How Do Data Backup Systems Become “Truly Immutable” and Inaccessible to Threat Actors?


When discussing with clients the merits of data backups as a means of cyber defense — and resiliency — I will use the word “immutability.” The simple explanation of immutability is that the data can’t be altered, encrypted, or deleted by any means; it is essentially locked down against threat actor attacks.

“Immutability” is a big and complex word in the context of data backup technology. It’s also a necessary and important term for cybersecurity practitioners steeped in backup technology, so further explanation and examination are required.

First of all, know that not all immutable backups are created equal, nor are they all configured properly. Many security solutions label backups as “immutable” based on software flags or settings that can be easily reversed if an attacker gains administrative access, which creates a false sense of security.

Immutability means zero override capability

In a truly immutable backup system, even root or administrator-level users are unable to modify, delete, or overwrite data until the defined retention period has expired. When implemented in software, this requires a robust, multi-layered security framework. Proper configuration includes strict access controls, multi-user authorization, and enforced multifactor authentication (MFA) to prevent unauthorized changes and ensure data integrity.

Attackers often target backup systems first. If your backup immutability can be disabled or bypassed, your last line of defense is gone. True immutability ensures backups remain untouched even in worst-case scenarios. Additionally, auditability and compliance depend on the integrity of backup systems. Regulatory frameworks increasingly require provable data integrity. As such, truly immutable backups provide a defensible position during audits and investigations.

The truth about “claimed” immutability

Service providers who market “immutability” likely rely on software configurations or permissions that can often be overridden or misconfigured. For example, policy-based forms of claimed immutability may use access control lists (ACLs), software flags, or permissions that privileged users can potentially reverse. Improper backup configuration or lack of enforcement can allow modification or deletion of data, and any design that lets admins alter or delete data by bypassing or changing controls degrades immutability. Too often, I see what amounts to security through obscurity, meaning the controls are focused more on preventing accidental changes than on withstanding targeted attacks.

Know that ransomware attackers who gain privileged access to an IT network can still delete or encrypt backups. Moreover, malicious insiders or compromised accounts can override immutability that is only claimed — for example, backup software with retention settings but no hardware enforcement, or cloud backups without object lock or versioning.

Best practices to attain true immutability

To aspire to true backup immutability:

  • Use object-lock capable storage with compliance mode, not governance mode.
  • Implement air-gapped or offline backups, such as tape or cold storage.
  • Limit or monitor admin access with MFA and auditing.
  • Regularly test backup immutability with simulated attacks.
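To make the difference between the first bullet and the "claimed" immutability of the previous section concrete, here is an added example (not code from the original article and not Fenix24 tooling): a small offline model of a backup object store with three retention styles, compliance mode, governance mode, and a plain software flag, plus a check of the kind the last bullet asks for. The store, the actor privileges, the `ROOT` account and the clock are all constructed for the demo; the `can_bypass_governance` right stands in for an IAM-style bypass permission and is an assumption, not any vendor's API.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

COMPLIANCE, GOVERNANCE, FLAG = "COMPLIANCE", "GOVERNANCE", "FLAG"
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo

@dataclass
class Actor:
    name: str
    is_admin: bool = False
    can_bypass_governance: bool = False  # hypothetical right, like an IAM-style bypass permission

@dataclass
class LockedObject:
    data: bytes
    mode: str
    retain_until: datetime
    immutable_flag: bool = True  # only consulted in FLAG mode

class ObjectLockStore:
    def __init__(self):
        self.objects: dict[str, LockedObject] = {}
        self.audit: list[str] = []

    def put(self, key, data, mode, retain_days, now=DEMO_NOW):
        self.objects[key] = LockedObject(data, mode, now + timedelta(days=retain_days))

    def clear_flag(self, key, actor):
        # "Immutability" as a software flag: any admin can simply switch it off.
        obj = self.objects[key]
        if obj.mode != FLAG or not actor.is_admin:
            raise PermissionError(f"{actor.name} may not clear the flag on {key}")
        obj.immutable_flag = False
        self.audit.append(f"{actor.name} cleared immutable flag on {key}")

    def set_retention(self, key, actor, new_until):
        obj = self.objects[key]
        if obj.mode == COMPLIANCE and new_until < obj.retain_until:
            # Compliance mode: retention can be extended but never shortened, by anyone.
            raise PermissionError(f"compliance retention on {key} cannot be shortened")
        if obj.mode == GOVERNANCE and not actor.can_bypass_governance:
            raise PermissionError(f"{actor.name} lacks governance bypass for {key}")
        obj.retain_until = new_until
        self.audit.append(f"{actor.name} set retention on {key} to {new_until.isoformat()}")

    def delete(self, key, actor, now=DEMO_NOW, bypass_governance=False):
        obj = self.objects[key]
        locked = now < obj.retain_until
        if obj.mode == COMPLIANCE and locked:
            raise PermissionError(f"{key} is under compliance retention; no account can delete it")
        if obj.mode == GOVERNANCE and locked and not (bypass_governance and actor.can_bypass_governance):
            raise PermissionError(f"{key} is under governance retention")
        if obj.mode == FLAG and obj.immutable_flag:
            raise PermissionError(f"{key} still has its immutable flag set")
        del self.objects[key]
        self.audit.append(f"{actor.name} deleted {key}")

ROOT = Actor("root", is_admin=True, can_bypass_governance=True)  # worst case: a fully privileged account

def build_demo_store(now=DEMO_NOW):
    store = ObjectLockStore()
    for mode in (COMPLIANCE, GOVERNANCE, FLAG):
        store.put(f"backup-{mode.lower()}.tar", b"constructed backup bytes", mode, 30, now)
    return store

def survives_privileged_deletion(store, key, actor, now=DEMO_NOW):
    """The 'test immutability' bullet as a check: against a copy of the store, replay
    each override path a compromised privileged account would have, then report
    whether the object is still present."""
    trial = copy.deepcopy(store)
    overrides = (
        lambda: trial.clear_flag(key, actor),
        lambda: trial.set_retention(key, actor, now - timedelta(seconds=1)),
        lambda: trial.delete(key, actor, now, bypass_governance=True),
    )
    for override in overrides:
        try:
            override()
        except PermissionError as denied:
            trial.audit.append(f"DENIED: {denied}")
    return key in trial.objects

def survival_report(now=DEMO_NOW):
    store = build_demo_store(now)
    return {key: survives_privileged_deletion(store, key, ROOT, now) for key in store.objects}

def compliance_copy_deletable_after(days, now=DEMO_NOW):
    """Compliance mode is time-bound, not permanent: once retention lapses, normal deletion works."""
    store = build_demo_store(now)
    try:
        store.delete("backup-compliance.tar", ROOT, now + timedelta(days=days))
    except PermissionError:
        return False
    return True
```

Running `survival_report()` shows only the compliance-mode copy outliving a fully privileged account; the governance-mode copy falls to the bypass right, and the flag-protected copy falls to a single admin action. `compliance_copy_deletable_after(31)` returns `True`, which is the point of the retention period: compliance mode does not make data undeletable forever, it makes it undeletable by anyone until the defined period has expired.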

A key consideration around immutability is the ability of backups to survive a breach. It means that even if threat actors gain access, they cannot tamper with or destroy the backups. However, Fenix24 statistics collected from the front lines of breach investigations show that 84% of the time, critical backups do not survive threat actor incursions. Of the 16% that do survive, 50% cannot provide a suitable recovery timeline, and 33% of the data will be unrecoverable, corrupted, damaged, or deleted.

Fenix24’s internal research also shows that 90% of organizations cannot meet their stated RTOs (recovery time objectives). Meanwhile, 86% have no survivable backup copies, and 76% knowingly do not have all known critical data backed up.

The inevitability of breach

The hard truth is that you will likely be attacked. No defense is impregnable. Assume a breach will happen at some point. Threat actor tactics are evolving among nation-states, ransomware gangs, and insider threats, and many defensive strategies and technologies that are assumed to resist them are not effective.

My parting advice is that when evaluating managed backup solutions, it’s critical to understand how immutability is enforced, for example through WORM-enabled (Write Once, Read Many) storage, and to ensure that administrative actions require multi-party approval. Remember, the most secure systems enforce change controls that require authorization from multiple administrators before any modification is executed, reducing the risk of insider threats or accidental misconfigurations.
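The multi-party change control described in this closing advice, as an added example (not the article's or Fenix24's code): a toy approval workflow in which a destructive backup-administration change needs a quorum of distinct, MFA-verified administrators, the requester can never count as an approver, and every decision lands in an audit log. The administrators, their secrets and the change request are constructed; `mfa_code_for` is a stand-in that binds a per-admin secret to one request and is an assumption standing in for a real TOTP or WebAuthn check.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Admin:
    name: str
    mfa_secret: bytes  # constructed stand-in for a real MFA enrolment (TOTP seed, security key, ...)

@dataclass
class ChangeRequest:
    request_id: str
    action: str
    requester: str
    approvals: set = field(default_factory=set)
    executed: bool = False

def mfa_code_for(admin, request_id):
    # Stand-in for an MFA verifier: a code tied to this admin and this specific request.
    # A real deployment would verify a TOTP or WebAuthn assertion here instead.
    return hmac.new(admin.mfa_secret, request_id.encode(), hashlib.sha256).hexdigest()[:8]

class ChangeControl:
    """Destructive actions need `quorum` distinct approvers, each MFA-verified;
    a requester never counts as their own approver."""

    def __init__(self, admins, quorum=2):
        self.admins = {a.name: a for a in admins}
        self.quorum = quorum
        self.requests = {}
        self.audit = []

    def submit(self, requester, action, request_id):
        if requester not in self.admins:
            raise PermissionError(f"{requester} is not an enrolled administrator")
        self.requests[request_id] = ChangeRequest(request_id, action, requester)
        self.audit.append(f"{requester} requested '{action}' as {request_id}")
        return self.requests[request_id]

    def approve(self, request_id, approver, mfa_code):
        req = self.requests[request_id]
        admin = self.admins.get(approver)
        if admin is None:
            raise PermissionError(f"{approver} is not an enrolled administrator")
        if approver == req.requester:
            raise PermissionError("a requester cannot approve their own change")
        if not hmac.compare_digest(mfa_code, mfa_code_for(admin, request_id)):
            self.audit.append(f"MFA failure for {approver} on {request_id}")
            raise PermissionError(f"MFA verification failed for {approver}")
        req.approvals.add(approver)
        self.audit.append(f"{approver} approved {request_id} ({len(req.approvals)}/{self.quorum})")
        return len(req.approvals)

    def execute(self, request_id):
        req = self.requests[request_id]
        if req.executed:
            raise PermissionError(f"{request_id} was already executed")
        if len(req.approvals) < self.quorum:
            raise PermissionError(f"{request_id} has {len(req.approvals)} of {self.quorum} approvals")
        req.executed = True
        self.audit.append(f"EXECUTED {request_id}: {req.action}")
        return True

# Constructed administrators; the secrets are demo values only.
ADMINS = [Admin("alice", b"alice-demo-secret"), Admin("bob", b"bob-demo-secret"), Admin("carol", b"carol-demo-secret")]

def attempt(step):
    """Run one step and report 'ok' or the denial reason, so the walk-through is plain data."""
    try:
        step()
        return "ok"
    except PermissionError as denied:
        return f"denied: {denied}"

def walkthrough():
    """One retention-policy change driven through the control, step by step."""
    cc = ChangeControl(ADMINS, quorum=2)
    rid = "chg-0001"
    cc.submit("alice", "shorten retention on vault 'prod-backups' to 1 day", rid)
    return {
        "execute_with_no_approvals": attempt(lambda: cc.execute(rid)),
        "requester_self_approval": attempt(lambda: cc.approve(rid, "alice", mfa_code_for(ADMINS[0], rid))),
        "approval_with_wrong_mfa": attempt(lambda: cc.approve(rid, "bob", "00000000")),
        "bob_approves": attempt(lambda: cc.approve(rid, "bob", mfa_code_for(ADMINS[1], rid))),
        "execute_with_one_approval": attempt(lambda: cc.execute(rid)),
        "carol_approves": attempt(lambda: cc.approve(rid, "carol", mfa_code_for(ADMINS[2], rid))),
        "execute_with_quorum": attempt(lambda: cc.execute(rid)),
        "replay_execute": attempt(lambda: cc.execute(rid)),
        "audit_entries": len(cc.audit),
    }
```

The dictionary returned by `walkthrough()` reads as the sequence an auditor would want to see: a single compromised or careless admin cannot push the change through alone, a failed MFA attempt is logged rather than silently ignored, and an executed request cannot be replayed. The rule that matters for immutability is the quorum check in `execute`: however privileged the requester, no retention or deletion change happens until other administrators have independently authorized it.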

Brian Frank: Brian Frank is the Director of Technical Services at Fenix24, where he leads a team of engineers responsible for managing, designing, and maintaining solutions for clients. Throughout his career, Brian has focused on serving enterprise clients in various roles, using his expertise to collaborate closely with client teams to address and solve challenges. His strategic approach and commitment to excellence ensure that client needs are met accurately and efficiently, fostering long-term partnerships based on trust and success.