulated industries.
• Object lock (S3-compatible): Cloud object storage with object lock enabled creates software-enforced immutability. AWS S3, Azure Blob, Wasabi, and S3-compatible on-premises platforms all support this. Granular retention policies can be set per-object or at the bucket level.
• Hardened repositories: On-premises Linux-based backup repositories can be configured to deny any modification or deletion requests. They’re common in enterprise backup software, such as Veeam's hardened Linux repository model.
• Continuous data protection (CDP): Continuous data protection backs up data in real or near-real time by capturing every write operation. Each data change is retained immutably, giving organisations a granular recovery point objective (RPO) that can be measured in seconds rather than hours.
• Snapshot-based immutability: Storage platforms can enforce immutability at the snapshot level, preventing any modification to a point-in-time copy for a defined period. This approach can protect both primary and backup data, helping organisations recover clean copies even if production systems or backup environments are compromised.

The right choice depends on your recovery time objectives, compliance requirements, and whether your priority is on-premises control, cloud scalability, or both.

How immutable backups fit into a 3-2-1-1-0 backup strategy

The traditional 3-2-1 rule, three copies of data, on two different media, with one stored off-site, served enterprise IT well for years. It's no longer enough on its own.

The modern standard is the 3-2-1-1-0 rule:

• 3 total copies of your data
• 2 different storage media or locations
• 1 copy off-site
• 1 copy that is immutable or air-gapped
• 0 errors—every backup is verified and confirmed recoverable

The additional "1" (immutable or air-gapped) is the direct response to ransomware targeting backup infrastructure. The "0" closes a different gap: A backup you've never tested is a backup you can't trust. Automated verification that confirms backups can actually be restored, not just that the job completed, is now considered a baseline requirement.

Immutable backups serve as the recovery anchor in this strategy. If ransomware compromises your production environment and your connected backups, the immutable copy is untouchable. You restore from it, resume operations, and avoid paying the ransom.

Why organisations use immutable backups

Ransomware defense

Modern ransomware variants specifically target backup systems before encrypting production data, eliminating recovery options to maximise pressure on victims. With an immutable backup, that attack path is closed. The backup cannot be encrypted, deleted, or held hostage.

Insider threat mitigation

Not all data loss is external. Accidental deletion, misconfiguration, or deliberate sabotage from insiders are real risks. Immutability ensures that no one inside your organisation, regardless of their access level, can tamper with a protected backup during the retention window.

Compliance and regulatory retention

Several major regulations effectively require immutable backups, even without naming the technology explicitly:

• HIPAA requires healthcare organisations to maintain protected health information with strict controls against unauthorized alteration
• SEC rules 17a-3 and 17a-4 require financial firms to retain records in a non-rewriteable, non-erasable format—a direct mandate for WORM or equivalent immutability
• GDPR requires data integrity protections and verifiable audit trails
• FINRA and SOX place similar requirements on financial record retention

Immutable backups create an auditable chain of custody, which simplifies compliance reporting and reduces exposure during audits.

Data integrity and faster recovery

An immutable backup guarantees the data you recover is exactly the data that was backed up. There's no question about whether someone modified it after the fact, whether a storage error corrupted a byte, or whether the backup is safe to restore into production. That certainty accelerates recovery. Teams don't spend time validating backup integrity under pressure; they restore and move forward.

Benefits of immutable backups

• Protect against ransomware, malware, and insider threats
• Satisfy compliance requirements for non-rewriteable data retention (SEC 17a-4, HIPAA, GDPR)
• Guarantee data integrity—what you backed up is exactly what you recover
• Improve recovery time objectives by eliminating the need to validate backup integrity before restoring
• Provide a reliable recovery point even when production systems and connected backups are compromised
• Create auditable records and a chain of custody for legal and regulatory purposes
• Reduce ransom payment pressure by ensuring a clean recovery path always exists

Disadvantages of immutable backups

No security control is perfect, and immutable backups have real tradeoffs worth understanding:

• Storage costs accumulate. If retention periods are set too long, you may end up storing large volumes of data you can no longer legally or practically delete. Retention policy governance is important.
• Physical media is still vulnerable. Immutability protects against logical tampering, not physical destruction. If a tape or on-premises storage device is damaged, lost, or destroyed in a disaster, the immutable data goes with it. Off-site and cloud-based copies address this.
• Sleeper attacks are a risk. Sophisticated ransomware may lie dormant inside your systems for weeks or months before activating. If dormant malware makes it into your immutable backup before the retention lock is set, that backup may itself be compromised. Backup verification and extended retention windows help here.
• Configuration errors are a real threat. Immutability is only as strong as how it's configured. A retention period that's too short, an object lock misconfigured at the wrong level, or a hardened repository that wasn't actually hardened can leave gaps. Auditing your immutable backup configuration regularly is not optional.

How to keep immutable backups secure

Immutable backups are a critical layer of your security stack, not a standalone solution. They work best alongside:

• Backup encryption: Encrypting backup data at rest and in transit prevents exposure even if someone gains access to the storage medium
• Role-based access control: Restrict who can create, configure, and view backup policies; no single person should have unchecked authority over backup infrastructure
• Zero-trust access model: Require identity verification for any access to backup systems, and treat backup credentials as separately managed from production system credentials
• Multi-factor authentication: Prevent credential compromise from translating into backup deletion or reconfiguration
• Automated verification and testing: Regularly confirm that backups can actually be restored; a backup that's never been tested is a liability, not an asset
• Multilayer resiliency: Combine immutable backups with air-gapping, geographic redundancy, and snapshot retention for defense in depth

Immutable backup FAQs

Can immutable backups be stored in the cloud?

Yes, and cloud storage is increasingly the preferred option for many organisations. Cloud providers, including AWS, Azure, Google Cloud, and Wasabi, support object lock and WORM-compatible storage. Cloud-based immutable backups are well-suited for long-term retention, compliance archiving, and off-site redundancy. The trade-off compared to on-premises immutable storage typically centers on egress costs and recovery speed—factors worth evaluating against your recovery time objectives.

What's the difference between an immutable backup and an immutable snapshot?

Snapshots capture the state of a storage volume at a specific point in time. Immutable snapshots apply the same write-protection principles: no modification or deletion for the retention period. The key difference is granularity and purpose: Snapshots are typically retained for shorter periods and used for near-term recovery, while immutable backups are often replicated off-site and retained longer for disaster recovery and compliance purposes. Both have a role in a comprehensive data protection strategy.

How long should backups be immutable?

That depends on your compliance requirements and your recovery strategy. Many regulated industries (healthcare, financial services) require multi-year retention—sometimes seven years or longer for certain record types. For active production backups used for ransomware recovery, 30 to 90 days is a common baseline, ensuring you have enough rollback window to identify and predate a dormant infection. Review your specific regulatory obligations and set retention periods accordingly.

How often should immutable backups be updated?

Frequent enough that a failure doesn't cost you more data than your organisation can tolerate losing. That threshold, your recovery point objective, varies by organisation and by system. Critical databases may require near-continuous backup; less dynamic data may tolerate daily or weekly cycles. Whatever frequency you choose, test restores regularly to confirm the backup is clean and recoverable.

Are immutable backups safe against all threats?

No single control is. Immutable backups are highly effective against ransomware, accidental deletion, and insider threats, but they don't protect against physical destruction of media, dormant malware included in the backup prior to the lock being set, or misconfiguration. Layering immutability with encryption, verified testing, and off-site storage closes most of the remaining gaps.

Immutable backups and Everpure

For organisations that need immutable data protection built into their storage infrastructure, not bolted on afterward, both Everpure™ FlashArray™ and FlashBlade® support SafeMode™ Snapshots. SafeMode Snapshots create immutable, non-deletable copies of your data that cannot be eradicated, even if an attacker gains administrative access to your environment. Recovery from a ransomware attack doesn't have to mean paying a ransom or calling a vendor; you can restore from a clean snapshot and resume operations.

The Evergreen//One™ storage-as-a-service model also includes built-in data protection and recovery capabilities designed for organisations that want predictable economics alongside immutable protection, without managing the underlying infrastructure.