Profile Applicability:
Level 1
Description:
Immutability for Azure Backup Vaults ensures that backup data cannot be altered or deleted within a specified retention period. This feature protects backups against accidental or malicious tampering, including ransomware attacks, by making recovery points write-once-read-many (WORM) compliant.
Rationale:
Enabling immutability enhances data protection and compliance by guaranteeing the integrity and availability of backup data. It ensures that backup data remains unchangeable and recoverable for the retention duration, which is critical for business continuity and regulatory requirements.
Impact:
Pros:
Protects backup data from deletion or modification.
Mitigates risk from ransomware and insider threats.
Supports compliance with data retention and audit regulations.
Cons:
Requires careful planning of retention policies.
May increase storage costs due to longer data retention.
Immutability periods cannot be shortened once set.
Default Value:
Immutability is disabled by default and must be explicitly enabled and configured.
Pre-requisites:
Azure Recovery Services Vault with backup enabled.
Permissions to configure immutability policies.
Understanding of organizational retention requirements.
Remediation
Test Plan:
Using Azure Portal:
1. Go to https://portal.azure.com.
2. Navigate to Recovery Services Vaults.
3. Select the target Backup Vault.
4. Under Backup Policies or Immutability Settings, verify that immutability is enabled.
5. Confirm that a lock duration or retention period is configured.
Using Azure CLI:
1. Check the immutability settings on the vault or policy (commands may vary):
az backup policy show --resource-group <resource-group> --vault-name <vault-name> --name <policy-name> --query "immutabilitySettings"
2. Confirm immutability is enabled and configured with a retention period.
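Added example (not part of the original benchmark text): the Python below evaluates the JSON printed by the query in step 1 against the two conditions in step 2. The field names enabled and retentionDurationInDays are taken from the commands on this page; the sample outputs and the 14-day minimum are constructed assumptions.

```python
import json

# Constructed sample outputs of the audit query above (not real vault data).
SAMPLES = {
    "policy-compliant": '{"enabled": true, "retentionDurationInDays": 30}',
    "policy-disabled": '{"enabled": false, "retentionDurationInDays": 30}',
    "policy-short": '{"enabled": true, "retentionDurationInDays": 7}',
    "policy-no-retention": '{"enabled": true}',
    "policy-unset": "null",  # what --query prints when the property is absent
    "policy-empty": "",
}


def evaluate(raw, min_days):
    """Return (passed, reason) for one policy's immutabilitySettings JSON."""
    try:
        settings = json.loads(raw) if raw.strip() else None
    except json.JSONDecodeError:
        return False, "output is not valid JSON"
    if not isinstance(settings, dict):
        return False, "immutabilitySettings not present (disabled by default)"
    # Require a real boolean true; strings like "false" must not pass as truthy.
    if settings.get("enabled") is not True:
        return False, "immutability is not enabled"
    days = settings.get("retentionDurationInDays")
    if isinstance(days, bool) or not isinstance(days, int) or days <= 0:
        return False, "no retention period configured"
    # min_days is the organization's required minimum (an assumption here).
    if days < min_days:
        return False, f"retention {days}d is below required {min_days}d"
    return True, f"enabled with {days}d retention"


def audit(outputs, min_days):
    """Evaluate every policy; return {name: (passed, reason)}."""
    return {name: evaluate(raw, min_days) for name, raw in outputs.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLES, min_days=14).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```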
Implementation Plan
Using Azure Portal:
1. Create or update a backup policy with immutability enabled.
2. Define the retention duration for immutability according to policy.
3. Assign the policy to relevant workloads or backup items.
4. Save and validate the settings.
Using Azure CLI:
1. Enable immutability in a backup policy:
az backup policy set --resource-group <resource-group> --vault-name <vault-name> --name <policy-name> --set immutabilitySettings.enabled=true immutabilitySettings.retentionDurationInDays=<days>
2. Assign the policy to backup items as needed.
Backout Plan
Using Azure Portal:
Disable immutability by modifying the backup policy.
Note that immutability cannot be revoked for already created recovery points.
Using Azure CLI:
1. Disable immutability in the backup policy:
az backup policy set --resource-group <resource-group> --vault-name <vault-name> --name <policy-name> --set immutabilitySettings.enabled=false
2. Understand that existing immutable backups remain unaffected.