Protecting your data in the cloud is fundamental to your security posture in terms of business continuity and disaster recovery. While Rubrik customers utilize the cloud every day to safely store off-site copies of their data, this blog is going to explain how we’ve made that practice even safer!

We know that security threats to backup systems are on the rise, with hacking, malware, and even human error becoming more prevalent in the age of remote work. This makes the security and reliability of cloud backup infrastructure all the more important, as it affects your ability to recover from a ransomware attack, data corruption, or accidental data deletion.

Immutability in the Cloud

With the Rubrik winter 2022 release, we’re excited to announce support for the Amazon Simple Storage Service (S3) Object Lock feature that helps customers accomplish two very important things when it comes to data security: (1) Better protect themselves from ransomware while archiving to the cloud, and (2) Help meet regulatory requirements such as SEC Rule 17a-4(f) by creating immutable copies of their data.

Use Cases for Immutable Storage

Immutable cloud storage is for organizations seeking the highest level of protection for their data. It is key to reliable recovery when production data is compromised. Say you’re moving data to Amazon S3, an object storage service that’s built to store, protect, and retrieve data from “buckets” at any time from anywhere on any device. You may want to also use Amazon S3 Object Lock to prevent cybercriminals from encrypting your data. Or say you’re a financial institution or belong to another highly-regulated industry and need to make an immutable copy of your data to meet a regulatory requirement. Immutability for your archived data in these cases is a huge benefit for backup, infrastructure, and security teams alike.

What’s New

When adding an Amazon S3 bucket as an archival location with Rubrik, you can now seamlessly enable S3 Versioning and S3 Object Lock (in compliance mode) as part of the process. In order to take advantage of this immutability feature, Rubrik has introduced two new configuration options for an Amazon S3 archival location -  Password Encryption and Immutability Lock Period.

Password Encryption

Since S3 Object Lock requires S3 versioning to be enabled, multiple versions of the same object can be stored in a bucket. When archiving to an Amazon S3 location with S3 Object Lock enabled, Rubrik adds additional unique metadata to each uploaded object and uses the password for encryption. 



By doing this, should you need to recover after a cyber attack, Rubrik ensures that you are recovering the correct version of your data. 

However, it’s important to mention that versioning and safe delete sound like methods to protect your data but they aren't foolproof.  

Immutability Lock Period

In order to adequately protect the data for an entire snapshot chain, Rubrik requires an Immutability Lock Period be provided as part of adding a new archival location with S3 Object Lock enabled. This value corresponds to the default bucket retention period and is calculated using a range of values based on full snapshot upload frequency, the desired SLA retention, and the delay before archival. 



Once an immutable Amazon S3 archival location has been added, it can now be used to protect data with an SLA.

Additional Protection with Minimal Configuration

By adding support for archival locations with S3 Object Lock, we’re happy to bring our customers additional options to improve their security posture, while also helping to meet their compliance & regulatory needs with end to end immutability for data. 

To learn more about how you should be thinking about your approach to backup and recovery in both cloud and hybrid environments, check out our guide to Backup & Recovery Best Practices