Why ‘Immutability-Washing’ Is Putting Enterprise Backups at Risk

As ransomware attacks increasingly target backup data, many organizations are discovering that not all “immutable” storage is truly immutable. This executive analysis examines the growing gap between marketing claims and Zero Trust–based reality—and explains why absolute immutability is now essential to enterprise data resilience.
Jan. 7, 2026

Key Highlights

  • Absolute immutability ensures backup data cannot be modified or deleted, even by privileged users or attackers, by leveraging S3 object storage and zero access principles.
  • Implementing immediate immutability during data ingestion prevents vulnerabilities that attackers could exploit to embed malicious code or encrypt backups.
  • Using purpose-built backup appliances with physical separation from backup software enhances security, reduces operational risks, and aligns with Zero Trust architecture.
  • DIY or VM-based backup solutions increase operational complexity and risk, highlighting the importance of vendor-secure, purpose-built appliances with strong security postures.

Today, ransomware poses a major threat to organizations, especially enterprises. Large organizations struggle to keep their infrastructure and architecture up to date as attack vectors become more complex, leaving them vulnerable. According to research by Enterprise Strategy Group, 66% of organizations faced at least one ransomware attack in the past two years, and 96% of those targeted backup data.

Unfortunately, no matter how advanced a business’s cybersecurity posture and defenses are, a cyberattack resulting in a breach is almost inevitable. Immutable backup storage is the ultimate Data Resilience strategy for any organization. Yet only 59% of companies currently use immutable storage. When all businesses face threats to their storage and backups, that’s a problem.

Defining Absolute Immutability – How to Know Your Data is Ransomware-Proof

Absolute immutability is defined as Zero Access to perform destructive actions, meaning that no one, not even the most privileged admin or attacker, can access backup storage to modify or delete data. It’s based on Zero Trust principles, which assume that a breach has already occurred. Zero Access takes it a step further by assuming the worst-case scenario: all credentials will be stolen or compromised. Recovery from an attack requires the ability to reliably restore data from backups; therefore, it is critical that no one, whether or not they appear legitimate, can perform actions that could harm backup data.

Achieving Absolute Immutability through Zero Access requires adherence to three core principles:

S3 object storage. This protocol includes Object Lock and versioning, native immutability features that ensure data cannot be modified or removed once it is written. Traditional storage systems often lack native immutability and rely primarily on proprietary, bolt-on solutions. S3 object storage has consistently demonstrated security and reliability at enterprise scale, validated by real-world deployments and third-party testing. Its foundation on open standards allows such testing, rather than relying on the ‘trust us’ claims of proprietary storage architectures.

Zero Time to Immutability. Backup data must be immutable once written to prevent unauthorized alterations, maintain data integrity, and defend against ransomware. If immutability is not enforced during data ingestion, a critical vulnerability window remains open. Attackers will exploit this period to encrypt, modify, or embed malicious code in the backup. Backup data must be written directly to object storage with S3 Object Lock enabled, ensuring that the data is immutable from the moment it is stored. This is the only way to confirm absolute, instant, and irreversible immutability.
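The two storage-side principles above can be checked against a bucket's actual settings. The following is an added example, not code from the article or from any vendor: it audits dictionaries shaped like the S3 `GetBucketVersioning`, `GetObjectLockConfiguration` and `HeadObject` responses. It goes one step beyond the text by separating Object Lock's two retention modes, since GOVERNANCE retention can be bypassed by a principal holding `s3:BypassGovernanceRetention` while COMPLIANCE retention cannot. Bucket names, object keys and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

def audit_bucket(versioning, lock_cfg):
    """Gaps for one bucket, from GetBucketVersioning / GetObjectLockConfiguration dicts."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning-not-enabled")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return findings + ["object-lock-not-enabled"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if default is None:
        # Not fatal alone: the backup writer must then set retention on every PUT.
        findings.append("no-default-retention")
    elif default.get("Mode") != "COMPLIANCE":
        # GOVERNANCE can be lifted by anyone with s3:BypassGovernanceRetention.
        findings.append("default-mode-bypassable")
    return findings

def audit_object(head, now):
    """Classify one object version from a HeadObject-shaped dict."""
    mode = head.get("ObjectLockMode")
    until = head.get("ObjectLockRetainUntilDate")
    if mode is None or until is None:
        return "unlocked"  # stored with no lock: the vulnerability window is open
    if until <= now:
        return "retention-expired"
    if mode != "COMPLIANCE":
        return "mode-bypassable"
    return "locked"

# Constructed sample data, not taken from any real environment.
NOW = datetime(2026, 1, 7, tzinfo=timezone.utc)
BUCKETS = {
    "backup-strict": ({"Status": "Enabled"}, {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}),
    "backup-washed": ({"Status": "Enabled"}, {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}),
    "backup-legacy": ({"Status": "Suspended"}, {}),
}
OBJECTS = [
    {"Key": "job1/full.bak", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    {"Key": "job1/incr.bak"},  # written without retention headers
]

if __name__ == "__main__":
    print({name: audit_bucket(*cfg) for name, cfg in BUCKETS.items()})
```
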

Target Storage Appliance. There are two types of purpose-built backup appliances (devices that are configured and optimized for storing backup data). Integrated storage appliances combine backup software and storage in a single system, while target storage appliances provide a turn-key storage device for external backup software. In line with the requirements of the Zero Trust Data Resilience architecture developed by Veeam and Numberline Security, Absolute Immutability requires a strict separation of backup software and backup storage. Only a target storage appliance can ensure that backup data is physically isolated from the backup software that manages it, in accordance with a defined, documented protocol. This ensures that if credentials are stolen, backup data cannot be tampered with or deleted.

Purpose-built backup appliances can include DIY (do-it-yourself) solutions, where customers or integrators build their own backup storage systems by combining hardware and software. There are two main types: DIY setups built directly on self-managed hardware and those deployed within a virtual machine (VM). In both cases, the storage software is either manually installed on user-provided hardware or pre-installed on a general-purpose server. While this gives users greater flexibility and convenience, it also means they’re fully responsible for critical tasks—such as daily monitoring, patching, servicing, and managing the system lifecycle.

Evaluating the Results

The result? Each deployment is one-of-a-kind, often undocumented, and lacks standardized support. This increases the risk of misconfiguration, weak network segmentation, and operational inconsistencies. It also creates dependencies on individuals with deep Linux and cybersecurity expertise, making the approach resource-intensive and potentially fragile.

Running a DIY backup system within a VM adds additional risk. Since immutability is enforced only by software within the VM, there’s no hardware-level safeguard. If an attacker gains access to the host or storage layer, they can easily wipe out or manipulate the backup VM, sometimes in just a few clicks.

When evaluating a purpose-built backup appliance, the manufacturer's security posture is critical. The CISA ‘Secure-by-Design’ pledge promotes built-in security among manufacturers. Those who commit to this pledge focus on reducing exploitable vulnerabilities, implementing security controls such as Multi-Factor Authentication (MFA), and maintaining transparency in security practices, for example, by publishing Common Vulnerabilities and Exposures (CVEs). When evaluating a backup solution, enterprises should review the current list of pledge signers to ensure the vendors they are considering adhere to the latest security best practices.

Absolute Immutability is the key to protecting enterprises’ crown jewels: data. As cybercrime organizations become more tenacious and ransomware continues to incapacitate organizations at an increasing rate, security teams need robust defenses to protect backups. Absolutely immutable storage provides safeguards to ensure regulatory compliance and maintain data integrity throughout legal processes—but most importantly, it ensures recoverability and resilience. By following the three principles, organizations can ensure Absolute Immutability and, regardless of what happens—ransomware, insider threats, or credential breaches—backup data remains protected and recoverable.

About the Author

Anthony Cusimano

Technical Director, Object First

Anthony Cusimano has worked in many roles in tech for over a decade and currently serves as director of technical marketing for Object First – a new object storage startup on a mission to eliminate ransomware and simplify data protection. He started as a developer, shifted to sales, and masterfully moved into marketing. He is a passionate gamer who stays up to date on all things technology to ensure he can achieve as many frames per second as possible on his gaming PC. He enjoys speaking at events and has previously shared the stage with astronauts and MARVEL superheroes. Anthony enjoys the nerdier things in life, watching classic movies, building Gundams, and flying questionably legal FPV drones in abandoned mall parking lots. When he isn't geeking out on the latest fad, he and his wife Sarah enjoy visiting lesser-known Florida destinations and spoiling their two dogs, Luna and Smudge.
