Secure backups are the cornerstone of any data protection and business continuity strategy. Immutability is an essential characteristic of secure backup solutions, and many organizations are adopting it as part of their cyber resilience policies and best practices. But what is an immutable backup, and why should your organization use this technology?
What Is Immutable Backup?
Immutable backups are backups that can’t be changed and can only be deleted under highly specific circumstances (such as when a specific period has passed since the backup was made). The data is held in immutable storage, so if you restore a backup, the data will be an exact snapshot of the moment the backup was made.
Data in an immutable backup is protected against tampering, accidental modifications or deletions, as well as encryption caused by ransomware. With cyberattacks on the rise, immutable backups are more important than ever.
Why Are Immutable Backups Important?
Immutable backups help you recover after a ransomware attack has encrypted your production data, and they serve other purposes as part of a resilient data protection strategy, such as preventing data loss through accidental changes or deletion.
A few years ago, a government agency was in the news after deleting a large number of files that affected multiple people outside their organization. After investigation, it was determined that this agency had no backups to recover because the files had expired or been deleted as part of a data cleanup exercise. Unfortunately, this was a highly public data loss event that drew negative publicity nationally and resulted in some individuals losing their jobs.
Many other companies have suffered from similar data loss events, whether accidental or malicious. They just haven’t been publicized.
Backup and immutability strategies drive stakeholders to outline the business service level agreements they need in order to balance data storage costs and data availability appropriately.
Immutable Backup vs. Traditional (i.e., Mutable) Backups
According to the 2024 Data Protection Trends Report, 75% of organizations admitted to having suffered from at least one cyberattack in 2023. Relying on traditional backup is no longer enough when it comes to cyber threats. Following the 3-2-1-1-0 rule and using immutability increases your chances of successful data recovery.
So, how can you leverage your current backup solution investment and implement immutable backups? Veeam provides several options for implementing immutable strategies and technologies, giving you peace of mind that your data is safe and secure.

With Veeam, it’s possible to use immutable backups in conjunction with traditional methods. While immutable backups may become the default for how most customers store their data, traditional backups can still be used to extend a policy outside the “recoverability zone” or to back up data that isn’t mission critical.
We recommend organizations follow the 3-2-1-1-0 backup rule.
- Three copies of the data
- On two different media
- With one copy being off-site
- And one copy being offline, air-gapped, or immutable
- And zero errors with SureBackup recovery verification
Immutable and traditional (mutable) backups are used together in an overall data protection strategy. For example, you can use traditional backups to hold data on-premises while storing a copy in off-site immutable storage on the cloud. Veeam simplifies the process of adopting an immutable backup strategy since you can send backups directly to object storage.
Benefits of Immutable Backups
There are many benefits of immutable backups beyond ransomware resilience, including:
- Data integrity and security
- Data corruption prevention
- Protection against cyberattacks
- Compliance with data regulations (e.g., GDPR)
- Reliable disaster recovery
- Faster RTOs to avoid searching for intact backups after the attack
- Higher RPOs
- Preservation of historical data
- Ensuring auditability and compliance
- Facilitating forensic analysis
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends using encrypted, immutable backups to help mitigate ransomware.
Implementing Immutable Backups
The process of implementing immutability depends on your choice of storage technology.
Veeam works with over 30 immutable storage partners, giving you unparalleled choice regarding data storage. Let’s examine a typical backup system and look at where you can add immutability and encryption to increase security and resilience.

The original data set is found on your production infrastructure. Here, primary storage providers can create immutable (i.e., read-only) volume snapshots of your workloads. This makes it easy to quickly recover from a recent data loss event. Veeam supports taking backups and recovering from storage snapshots to ensure the highest RPOs and RTOs.
Next, we have the Veeam infrastructure with proper access controls, including multi-factor authentication. This is separated from backup storage. If the original data is compromised, changed, or lost, the backup isn’t affected, and you have a copy to use for recovery.
Finally, you have an autonomous or isolated clean room with backup data, where you have multiple options for storage that take advantage of Veeam backup portability combined with immutability. Let’s break this down further.
Technology and Infrastructure
Immutable on-premises storage solutions include:
- Veeam Hardened Repository: This is for backups in a disk-based storage server. Server vendors include HPE, Cisco, Fujitsu, Huawei, NEC, Dell, Lenovo, and more. There are over 100 Veeam Ready – Repository partner products which take advantage of Veeam’s deduplication, compression, and XFS Block Cloning, including immutability.
- On-premises S3-compatible storage: Featuring object lock immutability with Veeam deduplication and compression, this option includes vendors such as ObjectFirst, Cloudian, DataCore, Dell, ExaGrid, Fujitsu, Scality, IBM, MinIO, Hitachi, SpectraLogic Black Pearl, and many others.
- Deduplication appliances: These are disk-based but have deduplication and compression built in. Specifically, Veeam and HPE StoreOnce have an integration for controlled data immutability (ISV-DI), which requires dual authorization. Others, such as ExaGrid, Quantum, and Infinidat, leverage time retention locks or secure snapshot technologies for immutability.
- Pure Storage FlashBlade//S: This is also an on-premises S3-compatible vendor that leverages object lock immutability and SafeMode Retention Lock as an added layer to protect against insider threats or the compromise of administrator credentials.
Immutable cloud-based options include the following:
- Veeam Data Cloud Vault is a fully managed, secure cloud storage resource designed to eliminate the complexities of managing infrastructure and unpredictable cloud cost models. Leveraging Microsoft Azure, Veeam Vault offers pre-configured, immutable, and air-gapped storage that is always encrypted, ensuring data security and resilience against cyber threats.
- Public providers, including AWS and Microsoft Azure, can provide immutability when you create an Amazon S3 bucket or Azure storage.
- Other Veeam partners such as Backblaze, Wasabi, and 11:11 Systems provide S3-compatible immutable cloud for Veeam backups.
- Ecosystem providers, including IBM and Veeam Cloud & Service Providers (VCSPs), provide immutability on the backend. They can also be used as disaster recovery sites that extend capabilities to replicate the most critical workloads to achieve low RTOs.
Backup Strategies and Best Practices
The vendors listed above have knowledge base articles covering best practices and validated architectures. This lets you adopt an immutable strategy easily. Once immutability is set for certain vendors, it can be difficult to change and sometimes becomes permanent. Therefore, it’s vital to understand your organization’s business SLAs and have agreed-upon retention policies that prevent mishaps for data storage. Consider the questions below when choosing the best technology for your organization.
- Duration: How fast would you be able to restore your business — 1 day, 1 week, 1 month, or longer? Having multiple recovery strategies is critical to prepare for any data loss event. A traditional snapshot-based backup leaves gaps and risks. Adding at least one immutable backup copy increases your chances of successful data recovery.
- How: Are manual or automated recovery processes in place, and in what order? An outage isn’t the time to determine what workloads to recover first and how long they could take. Having tested and updated documentation for business continuity/disaster recovery is critical, and Veeam can help provide this with Veeam Data Platform Premium Edition.
- Where: Which location have you designated for recovery? Is it the cloud, a service provider, or a second data center? You should consider off-site replication and geographical redundancy when creating a BC/DR plan. If a second site isn’t available, could you leverage a VCSP or a public cloud provider to get data off-site and immutable?
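The following is an added example, not part of the original article and not Veeam code: a check of an S3 Object Lock backup bucket against an agreed retention window, for the object-lock storage options and the retention-policy point above. Field names follow the S3 API responses for object-lock configuration, bucket versioning and object retention; the merged per-object record layout, the object keys and the 30-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

def audit_immutability(lock_cfg, versioning, objects, min_days):
    """Return findings for a backup bucket; an empty list means the policy is met."""
    findings = []
    if lock_cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: Object Lock is not enabled")
    if versioning.get("Status") != "Enabled":
        findings.append("bucket: versioning is not enabled")
    for obj in objects:
        key, retention = obj["Key"], obj.get("Retention")
        if not retention:
            findings.append(f"{key}: no retention, version can be deleted at any time")
            continue
        written = datetime.fromisoformat(obj["LastModified"])
        until = datetime.fromisoformat(retention["RetainUntilDate"])
        if retention["Mode"] != "COMPLIANCE":
            # GOVERNANCE locks can be lifted by any principal that holds
            # s3:BypassGovernanceRetention, e.g. a compromised admin account.
            findings.append(f"{key}: {retention['Mode']} mode lock can be bypassed")
        if until < written + timedelta(days=min_days):
            findings.append(f"{key}: lock ends {until.date()}, before the {min_days}-day window")
    return findings

# Constructed sample data (hypothetical keys and dates, not from a real bucket).
LOCK_CFG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
VERSIONING = {"Status": "Enabled"}
OBJECTS = [
    {"Key": "backups/full-0001", "LastModified": "2024-05-01T00:00:00+00:00",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2024-05-31T00:00:00+00:00"}},
    {"Key": "backups/incr-0002", "LastModified": "2024-05-02T00:00:00+00:00",
     "Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": "2024-06-01T00:00:00+00:00"}},
    {"Key": "backups/incr-0003", "LastModified": "2024-05-03T00:00:00+00:00",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2024-05-10T00:00:00+00:00"}},
    {"Key": "backups/meta.json", "LastModified": "2024-05-03T00:00:00+00:00",
     "Retention": None},
]

if __name__ == "__main__":
    for line in audit_immutability(LOCK_CFG, VERSIONING, OBJECTS, min_days=30):
        print(line)
```

A COMPLIANCE-mode lock cannot be shortened or removed by any account until it expires, which is why the retention window should be agreed before it is applied.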
Protect Your Data with Veeam
Veeam is a market leader when it comes to data security, recovery, and flexibility. Veeam Data Platform allows you to prohibit the alteration or deletion of data from backups on different types of backup repositories from hundreds of vendors.
If you need to secure your data and protect your organization from ransomware and other cyber threats, our backup and recovery solutions can help. Get started by downloading a free trial today or explore the Veeam community to get answers to common questions, access free training, and communicate with other users.
If you’re a managed services provider and reseller interested in helping your customers protect their data, partner with Veeam today to deliver data resilience solutions.