Immutable backup architectures: WORM, S3 Object Lock, hardened Linux

Servnet Editorial · Backup & DR Practice · 8 min read

Ransomware-resistant backup architecture is no longer optional: every UK regulator and insurer expects it. The three production-grade approaches are WORM, S3 Object Lock, and hardened Linux. This explainer covers what each does, when to use it, and the gotchas Servnet sees in UK deployments.

[Figure: Immutable backup, 3-2-1-1-0 reference. Tiers shown: Production (VMs + DB); Primary repo (XFS + reflink); Secondary (Object lock S3); Air-gapped (Tape / offline); Cyber vault (Detached + tested).]

Why immutable matters

Modern ransomware actively targets backups. Once an attacker gains domain admin, they look for the backup software and storage and try to encrypt or delete the backups before encrypting production.

Without immutability: backup encrypted = no recovery = pay ransom.

With immutability: backup cannot be modified or deleted (even by admin) for the configured retention window. Recovery without paying ransom is possible.

Architecture 1 — WORM (Write Once Read Many)

Hardware-based immutability — typically NetApp SnapLock, Dell PowerProtect WORM, or DataDomain Retention Lock.

Strongest guarantee — hardware enforces immutability at storage layer.

Most expensive option. Best for highly-regulated workloads (FS, healthcare critical records).

Operational complexity — restore + retention extension require specific procedures.

Architecture 2 — Object Lock (S3, Azure Blob, GCS)

Software-based immutability at object level — AWS S3 Object Lock, Azure Blob Storage immutable, Google Cloud Storage Bucket Lock.

Cloud-native. Pay for storage + egress. Excellent ransomware posture.

Veeam, Rubrik, Commvault all support S3-Compatible Object Lock targets.

Modern default for UK mid-market backup architecture.

Architecture 3 — Hardened Linux Repository

A Linux server with SSH disabled or restricted to certificate-only access, XFS or ext4 with the immutable file attribute (chattr +i), single-use credentials, and file-system audit logging.

Veeam-specific (Veeam Hardened Linux Repository) — most-deployed immutable architecture for Veeam customers.

Lowest cost (uses standard Linux servers).

Gotcha: requires Linux operational discipline. Single-use credentials must be genuinely single-use.

Immutable backup — what "real" looks like
Immutability audit: control map
  • I1: Hardware enforcement (WORM) [CORE]
  • I2: Object Lock in Compliance mode [CORE]
  • I3: Admin cannot delete (4-eyes / MFA) [CORE]
  • I4: Restore tested quarterly [CORE]
  • I5: Air-gap or vault tier present [PLUS]
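
One way to check control I2 (Object Lock in Compliance mode) on an S3 bucket, as an added example that is not Servnet's own tooling. The function name, the 14-day threshold and the sample keys are assumptions for illustration; the input dicts are constructed in the shape of the S3 GetObjectLockConfiguration, GetBucketVersioning and HeadObject responses.

```python
from datetime import datetime, timedelta, timezone

MIN_DAYS = 14  # assumed retention policy for this example, not from the article


def audit_object_lock(lock_cfg, versioning, heads, min_days=MIN_DAYS):
    """Return findings for one bucket; an empty list means it passes.
    Inputs are shaped like the S3 GetObjectLockConfiguration ('ObjectLockConfiguration'
    part, {} if none), GetBucketVersioning and per-key HeadObject responses."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("bucket: versioning not enabled")
    if lock_cfg.get("ObjectLockEnabled") != "Enabled":
        return findings + ["bucket: Object Lock not enabled"]
    # A bucket default is optional: backup software may set retention per object.
    default = lock_cfg.get("Rule", {}).get("DefaultRetention")
    if default and default.get("Mode") != "COMPLIANCE":
        findings.append("bucket: default mode %s can be bypassed" % default.get("Mode"))
    # The per-object lock is authoritative, so inspect the objects themselves.
    for key, h in sorted(heads.items()):
        mode, until = h.get("ObjectLockMode"), h.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings.append("%s: no retention set" % key)
        elif mode != "COMPLIANCE":
            findings.append("%s: %s mode, not COMPLIANCE" % (key, mode))
        elif until - h["LastModified"] < timedelta(days=min_days):
            findings.append("%s: locked for under %d days" % (key, min_days))
    return findings


# Constructed sample responses (not captured from a real account).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
ENABLED = {"Status": "Enabled"}
GOV_DEFAULT = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}


def head(mode, days):
    """Build a constructed HeadObject-shaped dict for an object written at T0."""
    h = {"LastModified": T0}
    if mode:
        h.update(ObjectLockMode=mode, ObjectLockRetainUntilDate=T0 + timedelta(days=days))
    return h


SAMPLE = {"job/a": head("COMPLIANCE", 30), "job/b": head("GOVERNANCE", 30),
          "job/c": head("COMPLIANCE", 3), "job/d": head(None, 0)}

if __name__ == "__main__":
    print("\n".join(audit_object_lock(GOV_DEFAULT, ENABLED, SAMPLE)))
```

Governance mode is flagged because a principal holding the s3:BypassGovernanceRetention permission can remove the lock, which is the case the "even by admin" guarantee is meant to exclude.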

The 3-2-1-1 rule

3 copies of data — production + 2 backups.

2 different media types — disk + tape or disk + cloud object storage.

1 offsite copy — geographically separated.

1 immutable copy — protected from ransomware encryption / deletion.

What Servnet does

Servnet deploys all three immutable architectures across UK customers — see our backup buyer's guide for the upstream platform choice.

Key takeaways
  • Modern ransomware targets backup — immutable architecture is mandatory.
  • 3 architectures: WORM (hardware), Object Lock (cloud), hardened Linux (software).
  • Object Lock = modern default for UK mid-market.
  • Hardened Linux = lowest cost; requires Linux discipline.
  • WORM = strongest guarantee; most expensive.
  • 3-2-1-1 rule: 3 copies, 2 media, 1 offsite, 1 immutable.

FAQs — Immutable backup architectures

Which architecture should we pick?

Most UK mid-market: S3 Object Lock (AWS / Azure Blob / Wasabi). Veeam-specific environments: Hardened Linux Repository at lower cost. Highly regulated (FS / NHS critical): consider hardware WORM (NetApp SnapLock).
