Types of Immutable Data Vaults
When we think of immutable data vaults (IDVs) as they relate to data protection, the first question that comes to mind is: is the data secure and safe? Typically, that is the case, unless the data was somehow compromised before it was converted to its immutable state. We all know how important it is to have safe, secure copies of our data, but a common afterthought is how to recover immutable data, and the effort and time that go into recovery. Cyber vault solutions that ensure both secure data storage and reliable, fast recovery are the best options.
Immutable data vaults are designed to store data in a way that prevents any alterations, deletions, or unauthorized changes to the data once it is stored. This is particularly important for industries with strict data retention and compliance requirements, such as finance and healthcare. Several types of immutable data vaults are used in the realm of data protection:
- Storage Array-Based: Write once, read many (WORM) storage systems are one of the most common types of immutable data vaults. When we look at array-based immutability options there are typically two industry-standard categories: “governance mode,” where copies cannot be altered or deleted except by super-admins, and the stricter “compliance mode,” whereby copies cannot be altered or deleted by anyone, including super-admins and support.
- Cloud Storage-Based: Some cloud storage providers offer WORM capabilities as a service. Most of these capabilities are enabled on the cloud object storage level via an “object lock.” You can find these capabilities on many of the cloud providers, such as AWS and Azure.
- Distributed Ledger Technology (DLT) Vaults: DLT is a broader term that includes blockchain but can also encompass other forms of distributed ledgers. DLT can be used to create immutable data vaults where data is distributed across multiple nodes, making it difficult to alter. One of the most common DLTs is Hyperledger Fabric.
- Immutable File Systems: Some operating systems and file systems offer features that make it extremely difficult to modify or delete files once they are written. This can be used to create immutable data vaults on a system level. At the OS level, there are several ways to achieve immutability, and there are immutable operating systems that can provide some of the highest levels of security, such as Bottlerocket, Talos Linux, and Flatcar.
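To make the difference between governance mode and compliance mode concrete, the following added example (not part of the original article or any vendor's code) audits a constructed inventory of locked copies and flags the ones a compromised super-admin account could still remove. The record fields and the `GOVERNANCE`/`COMPLIANCE` mode names follow AWS S3 Object Lock naming; the keys, dates, and the 14-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

# Constructed inventory of vault copies (not real data).
SAMPLE_COPIES = [
    {"key": "vault/db-full-0601", "mode": "COMPLIANCE", "retain_until": NOW + timedelta(days=30)},
    {"key": "vault/db-full-0531", "mode": "GOVERNANCE", "retain_until": NOW + timedelta(days=30)},
    {"key": "vault/db-full-0507", "mode": "COMPLIANCE", "retain_until": NOW + timedelta(days=5)},
    {"key": "vault/db-full-0430", "mode": "COMPLIANCE", "retain_until": NOW - timedelta(days=2)},
    {"key": "vault/db-full-0530", "mode": None, "retain_until": None},
]

def lock_active(copy, now):
    """A lock protects a copy only while a mode is set and retention has not expired."""
    return (copy["mode"] is not None and copy["retain_until"] is not None
            and copy["retain_until"] > now)

def can_delete(copy, now, caller_can_bypass_governance):
    """Return True if deleting or overwriting this copy would be allowed."""
    if not lock_active(copy, now):
        return True
    if copy["mode"] == "COMPLIANCE":
        return False  # nobody, including super-admins and support
    if copy["mode"] == "GOVERNANCE":
        return caller_can_bypass_governance  # only specially privileged callers
    raise ValueError(f"unknown lock mode: {copy['mode']!r}")

def audit(copies, now, min_days_left=14):
    """List copies that a stolen super-admin credential could destroy, or that soon will be."""
    findings = []
    for copy in copies:
        if not lock_active(copy, now):
            findings.append((copy["key"], "no active lock"))
        elif can_delete(copy, now, caller_can_bypass_governance=True):
            findings.append((copy["key"], "governance mode: privileged bypass possible"))
        elif copy["retain_until"] - now < timedelta(days=min_days_left):
            findings.append((copy["key"], "lock expires soon"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(SAMPLE_COPIES, NOW):
        print(f"{key}: {reason}")
```

Only the first copy passes cleanly: it is in compliance mode with 30 days of retention left, so no account can remove it during that window.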
While these types of data vaults are great, they are even more beneficial when paired with an isolated recovery environment (IRE). An IRE is a dedicated, secure recovery environment equipped with resources to verify and recover data from an immutable data copy. Immutable data architecture means that data, once written, can never be changed, and so it cannot be encrypted by ransomware.
An IRE with immutable storage does not replace a traditional data protection tool but is meant as a tertiary solution for critical data. Gartner recognizes the value of combining these two technologies and says, “Isolated recovery environments (IREs) with immutable data vaults (IDVs) provide the highest level of security and recovery against insider threats, ransomware, and other forms of hacking.”
Take the next step in data vault security and ensure that your data is both protected and recoverable by combining an immutable data vault with an isolated recovery environment to achieve rapid air-gapped recovery. This can be done with the Zerto Cyber Resilience Vault, which is a purpose-built IRE and IDV combined into a single solution.