Profile Applicability:
Level 1
Description:
Immutability on Azure Recovery Services Vaults ensures that backup data and recovery points cannot be altered or deleted within a specified retention period. This write-once-read-many (WORM) protection safeguards backups against accidental or malicious tampering, including ransomware attacks, maintaining data integrity and availability.
Rationale:
Enabling immutability strengthens data protection and compliance by guaranteeing that backup data remains unchangeable for the retention period. This is critical for business continuity, regulatory requirements, and audit readiness, ensuring reliable recovery points in case of data loss or corruption.
Impact:
Pros:
Protects backups from deletion or modification.
Mitigates risks from ransomware and insider threats.
Supports compliance with data retention and audit regulations.
Cons:
Requires careful planning of retention durations.
Immutability periods are non-reversible for existing backups.
Potentially higher storage costs due to enforced retention.
Default Value:
Immutability is disabled by default and must be explicitly enabled and configured on Recovery Services Vaults.
Prerequisites:
Azure Recovery Services Vault configured with backup enabled.
Permissions to manage immutability settings.
Defined organizational retention and compliance policies.
Remediation
Test Plan:
Using Azure Portal:
Navigate to https://portal.azure.com.
Open Recovery Services Vaults and select the target vault.
Under Backup Policies or Immutability Settings, verify that immutability is enabled and configured with an appropriate retention period.
Using Azure CLI:
1. Retrieve immutability settings for the backup policy:
az backup policy show --resource-group <resource-group> --vault-name <vault-name> --name <policy-name> --query immutabilitySettings
2. Confirm that immutability is enabled and retention duration is set.
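An added example, not part of the original control text, that extends the check from one policy to every vault in a subscription by classifying the JSON returned by `az backup vault list -o json`. It assumes the vault-level state is exposed at `properties.securitySettings.immutabilitySettings.state` with the values `Disabled`, `Unlocked` and `Locked`; the vault names and the sample JSON are constructed.

```python
import json

# Assumption: states that count as "immutability enabled" on a vault.
PROTECTED_STATES = {"Unlocked", "Locked"}

# Constructed sample standing in for `az backup vault list -o json` output.
SAMPLE_VAULTS = json.dumps([
    {"name": "rsv-prod-01", "resourceGroup": "rg-backup",
     "properties": {"securitySettings": {"immutabilitySettings": {"state": "Locked"}}}},
    {"name": "rsv-dev-01", "resourceGroup": "rg-dev",
     "properties": {"securitySettings": {"immutabilitySettings": {"state": "Unlocked"}}}},
    {"name": "rsv-test-01", "resourceGroup": "rg-test",
     "properties": {"securitySettings": {"immutabilitySettings": {"state": "Disabled"}}}},
    # Vault with no security settings block at all.
    {"name": "rsv-legacy", "resourceGroup": "rg-old", "properties": {}},
])


def immutability_state(vault):
    """Return the vault's immutability state; absent settings mean the default, Disabled."""
    node = vault.get("properties") or {}
    for key in ("securitySettings", "immutabilitySettings"):
        node = node.get(key) or {}
    return node.get("state") or "Disabled"


def audit_vaults(vaults_json):
    """Classify every vault; a vault passes only when immutability is enabled."""
    findings = []
    for vault in json.loads(vaults_json):
        state = immutability_state(vault)
        findings.append({
            "vault": f'{vault.get("resourceGroup")}/{vault.get("name")}',
            "state": state,
            "compliant": state in PROTECTED_STATES,
            # Unlocked can still be switched off, so flag it for follow-up.
            "reversible": state == "Unlocked",
        })
    return findings


def failing(findings):
    """Names of vaults that do not meet the control."""
    return [f["vault"] for f in findings if not f["compliant"]]


if __name__ == "__main__":
    for f in audit_vaults(SAMPLE_VAULTS):
        print(f'{"PASS" if f["compliant"] else "FAIL"}  {f["vault"]}  state={f["state"]}')
```

To run it against live data, pass the output of `az backup vault list -o json` to `audit_vaults` in place of `SAMPLE_VAULTS`.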
Implementation Plan
Using Azure Portal:
Create or update a backup policy with immutability enabled.
Specify the retention duration according to policy.
Assign the policy to relevant backup items or workloads.
Save and verify the settings.
Using Azure CLI:
1. Enable immutability in a backup policy:
az backup policy set --resource-group <resource-group> --vault-name <vault-name> --name <policy-name> --set immutabilitySettings.enabled=true immutabilitySettings.retentionDurationInDays=<days>
2. Apply the policy to backup items as necessary.
Backout Plan
Using Azure Portal:
Disable immutability in the backup policy if required.
Note that immutability cannot be revoked for existing immutable backups.
Using Azure CLI:
1. Disable immutability:
az backup policy set --resource-group <resource-group> --vault-name <vault-name> --name <policy-name> --set immutabilitySettings.enabled=false
2. Existing immutable backups remain unaffected.