Immutable Backup System Features

Having an immutable backup system is no longer optional—it’s survival. But here’s the thing: immutability alone isn’t enough to protect your organization from ransomware attacks and data destruction. If bad actors can compromise your backup infrastructure through weak authentication or misconfigured access controls, your fancy immutable backup system becomes worthless. I’ve seen it happen too many times.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/

Let me be clear about something: ransomware is now the number one reason organizations restore from backups. Not hardware failure. Not someone accidentally deleting files. Ransomware. And the attackers know exactly where your crown jewels are stored—in your backup system. That’s why hardening your backup infrastructure isn’t just good practice anymore. It’s the difference between recovering from an attack and going out of business.

Multi-Factor Authentication: Not All MFA Is Created Equal

Your immutable backup system absolutely needs multi-factor authentication, but SMS-based MFA is terrible. I’ll say it again: SMS-based MFA is terrible. Why? Because SMS messages can be intercepted, SIM cards can be swapped, and there’s a whole industry built around compromising SMS-based authentication.

So what should you use instead? At minimum, time-based one-time passwords (TOTP) using apps like Google Authenticator or Authy. Better? Hardware tokens like YubiKeys that support FIDO2 and WebAuthn standards. Best? Passkey authentication, which uses public-key cryptography and is phishing-resistant by design.

Think about it this way: the person who has full administrative access to your backup system can overwrite everything in your data center, delete all your backup configurations, and wipe out all your recovery points. That’s an incredibly powerful position—and we often give it to junior people or protect it with nothing more than a password and a text message. That’s insane.

Secure Remote Access Without RDP

Here’s my controversial take: turn off RDP. Just turn it off. Remote Desktop Protocol has become such a massive attack vector that you’re better off not using it at all. There are better ways to manage remote access to your backup infrastructure.

Good: Use a VPN combined with a bastion host to create a jumping point for accessing your systems. This at least adds a layer of security between the internet and your critical infrastructure.

Better: Implement a SaaS-based remote management platform from a company that specializes in secure access. These companies live and breathe security, and they’re probably better at it than you are at managing a bastion host.

Best: Hardware-based remote management systems that plug directly into your infrastructure. Yes, they’re more expensive and potentially more complex, but they’re also more secure. Your immutable backup system deserves that level of protection.

I get pushback on this. People tell me they need RDP for various legitimate reasons. Fine. But at minimum, never expose RDP directly to the internet, implement certificate-based authentication if you must use it, and restrict access through VPN. Better yet, use one of the many RDP alternatives that were designed with security in mind from the ground up.

Role-Based Access Control: Division of Powers

RBAC—role-based access control—goes hand in hand with the principle of least privilege access. Here’s the reality: the backup administrator is literally the most powerful person in your company from a data destruction standpoint. They can destroy more data, faster, than anyone else in the organization. And we often don’t treat that role with the gravity it deserves.

With proper RBAC implementation for your immutable backup system, you can divide responsibilities. One person can run backups but not configure them. Another can configure backups but not perform restores. Someone else can do restores but not modify backup policies. Each of these represents a different level of trust and a different attack surface.

For larger organizations, consider implementing four eyes authentication for destructive operations. What’s four eyes? It’s not Curtis with glasses—it’s two people authenticating before certain actions can be performed. Why would you want this for something like changing backup configurations? Because a malicious actor or rogue admin could modify your backup schedule to run once a week instead of daily, or change your retention to keep only one copy instead of following the 3-2-1-1-0 rule. Before you know it, your immutable backup system isn’t protecting you anymore because there’s nothing being backed up.
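The division of duties and the four-eyes rule described above, as an added example (mine, not the author's code and not any backup product's API): each role carries a single verb, the delete verb is granted to nobody at all, and a policy change that weakens protection (a less frequent schedule, fewer copies, or immutability switched off) is forced through a second, distinct approver. Role names, permission strings and the "weakening" test are constructed for this example; every decision is written to an audit list so a denial is visible rather than silent.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Permission names are constructed for this example, not a specific product's API.
RUN_BACKUP = "backup:run"
CONFIGURE_POLICY = "policy:configure"
RESTORE = "restore:run"
DELETE_RECOVERY_POINT = "recovery_point:delete"
APPROVE = "change:approve"

# Separation of duties: no role carries more than one powerful verb, and no role
# can delete recovery points at all (if you can delete them, so can the attacker).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "backup_operator": frozenset({RUN_BACKUP}),
    "policy_admin": frozenset({CONFIGURE_POLICY}),
    "restore_operator": frozenset({RESTORE}),
    "security_approver": frozenset({APPROVE}),
}

# Verbs that always need a second pair of eyes, should a role ever be granted them.
ALWAYS_FOUR_EYES = {DELETE_RECOVERY_POINT}


@dataclass
class User:
    name: str
    roles: Set[str]

    def permissions(self) -> Set[str]:
        perms: Set[str] = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return perms


@dataclass
class BackupPolicy:
    interval_hours: int    # how often the job runs
    retention_copies: int  # how many recovery points are kept
    immutable: bool        # whether recovery points are locked against deletion


def weakens_protection(old: BackupPolicy, new: BackupPolicy) -> bool:
    """True if the change backs up less often, keeps fewer copies, or drops immutability."""
    return (new.interval_hours > old.interval_hours
            or new.retention_copies < old.retention_copies
            or (old.immutable and not new.immutable))


class BackupAuthz:
    def __init__(self) -> None:
        self.audit: List[str] = []

    def _deny(self, user: User, permission: str, reason: str) -> bool:
        self.audit.append(f"DENY user={user.name} perm={permission} reason={reason}")
        return False

    def _four_eyes_ok(self, user: User, permission: str, approver: Optional[User]) -> bool:
        """A distinct second person holding the approve verb must sign off."""
        if approver is None:
            return self._deny(user, permission, "second approver required")
        if approver.name == user.name:
            return self._deny(user, permission, "self-approval not allowed")
        if APPROVE not in approver.permissions():
            return self._deny(user, permission, f"{approver.name} lacks approve permission")
        return True

    def authorize(self, user: User, permission: str, approver: Optional[User] = None) -> bool:
        """Role check first, then the four-eyes rule for always-gated verbs."""
        if permission not in user.permissions():
            return self._deny(user, permission, "role lacks permission")
        if permission in ALWAYS_FOUR_EYES and not self._four_eyes_ok(user, permission, approver):
            return False
        suffix = f" approver={approver.name}" if approver else ""
        self.audit.append(f"ALLOW user={user.name} perm={permission}{suffix}")
        return True

    def authorize_policy_change(self, user: User, old: BackupPolicy, new: BackupPolicy,
                                approver: Optional[User] = None) -> bool:
        """Configuring policy is a policy_admin task; any weakening change needs four eyes."""
        if CONFIGURE_POLICY not in user.permissions():
            return self._deny(user, CONFIGURE_POLICY, "role lacks permission")
        weakening = weakens_protection(old, new)
        if weakening and not self._four_eyes_ok(user, CONFIGURE_POLICY, approver):
            return False
        self.audit.append(f"ALLOW user={user.name} perm={CONFIGURE_POLICY} weakening={weakening}")
        return True


if __name__ == "__main__":
    authz = BackupAuthz()
    alice = User("alice", {"policy_admin"})
    bob = User("bob", {"security_approver"})
    daily = BackupPolicy(interval_hours=24, retention_copies=30, immutable=True)
    weekly_one_copy = BackupPolicy(interval_hours=168, retention_copies=1, immutable=True)
    print(authz.authorize_policy_change(alice, daily, weekly_one_copy))       # False: needs approver
    print(authz.authorize_policy_change(alice, daily, weekly_one_copy, bob))  # True: four eyes
    print(*authz.audit, sep="\n")
```

The point of `weakens_protection` is that "change the schedule" is not one permission: tightening a policy is routine administration, while loosening it is the move the post warns about (weekly instead of daily, one copy instead of 3-2-1-1-0), so only the loosening direction pays the four-eyes cost. The audit lines are what a monitoring team would forward to a SIEM so a stream of denials from one account is noticed.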

Considering Outside Help

The final thing to think about is whether you should hand over some or all of your backup security to specialists. This could mean working with a managed security service provider (MSSP) who actively monitors and secures your backup infrastructure. Or it could mean moving to SaaS-based data protection where you’re putting the security of your backups in the hands of a company for whom this is their core business.

Now, I’m not saying blindly trust any vendor. Trust but verify. Ask about penetration testing. Ask about their security certifications. Ask if they support passkey authentication—and if they stare at you blankly, maybe look somewhere else. Ask about immutability and whether you have the ability to delete backups. Because here’s my rule: if you can delete the backups, then so can the bad guy.

Look, I get it. Nobody wants to admit they need help. But backup security has become incredibly complex, and the consequences of getting it wrong have never been higher. Companies are going bankrupt because they couldn’t recover from ransomware attacks. Jaguar Land Rover is still trying to recover. Asahi Brewing Company spent months trying to get back online. This is serious business.

The Bottom Line on Immutable Backup System Security

Immutability is table stakes. But it’s only the foundation. You need to layer on strong authentication, secure access methods, granular access controls, and potentially outside expertise to truly protect your backup infrastructure. These aren’t nice-to-have features. They’re survival requirements in an era where ransomware is the primary threat to your data.

The human is the weakest link in every security chain. Your job is to make it as hard as possible for humans—whether malicious or merely careless—to compromise your backup system. Because when ransomware hits, your immutable backup system is the only thing standing between recovery and disaster.

Get these security measures right. Your future self will thank you when you’re restoring from a ransomware attack instead of explaining to your board why the company is going under.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.