Cybersecurity Glossary

What is Immutable Backup?

An immutable backup is a backup copy that cannot be modified or deleted for a defined retention period, even by an administrator or an attacker with stolen credentials. Immutability is the single most important property for a ransomware-resistant backup strategy.

  • Required by most cyber insurance
  • Core to SOC 2, HIPAA, PCI
How It Works

How Immutable Backup works

Three-step view of how it operates in practice.

1. Write: a backup copy is created on WORM (Write Once, Read Many) storage or with object lock technology.

2. Lock: the copy is marked immutable for a retention window — days, weeks, or years — during which it cannot be changed.

3. Restore: if production data is encrypted or corrupted, the immutable copy remains usable for recovery. The attacker cannot delete it.
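The write, lock and restore steps above, as an added example that is not part of the original glossary entry or any vendor's code. It is a constructed in-memory model of a WORM store: once an object carries a retain-until timestamp, neither an overwrite nor a delete succeeds before that time, whoever asks, and retention can only be extended. The class and method names are assumptions made for illustration; Object Lock in compliance mode on real cloud storage enforces the same rules.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


class ImmutabilityError(PermissionError):
    """Raised when a locked object is modified or deleted before its retention expires."""


@dataclass
class LockedObject:
    data: bytes
    retain_until: Optional[datetime] = None  # None means not yet locked (still mutable)


@dataclass
class WormStore:
    """Constructed model of an object-lock bucket (assumption: not a real API)."""
    objects: Dict[str, LockedObject] = field(default_factory=dict)

    def write(self, key: str, data: bytes, now: datetime) -> None:
        existing = self.objects.get(key)
        if existing and existing.retain_until and now < existing.retain_until:
            raise ImmutabilityError(f"{key} is locked until {existing.retain_until.isoformat()}")
        self.objects[key] = LockedObject(data)

    def lock(self, key: str, retention_days: int, now: datetime) -> datetime:
        obj = self.objects[key]
        new_until = now + timedelta(days=retention_days)
        # Retention may be extended but never shortened, as in compliance mode.
        if obj.retain_until and new_until < obj.retain_until:
            raise ImmutabilityError("retention period cannot be shortened")
        obj.retain_until = new_until
        return new_until

    def delete(self, key: str, now: datetime, actor: str = "admin") -> None:
        obj = self.objects[key]
        # The check does not depend on who the actor is: admins and attackers alike are refused.
        if obj.retain_until and now < obj.retain_until:
            raise ImmutabilityError(f"{actor} cannot delete {key} before {obj.retain_until.isoformat()}")
        del self.objects[key]

    def restore(self, key: str) -> bytes:
        return self.objects[key].data


def demo() -> dict:
    """Walk through write -> lock -> deletion attempt -> restore and report each outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = "backup-2024-01-01.tar"          # constructed sample object name
    store = WormStore()
    store.write(key, b"full backup contents", now=t0)
    store.lock(key, retention_days=30, now=t0)

    results = {}
    t_attack = t0 + timedelta(days=5)      # day 5: stolen admin credentials are used
    try:
        store.delete(key, now=t_attack, actor="stolen-admin")
        results["delete_during_retention"] = "allowed"
    except ImmutabilityError:
        results["delete_during_retention"] = "blocked"
    try:
        store.write(key, b"encrypted garbage", now=t_attack)
        results["overwrite_during_retention"] = "allowed"
    except ImmutabilityError:
        results["overwrite_during_retention"] = "blocked"
    # The restore step still returns the original bytes.
    results["restore_intact"] = store.restore(key) == b"full backup contents"
    # Day 31: the retention window has elapsed, so lifecycle cleanup may now remove the copy.
    store.delete(key, now=t0 + timedelta(days=31))
    results["delete_after_retention"] = "allowed"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take from the model is the shape of the check in `delete` and `write`: the decision is made on the object's retention timestamp, not on the caller's role, which is why a compromised administrator account gains nothing against a locked copy.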

Immutable Backup Variants

Immutability mechanisms

A clear breakdown of the common variants.

  • Object Lock (S3): AWS, Azure, and Wasabi all offer Object Lock at the cloud storage level. Backup tools can target this directly. (Most common)
  • Linux hardened repo: a Linux server holds the backup files with an immutability attribute set at the filesystem level, and the account the backup software uses cannot clear that attribute or remove the files until the retention window ends. No separate storage service is needed. (Convenient)
  • Air-gapped tape or USB: the media is physically disconnected once the backup is written (tapes in a vault, USB drives taken offline), so nothing reachable over the network can touch it. Restores are slower and manual. (Strongest)
  • Vendor-native immutability: immutable storage tiers built into the backup vendor's own appliance or cloud service, switched on in the product rather than at the storage layer.

Why It Matters

Why Immutable Backup matters for SMBs


94% of ransomware attacks attempt to target backup repositories. Source: Veeam Data Protection Trends Report, 2024.
Pitfalls

Common Immutable Backup mistakes

  • Backup credentials equal admin credentials: if a domain admin can delete backups, ransomware can delete backups. Backup accounts need separate credentials and MFA.
  • Immutability only on the latest copy: locking just the most recent restore point leaves every older copy deletable. Apply the lock to the whole retention chain so a restore point from before the intrusion is still there.
  • No regular restore tests: immutable but untested backups aren't proven backups. Quarterly restore drills confirm they work.
  • Skipping SaaS backup: M365 and Google Workspace aren't backed up natively. A third-party immutable SaaS backup closes this gap.
Common Questions

Immutable Backup frequently asked questions

  • Is the 3-2-1 rule still enough? Yes — expanded. 3-2-1-1-0: three copies, on two different media types, one offsite, one immutable or air-gapped, with zero errors on verification.
  • Air-gapped vs. immutable: air-gapped means physically disconnected (tapes in a vault, USB drives offline). Immutable means logically locked for a retention window but still online. Both resist ransomware; immutable is more convenient.
  • How long should the retention window be? At least as long as your longest ransomware dwell time — for most SMBs, 30-90 days. Attacker dwell times are shrinking (average 10 days per Mandiant 2024), but some campaigns plant and wait.
  • Is cloud storage immutable by default? No. Default cloud storage is fully mutable. Object Lock, S3 versioning with MFA Delete, or vendor-specific immutable tiers must be explicitly configured.
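The 3-2-1-1-0 rule and the retention-versus-dwell-time guidance above, turned into an inventory check as an added example that is not part of the original glossary entry or any vendor's tooling. The `BackupCopy` fields, the check function and the two sample inventories are constructed for illustration; the rule it applies is the one stated in the FAQ, plus the pitfall about immutability covering only the latest copy.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy in the inventory (constructed schema, assumption for this example)."""
    name: str
    media: str             # e.g. "disk", "object", "tape"
    offsite: bool
    immutable: bool        # object lock or hardened repository
    air_gapped: bool       # physically disconnected media
    retention_days: int    # how long the lock or vaulting actually protects the copy
    verify_errors: int     # errors reported by the last restore / verification test


def check_3_2_1_1_0(copies: List[BackupCopy], min_retention_days: int = 30) -> List[str]:
    """Return a list of findings; an empty list means the inventory satisfies 3-2-1-1-0.

    min_retention_days defaults to the low end of the 30-90 day range the FAQ gives for SMBs.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need at least 3")
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        findings.append(f"2: all copies on one media type ({', '.join(sorted(media_types)) or 'none'})")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    protected = [c for c in copies if c.immutable or c.air_gapped]
    if not protected:
        findings.append("1: no immutable or air-gapped copy")
    else:
        # A lock shorter than the dwell time leaves the pre-intrusion restore point deletable.
        longest = max(c.retention_days for c in protected)
        if longest < min_retention_days:
            findings.append(
                f"1: protected copies retained {longest} days, below the {min_retention_days}-day minimum"
            )
    bad = [c.name for c in copies if c.verify_errors > 0]
    if bad:
        findings.append(f"0: verification errors on {', '.join(bad)}")
    return findings


# Constructed sample inventories (not real environments).
COMPLIANT = [
    BackupCopy("local-nas", media="disk", offsite=False, immutable=False, air_gapped=False,
               retention_days=14, verify_errors=0),
    BackupCopy("s3-objectlock", media="object", offsite=True, immutable=True, air_gapped=False,
               retention_days=60, verify_errors=0),
    BackupCopy("tape-vault", media="tape", offsite=True, immutable=False, air_gapped=True,
               retention_days=365, verify_errors=0),
]

WEAK = [
    BackupCopy("local-nas", media="disk", offsite=False, immutable=False, air_gapped=False,
               retention_days=14, verify_errors=0),
    # Lock applied to the newest restore point only: 7 days, the "latest copy" pitfall.
    BackupCopy("cloud-mirror", media="disk", offsite=True, immutable=True, air_gapped=False,
               retention_days=7, verify_errors=2),
]


if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("weak", WEAK)):
        result = check_3_2_1_1_0(inventory)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Each finding is prefixed with the digit of the rule it fails, so the output reads directly against 3-2-1-1-0. The retention check only looks at protected copies on purpose: a long-retained but mutable copy does nothing for the "1" that matters against ransomware.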

Can ransomware reach your backups?

Talk to a LogicalNet expert. We will review your current environment and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day