Immutability is a feature that locks backup datasets for a period specified in the GFS retention policy settings. Within this period, backup data cannot be modified or deleted.
Immutable storage is closely tied to compliance mandates that impose specific data maintenance requirements. Immutability is also becoming more popular in backup and restore solutions because cybercriminals now aim their ransomware tools at backups as well.
Amazon Web Services (AWS) provides the ability to create immutable backup datasets on S3 by using the Object Lock feature. Object Lock seems best suited to preserving data in accordance with compliance requirements. It allows an administrator to specify a data retention period or to implement a legal hold that prevents data from being deleted until the hold is removed.
Immutability is now introduced in Backup for Windows and is linked to the GFS retention policy. If immutability is applied along with GFS settings, full backups that are subject to the GFS retention policy become immutable for the GFS keeping period.
For example, if in the GFS settings you enable weekly and monthly keeping periods of 2 weeks and 2 months respectively and then enable immutability, all weekly and monthly backups selected by the GFS keeping period assignment mechanism will be locked on backup storage, with no way to delete the data other than deleting the storage account.
In Backup for Windows version 7.2, the Immutability feature is in BETA.
Note that the immutability feature is supported for the new backup format only.
How It Works
Enable this feature for an appropriate storage account if you need to comply with regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset. In some cases, it could be easier to create a new bucket in the existing storage account for immutability purposes.
You can only enable Immutability for new buckets. If you want to turn on Immutability for an existing bucket, contact the storage provider's support team to find out whether they can help you.
Note that if your storage provider is AWS and you create a new bucket with the Immutability feature enabled, versioning for this bucket is automatically enabled.
If you create a bucket with Immutability enabled, you cannot disable it or suspend versioning for this bucket.
Generally, there are two retention modes for Immutability:
- Governance mode
- Compliance mode
These retention modes apply different levels of protection.
In Governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With Governance mode, objects in backup storage are protected against being deleted, but you can still delete the object, if necessary, in the AWS console.
While in BETA, all buckets with Immutability allowed are in Governance mode.
In Compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in Compliance mode, its retention mode cannot be changed, and its retention period cannot be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period defined in the GFS retention policy settings.
While in BETA, Compliance mode is unavailable.
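How much protection Governance mode gives depends on who holds the "special permissions" mentioned above; on AWS that is the `s3:BypassGovernanceRetention` permission. The following is an added example, not part of the product or its documentation: it scans a constructed IAM policy for statements that would grant that permission on objects in a hypothetical bucket named `example-backups`, evaluating only `Action` and `Resource`.

```python
import fnmatch

BYPASS = "s3:BypassGovernanceRetention"  # S3 permission that overrides Governance-mode locks

def _listify(value):
    return value if isinstance(value, list) else [value]

def _stmt_covers(stmt, object_arn):
    """True if the statement's Action and Resource both match the bypass on object_arn."""
    actions = [a.lower() for a in _listify(stmt.get("Action", []))]   # action names: case-insensitive
    resources = _listify(stmt.get("Resource", []))                    # ARNs: case-sensitive
    action_hit = any(fnmatch.fnmatchcase(BYPASS.lower(), a) for a in actions)
    resource_hit = any(fnmatch.fnmatchcase(object_arn, r) for r in resources)
    return action_hit and resource_hit

def governance_bypass_findings(policy, bucket):
    """Return (sids_allowing_bypass, explicitly_denied) for objects in `bucket`.

    Condition, NotAction, NotResource, bucket policies and SCPs are not
    evaluated here, so a hit means "review this statement", not a final verdict.
    """
    object_arn = f"arn:aws:s3:::{bucket}/backup-object"  # constructed object key
    allows, denied = [], False
    for n, stmt in enumerate(_listify(policy.get("Statement", []))):
        if not _stmt_covers(stmt, object_arn):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True                      # an explicit Deny overrides any Allow
        elif stmt.get("Effect") == "Allow":
            allows.append(stmt.get("Sid", f"statement[{n}]"))
    return allows, denied

# Constructed sample policy; bucket names and Sids are made up for illustration.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupWrite", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "OtherBucket", "Effect": "Allow", "Action": BYPASS,
         "Resource": "arn:aws:s3:::other-bucket/*"},
    ],
}

if __name__ == "__main__":
    allows, denied = governance_bypass_findings(SAMPLE_POLICY, "example-backups")
    print("Allow statements covering the bypass:", allows, "| explicit deny:", denied)
```

The wildcard statement `AdminAll` is the one reported: a broad `s3:*` grant carries the bypass permission even though it never names it.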
Enable Immutability for Storage Account
First, make sure your storage account supports Immutability. Currently, Immutability is supported for Amazon S3 only.
To enable the Immutability feature for the storage account, proceed as follows:
- In the application menu, select Edit Storage Accounts.
- Select the account you want to enable the Immutability feature for, then click Edit.
- Select a bucket that supports Immutability or create a new one. If the selected bucket does not support Immutability, an appropriate warning is displayed.
Note that you can only enable the Immutability feature for new buckets. If you want to turn on Immutability for an existing bucket, contact AWS Support.
- Select the Allow immutability check box.
- Carefully read the confirmation dialog, then confirm the action.
- Click OK.
Once the Immutability feature is enabled on the required storage account, proceed to create or edit the backup plans that require immutable data.
Enable Immutability in Backup Plan
- Edit the backup plan you intend to apply immutability to or create a new one.
- Follow the backup wizard steps to the Retention Policy step.
- Select the Enable GFS check box.
- Configure your GFS settings according to your requirements or compliance mandate.
- Select the Enable Immutability check box.
- Confirm the action in a dialog box, then click Next.
Attention! Once Immutability is enabled, it is NOT possible to edit or delete the backup data until the specified GFS keeping period expires, so be extremely cautious, since this may lead to serious storage bill increases.
- Follow the backup wizard to the end to save the backup plan configuration.
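Once a plan with immutability has run, the result can be confirmed from the AWS side. The following is an added example, not part of the product or its documentation: it summarises saved JSON output of `aws s3api get-object-lock-configuration`, `get-bucket-versioning` and `get-object-retention`, reporting whether the bucket has Object Lock and versioning enabled and which objects are still locked. The sample responses and key names are constructed.

```python
from datetime import datetime, timezone

def _ts(text):
    # The AWS CLI prints ISO 8601 timestamps; accept a trailing "Z" as well.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def audit_immutable_bucket(lock_cfg, versioning, retentions, now):
    """Summarise lock state from saved `aws s3api` JSON responses.

    lock_cfg   -- get-object-lock-configuration output ({} if the call failed)
    versioning -- get-bucket-versioning output
    retentions -- {key: get-object-retention output, or None if the call
                  failed because the object version has no retention}
    """
    report = {"bucket_issues": [], "locked": {}, "unlocked": []}
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        report["bucket_issues"].append("Object Lock is not enabled")
    if versioning.get("Status") != "Enabled":
        report["bucket_issues"].append("versioning is not enabled")
    for key in sorted(retentions):
        ret = (retentions[key] or {}).get("Retention")
        if ret and _ts(ret["RetainUntilDate"]) > now:
            report["locked"][key] = (ret["Mode"], ret["RetainUntilDate"])
        else:
            report["unlocked"].append(key)  # no lock, or the lock has expired
    return report

# Constructed sample responses; key names are made up, not the product's layout.
LOCK_CFG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
VERSIONING = {"Status": "Enabled"}
RETENTIONS = {
    "monthly-full": {"Retention": {"Mode": "GOVERNANCE",
                                   "RetainUntilDate": "2025-03-01T00:00:00+00:00"}},
    "weekly-full": {"Retention": {"Mode": "GOVERNANCE",
                                  "RetainUntilDate": "2024-12-15T00:00:00+00:00"}},
    "incremental": None,  # only GFS full backups are expected to carry a lock
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible

if __name__ == "__main__":
    print(audit_immutable_bucket(LOCK_CFG, VERSIONING, RETENTIONS, NOW))
```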