Immutable Backup Repositories
Effective methods to protect your backup system and storage against common attack vectors.
A backup that can be deleted is an illusion of protection
Cryptolockers are programmed to destroy backup copies before encrypting production data. Without backups, organizations have no choice — to recover their data, they pay the ransom.
Infection
Minute 0: An employee opens an attachment or clicks a link. Malicious code executes automatically in the background. There is no indication that anything is happening.
Reconnaissance
Minutes 1–10: Ransomware automatically scans the local network. It identifies network shares, file servers, backup systems and backup repositories.
Backup destruction
Minutes 10–30: It automatically deletes VSS copies, disables backup services, and removes or encrypts repositories. Production is still running.
Encryption
Hours 1–6: Mass encryption of production data. Applications stop working, and what is still accessible runs extremely slowly. Backups are already gone.
Ransom demand
A message with payment instructions appears on screens.
Thirty minutes is not enough time to react. The only answer is an architecture that does not require a reaction.
How is immutability achieved?
An immutable repository is one where stored data cannot be deleted, overwritten or modified by anyone — including the administrator — for a predetermined period of time.
Immutability is enforced at the file system or object protocol level. When a backup copy is written, a retention time lock is set — a compromised administrator account simply receives a denial, regardless of the privilege level.
Object Storage
S3 Object Lock · Compliance mode
Scality ARTESCA+, Veeam Data Cloud Vault — even the storage administrator cannot delete data before the retention period expires.
Hardened Repository
chattr +i · single-use credentials
Linux — the immutable attribute blocks file modification at a level below the operating system. No persistent external access.
Cloud Connect
Domain separation · Insider Protection
A compromised account in the customer's network has zero access to the service provider's infrastructure. A system recycle bin protects against intentional deletion.
Immutable Repositories
Every IT environment is different. Compare four approaches to immutability and choose the one that best matches your infrastructure and budget.
Scality ARTESCA+
ARTESCA+ is object storage software (S3 compatible) that can be deployed on your existing hardware or ordered as a turnkey hardware appliance — in a tower form factor for smaller environments or rack-mounted for larger ones.
Backup immutability is ensured by S3 Object Lock in Compliance mode, and a unique architectural feature is the absence of S3 API exposure on the local network, as communication between Veeam and the repository occurs inside an isolated container, eliminating one of the common attack vectors.
ARTESCA+ is particularly useful in disaster recovery scenarios. Deployed on a separate server — outside the production environment — it acts as an independent recovery platform. The Veeam Software Appliance integrated in the same device allows you to start restoring systems without first having to rebuild the backup infrastructure.
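To make the Compliance-mode point concrete, the following is an added example, not vendor code: it classifies object versions by the Object Lock fields that an S3 HeadObject response returns and reports every object that is not currently immutable. The object keys, dates and the 7-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def lock_state(head, now):
    """Classify one object version from its HeadObject lock fields."""
    mode = head.get("ObjectLockMode")
    until = head.get("ObjectLockRetainUntilDate")
    if mode is None or until is None:
        return "unprotected"      # written without a retention lock
    if until <= now:
        return "expired"          # lock has lapsed, deletion is allowed again
    # Governance retention can be overridden by a principal holding
    # s3:BypassGovernanceRetention; Compliance retention cannot be
    # shortened or removed by any account before it expires.
    return "immutable" if mode == "COMPLIANCE" else "bypassable"

def audit(objects, now, min_remaining=timedelta(days=7)):
    """Return (key, problem) for every object that needs attention."""
    findings = []
    for key, head in sorted(objects.items()):
        state = lock_state(head, now)
        if state != "immutable":
            findings.append((key, state))
        elif head["ObjectLockRetainUntilDate"] - now < min_remaining:
            findings.append((key, "expiring"))
    return findings

# Constructed sample: HeadObject fields for five object versions.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "backup/0001": {"ObjectLockMode": "COMPLIANCE",
                    "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    "backup/0002": {"ObjectLockMode": "GOVERNANCE",
                    "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    "backup/0003": {"ObjectLockMode": "COMPLIANCE",
                    "ObjectLockRetainUntilDate": NOW - timedelta(days=1)},
    "backup/0004": {"ObjectLockMode": "COMPLIANCE",
                    "ObjectLockRetainUntilDate": NOW + timedelta(days=2)},
    "backup/0005": {},
}

if __name__ == "__main__":
    for key, problem in audit(SAMPLE, NOW):
        print(f"{key}: {problem}")
```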
Veeam Data Cloud Vault
Veeam Data Cloud Vault is an immutable cloud repository service, managed directly by Veeam and built on Microsoft Azure and AWS infrastructure. The service is currently available in over 17 regions worldwide, including full European Union coverage, which is important from a GDPR compliance perspective.
It requires no infrastructure on the customer side — a Veeam license and a few minutes of configuration are all you need. Immutability is built into the service and active by default.
Data transfers and recovery operations are included in the service price, with no separate charges for egress or recovery, making the cost model fully predictable.
Veeam Hardened Repository
Veeam Hardened Repository is a dedicated Linux server acting as a backup repository, connected to the Veeam environment using Direct Attached Storage. Physical separation from the production network and no shared access credentials make it naturally isolated from a potential attacker.
Immutability is enforced at the file system level, where after writing a backup copy, Veeam automatically sets the immutable attribute (chattr +i) on repository files. No deletion or modification operation is possible until the retention period expires (no root account).
VHR can be deployed on your existing hardware — all you need is an ISO image with the RockyLinux operating system. This makes it one of the most cost-effective methods for deploying an immutable repository in an on-premises model.
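A check a repository owner can run against the mechanism described above, as an added example that is not Veeam's code: it reads the same inode flag that `chattr +i` sets and sorts the files under a directory by whether the flag is present. The ioctl number encoding is an assumption that holds for x86 and ARM Linux, and the function names are hypothetical.

```python
import fcntl
import os
import struct
import sys

# _IOR('f', 1, long) from <linux/fs.h>; encoding assumed for x86/ARM Linux.
FS_IOC_GETFLAGS = (2 << 30) | (struct.calcsize("l") << 16) | (ord("f") << 8) | 1
FS_IMMUTABLE_FL = 0x00000010  # the inode flag that `chattr +i` sets

def is_immutable(path):
    """Return True/False for the immutable flag, None if it cannot be read."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        raw = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
    except OSError:
        return None  # file system does not expose inode flags
    finally:
        os.close(fd)
    # The kernel writes a 32-bit flag word at the start of the buffer.
    return bool(struct.unpack("i", raw[:4])[0] & FS_IMMUTABLE_FL)

def audit_repository(root):
    """Sort every file under root into immutable / mutable / unknown."""
    report = {"immutable": [], "mutable": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            state = is_immutable(path)
            if state is None:
                report["unknown"].append(path)
            else:
                report["immutable" if state else "mutable"].append(path)
    return report

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for state, paths in audit_repository(target).items():
        print(f"{state}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
```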
Veeam Cloud Connect
Veeam Cloud Connect is essentially a Backup as a Service offering, most commonly implemented as an off-site backup solution. The service provider's infrastructure acts as the remote repository.
At the same time, the provider can offer rental licensing for Veeam Backup & Replication (Veeam Data Platform) or Veeam Agent, which are required to use the service.
The key protection mechanism is full authentication domain separation — compromised accounts in the customer's network provide zero access to the provider-side infrastructure. An attacker who takes over the customer environment has no way to reach the remote backup copies.
The Insider Protection feature provides an additional layer of security — even if a backup copy is intentionally deleted from the customer console, we retain it in the system recycle bin for 14 days, making the deletion reversible.
Repository comparison
| | Scality ARTESCA+ | Veeam Data Cloud Vault | Veeam Hardened Repository | Veeam Cloud Connect |
|---|---|---|---|---|
| Pricing model | Capex / Opex | Opex | Capex / Opex | Opex |
| Price per 1 TB (net) | 45 zł/month | 90 zł/month | 20 zł/month | 80 zł/month |
| Deployment time | ~30 days | 1 day | ~30 days | 60 minutes |
| Location | On-premises | Cloud | On-premises | Cloud |
| Hardware required | Yes | No | Yes | No |
| Immutability mechanism | S3 Object Lock | Native | chattr +i | Insider Protection |
| Availability | Deployment required | Activation in 24h | Deployment required | Activation in 1h |
Downloads
Below you will find product brochures and descriptions of technologies and best practices for backup storage.
Scality ARTESCA+
Veeam Data Cloud Vault
Veeam Hardened Repository
Veeam Cloud Connect
Backup repository immutability is the foundation of cyber resilience
Immutable repositories are the last line of defense — but cyber resilience is more than a single mechanism. Discover Viability's proprietary methodology that combines data visibility analysis, backup and recovery, monitoring, and immutability into one coherent protection system.
Discover the 4 Rings of Cyber Resilience
Not sure which repository to choose?
Let's talk. We'll match the solution to your infrastructure, budget and requirements.
Book a consultation
Click the booking button — you will be redirected to our expert's calendar, where you can choose a convenient time for an online meeting.