
Why immutable differs from offline
An offline backup (a tape locked in a safe) is out of reach of a network attacker, but every write and every restore needs someone to handle the media. An immutable backup stays online and is still protected, because the storage system itself refuses to delete or alter the data for a defined period, even for an administrator holding maximum privilege. Current ransomware groups (LockBit, BlackCat, Akira) go after Veeam B&R, ESXi and Active Directory BEFORE encrypting production, precisely so that the backups are gone when the ransom note lands. Immutability is the only backup control that survives compromised credentials.
Mistakes that invalidate immutability
1. Governance mode on S3 Object Lock. Governance retention can be shortened or removed by any principal that holds the s3:BypassGovernanceRetention permission, which a compromised admin account usually has. Use Compliance mode for real immutability: nobody, not even the account root user, can remove it before the retain-until date.
2. Veeam Hardened Repository reachable with SSH + sudo from the same AD. If an AD credential falls, the attacker logs in over SSH, runs chattr -i and deletes the backups. Use a local account with an isolated password, MFA on any remaining interactive access, and disable SSH once the repository is registered.
3. Creating the bucket without Object Lock. Object Lock requires versioning and, until late 2023, could only be switched on at bucket creation; AWS now allows enabling it on an existing versioned bucket, but objects written before that moment are not locked retroactively. Create a dedicated bucket with Object Lock on from day one and treat any bucket created without it as mutable until you have verified otherwise.
4. Mixing immutable and mutable data in the same bucket. It widens the attack surface (permissions and lifecycle rules tuned for the mutable data also apply to the backups) and makes auditing harder. Use a dedicated bucket for immutable backups.
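Mistakes 1, 3 and 4 above, and the "delete must fail" check from the audit step of the procedure below, can be turned into a script. The following Python is an added example, not code from this page, from Veeam or from AWS: it builds the Object Lock configuration for Option A, audits what get_object_lock_configuration and get_object_retention return, and targets a specific object version with a delete that has to be refused. The bucket name, region, canary key and 90-day retention are assumptions, the version list is constructed sample data, and boto3 is imported only inside main() so the audit helpers run offline.

```python
"""S3 Object Lock for backup buckets: build the configuration, audit what AWS
returns, and prove that a locked version cannot be deleted.

Added example; not code from the original page, Veeam or AWS. Bucket name,
region, the canary key and the 90-day retention are assumptions. The helpers
above main() are pure and run offline; main() talks to AWS through boto3
(imported lazily) only when you pass a bucket name on the command line.
"""
import sys
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_RETENTION_DAYS = 30          # page minimum; 90 days recommended


def build_object_lock_config(days: int, mode: str = "COMPLIANCE") -> dict:
    """Configuration for put_object_lock_configuration().

    COMPLIANCE retention cannot be shortened or removed by anyone, including the
    account root user, until RetainUntilDate. GOVERNANCE can be bypassed by any
    principal holding s3:BypassGovernanceRetention (mistake #1 on the page).
    """
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError(f"unknown mode {mode!r}")
    if days < MIN_RETENTION_DAYS:
        raise ValueError(f"retention {days} d is below the {MIN_RETENTION_DAYS}-day minimum")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def audit_lock_config(cfg: Optional[dict]) -> list:
    """Findings for get_object_lock_configuration()['ObjectLockConfiguration'].
    Pass None when the call raised ObjectLockConfigurationNotFoundError."""
    if not cfg or cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock not enabled: every object in this bucket is mutable (mistake #3)"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention: objects are mutable unless the writer sets retention per object"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"default retention mode is {rule.get('Mode')}, not COMPLIANCE (mistake #1)")
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention {days} d is below the {MIN_RETENTION_DAYS}-day minimum")
    return findings


def audit_versions(versions: list, now: datetime) -> list:
    """Findings per object version. Each entry is
    {"Key", "VersionId", "Retention": get_object_retention()['Retention'] or None}.
    Mutable or GOVERNANCE-locked versions next to immutable ones are mistake #4."""
    findings = []
    for v in versions:
        ret, tag = v.get("Retention"), f"{v['Key']}@{v['VersionId']}"
        if ret is None:
            findings.append(f"{tag}: no retention, deletable by anyone with s3:DeleteObjectVersion")
        elif ret["Mode"] != "COMPLIANCE":
            findings.append(f"{tag}: {ret['Mode']} lock, bypassable")
        elif ret["RetainUntilDate"] <= now:
            findings.append(f"{tag}: COMPLIANCE lock expired {ret['RetainUntilDate']:%Y-%m-%d}, deletable again")
    return findings


# Constructed sample (not real bucket contents): one good version, one GOVERNANCE
# lock, one object with no retention at all, and one whose lock has run out.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VERSIONS = [
    {"Key": "veeam/job1.vbk", "VersionId": "v1",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": SAMPLE_NOW + timedelta(days=60)}},
    {"Key": "veeam/job1.vib", "VersionId": "v2",
     "Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": SAMPLE_NOW + timedelta(days=60)}},
    {"Key": "scratch/notes.txt", "VersionId": "v3", "Retention": None},
    {"Key": "veeam/old.vbk", "VersionId": "v4",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": SAMPLE_NOW - timedelta(days=1)}},
]


def main(bucket: str, region: str = "us-east-1", days: int = 90) -> None:
    """Create the bucket, apply the config, then run the delete-must-fail check."""
    import boto3                                   # lazy: only needed against real AWS
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", region_name=region)
    extra = {} if region == "us-east-1" else {"CreateBucketConfiguration": {"LocationConstraint": region}}
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True, **extra)   # also turns on versioning
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=build_object_lock_config(days))
    cfg = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    for f in audit_lock_config(cfg):
        print("FINDING:", f)
    # Audit step: write a canary (assumed key) and delete THAT VERSION. A delete
    # without VersionId only adds a delete marker and succeeds, which proves nothing.
    put = s3.put_object(Bucket=bucket, Key="audit/canary.txt", Body=b"immutability canary")
    try:
        s3.delete_object(Bucket=bucket, Key="audit/canary.txt", VersionId=put["VersionId"])
        print("FINDING: locked version was deleted, bucket is NOT immutable")
    except ClientError as e:
        print("OK: delete refused:", e.response["Error"]["Code"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:
        for finding in audit_versions(SAMPLE_VERSIONS, SAMPLE_NOW):
            print("FINDING:", finding)
```

Run it with a bucket name to create and verify a real bucket (it needs create and put permissions on S3), or without arguments to see the audit logic on the constructed sample. Note that the script cannot clean up after itself: a COMPLIANCE-locked canary version stays, by design, until its retention expires, so keep the canary small and put it under its own prefix.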
Implementation in 3 typical environments
Choose based on volume, RTO and environment.
1. Option A: AWS S3 Object Lock (cloud)
Create the S3 bucket with Object Lock enabled; this also turns on versioning, which Object Lock requires. Set Compliance mode, which does not allow removal even by the account root user, with 30-90 days of retention. Point Veeam B&R at the bucket through a SOBR (Scale-Out Backup Repository) with an immutable capacity tier, so that Veeam sets the retention on each object it writes. Cost: ~US$0.023/GB/month for S3 Standard, plus data transfer and API requests.
2. Option B: Veeam Hardened Repository (on-prem)
Install Ubuntu 22.04 LTS on a dedicated server that is NOT joined to AD. Create a local non-root user for Veeam; Veeam only needs it while deploying the repository, so treat it as a single-use credential and disable SSH (or at least password login) once the repository is registered. Use ext4 or XFS for the backup volume (XFS with reflink support gives Veeam fast clone). In the Veeam console, add the server as a Linux repository with the 'This repository is hardened' flag. Veeam then sets chattr +i on each backup file for the configured number of days. Root can still run chattr -i, which is exactly why nobody should keep a reusable root path to this box. Full setup in ~2 h.
3. Option C: LTO tape in WORM mode (compliance)
LTO-7 or newer tapes in WORM (Write Once Read Many) mode. Veeam or Commvault writes the data and the cartridge itself prevents rewriting. Lowest cost per TB for long-term retention, but the highest RTO (hours to locate, mount and read). Ideal as the third copy for long retention (7+ years).
4. Set adequate retention
Minimum: 30 days. Recommended: 90 days, which covers attackers that sit in the network for weeks before encrypting. For regulated sectors (healthcare, financial): 1-7 years, as the regulation requires.
5. Audit monthly
Try to delete a backup file manually through the console: it must fail. Document the result. Review who accessed the repository, via CloudTrail for S3 or auditd on the Linux Hardened Repository, and disable the accounts of people who have left.
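For Option B the monthly audit can be scripted on the repository host itself. The following Python is an added example, not code from this page or from Veeam: it parses lsattr output to find backup files that are inside the immutability window but no longer carry the immutable flag (the trace an attacker leaves after chattr -i), and performs the "delete must fail" check against a single file. The repository path /backups, the 30-day window measured from each file's mtime (Veeam's real window is set per repository in the console) and the .vbk/.vib/.vbm suffixes are assumptions; the lsattr output below is constructed sample data.

```python
"""Audit a Veeam Hardened Repository: which backup files actually carry the
immutable attribute, and does a delete fail as it must.

Added example; not code from the original page or from Veeam. Assumptions:
repository under /backups, a 30-day immutability window counted from the
file's mtime, backup files ending in .vbk/.vib/.vbm. The parsing functions
run offline on the constructed sample; audit_repository() shells out to
lsattr on a real repository host.
"""
import errno
import os
import subprocess
import time

BACKUP_SUFFIXES = (".vbk", ".vib", ".vbm")
IMMUTABLE_DAYS = 30                       # assumed; match the value set in the Veeam console


def parse_lsattr(output: str) -> dict:
    """Map each path in `lsattr -d` output to whether the 'i' (immutable) flag is set.
    lsattr prints the flag string first, then the path; the string length varies
    between e2fsprogs versions, so look for the letter rather than a fixed index."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("lsattr:"):
            continue                      # error lines such as "Operation not supported"
        flags, _, path = line.partition(" ")
        result[path] = "i" in flags
    return result


def expected_immutable(mtime: float, now: float, days: int = IMMUTABLE_DAYS) -> bool:
    """A backup file younger than the immutability window must still be locked."""
    return now - mtime < days * 86400


def find_unlocked(flags: dict, mtimes: dict, now: float) -> list:
    """Files that should be immutable but are not. Someone with root on the box
    (or sudo via a compromised AD account, mistake #2) removes the flag with
    chattr -i before deleting, so a missing flag inside the window is the alert."""
    return sorted(p for p, locked in flags.items()
                  if not locked and expected_immutable(mtimes.get(p, 0.0), now))


def delete_is_blocked(path: str) -> bool:
    """Audit step from the page: the delete MUST fail. On a file with the immutable
    attribute, os.remove raises PermissionError with errno EPERM even for root."""
    try:
        os.remove(path)
        return False                      # the file is gone: it was not immutable
    except PermissionError as e:
        return e.errno == errno.EPERM


def audit_repository(root: str) -> list:
    """Run lsattr over the repository and return recent files that are unlocked."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root)
             for f in files if f.endswith(BACKUP_SUFFIXES)]
    if not paths:
        return []
    out = subprocess.run(["lsattr", "-d", *paths], capture_output=True, text=True).stdout
    mtimes = {p: os.stat(p).st_mtime for p in paths}
    return find_unlocked(parse_lsattr(out), mtimes, time.time())


# Constructed sample of `lsattr -d` output (not from a real host): three files
# inside the window, one of them missing the 'i' flag, plus an old file whose
# window has legitimately expired.
SAMPLE_NOW = 1_700_000_000.0
SAMPLE_LSATTR = """\
----i---------e------- /backups/job1/job1.vbk
----i---------e------- /backups/job1/job1D2024.vib
--------------e------- /backups/job1/job1D2024b.vib
--------------e------- /backups/job1/job1_old.vbk
"""
SAMPLE_MTIMES = {
    "/backups/job1/job1.vbk": SAMPLE_NOW - 5 * 86400,
    "/backups/job1/job1D2024.vib": SAMPLE_NOW - 2 * 86400,
    "/backups/job1/job1D2024b.vib": SAMPLE_NOW - 1 * 86400,
    "/backups/job1/job1_old.vbk": SAMPLE_NOW - 45 * 86400,
}


if __name__ == "__main__":
    unlocked = audit_repository("/backups")
    print(unlocked or "no unlocked files inside the immutability window")
```

On the repository host, run it from cron under the local audit account and alert on any non-empty result; on a workstation without the repository, the constructed sample shows the logic flagging exactly the recent file that lost its flag. Pair the file-level check with auditd rules on chattr and on the backup directory, so that a flag removal is logged with the account that performed it.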
FAQ
Does Object Lock Compliance lock the bucket forever?
No. It locks each object version for the defined retention period, counted from the moment that version was written. Once the period expires the version can be deleted normally, so a 90-day retention produces a rolling window in which storage rotates instead of growing forever, which keeps cost under control.
Does Veeam Hardened work on any Linux?
We recommend Ubuntu 22.04 LTS or RHEL 9 for stability and Veeam support. Technically the mechanism is chattr +i, which any Linux with ext4 or XFS provides, but stay on a distribution in Veeam's supported list if you want the repository to be supported.
How much does protecting 50 TB cost?
S3 Object Lock: ~US$ 1,150/month. Veeam Hardened on-prem: hardware ~US$ 8,000 (one-time) + ~US$ 100/month operation. LTO WORM: ~US$ 5,000 setup + tapes.
Can I replicate immutable backup to another region?
Yes, and it is recommended. S3 Cross-Region Replication copies each object version together with its retention mode and retain-until date, provided the destination bucket also has Object Lock enabled; the replica is then protected by the destination bucket's own lock, so check both buckets in the monthly audit. With Veeam, a Backup Copy job can write to a second Hardened Repository at the DR site.
How does it combine with 3-2-1-1-0?
Three copies on two media, one offsite, one immutable, zero errors: a fast local copy (a conventional Veeam repository) for everyday restores, an immutable copy (S3 Object Lock or a Veeam Hardened Repository) and an offsite copy (the same S3 bucket replicated to another region, or a second Hardened Repository at the DR site). The extra 1 is the immutable copy; the 0 is earned by the monthly restore tests.
Want help implementing immutability in your company?
Veeam + S3 Object Lock implementation consulting + restore tests.