Backups Apr 2, 2024

Immutable backups: protection from ransomware and mistakes

WORM and separate accounts help recovery when regular backups are lost.

An immutable backup cannot be altered or deleted until retention expires. This is critical during ransomware attacks when attackers try to remove copies. It becomes the last reliable layer of defense.

Define retention policy: how often backups run and how long they stay. Different services have different RPO and RTO targets, so a single rule rarely fits all. Segment data by criticality.

Store backups in a separate account with separate access keys. A compromised primary account should not be able to delete backups. This is a fundamental reliability practice.

Test restores regularly. Without verification you do not know whether backups are usable. Scheduled tests and checksums reveal issues early.

Combine snapshots with WORM object storage. Snapshots provide fast rollback, while object storage delivers long term protection. Track storage cost and restore pricing.

Watch regional placement. Backups may default to another region, which can violate residency requirements. Configure and document locations explicitly.

When choosing a provider, ask about immutability support, API access, and alerts. Without these features the protection process becomes manual and risky.

Separate permissions: development teams should not be able to delete backups. It reduces accidental data loss risk.

Align backup frequency with service criticality. Payments need a tighter cycle than archival data.

Prepare recovery instructions and store them separately. In a crisis you need a clear plan, not a search through emails.

Separate alert channels for backup failures from general logs. Otherwise critical errors get lost and recovery time increases.

Agree on who performs restores and how long they take. Without roles and a runbook, even a good backup is useless. Regular drills reveal real recovery time.

Store recovery contacts and backup system access in a secure place. During incidents this saves time.

Validate backups with checksum verification to ensure integrity.

Review backup logs at least once a week.

#backups #security #ransomware #hosting

Related reading

Backups, DDoS and isolation: the minimum security baseline Security · Jan 9, 2026
Postmortems and incidents: what to ask a provider Operations · Sep 18, 2022
Zero Trust for hosting: what to verify with a provider Security · Nov 20, 2024
Back to articles All articles To hosting list