Cloud Immutability
<Beta version released in v14.0.4>
What is Cloud Immutability?
Cloud immutability means that once your backup data is saved in the cloud, it cannot be changed or deleted for a set period. This protects your cloud backups from cybercriminals, accidental mistakes, or intentional tampering. Even if ransomware infiltrates your systems, your immutable backups remain untouched, ensuring you have a clean copy to restore from.
Think of cloud immutability as a sealed vault with a timed release. Once your data is stored inside, it remains locked and untouchable until the set period expires. No one - not even you - can alter or delete it prematurely, ensuring that your cloud backups are always there when you need them most.
BackupAssist Classic Support for Cloud Immutability
BackupAssist Classic supports cloud immutability by integrating with the versioning and object locking features provided by supported cloud storage services. Instead of referencing standard file paths, BackupAssist tracks the version identifiers of storage objects/blobs, so backups remain recoverable even if an attacker attempts to overwrite or delete backup data.
Note:
1. Unlike standard cloud backup jobs, where BackupAssist automatically creates a cloud bucket or container for your backups, immutable cloud backup jobs require you to manually create and configure the bucket/container.
2. It is essential to correctly configure the immutability settings of your cloud storage to ensure your backups are properly protected and to avoid unexpected costs or insufficient data retention.
3. In addition to the Cloud Add-on, you will need to have an active BackupCare subscription to protect your cloud backups using Cloud Immutability.
BackupAssist supports immutable cloud storage for:
- Amazon S3
- Microsoft Azure
- Wasabi
- Other S3 compatible implementations that support versioning and object locking
Cloud Providers Configuration Instructions
Ensure your cloud storage is configured correctly for use with BackupAssist Classic by following the provider-specific guidelines below:

- Refer to How to create Microsoft Azure cloud storage for basic setup instructions.
- BackupAssist Classic supports the Immutable Storage feature for Azure Blob.
- Enable Versioning on the storage account.
- Create a new Container in the Azure console and enable version-level immutability.
Note:
BackupAssist does not support enabling immutability on existing containers with backups.
- Add an Immutable storage policy via the Access policy settings.
- BackupAssist recommends using container level policies rather than account level policies.
- Set a time-based retention policy aligned with your backup retention scheme:
  - Example: For 30 days of backups with weekday runs, use a 42-day (6-week) retention period.
- Lock the policy to prevent changes.

- Refer to How to create Amazon S3 cloud storage for basic setup instructions.
- BackupAssist Classic supports AWS S3 Object Lock.
- Create a new S3 bucket in the AWS console and enable Object Locking – see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html#object-lock-configure-new-bucket
Note:
1. Object Lock must be enabled at creation time. It cannot be added to existing buckets.
2. Object Lock, once enabled, cannot be disabled.
- See https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html#object-lock-configure-set-retention-period-object to configure the retention period and retention mode.
- Only Compliance Mode is supported; Governance Mode is not supported because it does not align with the goals of immutable backups.
- Set a time-based retention policy aligned with your backup retention scheme:
  - Example: For 30 days of backups with weekday runs, use a 42-day (6-week) retention period.
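As an added example (not BackupAssist's own code or tooling), the Python below checks a bucket's settings against the requirements listed above before a job is pointed at it. The sample responses are constructed in the shape returned by `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-versioning`; the function names are hypothetical, and it assumes a bucket default retention rule is used and that the page's 30-backup example rounds up to whole weeks.

```python
import json
import math

# Constructed sample responses (not real output), shaped like
# `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-versioning`.
SAMPLE_LOCK = json.loads("""
{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
""")
SAMPLE_VERSIONING = {"Status": "Enabled"}


def required_retention_days(backups_kept, runs_per_week):
    """Calendar days needed to cover `backups_kept` runs, rounded up to whole weeks."""
    return math.ceil(backups_kept / runs_per_week) * 7


def audit_bucket(lock_response, versioning_response, min_days):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    if versioning_response.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    config = lock_response.get("ObjectLockConfiguration", {})
    if config.get("ObjectLockEnabled") != "Enabled":
        # Object Lock cannot be added later, so the bucket must be recreated.
        findings.append("Object Lock is not enabled")
        return findings
    retention = config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention rule is set")
        return findings
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {retention.get('Mode')}, expected COMPLIANCE")
    # DefaultRetention carries either Days or Years; normalise to days.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention is {days} days, below the required {min_days}")
    return findings


if __name__ == "__main__":
    needed = required_retention_days(backups_kept=30, runs_per_week=5)  # the page's example
    for finding in audit_bucket(SAMPLE_LOCK, SAMPLE_VERSIONING, needed):
        print("FAIL:", finding)
```
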

- Refer to Wasabi Storage Guide for basic setup instructions.
- BackupAssist Classic supports Wasabi Object Lock.
Note:
1. Object Lock must be enabled during bucket creation and cannot be disabled later.
2. BackupAssist does not support Wasabi's bucket-level Compliance Mode, as it removes application-level control needed for secure backup management. See: https://docs.wasabi.com/docs/immutability-compliance-and-object-locking
- Create a new Wasabi bucket using Wasabi’s portal with Versioning and Object Locking enabled. See https://docs.wasabi.com/docs/object-locking.
- Configure object lock settings. See: https://docs.wasabi.com/v1/docs/object-locking-enable.
- Use Compliance Mode only; Governance mode is not supported because it does not align with the goals of immutable backups.
- Set a time-based retention policy aligned with your backup retention scheme:
  - Example: For 30 days of backups with weekday runs, use a 42-day (6-week) retention period.
Creating an immutable cloud backup job
To create a cloud backup job with immutability enabled, follow the steps below:
- Begin by following the instructions in Creating a Cloud Backup Job.
- In the Set up destination step in the Cloud Backup Wizard, tick the Enable cloud immutable backups checkbox to activate immutability for this job.
- Important Notes About Destination Setup
  - The Check destination… button only verifies access to an existing cloud bucket/container. It does not create a new container. You must manually create and configure the container or bucket in your cloud provider's portal ahead of time.
  - Ensure that the Backup retention policy aligns with the Cloud Provider’s immutability retention policy.
  - Immutable Cloud Backups are not backward compatible and will not function if you downgrade to BackupAssist version 14.0.3 or earlier.
  - See earlier documentation for guidance on creating a compliant container in your provider’s portal.
- No special recovery steps are required for immutable backups. You can restore data from an immutable cloud backup just as you would from a standard cloud backup.