🔐 Public Preview: Backup Immutability for Azure SQL Database LTR Backups

Microsoft

Sep 30, 2025

The Ransomware Threat Landscape

Ransomware attacks have become one of the most disruptive cybersecurity threats in recent years. These attacks typically follow a destructive pattern:

Attackers gain unauthorized access to systems.

They encrypt or delete critical data.

They demand ransom in exchange for restoring access.

Organizations without secure, tamper-proof backups are often left with no choice but to pay the ransom or suffer significant data loss. This is where immutable backups play a critical role in defense.

🛡️ What Is Backup Immutability?

Backup immutability ensures that once a backup is created, it cannot be modified or deleted for a specified period. This guarantees:

Protection against accidental or malicious deletion.

Assurance that backups remain intact and trustworthy.

Compliance with regulatory requirements for data retention and integrity.

🚀 Azure SQL Database LTR Backup Immutability (Public Preview)

Microsoft has introduced backup immutability for Long-Term Retention (LTR) backups in Azure SQL Database, now available in public preview. This feature allows organizations to apply Write Once, Read Many (WORM) policies to LTR backups stored in Azure Blob Storage.

Key Features:

Time-based immutability: Locks backups for a defined duration (e.g., 30 days).

Legal hold immutability: Retains backups indefinitely until a legal hold is explicitly removed.

Tamper-proof storage: Backups cannot be deleted or altered, even by administrators.

This ensures that LTR backups remain secure and recoverable, even in the event of a ransomware attack.

📜 Regulatory Requirements for Backup Immutability

Many global regulations mandate immutable storage to ensure data integrity and auditability. Here are some key examples:

Region	Regulation	Requirement
USA	SEC Rule 17a-4(f)	Requires broker-dealers to store records in WORM-compliant systems.
	FINRA	Mandates financial records be preserved in a non-rewriteable, non-erasable format.
	HIPAA	Requires healthcare organizations to ensure the integrity and availability of electronic health records.
EU	GDPR	Emphasizes data integrity and the ability to demonstrate compliance through audit trails.
Global	ISO 27001, PCI-DSS	Require secure, tamper-proof data retention for audit and compliance purposes.

Azure’s immutable storage capabilities help organizations meet these requirements by ensuring that backup data remains unchanged and verifiable.

🕒 Time-Based vs. Legal Hold Immutability

⏱️ Time-Based Immutability

Locks data for a predefined period (e.g., 30 days).

Ideal for routine compliance and operational recovery.

Automatically expires after the retention period.

📌 Legal Hold Immutability

Retains data indefinitely until the hold is explicitly removed.

Used in legal investigations, audits, or regulatory inquiries.

Overrides time-based policies to ensure data preservation.

Both types can be applied to Azure SQL LTR backups, offering flexibility and compliance across different scenarios.

🧩 How Immutability Protects Against Ransomware

Immutable backups are a critical component of a layered defense strategy:

Tamper-proof: Even if attackers gain access, they cannot delete or encrypt immutable backups.

Reliable recovery: Organizations can restore clean data from immutable backups without paying ransom.

Compliance-ready: Meets regulatory requirements for data retention and integrity.

By enabling immutability for Azure SQL LTR backups, organizations can significantly reduce the risk of data loss and ensure business continuity.

✅ Final Thoughts

The public preview of backup immutability for Azure SQL Database LTR backups is a major step forward in ransomware resilience and regulatory compliance. With support for both time-based and legal hold immutability, Azure empowers organizations to: