Azure Storage Blog

How Azure Backup Immutability helps you protect against Ransomware threats

Srinath Vasireddy
Nov 25, 2022

Ransomware attacks deliberately encrypt or erase data and systems to force your organization to pay money to attackers. These attacks target not just your data, but even your backups. The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your backup data - one such feature is Immutable Vault. 

 

Immutable Vault (currently in preview) can help you protect your backup data by blocking any operations that could lead to loss of existing recovery points. Enabling this property helps you ensure that recovery points, once created, cannot be deleted before their intended expiry. While this helps prevent data loss, you would not be able to perform certain operations on this vault and its protected items.

 

How does it protect

The following table summarizes the supported operations, their behavior (i.e. what's allowed and what's blocked), and support for each vault type.

 

| Operation Type | Blocked | Allowed | Backup Vault | Recovery Services Vault |
| --- | --- | --- | --- | --- |
| Stop protection with delete data | A protected item can't have its recovery points deleted before their respective expiry date. | You can still stop protection of the instances while retaining data forever or until their expiry. | Supported | Supported |
| Modify backup policy to reduce retention | Any actions that reduce the retention period in a backup policy are disallowed on Immutable vault. | You can make policy changes that result in the increase of retention. You can also make changes to the schedule of a backup policy. | Not Supported | Supported |
| Change backup policy to reduce retention | Any attempt to replace a backup policy associated with a backup item with another policy with retention lower than the existing one is blocked. | You can replace a policy with the one that has higher retention. | Not Supported | Supported |

 

How does it work

This is a vault-level property. It is an opt-in capability and is disabled by default. The following table summarizes the various states with screenshots:

 

Locking Immutability 

Once you enable this lock, it makes the immutability setting for the vault irreversible. This will prevent any malicious actors from disabling immutability and deleting backups. While this helps secure the backup data in the vault by preventing anyone, we recommend you make a well-informed decision when opting to lock. You can also test and validate how the current settings of the vault, backup policies, and so on, meet your requirements, and lock the immutability setting later.
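
An added example (not from the original post or from Microsoft): a small audit that flags vaults whose immutability is either not enabled or enabled but not yet locked, since only the locked setting is irreversible. The vault JSON is constructed, and the property path `properties.securitySettings.immutabilitySettings.state` with the values `Disabled`, `Unlocked` and `Locked` is an assumption about the Azure Resource Manager vault schema that should be verified against your API version.

```python
import json

# Constructed sample: vault resources in the shape assumed for Azure Resource
# Manager output (properties.securitySettings.immutabilitySettings.state).
SAMPLE_VAULTS = json.loads("""
[
  {"name": "rsv-prod", "type": "Microsoft.RecoveryServices/vaults",
   "properties": {"securitySettings": {"immutabilitySettings": {"state": "Locked"}}}},
  {"name": "rsv-test", "type": "Microsoft.RecoveryServices/vaults",
   "properties": {"securitySettings": {"immutabilitySettings": {"state": "Unlocked"}}}},
  {"name": "bv-sql", "type": "Microsoft.DataProtection/backupVaults",
   "properties": {"securitySettings": {"immutabilitySettings": {"state": "Disabled"}}}},
  {"name": "rsv-legacy", "type": "Microsoft.RecoveryServices/vaults",
   "properties": {}}
]
""")

# Both vault types covered by the table above, compared case-insensitively.
VAULT_TYPES = {"microsoft.recoveryservices/vaults",
               "microsoft.dataprotection/backupvaults"}


def immutability_state(vault):
    """Return the vault's immutability state; a missing setting counts as Disabled (opt-in feature)."""
    props = vault.get("properties") or {}
    settings = (props.get("securitySettings") or {}).get("immutabilitySettings") or {}
    return settings.get("state") or "Disabled"


def audit(vaults):
    """Return (name, state, reason) for every backup vault that is not Locked."""
    findings = []
    for vault in vaults:
        if vault.get("type", "").lower() not in VAULT_TYPES:
            continue  # not a backup vault, out of scope
        state = immutability_state(vault)
        if state == "Locked":
            continue  # irreversible, nothing to report
        if state == "Unlocked":
            reason = "immutability enabled but not locked; it can still be disabled"
        else:
            reason = "immutability not enabled; recovery points can be deleted before expiry"
        findings.append((vault.get("name", "<unnamed>"), state, reason))
    return findings


if __name__ == "__main__":
    for name, state, reason in audit(SAMPLE_VAULTS):
        print(f"{name}: {state} - {reason}")
```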

 

Updated Nov 30, 2022
Version 2.0