Immutable Data Backups Explained and How It Works in MSP360

When you back up your data, one of the worst scenarios imaginable is losing your data due to ransomware or another type of cyberattack. Data protection is a burning issue right now due to these attacks, and the best way to keep your data safe is to use the most current cybersecurity technologies, such as immutable backups.

What Is Immutability (Object Lock)

Immutability offers complete immunity to any changes to your data, providing a significant leap forward in keeping your data safe. An immutable backup is a copy of your dataset that cannot be modified, deleted, or overwritten. The data saved in an immutable storage format remains fixed due to the WORM (write-once-read-many) mechanism. This mechanism ensures that a backup dataset is locked safely away from any type of alteration.

Importance of Immutable Backups

Immutability (object lock) is currently the highest level of backup protection possible. Immutable backups are not prone to ransomware, unattended access, or human factors. Even if you lose all your data, an immutable backup will help you to rebuild everything from scratch, using clean, uncorrupted data. Here are some examples where immutable backups can help:

• If an intruder gains access to the server or endpoint using some malware. This is one of the most widespread threat types, and intruders often go further, aiming to delete all your backups, so that you can’t just restore your data instead of paying the ransom. Immutable backups are the best way to protect your data from this threat type, as no one except employees you trust can erase or overwrite anything from the backup dataset.
• If you fall under compliance that requires you to store several copies of your data. The immutable backup is a guarantee that these copies are completely accurate and will remain in the unchanged state until the immutability period ends.
• If you encounter a disaster and lose all your data. Backup storage in this case acts like a blood donor; it provides you with an appropriate volume of data for transfusion, so that you can continue running your business. This data, like blood, should be of appropriate quality – sufficient amount, no viruses, etc. Immutability ensures that your “blood” set is exactly the same as it was when you sent it to the storage – fully compatible with your business.

Further reading How to Meet Cyber Insurance Requirements with MSP360 Immutable Backups

How It Works

When you choose to create an immutable backup, you enable object lock. Object lock prevents a dataset from being altered within a given period of time. During this time, the dataset is WORM-protected, which means that it can be read, but nothing can be written to or deleted from this set. After the retention period expires, the lock fades and the backup dataset loses its immutability. Of course, you can set an indefinite period, but the relevance of data decreases with time, so there aren't many cases when it is worth keeping the data forever.

Immutable backups are bulletproof to ransomware attacks because the data that was backed up can’t be altered. There’s always a guaranteed clean copy for recovery if your entire environment is hit by ransomware.

How Immutability Works in MSP360 Managed Backup

In MSP360 Managed Backup, immutability is supported for Amazon S3, Wasabi and Backblaze B2 storage providers.

How to Enable Immutability (Object Lock) for Amazon S3

To create an immutable backup in MP360 Managed Backup, you need an Amazon S3 account. You can use an existing bucket with an enabled object lock feature inside your S3 account or create a new bucket inside the MSP360 Managed Backup control panel. To do this, proceed to the Storage / Storage Accounts section, choose an AWS account, and click the gear icon. Here, you can add a new bucket with immutability enabled or edit an existing bucket.

You’ll see the confirmation message. Read it, mark the I Confirm Enabling Immutability check box, and click Confirm.

You can check whether or not you switched it on in the Audit Log section on the Organization tab.

How To Enable Immutability (Object Lock) for Wasabi

To create an immutable backup in MP360 Managed Backup with Wasabi, select the existing account or create a new one in the MSP360 Managed Backup control panel.

To add a new destination for immutable backups with Wasabi, click Add Destination Bucket or edit an existing destination. In the Destination Bucket section, fill in the required data and tick the Allow Immutability box.

Depending on preferences, the dataset can be totally invulnerable to any changes or can be modified by users with specific permissions. These modes are called “Compliance” and “Governance”, respectively. The “Compliance” mode provides full immutability; even a root user cannot modify the protected data within the retention period you specify. The “Governance” mode allows alteration with permission; it can be used for testing immutability or when you want to protect backups from “regular” users, not admins. By default, immutability in MSP360 Managed Backup works in Governance mode.

How to Enable Immutability (Object Lock) for Backblaze B2

To create an immutable backup with Backblaze B2, go to the Storage tab, Storage Accounts section and either create a new backup destination or edit the existing one. You can enable immutability in the Destination Bucket section by selecting the Allow Immutability option.

By default, immutability in MSP360 Managed Backup works in Governance mode (the one that allows modifying with specific permissions), but you can change this later.

The next step is creating an immutable backup. In the Remote Management section, click the gear icon of the computer for which you want to create an immutable backup, then click Show Plans.

Choose a backup plan type and click Try New Format. Follow the wizard instructions. In the Where to Back Up step, choose the destination with immutability enabled.

When you reach the Retention Policy step, switch on the GFS feature and specify periods of retention for daily/weekly/yearly backups. Please note: you need at least one full backup scheduled weekly (or more often) for GFS to work.

Click Enable Immutability and confirm that you want to make backups unchangeable. Continue with the plan and run it.

Now, all the backups that fall under GFS retention policy will be immutable for the period of time you’ve specified here. That means that, for instance, if you choose to keep two weekly and two monthly GFS backups, no one (unless they have specific permissions – for the “Governance” mode) will be able to modify these four datasets until their periods of retention expire. The weekly backup will lose immutability after a week, and the monthly – after a month.

Before the specified period of time expires, an immutable backup cannot be deleted, unless you delete your storage account completely. Bear this in mind when you plan your budget, as you pay for the space immutable backups take up during this period.

MSP360’s Approach to Ransomware Protection

Immutability provides a high security level but it is not the only MSP360 feature that protects your data within the solution. MSP360 was designed to secure your data from ransomware and other threats. To name just a few options:

• Two-factor authentication. With this, you can prevent unattended access to the MSP360 Managed Backup control panel.
• IP Allowlisting. You can ban any IP but yours from access to the console.
• Different permission levels. Limit access to certain sections or settings in the MSP360 control panel for sub-admins and users.
• Restricted access for endpoint users. If a backup is not immutable, a user might delete something just by mistake. In Settings/General Agent Options, you can disable data deletion for your users or even choose not to show them the agent at all.
• Encryption and passwords. Encrypted data is much harder to steal.
• Activity logs. A system of logging and reporting allows you to keep an eye on everything that happens with your backups.

Keeping your data safe is our job. Immutable backups are another great addition to our security feature set. With immutability, your backups are even more protected, and it ensures that, in the event of a disaster, you’ll be up and running in a short period of time. Start using MSP360 Managed Backup to enable immutable backups and prepare for any kind of cyberattack. Should you have any questions, please contact us.