What Is Immutable Backup? Immutable and Air-Gapped Backups Explained for SMBs

June 4, 2026

According to Veeam’s 2024 Ransomware Trends Report, 96% of ransomware attacks specifically targeted backup repositories. That number reframes backup from a safety net into a primary attack surface.

A backup that ransomware can reach and encrypt is not a backup. Conventional backups stored on network shares or writable volumes can be reached through the same stolen credentials attackers use to move across your environment. They disappear right when you need them most.

Immutable and air-gapped backups close that gap. This article defines both technologies and explains how WORM storage enforces write-once protection. It then compares the two strategies side by side and shows how they fit into a 3-2-1-1-0 backup framework for SMBs.


What Is Immutable Backup?

An immutable backup is a backup copy that cannot be modified, overwritten, encrypted, or deleted for a defined retention period after the initial write. Once data is written and the retention lock activates, no credential, no software command, and no administrative override can alter it until the lock expires.

That protection matters because of how ransomware operators move. A conventional backup stored on a network share or writable volume inherits the access permissions of the compromised account used to attack production data. Ransomware routinely locates and encrypts backup sets before triggering any visible sign of the incident. By the time your team discovers the breach, the backup is already gone.

Immutability is one component of a complete recovery architecture. The 3-2-1-1-0 framework covered later in this article shows how the remaining layers fit together.

Retention windows on immutable backups are commonly set to 30, 60, or 90 days. Indefinite retention is possible but carries higher storage costs. The goal is a window long enough to detect and recover from an attack before the clean copy ages out.

The storage layer enforces immutability, not the application layer. The technology behind that enforcement is WORM storage, covered in the next section.


How WORM Storage Makes Backups Immutable

WORM, which stands for Write Once, Read Many, is the storage technology that enforces immutability at the hardware or object level. Once data is written to a WORM-capable volume, the storage system blocks any modification or deletion for the duration of the retention policy, regardless of what any software layer requests.

WORM applies across several storage types:

  • Cloud object storage with retention locks. AWS S3 Object Lock (available in compliance mode and governance mode), Azure Blob immutable storage, and equivalent services from major cloud providers apply WORM policies at the object level. Compliance mode is the stronger option: not even the account owner can delete a locked object before the retention period expires.
  • On-premises WORM appliances. Dedicated backup appliances, NAS devices with WORM volumes, and LTO tape media enforce write-once protection at the hardware level, independent of the operating system or backup software running above them.
  • Backup software retention locks. Backup platforms can enforce immutability through their own APIs against a WORM-capable target, layering a software retention lock on top of the underlying storage protection.

WORM-compliant storage also satisfies regulatory requirements for tamper-evident data retention in industries that mandate audit-ready records. Auditors trust records that cannot be altered after the fact.

The critical distinction: immutability is a property of the storage target, not the backup software. A backup application running against a standard writable volume provides no immutability, regardless of its configuration.
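The check below is an added example, not code from the original article or from any vendor: it audits bucket settings for the compliance-versus-governance distinction and the retention window described above. Input dictionaries follow the shape of the S3 GetObjectLockConfiguration response; the bucket names, sample values, and the 30-day minimum are assumptions.

```python
# Added example: audit S3 Object Lock settings against a retention policy.
# Input follows the shape of the S3 GetObjectLockConfiguration response.
MIN_RETENTION_DAYS = 30  # assumption: shortest window named in the article


def retention_days(default_retention):
    """Convert a DefaultRetention block (Days or Years) to days."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_object_lock(bucket, response, min_days=MIN_RETENTION_DAYS):
    """Return findings for one bucket; an empty list means it passes."""
    config = response.get("ObjectLockConfiguration", {})
    if config.get("ObjectLockEnabled") != "Enabled":
        return [f"{bucket}: Object Lock is not enabled, objects stay writable"]
    default = config.get("Rule", {}).get("DefaultRetention")
    if not default:
        return [f"{bucket}: no default retention, objects lock only if the writer sets it"]
    findings = []
    if default.get("Mode") != "COMPLIANCE":
        findings.append(f"{bucket}: {default.get('Mode')} mode can be bypassed by "
                        "principals holding s3:BypassGovernanceRetention")
    days = retention_days(default)
    if days < min_days:
        findings.append(f"{bucket}: retention of {days} days is below {min_days}")
    return findings


# Constructed sample responses (hypothetical bucket names). An empty dict
# stands in for a bucket where the lookup reports no lock configuration.
SAMPLE = {
    "vault-compliance": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    "vault-governance": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}}}},
    "vault-no-default": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    "plain-bucket": {},
}

if __name__ == "__main__":
    for name, resp in SAMPLE.items():
        for line in audit_object_lock(name, resp) or [f"{name}: OK"]:
            print(line)
```
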

Immutability secures a connected backup. The air gap takes a different approach: it removes the connection.


What Is an Air Gap Backup?

An air gap is a physical or logical separation between your backup copy and your production network. Four concepts define how this works in practice:

  1. Physical air gap. Backup media, such as tape cartridges or removable drives, is ejected and stored completely offline. Malware has no digital pathway to reach a drive secured in an off-site location. This is the most absolute form of separation available.
  2. Logical air gap. A backup copy in an isolated cloud vault connects to the production environment only during a short, scheduled backup window. When the window closes, the access path is severed. No persistent connection means no persistent attack surface.
  3. Tape as a time-tested physical air gap. Modern LTO tape is a cost-effective option for businesses with large data volumes that need periodic offline archives. Tape’s sequential write format also makes it naturally resistant to encryption-based attacks.
  4. Logical air gap limitations. Effectiveness depends entirely on strict access controls and network segmentation. A misconfigured vault with persistent connectivity is not a true air gap. The backup sync window itself is also a vulnerability. If ransomware is active in your environment when the sync runs, the air gap offers no protection during that window.

Immutable Backup vs. Air Gap Backup: Two Layers, One Strategy

These two approaches defend against different attack vectors. Cloud backup is a common destination for the immutable copy in this architecture.

  • Immutability prevents modification. A connected backup copy protected by a retention lock cannot be encrypted or deleted, even if an attacker holds valid credentials and full network access to the backup target.
  • Air gapping prevents access. A backup stored offline or in a sealed vault has no reachable network path. Ransomware cannot locate it to attempt encryption in the first place.
  • Neither alone closes every gap. An immutable backup on a persistently connected volume can still be targeted through credential theft, even if encryption fails. A non-immutable air-gapped copy can be overwritten during its sync window if that window is compromised.
  • Combined posture. A backup that is both immutable and air-gapped is unmodifiable and unreachable by network-based ransomware. This is the strongest protection layer available for backup data.
  • Traditional backups by comparison. Backups written to the same network shares used by production servers are routinely located and encrypted in ransomware attacks before the organization discovers the breach.
  • Practical SMB deployment. Most businesses achieve this through an immutable cloud backup destination (logical air gap) plus a periodic tape or removable-media copy (physical air gap) that rotates off-site.

The 3-2-1-1-0 Rule: Where Immutable Backups Fit

Those two layers map directly into a formal framework most security-conscious organizations already reference.

The 3-2-1-1-0 backup rule structures resilient data protection into five requirements:

  • 3 copies of your data
  • 2 different media types
  • 1 copy offsite
  • 1 copy offline, air-gapped, or immutable
  • 0 unverified backups

The fourth digit is precisely where immutable and air-gapped backups slot in. That second “1” requires a copy that is offline, air-gapped, or protected by immutability controls. This is the component most SMBs skip entirely, and it is the one ransomware operators count on being absent.

The final digit closes the loop. Scheduled restore tests convert storage capability into actual recovery capability. Without them, the “0” in your framework is a hope, not a guarantee.
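As an added example (not part of the original article), the five requirements can be scored against a backup inventory. The inventory entries, field names, and the 90-day restore-test age limit are assumptions; the production data set is counted as the first of the three copies and is excluded from the restore-test check.

```python
# Added example: score a backup inventory against the 3-2-1-1-0 rule.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Copy:
    name: str
    media: str                       # "disk", "object-storage", "tape", ...
    offsite: bool = False
    protected: bool = False          # offline, air-gapped, or immutable
    production: bool = False         # the live data set counts as copy 1
    last_restore_test: Optional[date] = None


def check_32110(copies, today, max_test_age_days=90):
    """Return (results per digit, names of unverified backups).

    max_test_age_days is an assumed restore-test schedule, not from the article.
    """
    cutoff = today - timedelta(days=max_test_age_days)
    unverified = [c.name for c in copies if not c.production
                  and (c.last_restore_test is None or c.last_restore_test < cutoff)]
    results = {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in copies),
        "1 offline/air-gapped/immutable": any(c.protected for c in copies),
        "0 unverified": not unverified,
    }
    return results, unverified


# Constructed inventory (hypothetical names and dates).
TODAY = date(2026, 6, 4)
INVENTORY = [
    Copy("file-server", "disk", production=True),
    Copy("nas-share", "disk", last_restore_test=date(2026, 5, 20)),
    Copy("cloud-locked", "object-storage", offsite=True, protected=True),
]

if __name__ == "__main__":
    results, unverified = check_32110(INVENTORY, TODAY)
    for rule, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
    print("unverified:", unverified)
```

In the constructed inventory the locked cloud copy satisfies the fourth digit but has never been restored, so the final digit fails until a restore test is recorded.
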

Regulated organizations subject to HIPAA requirements use 3-2-1-1-0 as a baseline; immutable copies directly satisfy the technical safeguard requirement for backup integrity. Organizations pursuing HIPAA compliance support will find this framework directly applicable to their planning.


How SMBs Can Build Ransomware-Resistant Backup Systems

Understanding the framework is step one. Building it correctly is another matter.

Start with an audit of where your current backups land. If ransomware running under a compromised admin account can reach your backup target over the network, those backups are not protected.

From there, build the protection layer in deliberate steps:

  • Separate backup credentials. Backup service accounts should carry no admin rights on production systems, limiting lateral movement from a compromised endpoint into backup infrastructure.
  • Select storage with native immutability. Choose object storage with retention lock policies or a hardware appliance that enforces WORM protection at the storage layer. Either keeps your backups safe regardless of the application running on top.
  • Layer in an air-gapped copy. Schedule a periodic sync to an offline or vaulted destination outside the primary backup window. At least one copy should exist that no attacker could reach during an active incident.
  • Test restores on a defined schedule. The “0” in 3-2-1-1-0 means zero unverified backups. Regular restore tests are the only way to confirm a backup is actually a recovery asset rather than a storage artifact.

Orchestrating retention locks, credential separation, restore verification, and air-gap rotation across a hybrid environment is operationally intensive for lean IT teams. Working with a provider that offers data backup and recovery services delivers a consistent, auditable process without the internal overhead.


Your Path to Ransomware-Resistant Backups

Immutable and air-gapped backups are not optional enhancements. They are the difference between restoring from a clean copy and negotiating over a decryption key.

SMBs rarely struggle with understanding why these controls matter. The challenge is building and maintaining them correctly:

  • Configuring retention locks on backup storage
  • Separating credentials to limit lateral movement
  • Validating restores on a defined schedule
  • Rotating off-site media on a schedule that holds

When any single step slips, the protection slips with it.

A clear picture of your current backup posture is the right starting point. Schedule an assessment and get an honest review of where your exposure lies before ransomware provides one for you. When backup security becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward.

LeadingIT provides managed IT and cybersecurity services to businesses with 25 to 250 employees across Chicagoland, including endpoint protection, 24/7 monitoring, incident response, vCIO guidance, and compliance support. We solve problems before they reach your inbox.

Contact our Chicagoland IT support team or call 815-788-6041 to schedule a free assessment.


Stephen Taylor is the founder and driving force behind LeadingIT, a Chicagoland-based IT and cloud services company, where he focuses on delivering practical, client-first technology solutions for businesses. A Microsoft Certified professional and author of Technology Should Just Work, he combines hands-on expertise with a passion for making IT simple, transparent, and effective.
