The simple definition of immutable is "unchanging over time or cannot be changed". If we apply this to a backup, we are now talking immutable backups. Backed-up data needs to be stored on immutable media, so that it cannot be changed.
So, you might ask: Why would I be concerned about this? Our backups are stored in two places: on the appliance and in the cloud. This data should be safe, and it should be accessible as needed for a restore. The bigger concern, really, is ransomware. The nefarious bad people in the world of ransomware are now able to insert their ransomware into the backups of your data. If your backed-up data is not stored on immutable media, it is susceptible to ransomware attacks.
If you are attacked by ransomware, backups are the de facto way to recover from this. If your backups are also attacked, then your data is at serious risk of not being able to be restored.
It’s important for small and medium businesses (SMBs) to realize that not all backups are created equal, and the quality of your backup process can mean the difference between a successful restore or permanent data loss.
NOT ALL BACKUP MEDIA OR BACKUP SOLUTIONS ARE IMMUTABLE.
Tape media is immutable and may be the single best place for your backed-up data. It can be stored for years (in proper conditions); however, it also requires a lot of maintenance. Moving tapes in and out of the tape library and to offsite storage, purchasing new tapes, replacing old tapes, and removing tapes out of long-term storage when a company's data retention policies require archived data to be purged. Depending on the amount of data a company has, this could involve hundreds of tapes, and certainly a lot of man hours to maintain.
Digital media is much easier to use but is more susceptible to ransomware. One reason for this susceptibility is that digital media is on the network. During a ransomware attack, any information on the network being attacked is vulnerable. Most backups today are solutions using digital media.
Utilizing the cloud for backup has become fundamental to business continuity and disaster recovery (BCDR) best practices. However, there are significant differences in cloud design that can have a major impact on reliable backup and recovery of business-critical data.
These distinctions are coming into focus with threats to backup security on the rise, including hacking, human error, and malware. Research shows that ransomware, a subset of malware, is rapidly increasing the amount of downtime that businesses experience. The security and reliability of cloud backup infrastructure can make or break the ability to recover from a ransomware attack, accidental data deletion, and other threats.
Another note to take into consideration when reviewing backup options and how immutability may be a factor: what type of business are you in and are there compliancy governance that require immutable technology?
Immutable cloud storage is ideal for clients seeking the highest level of protection for their data. But what does it mean to be “immutable”? In computing, an immutable object is one whose state can’t be changed or modified after its creation. The opposite of this would be a mutable object, which can be modified once it has been created. Taking it a step further, the term “immutable storage” is applied to stored data that cannot be changed or deleted.
As it turns out, many solutions that utilize both public and private clouds for backup and recovery are mutable. They can still be corrupted by hackers, who are increasingly targeting backup systems to make it impossible for organizations to recover from a ransomware attack.
Multiple Levels of Security
Datto SIRIS backs up data to the immutable Datto Cloud. A purpose-built backup and recovery cloud, the Datto Cloud’s immutable design provides maximum security and reliability for clients.
Multiple security layers are necessary to build an immutable cloud. In the case of Datto SIRIS, for example, it starts with mandatory two-factor authentication (2FA) for access to the cloud-based administration portal. All data is encrypted at rest in the cloud and optionally in the local hardened SIRIS appliance, helping to secure client data before it’s replicated in the cloud.
Once a granular backup or “snapshot” has been taken, additional safeguards contribute to backup security. In the case of SIRIS, a post-backup ransomware scan is performed to ensure the data has not been infected by ransomware.
Advanced Backup Verification with patented Screenshot Verification adds an additional layer of confidence, virtualizing and test-booting virtualized servers to detect any backup issues, assuring that backups will boot with all data intact and free from ransomware. Once the ransomware scan and advanced backup verification have been performed, backups are replicated to the secure Datto Cloud via AES 256 encryption.
Smart File Systems
The choice of file system is critical to immutable storage. Datto selected ZFS (the Zettabyte File System) for backup storage in the Datto Cloud. ZFS is also specified for Datto appliances including SIRIS and ALTO.
ZFS is an advanced file system that is combined with a logical volume manager, and cannot be corrupted. It provides copy-on-write snapshots, zero-copy writable clones, data compression, and deduplication. In addition, ZFS provides support for massive storage capacities, as well as continuous integrity checking and automatic data repair.
Data integrity is a key characteristic of ZFS, which includes end-to-end checksums and data authentication at multiple levels in its file structure. It excels at data integrity protection by detecting and addressing silent data corruption scenarios, including phantom writes, data corruption on the drive, misdirected reads, and accidental overwrites. The net/net is that ZFS cannot be corrupted by ransomware.
Cloud Deletion Defense also contributes to the immutability of the Datto Cloud. With its ability to “undelete” an accidental or malicious deletion, Cloud Deletion Defense provides yet another protection layer to clients.
Immutability Matters
Hackers are on the prowl, malware is lurking, and erroneous deletion is always a danger, making fully protected backups essential for preserving essential data. Immutable cloud storage is the key to reliable recovery when business systems are compromised.
Datto backups are immutable. Additionally, Datto has implemented several security updates in recent years, making access to the Datto backup environment more secure.
Contact a Rhyme IT professional to assess the security of your data and backup plans.
Resources: Datto | The Managed Service Provider Technology Company & Collabrance | Master Managed Services Provider | Master MSP