
What is Data Immutability? A Complete Guide

Przemyslaw Szanowski

Content Writer

Ryan Post

Director Sales Engineering


In February 2024, attackers used stolen credentials to access Change Healthcare, a payment processing subsidiary of UnitedHealth Group, via a remote access portal lacking multifactor authentication. 

For weeks, pharmacies across the US couldn't process prescriptions, and healthcare providers lost access to critical claims data. More than 100 million Americans had their health records exposed, the largest breach ever reported to the US Department of Health and Human Services. [1] 

According to congressional testimony from the CEO, the disruption lasted months because the attack had locked up the various backup systems. This is a much more common ransomware tactic than many people realize. Research shows that in 96% of attacks, the attackers specifically target backup data to eliminate recovery options. [2] When they succeed, paying the ransom becomes the only way out, and even that does not guarantee recovery. 

Backup data immutability is the technical answer: a storage property that makes backup data unalterable from the moment it is written. This guide explains what it is, how it works, and why the standard for backup protection is shifting.

Key takeaways 

  • Data immutability means stored data cannot be modified or deleted for a defined retention period; it is the technical foundation of any ransomware recovery plan. 
  • Backup solutions with ‘standard immutability’ often have hidden exceptions and loopholes which could allow backups to be deleted, while Absolute Immutability enforces zero access to destructive actions, so your data remains safe. 
  • Only 58% of organizations currently use immutable storage across all their data, despite 89% of IT leaders saying AI-powered attacks have made them more concerned about their organization's data safety. [3] 

What is backup data immutability? 

Immutability is a storage property that prevents data from being modified, deleted, or overwritten after it is written. Once a backup is committed under immutability controls, no process, user, or system command can alter it before the retention period expires. 

That property makes immutable storage categorically different from standard backup storage, where data could be deleted, encrypted, or overwritten by anyone with sufficient access.  

94% of IT decision-makers say immutable backups are essential to comprehensive ransomware protection. [2] Without that protection, backups carry the same vulnerability as the production data they're meant to protect. 

How does immutability work? 

The core mechanism for immutable backup data is WORM (Write Once, Read Many) storage. Data is written once and locked. Reads are unrestricted; data can be accessed and restored at any time during the retention window. Writes to existing data are blocked at the storage layer. 

Object storage data immutability is primarily implemented through S3 Object Lock. When an object is written to an S3-compatible bucket with Object Lock enabled, a retention policy prevents the object from being deleted or overwritten until that policy expires. S3 Object Lock operates in two modes: 

  • Governance mode: Protects against unintended modifications by standard users. A user with specific override permissions can still remove the lock. This is appropriate for operational data management, but not for backup protection where the threat model includes compromised admin credentials. 
  • Compliance mode: No user, regardless of permissions, can shorten the retention period or delete the object before it expires. The lock cannot be overridden through any management interface.

Additional immutability mechanisms include hash verification, where a cryptographic checksum is stored at write time and verified on each read, and versioning, where each modification creates a new object version rather than overwriting, preserving a complete history of all states. 
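The rules in this section, modeled as an added example (not code from this guide or from any storage product). It covers versioned writes, a write-time checksum verified on read, and the difference between the two lock modes. The class and method names are hypothetical, and the mode strings follow the S3 Object Lock names GOVERNANCE and COMPLIANCE.

```python
import hashlib

class RetentionError(Exception):
    """A request would violate an active retention lock."""

class WormBucket:
    """In-memory model of a versioned bucket with retention locks (not an S3 client)."""
    def __init__(self):
        self.objects = {}   # (key, version_id) -> stored record
        self.next_id = 1

    def put(self, key, data, mode, retain_until):
        # Versioning: writing an existing key adds a version, it never overwrites.
        vid, self.next_id = self.next_id, self.next_id + 1
        self.objects[(key, vid)] = {"data": data, "mode": mode,
                                    "retain_until": retain_until,
                                    "sha256": hashlib.sha256(data).hexdigest()}
        return vid

    def get(self, key, vid):
        rec = self.objects[(key, vid)]
        # Hash verification: recompute and compare with the write-time checksum.
        if hashlib.sha256(rec["data"]).hexdigest() != rec["sha256"]:
            raise ValueError("checksum mismatch: stored bytes changed after write")
        return rec["data"]

    def _enforce(self, rec, now, bypass_governance):
        if now >= rec["retain_until"]:
            return                      # retention expired: lock no longer applies
        if rec["mode"] == "COMPLIANCE":
            raise RetentionError("compliance mode: denied for every caller")
        if not bypass_governance:
            raise RetentionError("governance mode: override permission required")

    def delete(self, key, vid, now, bypass_governance=False):
        # Deletes one specific version; the lock is attached to that version.
        self._enforce(self.objects[(key, vid)], now, bypass_governance)
        del self.objects[(key, vid)]

    def set_retention(self, key, vid, new_until, now, bypass_governance=False):
        rec = self.objects[(key, vid)]
        if new_until < rec["retain_until"]:   # extending a lock is always allowed
            self._enforce(rec, now, bypass_governance)
        rec["retain_until"] = new_until
```

`now` and `retain_until` can be any comparable timestamps, for example timezone-aware `datetime` values. The `bypass_governance` flag stands in for the override permission mentioned under governance mode.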

Absolute Immutability: The modern standard 

 Governance-mode WORM protection relies on admin credentials. A cybercriminal who obtains those credentials inherits the same ability to modify or disable retention policies as a legitimate administrator. 

Absolute Immutability is the response to that specific scenario. It ensures Zero Access to destructive actions. No one, including the most privileged administrator or attacker, can modify or delete backup data. [4] Enforcement sits at the storage layer, not in software policy, so it cannot be disabled by credentials, configuration changes, or remote commands. 

The protection is enforced at four independent layers: 

  1. S3 Object Lock in compliance mode: Locks objects at the storage protocol level. No API call or user permission can shorten the retention period. 
  2. Storage application with restricted admin access: Destructive actions are removed from the administrative interface entirely, not just permission-gated. 
  3. Operating system with root access blocked: No SSH, no root login, no command-line access to the underlying system. 
  4. BIOS access restricted to physical-only modifications: Prevents tampering with boot processes or security settings.

"As ransomware threats become more sophisticated and costly, the only guaranteed path to recovery is through reliable, absolutely immutable backups," said David Bennett, CEO, Object First. [5] 

The practical difference between standard and Absolute Immutability is most visible when admin credentials are compromised. Governance-mode protection fails in that scenario, while S3 compliance-mode protection with Zero Access to destructive actions does not. 
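One way to check an existing bucket for the exposure described above, as an added example rather than code from this guide or from Object First. It assumes AWS-style naming: the `ObjectLockConfiguration` and `ObjectLockMode` fields of the S3 API, and the IAM action `s3:BypassGovernanceRetention` as the override permission. The sample records, principal names and the `Key` field on each object record are constructed.

```python
from fnmatch import fnmatchcase

BYPASS = "s3:bypassgovernanceretention"  # IAM action names match case-insensitively

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_bypass(patterns):
    return any(fnmatchcase(BYPASS, p.lower()) for p in _as_list(patterns))

def grants_bypass(policy):
    """True if an Allow statement covers the override action (Deny/Condition ignored)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            if not _covers_bypass(stmt["NotAction"]):
                return True
        elif _covers_bypass(stmt.get("Action", [])):
            return True
    return False

def audit(lock_config, objects, policies):
    """List the places where a stolen credential could still remove backups."""
    findings = []
    cfg = lock_config.get("ObjectLockConfiguration", {})
    default_mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if cfg.get("ObjectLockEnabled") != "Enabled" or default_mode != "COMPLIANCE":
        findings.append(f"bucket default retention mode: {default_mode}")
    for obj in objects:
        if obj.get("ObjectLockMode") != "COMPLIANCE":
            findings.append(f"{obj['Key']}: lock mode {obj.get('ObjectLockMode')}")
    for name, policy in policies.items():
        if grants_bypass(policy):
            findings.append(f"{name}: may override governance retention")
    return findings

# Constructed sample input, shaped like S3 and IAM API output.
LOCK_CONFIG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
OBJECTS = [{"Key": "backups/full-001", "ObjectLockMode": "COMPLIANCE"},
           {"Key": "backups/incr-002", "ObjectLockMode": "GOVERNANCE"},
           {"Key": "backups/incr-003"}]  # no lock set on this version
POLICIES = {
    "backup-operator": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                       "Action": ["s3:PutObject", "s3:GetObject"]}]},
    "storage-admin": {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}},
    "break-glass": {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
}
```

Calling `audit(LOCK_CONFIG, OBJECTS, POLICIES)` on the sample data reports the governance-mode default, the two objects without a compliance lock, and the two principals whose policies cover the override action through a wildcard or a `NotAction` grant.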

Who needs data immutability? 

89% of IT leaders say AI-powered cyberattacks have made them more concerned about their organization's data safety, and 73% have identified increasing backup security as their top defense. [3] Yet, only 58% of organizations use immutable backups across all their data, so awareness is not always translating to deployment.  

The consequences are being felt across all sectors, including: 

  1. Healthcare. Ransomware attacks on healthcare organizations don't just encrypt data; they also disrupt patient care. The Change Healthcare breach in 2024 left pharmacies unable to process prescriptions for weeks. Under the HIPAA §164.312(c)(1) regulation, covered entities must implement controls to protect data integrity. Immutable backup storage satisfies that requirement structurally and ensures patient data can be restored without paying ransom. 
  2. Financial services. SEC Rule 17a-4(f) requires broker-dealers to maintain records in non-rewritable, non-erasable format. The same applies under the EU’s DORA regulation covering a wide range of Financial Services organizations. Any modification of financial records creates both regulatory exposure and legal liability. Immutable storage satisfies this requirement at the storage layer, not through an access policy that an administrator could accidentally or deliberately change. 
  3. Managed Service Providers. MSPs manage backup environments for dozens or hundreds of clients simultaneously, making them a high-value target. A single compromised MSP environment can cascade across every customer they serve. Implementing an immutable backup storage solution ensures that even if an attacker gains access to the MSP's management platform, they cannot reach client data. 
  4. Manufacturing. 65% of manufacturing organizations were hit by ransomware last year, and 93% of those had their backup infrastructure specifically targeted. [6] Production line disruption carries a direct revenue impact from the first hour. Clean, immutable backup data is what determines how quickly operations can be restored versus how long they stay offline. 
  5. Education. 95% of education organizations hit by ransomware had their backups specifically targeted, and 71% of those attempts succeeded. [8] Student records, financial aid data, and research data are all high-value targets. Compliance requirements under FERPA create additional exposure if data cannot be demonstrated as unmodified and recoverable.

The benefits of backup data immutability 

Ransomware-proof backup and faster recovery 

The only path to recovery after a ransomware attack is to restore encrypted production systems from backups. Even paying the ransom doesn’t guarantee that all—or even any—data will be recovered. In most cases, attackers specifically target backup infrastructure. Standard mutable backups can be encrypted alongside production data, leaving nothing to restore from. 

With ransomware-proof backup storage, recovery begins from a clean, verified data state. ESG research found 49% of organizations without tested immutable backups took up to five business days to recover from an attack. [2] Organizations with verified, intact, immutable backups measure recovery in hours, not days. The difference is whether backup data was vulnerable during the attack. 

Compliance defensibility 

Immutable storage directly satisfies retention-integrity requirements under, among other regulations, SEC 17a-4(f), HIPAA §164.312(c)(1), GDPR Article 32, NIS2 Article 21, and DORA Article 12. Each framework requires tamper-evident, non-rewritable storage for covered data categories. Compliance-mode S3 immutable storage satisfies these requirements at the architecture level, not through policies that require ongoing monitoring to confirm they haven't been changed. 

Insider threat containment 

35% of data breaches involve an internal actor. [7] Insider threats range from deliberate sabotage to a misconfigured retention setting during routine maintenance. Because no user, including root administrators, can alter locked data during the retention window, insider-driven data loss is eliminated by design within the protected period. With immutable data protection, the protection is structural, not policy-dependent.

Auditable data history 

Every write to S3 immutable storage creates a versioned, tamper-proof record. Post-incident forensics are straightforward: the data state at any point in the retention window is preserved and independently verifiable. For regulated industries where demonstrating data integrity to auditors or regulators is a requirement, immutable storage provides that evidence without a separate audit trail system. 

Mutable vs. immutable data 

The core difference between mutable and immutable storage is what happens after the initial write. Mutable data can be edited, deleted, or overwritten by any authorized user or process. When immutability is implemented properly with Zero Access to destructive actions, the result is Absolute Immutability. Backup data with Absolute Immutability cannot be changed or deleted, regardless of authorization levels. 

Ransomware operators with admin credentials can delete or encrypt mutable backups before triggering the visible attack on production systems, removing the recovery option before the organization knows an attack is underway. 

|  | Mutable data | Absolutely immutable data |
| --- | --- | --- |
| Editability | Can be modified post-write | Cannot be modified post-write |
| Deletion | Can be deleted by authorized users | Protected for retention period |
| Ransomware risk | Backups can be encrypted or deleted | Backups remain intact during attack |
| Insider threat | Authorized users can corrupt data | No destructive access during retention |
| Compliance | Requires separate audit controls | Satisfies retention integrity structurally |
| Recovery confidence | Depends on backup not being compromised | Guaranteed if retention window is active |
| Audit trail | Requires additional logging | Versioned record built in |
| Use case | Operational and transactional data | Backup data and regulated records |

Best storage for Veeam with Absolute Immutability 

Ransomware-proof with Absolute Immutability, Object First on-premises backup storage for Veeam takes the risk out of data recovery, so you're always Simply Resilient. 

Object First: 

  • Leverages S3 Object Storage: Built on a fully documented, open standard with native immutability, enabling independent penetration testing and third-party verification.
  • Enforces Zero Time to Immutability: Backup data becomes immutable the moment it is written—no gaps, no landing zones. 
  • Runs on a Target Storage Appliance: Separates storage from backup software, eliminating DIY risks and offloading operational security to the vendor—no security expertise required.   

Download our white paper on Absolute Immutability and learn why it’s the ultimate ransomware defense.  

 

References 

[1] U.S. Department of Health and Human Services, Office for Civil Rights. "Change Healthcare Cybersecurity Incident." 2024. https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident/index.html 

[2] Object First. "ESG Research Finds Immutable Backup Storage Following Zero Trust as the Best Defense Against Ransomware." 2025. https://objectfirst.com/newsroom/press-releases/esg-research-finds-immutable-backup-storage-following-zero-trust-as-the-best-defense-against-ransomware/ 

[3] Object First. "Object First Survey: 89% of IT Leaders Fear AI-Powered Cyberattacks Will Cost Them Their Data." 2026. https://objectfirst.com/newsroom/press-releases/object-first-survey-89-percent-of-it-leaders-fear-ai-powered-cyberattacks-will-cost-them-their-data/ 

[4] Object First. "What is Absolute Immutability?" https://objectfirst.com/guides/immutability/absolute-immutability/ 

[5] Object First. "Object First Named Global InfoSec Award Winner by Cyber Defense Magazine at RSAC Conference 2026." 2026. https://objectfirst.com/newsroom/press-releases/object-first-named-global-infosec-award-winner-by-cyber-defense-magazine-at-rsac-conference-2026/ 

[6] Sophos. "The State of Ransomware in Manufacturing and Production 2024." 2024. https://www.sophos.com/en-us/blog/the-state-of-ransomware-in-manufacturing-and-production-2024/ 

[7] Verizon. "2024 Data Breach Investigations Report." 2024. https://www.verizon.com/business/resources/reports/dbir/ 

[8] Sophos. "The State of Ransomware in Education 2024." 2024. https://www.sophos.com/en-us/blog/the-state-of-ransomware-in-education-2024/