According to the Risk to Resilience: 2025 Ransomware Trends and Proactive Strategies report, out of the 1,300 ransomware victims surveyed, 89% had their backup repositories targeted. In fact, 17% of organizations that opted to pay the ransom reported they couldn’t retrieve their data, despite giving in to the attacker’s demands.
With cyber threats persisting, it’s not surprising that most companies have adopted immutable and air-gap technologies (i.e., survivable storage) to ensure their data recovery efforts aren’t hindered by ransomware and that they can recover their minimum viable business.
This blog explores the differences between air-gap and immutable backup technologies and how organizations can leverage these solutions in their cyber resiliency strategy.
Why Air-Gapped Backups Matter Today
An air-gap backup isolates your critical data by separating it from the network — by physically removing the drive, disconnecting the network ports, or using digital methods of blocking network traffic. The benefits of air-gapping backups include the following:
- Protection against ransomware and other malware. Since these backups aren’t accessible from the backup server or elsewhere on the network, it’s harder for attackers to access or corrupt them. An attacker needs to be physically present and have the proper access credentials to delete the data. If the backups are properly ejected/isolated and stored under controlled conditions (e.g., temperature, humidity, and protection from dirt/dust), the chances of a failed recovery are low.
- Prevention of unauthorized access and data breaches. It’s best practice for air-gapped backups to have an extra layer of protection in the form of encryption. This ensures that if an attacker gains access to your backups, they can’t restore them and view the contents. Compare this to a scenario where you have a local backup of your domain controller without encryption, and a bad actor restores your backup on their server. They can now leisurely farm your credentials to prepare for an attack on your production systems. Encryption of the backups (especially those off-site) is critical to preventing unauthorized users from accessing the company’s sensitive data.
- Preservation of data integrity. This ensures the contents of the backup haven’t been altered. Both accuracy and consistency are crucial for regulatory compliance and reliable recovery. For organizations in health care, government, finance, etc., retention periods for various types of data can range from years to indefinitely, and some cases require maintaining a secure chain of custody. Failure to comply with industry regulations can result in hefty fines and significant damage to your brand.
The Power of Immutable Backups in Modern Cybersecurity
An immutable backup is a copy of data protected by role-based access controls and other authentication measures that can’t be changed or deleted until a set time has expired. However, it isn’t offline like an air-gap backup, as it’s stored on a device accessible via the internet or network. Multiple technology vendors leverage this type of immutability, whether on-premises or in the cloud, in the form of object locks, secure snapshots, and the hardened repository from Veeam.
Immutability is essential in an environment where cyberattacks are becoming increasingly common. It helps protect against ransomware attacks and insider threats, preventing unauthorized parties from altering the data in the backups. Even if an attacker gains physical access to an immutable backup, the damage they can do is limited.
By combining air-gapped and immutable backups, organizations can protect their data from unauthorized access and maintain its integrity, even if the worst happens.
Air-Gapped vs. Immutable Backups
An immutable backup addresses some of the same survivability goals as an air-gap backup, but key differences exist. Both types of backup offer resistance against ransomware and support data compliance, but that’s where the similarities end.
A traditional air-gap backup, such as tape, can incur an additional cost for managing the media and working with vendors to store it properly. This also holds true for immutable storage, because the storage consumed can grow exponentially if data policies change.
Recovery Time Objectives (RTOs) also vary depending on the storage media used. For example, a business operating in a remote area with slow network connections or metered data might find recovering data from a cloud backup too slow for its requirements. In this instance, keeping tapes on-site provides a cost-effective and quick way to recover from ransomware attacks. Off-site/cloud backups act as a last line of defense.
In contrast, for a multinational organization that operates primarily online, using public cloud providers to store backups can offer a flexible and cost-effective storage option, with the ability to restore snapshots directly to the cloud, potentially saving weeks of downtime.
One Veeam client, the water company GORI, switched to Veeam as part of a broader plan to strengthen its ability to recover from cyber incidents. GORI had an existing backup strategy but found it was labor-intensive to manage. The company switched to Veeam Data Cloud Vault, a preconfigured and fully managed cloud storage solution offering immutable and logically air-gapped protection for backups.
Veeam Data Cloud enables GORI to recover on-premises systems and Microsoft 365 more quickly than its previous backup solution and facilitates regulatory compliance, thanks to its use of the 3-2-1-1-0 rule. The company benefits from increased resilience and improved RTOs.
With Veeam, customers can build a data-resilient strategy that works for them. The choice between air-gapping and immutability isn’t an either/or situation. Just as VM replicas aren’t backups and vice versa, air-gapped backups aren’t necessarily immutable backups. Both technologies exist to help organizations recover data faster. Leveraging them in tandem increases the chance of successful recovery after a cyber event.
Overview of Cyber-Resilient Strategies
Step 1 – Ensure Survivable Backup Targets
For decades, air-gap backup storage was the most trusted option companies could leverage to protect their critical assets from most threats. Write Once, Read Many (WORM) via tapes or rotating hard drives ensured data, once ejected and moved off-site, would be recoverable in the event of a disaster. Resilient data storage, such as tapes, is now used alongside hybrid cloud approaches, and in some cases, air-gapped storage is falling out of favor.
Immutability has become more common as it offers similar functionality to WORM, with less overhead for managing the media, but it traditionally remains reachable on the network. When building cyber-resilient and disaster recovery strategies, both air-gap and immutable storage have pros and cons. Using both options together offers an extra layer of resilience.
It’s best practice to maintain multiple copies of critical data. The traditional 3-2-1 rule recommends three copies of your data, using at least two media types, with one copy kept off-site. For most Veeam deployments, your production data is [Copy 1, media type = disk], the backup data on the local repository is [Copy 2, media type = disk], and you keep a third copy off-site for disaster recovery [Copy 3, media type = disk, cloud, or tape].
Most organizations have adopted this practice and expanded beyond the 3-2-1 rule into the 3-2-1-1-0 rule to incorporate immutability as an extra layer of protection against cyber threats. The added 1-0 suggests that one copy be kept offline (made inaccessible via air-gap or immutability) and that backups have zero errors (tested and validated). This helps ensure the highest level of data recoverability from any disaster.
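As an added example (not from the original post and not part of any Veeam tooling), the checker below evaluates a backup inventory against each component of the 3-2-1-1-0 rule and reports which ones fail. The inventory fields, the `min_lock_days` threshold, and both sample inventories are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Copy:
    name: str
    media: str                     # "disk", "tape" or "cloud"
    offsite: bool
    production: bool = False       # Copy 1 in the rule is the live data
    offline: bool = False          # air-gapped: ejected or disconnected
    lock_days_left: int = 0        # remaining immutability period, 0 = mutable
    verify_errors: Optional[int] = None  # None = never restore-tested

def check_3_2_1_1_0(copies: List[Copy], min_lock_days: int = 7) -> List[str]:
    """Return the rule components the inventory fails (empty list = compliant)."""
    failed = []
    backups = [c for c in copies if not c.production]
    if len(copies) < 3:
        failed.append("3: fewer than three copies of the data")
    if len({c.media for c in copies}) < 2:
        failed.append("2: all copies share one media type")
    if not any(c.offsite for c in backups):
        failed.append("1: no backup copy is off-site")
    # Survivable copy: offline, or locked for at least min_lock_days more
    # (min_lock_days is an assumed policy value, not a figure from the page).
    if not any(c.offline or c.lock_days_left >= min_lock_days for c in backups):
        failed.append("1: no backup copy is offline or immutable")
    # Zero errors: an untested backup is treated the same as a failed one.
    bad = [c.name for c in backups if c.verify_errors != 0]
    if bad:
        failed.append("0: untested or failing backups: " + ", ".join(bad))
    return failed

# Constructed inventories, not data from the page.
DISK_ONLY = [
    Copy("production", "disk", offsite=False, production=True),
    Copy("local-repo", "disk", offsite=False, lock_days_left=2, verify_errors=0),
    Copy("dr-site", "disk", offsite=True),
]
HARDENED = [
    Copy("production", "disk", offsite=False, production=True),
    Copy("local-repo", "disk", offsite=False, lock_days_left=14, verify_errors=0),
    Copy("vault-tape", "tape", offsite=True, offline=True, verify_errors=0),
]

if __name__ == "__main__":
    for label, inv in (("disk-only", DISK_ONLY), ("hardened", HARDENED)):
        print(label, check_3_2_1_1_0(inv) or "compliant")
```

The disk-only inventory has three copies and an off-site target, yet still fails on media diversity, on the survivable copy (its lock expires too soon), and on the never-tested DR copy.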
The modern version of having off-site backups often means using cloud storage and storing the data in different data centers. This is a particularly useful backup strategy because it protects against local incidents, such as theft or fires, and widespread natural disasters. A flood or earthquake that significantly damages an entire city could wipe out the backups stored at your business premises, but it’s unlikely to impact the copy stored at a Google, Microsoft, or Amazon data center several hundred miles away.
Veeam has taken it a step further with Veeam Data Cloud Vault. Veeam Vault is a cloud storage solution that receives Veeam Data Platform backups and is built specifically to help fulfill the 3-2-1-1-0 rule principles above. Backed-up data is available for fast recovery and is always placed in a write-once, read-many state, as well as encrypted by default, to stop bad actors from encrypting, deleting, or modifying your backups.
Step 2 – Reduce Access Opportunities
Now, it’s all about access management and making it difficult for bad actors to get a foothold on your systems to view or change your data. To protect against this, you must adopt a cyber-resilient posture and consider external and insider threats.
Here, everything on your production site should have proper access controls in place. Use Veeam ONE to monitor the production environment for suspicious activity and run reports to verify that your workloads are protected and have encrypted, immutable backups. Next, define user account roles with proper separation of duties to ensure only relevant individuals can work with your backups. Implement Four Eyes Authorization to ensure key actions require the approval or verification of at least two authorized individuals. Finally, enable multifactor authentication (MFA) on your Veeam Backup Server to prevent malicious actors from accessing it, even if an employee’s login credentials are compromised.
Use an immutable target as your first backup media to allow for recovery in the event of bugs, cyber threats, or accidental data deletions. Most importantly, test these backups with Veeam Recovery Plans frequently to verify their integrity. This gives you peace of mind that you won’t have issues recovering in the event of a cyberattack or other disasters.
Your third copy should be kept off-site, encrypted, and offline or air-gapped. Natural disasters and unauthorized user access aren’t the only reasons keeping a siloed copy offline and off-site is beneficial. Data integrity, legal disputes, and data compliance/retention rules may not be typical data loss events, but they should be a consideration in your incident response plans.
If you store backups in the cloud and your business operates in an industry with strict regulatory requirements, it’s vital to consider that when selecting a cloud provider and configuring the backups. Depending on your industry, you may need to use a compliant cloud service (rather than the public cloud) and pay close attention to encryption and access controls to ensure the security and integrity of your data.
Step 3 – Regular Testing and Updating
It’s crucial to keep your backup and recovery software up to date and to stay current on developments in the security and disaster recovery industry so you’re always well-protected against ransomware and other cyberthreats.
You should also test your backups and recovery processes. You need to confirm your backups are working, error-free, and fully comprehensive. One useful strategy is to run simulations of potential disasters, such as a server outage, hardware failure, or ransomware attack. How quickly can you recover your critical data? Do your backups have all the data needed to resume normal operations or minimum viable business?
Redo these simulations periodically to verify your backups are still comprehensive. All too often, changes in your organization’s daily procedures can lead to data being omitted from backups. Shadow IT is a common issue: employees using unauthorized or undocumented tools may depend on them for their workflows, but your IT department may not have included the relevant folders or files in its backup plans.
By testing your backups frequently, you can ensure your backup coverage is complete and your recovery processes will work when needed.
Protect Your Data With Veeam
In the Risk to Resilience Report, 69% of the 1,300 surveyed organizations were struck by a ransomware attack. The report also found that organizations with more successful responses were more likely to have the following in their ransomware response plan: backup verifications and frequencies, backup copies and assured cleanliness, containment or an isolation plan, alternative infrastructure arrangements, and a pre-defined chain of command.
As organizations look to adopt more cyber-resilient data protection strategies, Veeam continues to form strong partnerships with hardware and cloud vendors, making it easier to adopt immutable backup repositories, air-gap solutions, or (as a best practice) both.
Our software offers immutability with Microsoft Azure, Direct to S3 with Immutability, enhanced tape backups, and Veeam Vault, helping organizations improve the efficiency of their backups and better defend themselves against the impact of ransomware infections. Veeam Vault offers seamless integration within the Veeam ecosystem, providing Veeam Data Platform users with an accessible and secure immutable storage solution.