Immutability

This chapter covers the following topics:

About Immutability

Immutability is a feature that locks backup datasets for a period specified in GFS retention policy settings. Within this period, backup data can be neither modified nor deleted.

Immutability is supported for the following storage providers:

Note that Immutability is not supported for MSP360's own storage powered by AWS S3 and by Wasabi.

Immutable storage is closely tied to compliance mandates that impose specific data maintenance requirements. Immutability is also becoming more popular in backup and restore solutions, since cybercriminals aim their ransomware tools at backups as well.

Immutability is best suited to preserving data in accordance with compliance requirements. It allows an administrator to specify a data retention period or to implement a legal hold that prevents data from being deleted until the hold is removed.

The Immutability feature is linked with the GFS retention policy. If Immutability is applied along with GFS settings, full backups that are subject to the GFS retention policy become immutable for the GFS keeping period.

For example, if in GFS settings you enable weekly and monthly keeping periods of 2 weeks and 2 months respectively and then enable Immutability, all weekly and monthly backups selected by the GFS keeping period assignment mechanism will be locked on backup storage, with no possibility to delete the data other than deleting the storage account.

Use the Immutability feature with extreme caution. Once backup data becomes immutable, there is no way to delete it from the storage until the specified GFS keeping period expires, except by terminating the storage account. Careless settings can cause high storage bills.

Support for Versioning Buckets in Amazon S3/Wasabi

Applies to Backup Agent versions 7.3 and later

With the Immutability feature enabled on the storage account, synchronization is performed using a file list formed from the list of versions.

Along with this, a so-called postponed synchronization approach is used: data is collected from the list of files, then analyzed and added to the database. During the analysis, immutable generations are checked for deleted files. If any deletions are detected, some deleted files are restored: common generation files (generation metadata, GFS marker) and restore point files up to the first successful one.

During consistency checks, the same logic applies: immutable generations are checked for deleted files. If any deletions are detected, some deleted files are restored: this concerns common generation files (generation metadata, GFS marker) and restore point files up to the first successful one.
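How a deletion shows up in a versioned bucket, as an added example (not MSP360 code and not part of the original page): in S3-style versioning a plain delete puts a delete marker on top of the surviving versions, so a version listing reveals which files were hidden and which can still be brought back. The listing is constructed in the shape of an S3 ListObjectVersions response, and the key names are hypothetical.

```python
from collections import defaultdict

# Constructed sample shaped like an S3 ListObjectVersions response.
# Key names and version IDs are invented for illustration.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "gen-0001/generation.meta", "VersionId": "v1", "IsLatest": False},
        {"Key": "gen-0001/gfs.marker", "VersionId": "v2", "IsLatest": True},
        {"Key": "gen-0001/rp-01/data.part", "VersionId": "v3", "IsLatest": False},
        {"Key": "gen-0001/rp-02/data.part", "VersionId": "v4", "IsLatest": True},
    ],
    "DeleteMarkers": [
        {"Key": "gen-0001/generation.meta", "VersionId": "d1", "IsLatest": True},
        {"Key": "gen-0001/rp-01/data.part", "VersionId": "d2", "IsLatest": True},
        {"Key": "gen-0001/old.tmp", "VersionId": "d3", "IsLatest": True},
    ],
}


def find_hidden_objects(listing):
    """Return keys whose current version is a delete marker.

    Maps key -> {"markers": [...], "versions": [...]}: the delete markers
    hiding the key and the data versions that still exist underneath.
    """
    data_versions = defaultdict(list)
    for v in listing.get("Versions", []):
        data_versions[v["Key"]].append(v["VersionId"])
    markers = defaultdict(list)
    for m in listing.get("DeleteMarkers", []):
        markers[m["Key"]].append(m)
    hidden = {}
    for key, ms in markers.items():
        if any(m["IsLatest"] for m in ms):
            hidden[key] = {
                "markers": [m["VersionId"] for m in ms],
                "versions": data_versions.get(key, []),
            }
    return hidden


def recoverable(hidden):
    """Keys that can be restored: a data version survives under the marker."""
    return sorted(k for k, info in hidden.items() if info["versions"])


if __name__ == "__main__":
    found = find_hidden_objects(SAMPLE_LISTING)
    print("hidden:", sorted(found))
    print("recoverable:", recoverable(found))
```

A key with a delete marker but no remaining data version (`gen-0001/old.tmp` in the sample) cannot be recovered from the listing alone.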

Retention Modes For Immutable Data

Generally, there are two retention modes:

  • Governance mode
  • Compliance mode

These retention modes apply different levels of protection.

In Governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With Governance mode, objects in backup storage are protected against being deleted, but you can still delete the object, if necessary, in the AWS console.

In Compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your storage provider account. When an object is locked in Compliance mode, its retention mode cannot be changed, and its retention period cannot be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period defined in the GFS retention policy settings.
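Governance mode is only as strong as the set of identities holding the "special permissions" mentioned above. In AWS that permission is the IAM action `s3:BypassGovernanceRetention` (an AWS name, not taken from this page). The following added example, which is not part of the original documentation, scans constructed IAM policy documents for Allow statements that grant it, including through wildcards and `NotAction`; the policy names are hypothetical.

```python
import fnmatch

BYPASS = "s3:BypassGovernanceRetention"  # AWS IAM action name

# Constructed policy documents; names and contents are illustrative only.
POLICIES = {
    "backup-writer": {"Statement": [
        {"Sid": "Write", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:ListBucketVersions"], "Resource": "*"}]},
    "storage-admin": {"Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "ops": {"Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns):
    # IAM action names are case-insensitive and allow * and ? wildcards.
    return any(fnmatch.fnmatchcase(BYPASS.lower(), p.lower())
               for p in _as_list(patterns))


def statements_granting_bypass(policy):
    """Sids (or indexes) of Allow statements that cover the bypass action.

    Deny statements, Resource and Condition are not evaluated, so every
    hit is a candidate for manual review rather than a final verdict.
    """
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            granted = not _matches(st["NotAction"])
        else:
            granted = _matches(st.get("Action"))
        if granted:
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def audit(policies):
    """Map policy name -> matching statements, omitting clean policies."""
    result = {n: statements_granting_bypass(p) for n, p in policies.items()}
    return {n: h for n, h in result.items() if h}
```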

Allow 'Manage Immutability' For Your Administrators

If you intend to delegate Immutability management to your administrators, grant them the appropriate permission. To do this, proceed as follows:

  1. Open the Management Console.
  2. In the Organization menu, select Administrators.
  3. Click Edit or Add Administrator to create a new one.
  4. Switch to the Permissions tab.
  5. Find the Manage Immutability option, then select the appropriate check box.
  6. Click Save.

Allow Immutability In Storage Account

If you need to comply with regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset, enable this feature for the appropriate storage account.

For AWS S3

To allow Immutability for AWS S3, proceed as follows:

  1. Open the Management Console.
  2. In the Storage Accounts, select the required account to allow the Immutability or create a new storage account.

Note that the 'list versions' permission must be enabled for the storage account.

  3. Click the gear icon, then select View Backup Destinations.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups or click the ... button to edit an existing destination.
  5. In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Allow Immutability.
  6. Confirm the action: read the confirmation message, select the I Confirm Enabling Immutability check box, then click Confirm.
  7. Once you are done, proceed to backup plans to enable the Immutability for specific backups along with the GFS retention policy. Allowing the Immutability feature enables it on the specified bucket only and does not apply it to any backups.

Note that if a bucket has the Immutability feature enabled, versioning for this bucket is automatically enabled as well.

For Wasabi

To allow the Immutability for Wasabi, proceed as follows:

  1. Open the Management Console.
  2. In the Storage Accounts, select the required account to allow the Immutability or create a new storage account.

Note that the 'list versions' permission must be enabled for the storage account.

  3. Click the gear icon, then select View Backup Destinations.
  4. Click Add Destination Bucket to create a new backup destination for immutable backups or click the ... button to edit an existing destination.
  5. In the Destination Bucket property box, fill in the required data (create or select an existing bucket), then click Allow Immutability.
  6. Confirm the action: read the confirmation message, select the I Confirm Enabling Immutability check box, then click Confirm.
  7. Once you are done, proceed to backup plans to enable the Immutability for specific backups along with the GFS retention policy. Allowing the Immutability feature enables it on the specified bucket only and does not apply it to any backups.

Unlike AWS S3, Wasabi storage does not have lifecycle policies. So, object versions are required to be removed from versioning buckets.

As of Backup Agent version 7.3, backup data are purged by versions in buckets with versioning enabled.

Disable Immutability In Storage Account

If you need to suspend or terminate immutable backup keeping, proceed as follows:

  1. Open the Management Console.
  2. In the Storage Accounts, select the required account.
  3. Click the gear icon, then select View Backup Destinations.
  4. Click the ... button to edit an existing destination.
  5. In the Edit Destination Bucket property box, clear the Allow Immutability check box.

Note that after you disable Immutability, you will not be able to create new backup plans with the selected storage account and enable Immutability. Also, all backup plans that have Immutability enabled will be terminated with an appropriate error. To avoid these errors, disable the Immutability feature manually in the plans where you no longer need this feature.

  6. Click Save.

Enable Immutability In Backup Plans

For security reasons, the Immutability option cannot be enabled or edited in Backup Agent.

To enable the Immutability in backup plans using Remote Management, proceed as follows:

  1. Open the Management Console.
  2. In the RMM menu, select Remote Management.
  3. Find the required computer, then click the gear icon.
  4. Select Show Plans.
  5. Edit the required backup plan or create a new one. Remember that the backup plan must be in the new backup format.
  6. On the Where To Back Up step of the backup wizard, select the storage account with the Immutability feature supported.
  7. Follow the backup wizard to the Retention Policy step.
  8. Enable the GFS retention policy, then specify the GFS keeping periods according to your requirements. If you already have the GFS policy configured, skip this step.
  9. Select the Enable Immutability check box.
  10. Confirm the feature enabling, then follow the backup wizard steps to save the backup plan configuration.