A Deep Dive Into Immutable Storage: How It Works for Ensuring Data Protection and Ransomware Recovery

JANUARY 30TH, 2024
Aftab Alam
Executive Vice President, Product Management

Immutable storage is recognized as one of the most effective data protection solutions for ensuring ransomware recovery. That’s more important than ever, given that 66 percent of respondents to the Sophos State of Ransomware Report 2023 reported that their organization was hit by ransomware in the previous year. So, the odds are high that your organization will become hit if it hasn’t already.

While most IT pros know about immutable storage, they may need help understanding how it functions. With that in mind, let’s dive into the technical underpinning of immutable storage.

What Is Immutable Storage?

Think of immutable storage as your last line of defense for ransomware protection and data loss prevention. Data backed up to immutable storage is protected against any modifications or deletions.

At the heart of immutable storage systems is the write-once-read-many (WORM) technology. WORM technology prevents data from being overwritten or deleted once written to a storage medium. 

Hardware-Based WORM

WORM was initially associated with physical storage media, such as optical discs, which use a laser to write data. Once written into the disc by the laser, data is physically prevented from being erased or modified. Modern implementations of WORM technology extend beyond physical media to software-defined storage systems, offering broader and more flexible applications of immutability principles.

Software-Defined WORM

Software-defined WORM solutions offer a more versatile approach to immutability, applying the principle at the file system or object storage level. In these systems, software controls enforce immutability by restricting write and delete operations on the files or backups saved as immutable, with the storage system modifying the file or object’s metadata to mark it as unchangeable. 

This metadata, a foundational file system component, acts as the gatekeeper, enforcing immutability rules. It also enables the dynamic application of WORM policies, where data can be immutable for a predetermined retention period without needing specialized hardware.

Locking Down Data: Set Retention Periods

In both hardware and software-defined WORM systems, data is “locked down” for a specified retention period when it is written. Defined by your policies and regulatory requirements, this retention period ensures the data can’t be altered or deleted until the set period expires. That gives you flexibility in managing retention periods, so you can apply policies based on the data type (see our post on data classification and tiering), compliance requirements, and business needs.

During the retention period, the storage system systematically blocks any attempts to modify or delete the data. This immutable data protection ensures data integrity, especially when historical accuracy, such as legal evidence or financial records, is paramount.

When the retention period expires, the data’s immutable protection status can be lifted so that it can be altered or deleted. This lets users delete outdated files and backups to save storage while ensuring compliance with required retention periods. Administrators can typically review and manage data as it approaches the end of its retention period and decide to extend the immutability, archive the data, or delete it if it is no longer needed.

Access Control Systems Enforce Immutability

File systems or object stores that support immutability implement rigorous access control mechanisms. These mechanisms are designed to restrict unauthorized access and operations on data, ensuring it remains unchanged once data is marked as immutable. Here are the common access control mechanisms in use today:

Discretionary Access Control (DAC)

In a DAC system, the data owner specifies who can access the data and what operations they can perform. While DAC is flexible, for immutable storage applications it is typically bolstered by additional controls to prevent data access for immutable storage applications. 

Mandatory Access Control (MAC)

MAC systems offer tighter controls than DAC systems because they rely on fixed policies that system administrators define to control access. In the context of immutable storage, MAC can enforce immutability policies across different data tiers, ensuring that only authorized users and processes can access data based on their security clearance and the data classification level

Role-Based Access Control (RBAC)

RBAC limits access and operations based on the roles of individual users within an organization. This method is effective in immutable storage environments because it can restrict who can mark data as immutable or alter immutability policies based on predefined roles, such as system admins or data managers.  

Attribute-Based Access Control (ABAC)

ABAC provides a highly granular level of control by defining access permissions based on a wide range of attributes. These can include user attributes, such as department or role; environmental attributes, such as time of day; and data attributes, such as classification and immutability status. ABAC dynamically enforces access decisions based on complex policies considering multiple factors, making it highly adaptable to various security environments.  

Cryptographic Access Control

Some immutable storage systems enforce access control using cryptographic means, such as digital signatures and encryption. Users must have the appropriate cryptographic keys to access or modify data, adding a solid layer of security. This approach ensures that even if a user technically has access to data, they can’t modify it without the correct cryptographic authorization.

Data and Ransomware Recovery from Immutable Backups

Data recovery is the most significant advantage of immutable storage. Since immutable backups are protected from threats, they provide a reliable recovery point following a cyber incident or data disaster. If ransomware strikes, you can revert to a pristine version of your production environment using an immutable backup.

Put Immutability to Work

With an understanding of WORM, you now know how immutable storage systems provide robust defenses against threats. For expert help implementing immutable onsite, offsite, and cloud data protection, backup, and disaster recovery, find an Arcserve technology partner.

You May Also Like