How Azure Backup Immutability help you protect against Ransomware threats

Ransomware attacks deliberately encrypt or erase data and systems to force your organization to pay money to attackers. These attacks target not just your data, but even your backups. The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your backup data - one such feature is Immutable Vault. 

Immutable Vault  (currently in preview) can help you protect your backup data by blocking any operations that could lead to loss of existing recovery points. Enabling this property helps you ensure that recovery points once created cannot be deleted before their intended expiry. While this helps prevent data loss, you would not be able to perform certain operations on this vault and its protected items.

How does it protect

The following table summarizes list the supported operations, behavior (i.e. what’s allowed and what’s blocked) and support for the Vault types.  

How does it work

This is a Vault level Property.  This is an opt-in capability, by default it is disabled.  The following table summarizes the various states with screenshots:

Locking Immutability 

Once you enable this lock, it makes immutability setting for the vault irreversible. This will prevent any malicious actors from disabling immutability and deleting backups. While this helps secure the backup data in the vault by preventing anyone , we recommend you make a well-informed decision when opting to lock. You can also test and validate how the current settings of the vault, backup policies, and so on, meet your requirements and can lock the immutability setting later.

Additional Resources:

• https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-concept
• https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage