Immutable backups play an increasingly important role in helping companies protect themselves from the catastrophic impact of ransomware. Businesses and the data they produce are continually changing, so your day-to-day production data must also remain changeable, or mutable.
Immutable data is unchangeable. If all of your data were immutable, you could never change it; you couldn’t update a spreadsheet, correct a typo in a document or add a record to a database. While immutable data would make it challenging for ransomware to change your data, it’s not practical for daily business.
However, there is one kind of data you can safely make immutable: your backup data. Having immutable backups as your last line of defense is a useful data backup strategy against ransomware and other threats.
In this post, I’ll cover topics like what an immutable backup is, how it works, why it’s important and what to look for. You’ll learn that backup and recovery solutions are now back at the forefront of protecting your business, partly because of problems like ransomware.
What is an immutable backup?
An immutable backup is a set of backup data that, once written, cannot be changed in any way. That means you can’t change it, your CIO can’t change it, the manufacturer of the backup system can’t change it, nobody can change it. Not even ransomware can change it.
While this sounds great it does come with a challenge. If we are going to set our backups to be immutable then we must understand the data retention polices that the business has. Why is this important? If you set the retention too long, you may find yourself having to add more storage as the immutable backups cannot be removed. Careful planning, sizing and clarifying of business retention polices will be needed.
How do immutable backups work?
Once data is written, backup software configures a setting that prevents the data from being modified or deleted. In effect, it changes the status of the data to read-only.
This prevents an attacker’s malware from altering or deleting the data. That’s a good first step, but it does not prevent malware from exfiltrating or reading the data. That’s where encryption comes in.
Can immutable backups be encrypted?
Yes. A good backup and storage solution should encrypt your data rather than storing it in a recognizable format, because the goal is to make the data as useless as possible to bad actors.
Keep in mind that—especially in the context of ransomware—cybercriminals have one or two main goals.
The first goal is to prevent you from using your backup data to thwart their ransom demand. To that end, they write malware designed to delete your backups. Or, the malware may encrypt your backups with their own key, which they sell you.
The second goal is to make money from your data, usually by exfiltrating a copy of it to a computer that they control and that you cannot find. Thus, besides holding your data hostage while it’s still inside your network, they hold it hostage a second time.
In both cases, it’s to your advantage to have an immutable backup that you have encrypted with your own key. It thwarts their first goal because they can neither delete nor encrypt (modify) your backup data. And it thwarts their second goal because, even if they manage to smuggle out a copy of your backup data, they cannot read it without your encryption key.
Check. And checkmate.
How have immutable backups evolved?
From the 80s to the 00s almost all backups were immutable. That’s because backing up was seen as an administrative task designed to help recover information in the event of a hardware failure or accidental deletion. Companies backed up their data from disks to tapes, then stored the tapes securely, preferably off-site. In effect, that was a kind of immutable backup; off of the network, tapes are tamper-proof and secure. In case of disaster, the admins retrieved the tape, put it into the drive and restored the backed-up data.
Then, technology changed a few things:
- The amount of data your company generates skyrocketed.
- Data protection requirements changed.
- The per-gigabyte cost of disks (storage) plummeted.
- The speed of disks soared.
These changes caused a step change with the backup technology and processes. You can back up much more data in much less time to disk than to tape. This allowed companies to back up to disks initially, then gradually move those backups to tape after a while. But every millisecond that your backup data is on a disk in a computer connected to your network (before you write it to tape), it’s effectively ‘online’. It’s accessible, as opposed to being taken off-site, the way tapes were.
We have now had another transformation in technology that has changed things again, cloud. While tape was predominately used to take data off-site, there is now another option, cloud storage.
Enter ransomware, cyberattacks, intrusions and data breaches. The threat actors launching those attacks against your network now take aim at the data not only on your computers and servers but also in your backups. Why? Because they know that if you’re attacked, you’ll want to restore from backups. So they try to render your backups unusable, or they try to delete them altogether.
That’s why immutable backups have evolved so much and why backup solutions are once again in the limelight of network security.
Why are immutable backups so critical?
With immutable backups, you add more protection to your backup and recovery solutions, which are an appealing target for bad actors and the last line of defense your business has.
Just as your company makes plans about your production applications, infrastructure and data, it must also plan for immutable backups. Start your planning by answering these questions:
- How big is our backup data set?
- How much storage space do we have?
- For how long will we retain each backup data set?
If you make an immutable backup of your data today and it takes up 20 terabytes, it’s going to take up 20 terabytes for as long as you retain it. That means that you’ll have to plan for storage space, because you won’t have the option of deleting or modifying today’s backup should you run out of space. (If you could delete or modify the backup, it wouldn’t be immutable.)
Planning the capacity of a disk target for immutable backups becomes almost as important as the immutability itself. If size times retention is greater than the storage space you have, don’t reduce retention just to fit the data. Instead, increase your storage space to ensure you’re meeting the minimum requirements for your business and for cyber insurance.
The benefits of immutable storage backups
The key benefits of immutable backups include the following:
- Read-only. Immutable backup data is configured so that it cannot be modified.
- Can’t be encrypted by ransomware. Because the data cannot be modified, it cannot be encrypted or otherwise damaged by ransomware
- Can’t be deleted. Moreover, immutable backup data cannot be deleted from the file system or media on which it is stored.
- Improves data availability. Knowing that their backup data is unassailable, IT administrators are assured that the data will be available for recovery in case of disaster or outage.
- Reduced risk of ransomware payments. Cybercriminals have far less leverage on a company that knows its backup data is safe and always available. Softer targets are easy for them to find.
Key questions to ask when talking about immutable backups
As mentioned, backup and recovery will be your last line of defense against cyberattacks. When you evaluate immutable backup products, put yourself in the shoes of the attacker and pose some hard questions.
1. Can I gain access at a lower level?
I (as the attacker) discover that the backup data is immutable, I know that my malware won’t be able to encrypt it all and hold it hostage. Can I get access to the data at a lower level? Can I log into the operating system where the data is being stored?
The best defense against that includes the usual best practices for network security, such as very strong passwords, multi-factor authentication and access only to users who need it.
2. Can I change the system clock?
Let’s say I discover that data immutability was specified by time — say, for 90 days. Can I just hack the clock in the operating system and move it forward 90 days, past the end of immutability?
A real-world clock is too easy to crack, so well-engineered immutable systems don’t rely on that. Instead, they measure time internally. So even if you left the system powered off for 90 days, when you turned it back on again, it would know that 90 operating days had not elapsed. The backup would still be immutable.
3. Can I delete data from the backup application?
I obtain credentials and privileged access to the backup software. Can I log in as an administrator and delete those backups?
This answer should be “no.” Once the backup data is written and flagged as immutable, nobody should be able to change that — not even the software vendor. Because if anybody can change it, then you’d better believe that an attacker can.
4. Can I use known default passwords or back doors?
If I look in the right places long enough, can I find a default password or back door, and log into the backup application that way?
This answer should also be “no.” Back doors and default passwords are the worst-kept secrets on the internet. If the product is sold with a default password, it should be changed to a strong password before any data is stored. Smart vendors of backup software also prohibit the use of default passwords from obsolete versions of their own products.
Any means of recovering from a lost or forgotten password becomes an avenue of entry for potential attackers.
5. Can I change the immutability time frame from the backup application?
If hacking the system clock doesn’t work, can I change the time frame settings in the application?
This answer should be “no.” The only change — if any — that you should be able to make is to prolong immutability. That would make the attacker’s job even more difficult. You shouldn’t be able to shorten immutability and you shouldn’t be able to delete the data through the backup application.
How does access control play a role in immutable backups?
You control access to assets like backup data because not everybody needs access to everything. In the same way that few people in the organization need access to the data in Human Resources and Finance, almost nobody needs access to backup data.
Access control is driven by the question, “Which resources on the network does this user need for their tasks?” The risk grows as the organization grows and the question drifts into “Which resources on the network might this user need someday?” Giving users more access than they need is a frictionless approach to network administration, but it is short-sighted and fraught with risk.
Protect all your systems, applications and data.
Role-based access control, in which access and permissions are tied to the user’s work role, is one way to mitigate that risk. It ensures that users will not abuse privileges and access resources unduly. More to the point, it reduces the risk of a bad actor taking advantage of a user account that has more privileges than it should have.
In the context of immutable backups, some companies address access control by disassociating their backup system from their production network running, for example, Active Directory. That way, if their production system is compromised, their backup system is not vulnerable to an attack.
Conclusion
Immutable backups are necessary in hardening backup data, which is the last line of your organization’s defense in case of disaster or catastrophic breach. They balance IT’s need to protect and retain data against the never-ending efforts of cybercriminals to wreak havoc and extort money with ransomware.
The ideal of immutable backups is air-gapped, network-inaccessible data storage. In the context of short and medium-term storage, immutable backups combine the speed of disk storage with the security of encryption and read-only access.
