Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology
Immutable Backups Explained

Immutable Data Backups Explained and How It Works in MSP360

Immutable Data Backups Explained and How It Works in MSP360

When you back up your data, one of the worst scenarios imaginable is losing your data due to ransomware or another type of cyberattack. Data protection is a burning issue right now due to these attacks, and the best way to keep your data safe is to use the most current cybersecurity technologies, such as immutable backups.

What Is Immutability (Object Lock)

Immutability offers complete immunity to any changes to your data, providing a significant leap forward in keeping your data safe. An immutable backup is a copy of your dataset that cannot be modified, deleted, or overwritten. The data saved in an immutable storage format remains fixed due to the WORM (write-once-read-many) mechanism. This mechanism ensures that a backup dataset is locked safely away from any type of alteration.

Further reading Beyond Technology: How Immutable Backup Builds Trust for MSPs

Importance of Immutable Backups

Immutability (object lock) is currently the highest level of backup protection possible. Immutable backups are not prone to ransomware, unattended access, or human factors. Even if you lose all your data, an immutable backup will help you to rebuild everything from scratch, using clean, uncorrupted data. Here are some examples where immutable backups can help:

  • If an intruder gains access to the server or endpoint using some malware. This is one of the most widespread threat types, and intruders often go further, aiming to delete all your backups, so that you can’t just restore your data instead of paying the ransom. Immutable backups are the best way to protect your data from this threat type, as no one except employees you trust can erase or overwrite anything from the backup dataset.
  • If you fall under compliance that requires you to store several copies of your data. The immutable backup is a guarantee that these copies are completely accurate and will remain in the unchanged state until the immutability period ends.
  • If you encounter a disaster and lose all your data. Backup storage in this case acts like a blood donor; it provides you with an appropriate volume of data for transfusion, so that you can continue running your business. This data, like blood, should be of appropriate quality – sufficient amount, no viruses, etc. Immutability ensures that your “blood” set is exactly the same as it was when you sent it to the storage – fully compatible with your business.

Further reading How to Meet Cyber Insurance Requirements with MSP360 Immutable Backups

How It Works

When you choose to create an immutable backup, you enable object lock. Object lock prevents a dataset from being altered within a given period of time. During this time, the dataset is WORM-protected, which means that it can be read, but nothing can be written to or deleted from this set. After the retention period expires, the lock fades and the backup dataset loses its immutability. Of course, you can set an indefinite period, but the relevance of data decreases with time, so there aren't many cases when it is worth keeping the data forever.

Immutable backups are bulletproof to ransomware attacks because the data that was backed up can’t be altered. There’s always a guaranteed clean copy for recovery if your entire environment is hit by ransomware.

How Immutability Works in MSP360 Managed Backup

In MSP360 Managed Backup, immutability is supported for Amazon S3, Wasabi and Backblaze B2 storage providers.

How to Enable Immutability (Object Lock) for Amazon S3

To create an immutable backup in MP360 Managed Backup, you need an Amazon S3 account. You can use an existing bucket with an enabled object lock feature inside your S3 account or create a new bucket inside the MSP360 Managed Backup control panel. To do this, proceed to the Storage / Storage Accounts section, choose an AWS account, and click the gear icon. Here, you can add a new bucket with immutability enabled or edit an existing bucket.

Add a New Bucket with Immutability Enabled

You’ll see the confirmation message. Read it, mark the I Confirm Enabling Immutability check box, and click Confirm.

Confirm Enabling Immutability

You can check whether or not you switched it on in the Audit Log section on the Organization tab.

Audit Log

How To Enable Immutability (Object Lock) for Wasabi

To create an immutable backup in MP360 Managed Backup with Wasabi, select the existing account or create a new one in the MSP360 Managed Backup control panel.

wasabi immutability

To add a new destination for immutable backups with Wasabi, click Add Destination Bucket or edit an existing destination. In the Destination Bucket section, fill in the required data and tick the Allow Immutability box.

wasabi immutability

Depending on preferences, the dataset can be totally invulnerable to any changes or can be modified by users with specific permissions. These modes are called “Compliance” and “Governance”, respectively. The “Compliance” mode provides full immutability; even a root user cannot modify the protected data within the retention period you specify. The “Governance” mode allows alteration with permission; it can be used for testing immutability or when you want to protect backups from “regular” users, not admins. By default, immutability in MSP360 Managed Backup works in Governance mode.

How to Enable Immutability (Object Lock) for Backblaze B2

To create an immutable backup with Backblaze B2, go to the Storage tab, Storage Accounts section and either create a new backup destination or edit the existing one. You can enable immutability in the Destination Bucket section by selecting the Allow Immutability option.

How to Enable Immutability (Object Lock) for Backblaze B2

By default, immutability in MSP360 Managed Backup works in Governance mode (the one that allows modifying with specific permissions), but you can change this later.

The next step is creating an immutable backup. In the Remote Management section, click the gear icon of the computer for which you want to create an immutable backup, then click Show Plans.

Show Plans

Choose a backup plan type and click Try New Format. Follow the wizard instructions. In the Where to Back Up step, choose the destination with immutability enabled.

Select Backup Storage

When you reach the Retention Policy step, switch on the GFS feature and specify periods of retention for daily/weekly/yearly backups. Please note: you need at least one full backup scheduled weekly (or more often) for GFS to work.

Retention Policy Settings

Click Enable Immutability and confirm that you want to make backups unchangeable. Continue with the plan and run it.

Confirm Enabling Immutability

Now, all the backups that fall under GFS retention policy will be immutable for the period of time you’ve specified here. That means that, for instance, if you choose to keep two weekly and two monthly GFS backups, no one (unless they have specific permissions – for the “Governance” mode) will be able to modify these four datasets until their periods of retention expire. The weekly backup will lose immutability after a week, and the monthly – after a month.

  New call-to-action

Example of GFS Settings

Before the specified period of time expires, an immutable backup cannot be deleted, unless you delete your storage account completely. Bear this in mind when you plan your budget, as you pay for the space immutable backups take up during this period.

MSP360 Managed Backup for Microsoft 365 and Google Workspace with Object Lock (Immutability)

We've also implemented the Object Lock (Immutability) feature for Microsoft 365 and Google Workspace Backup for AWS, Wasabi Hot Cloud Storage and Backblaze B2 to ensure that backup administrators have a robust data protection tool in place. With this feature, MSP360 Managed Backup strengthens protection against evolving security threats.

Object Lock for M365/Google Workspace

Object Lock M365/Google Workspace

MSP360’s Approach to Ransomware Protection

Immutability provides a high security level but it is not the only MSP360 feature that protects your data within the solution. MSP360 was designed to secure your data from ransomware and other threats. To name just a few options:

  • Two-factor authentication. With this, you can prevent unattended access to the MSP360 Managed Backup control panel.
  • IP Allowlisting. You can ban any IP but yours from access to the console.
  • Different permission levels. Limit access to certain sections or settings in the MSP360 control panel for sub-admins and users.
  • Restricted access for endpoint users. If a backup is not immutable, a user might delete something just by mistake. In Settings/General Agent Options, you can disable data deletion for your users or even choose not to show them the agent at all.
  • Encryption and passwords. Encrypted data is much harder to steal.
  • Activity logs. A system of logging and reporting allows you to keep an eye on everything that happens with your backups.

Keeping your data safe is our job. Immutable backups are another great addition to our security feature set. With immutability, your backups are even more protected, and it ensures that, in the event of a disaster, you’ll be up and running in a short period of time. Start using MSP360 Managed Backup to enable immutable backups and prepare for any kind of cyberattack. Should you have any questions, please contact us.

WP icon

New call-to-action
Steps for Keeping Backup Data Safe from Ransomware
  • Cloud and local backups protection
  • Backup and recovery operations
  • How to use backup software to centralize backup operations