Veeam recently released Veeam backup for Microsoft 365 v7, and the headline feature is backup immutability. Cirrus for Microsoft 365 has followed suit with an enhancement to our offering to allow an immutable backup copy to be created, so while there’s all this noise around immutability I thought I’d write a post on the subject.
What is backup immutability?
I asked ChatGPT and this is what it had to say:
“Backup immutability is a security feature that ensures that backups cannot be altered, deleted, or corrupted once they have been created. This means that even if an attacker gains access to the backup storage, they will not be able to modify the data in any way.”
This is a good high level definition but let’s dive in a little deeper.
Why is immutability important?
With the increasing prevalence of malicious actors looking to impact our businesses, particularly with ransomware attacks, backups are becoming more and more important to get a company back up and running quickly. These attackers are aware of this and increasingly attacks are starting with deletion of backups so that recovery is not possible. This is where immutable backups come in. With an immutable backup even a privileged admin account within your organisation cannot delete the backup, so no matter what accounts the hacker or disgruntled employee have access to, the backups are protected.
Are all immutable backups created equal?
Definitions of immutability vary in the industry, so don’t take a provider’s promise of immutability at face value. Our partner Veeam have a strict definition of immutability that relies on the capabilities of the underlying storage itself. If that underlying storage is able to be locked for a set time period with no capability to delete the data, then that can be considered to be truly immutable.
Are Cirrus for Microsoft 365 backups immutable?
By one measure it can be said that our Cirrus for Microsoft 365 backups have always been immutable, since there is no capability for a customer administrator to delete the backup data. We store data within Microsoft Azure with no external access to the underlying infrastructure. We also have strict internal controls in place and do not allow deletion of underlying storage infrastructure within the customer’s contract period.
However, as mentioned before, our partner Veeam have a stricter definition of immutability than most backup providers, and up to now this has not been supported for Microsoft 365 backups. Thankfully that has changed with the latest version of Veeam Backup for Microsoft 365 which uses features of Azure Storage to protect the backup data for the immutable time period.
How do I turn on immutable backups for Cirrus?
Immutability has a few implications. For one thing even we can’t delete your data during the immutability period, so part of the process of turning on immutability is agreeing an immutability period and a corresponding notice period for your Cirrus licence.
To illustrate: if you wish to have 6 month’s immutability we have to keep your data for that 6 months – so we need a commitment from you that you’ll give us 6 month’s notice if you wish to terminate your contract.
If you wish to add an immutable copy of your backup please get in touch with our support team so we can tailor the most suitable option for you, and discuss any implications.