Immutable backups or immutable data storage refers to data that has been securely backed up and that cannot be modified or deleted until the data controller (the customer) no longer requires the data. The latter is determined by the customer organisation's data protection and retention policies.
Data that is backed up by Redstor cannot be modified once it has been stored on Redstor’s StorageServers. If data in a backup account (1) has been backed up at least once and (2) has not been trimmed as part of a roll-up, it will be available to be restored, regardless of whether the original was deleted or not. Files that are flagged as suspicious as part of malware detection are prevented for restore, but are not removed.
There are two additional components in the delivery of immutable backups: data retention and the separation of production and backup data. The combination of these components ensures that customer data cannot be modified or deleted until the appropriate time (or contract termination).
1. Data retention
It should be possible to specify how long data can be retained. Redstor provides the ability for customers to define their data retention requirements. For the default setting of monthly roll-ups, the last backup of the month becomes the roll-up for that month. The last backup of the roll-up period becomes the roll-up for that period. By default, we now retain 84 roll-ups (month-ends) for new customers. Existing customers may still have the previous default of two roll-ups (month-ends) enabled.
Customers can also request to increase their data retention to meet organisational requirements, e.g. financial regulations that require data to be kept for several years. Please note that this may be subject to additional costs. Read more about configuring retention in Article 106.
2. Separation of production and backup data
There should be a clear physical and logical separation between production data and backup data. This prevents the spread of ransomware from one environment to another, and enables more efficient disaster recovery and incident management.
In accordance with ISO 22301 (Security and resilience — Business continuity management systems), Redstor maintains a business continuity strategy and associated plans. In line with these provisions, Redstor maintains two copies of customer data in geographically separate data centres. Our primary data centre is located in Slough, UK and our secondary data centre in Reading, UK. If a failure occurs in the primary data centre, Redstor can therefore service customers from the secondary centre. Each data centre is equipped with resilience and redundancy features to ensure availability and continuity of service to our customers.
By storing data with Redstor, customers can comply with the UK National Cyber Security Centre's best practices. In summary, these are as follows:
- The offline rule – Keep backups in the cloud, physically and logically separate from production data.
- The recovery rule – Ensure there is always a "good" version of your data available to restore from.
- The 3-2-1 rule – Keep three copies of all data (including the primary copy) on at least two devices, of which one is off-site.
- The regular rule – Backup frequently, and test frequently that these backups work as expected.
With regard to backups for schools and colleges, as of 10 October 2022 the UK Department for Education (DFE) also emphasises:
- the 3-2-1 rule (a minimum of three backup copies, on at least two separate devices, with at least one of those being off-site), and
- using anti-malware and anti-virus software to protect devices on their networks.
Redstor can assist in complying with all of the abovementioned standards.
If you have any questions on how Redstor can help strengthen your data protection, don't hesitate to reach out to your account manager or contact us directly.