Hardened / Immutable Backups are the equivalent of “air gapped,” tape, or WORM backups, rendering your data nearly untouchable by Threat Actors! Hardened / Immutable Backups are accomplished through the use of a Linux repository server, the XFS filesystem (to support Fast Clone), one-time-use credentials, and the immutability flag which is a property of just about any Linux filesystem.
Does it actually work, what about validation, you ask? Yes is does work, and the good folks at Veeam had it is tested and proven by Cohasset Associates meeting the requirements for non-rewritable, non-erasable storage as specified by SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31(c)-(d).
What an Immutable Repository is designed to do:
- Protect your backups from encryption by Ransomware
- Prevent backup file deletion by unauthorized administrators.
What an Immutable Repository cannot do:
- Prevent deletion of the SAN LUN by users who have SAN administrator credentials
- Prevent formatting of the volume by users who have login credentials for the Immutable Repository VM.
As a Best Practice, Veeam recommends that Immutable Repositories be deployed on a physical server with lots of disk space, such as an HPE Apollo. While that’s an admirable goal, there are lots of us with Virtualized and Cloud Infrastructures, and we rely on SAN systems to provide block storage.
VMsources has created a Virtual Appliance in OVA format, following Veeam Best Practices, making it easy for anybody to mount an iSCSI LUN as a Veeam Immutable Repository. Not everybody is fond of Linux or the CLI, so we have created an Ubuntu 22.04LTS server with all of the requirements baked-in as an OVA Virtual Appliance, and then documented the step-by-step instructions to mounting a SAN LUN, formatting it as XFS, and then creating your Veeam Immutable Repository.
Check out the OVA and PDF instructions here: https://www.johnborhek.com/download/immutable-repository-for-veeam-backup-and-replication-11/