Home > Backup and Recovery Blog > What is Immutable Backup? Immutable Backups as a Data Security Measure

What is Immutable Backup? Immutable Backups as a Data Security Measure

1 Star2 Stars3 Stars4 Stars5 Stars
(11 votes, average: 4.83 out of 5)
Updated 16th January 2024, Rob Morrison


Data permanence as a general idea is not something new or groundbreaking. The concept has been around for a good number of years, in many different iterations. Cave paintings are widely considered one of the first, if not the first, case of data permanence – with humans wanting to retain specific information for a prolonged time period. As for how the modern world now perceives permanent data, there is a specific definition for it – immutable backups.

Digital information nowadays is one of the most important resources any company could have, and the same could be said about non-commercial environments, from personal digital lives to entire governments – information is everything. This is why data security became so important in recent years, and its importance is hard to overestimate at this point.

Immutable backup and why it is necessary

There are plenty of different approaches to data security, one of which implies important data that, once created, cannot be modified in any way, shape, or form. Immutable can be quite literally translated as incapable of change or immune to change. It represents data that cannot be modified or deleted once it was made immutable.

This kind of data is what is commonly known as an immutable backup – a copy of valuable information that cannot be altered whatsoever once created, serving as a dedicated restoration option for production servers and other company resources in case something unexpected happens with existing data.

The obvious opposite of immutable data is mutable data – data that can be modified, deleted, encrypted, and so on. Mutable data is always a lot easier for ransomware and other threats to target since it is easier to manipulate in the first place – but it is also easier from the customer’s standpoint and the cooperation standpoint.

Air Gapping

Air gapping can have a close relationship with an IT department’s requirement for immutable data. It  manifests in various forms, each catering to specific security requirements. The two primary types are:

  • Physical Air Gapping: This involves the physical isolation of backup systems from the network. It ensures an impenetrable barrier, mitigating the risk of remote cyber attacks. However, it comes with logistical challenges, such as limited accessibility and increased operational complexity. Immutable tape is often used in this scenario.
  • Logical Air Gapping: In this approach, the separation between backup and production systems is achieved through logical means, such as firewalls or network segmentation. While more flexible than physical air gapping, it introduces the risk of software-based vulnerabilities.

Vendor Claims vs. Ground Reality

Numerous vendors tout air gapping capabilities in their backup and recovery solutions. However, it is imperative for organizations to scrutinize these claims and ensure that the implemented air gapping measures align with industry best practices. Some vendors may fall short in providing true air gapping, relying on software-defined approaches that may leave vulnerabilities exposed.

To mitigate this risk, organizations should conduct thorough evaluations and seek transparency from vendors regarding the mechanisms employed to achieve air gapping. Independent third-party assessments can validate the efficacy of the air gapping implementation, ensuring that it meets the stringent security requirements of mission-critical environments.

Air Gapping and the 3-2-1 Rule

The 3-2-1 rule, a foundational principle in data backup and recovery, emphasizes having three copies of data, stored on two different media, with one copy stored offsite. Air gapping aligns seamlessly with this rule, providing the necessary offsite isolation that safeguards data from both cyber threats and physical disasters.

By incorporating air gapping into the 3-2-1 rule framework, organizations enhance the robustness of their backup strategy, creating a fail-safe mechanism that ensures data availability even in the face of catastrophic events. This synergy between air gapping and the 3-2-1 rule forms the cornerstone of a resilient backup and recovery architecture. In some corners of the IT world, Bacula finds that the 3-2-1 rule has been forgotten, or encouraged not to be followed – even by some backup vendors who have limited capabilities – and therefore a vested interest – in “finding another way”. Bacula recommends that tape be considered, especially in high data volume situations where great savings can be made, as well as achieving true immutability. Bear in mind however, that some backup vendors are not capable of backing up to tape.

The problem of ransomware

There are plenty of different ways to render important data inoperable, with ransomware being one of the most “popular” ones. Ransomware is a variation of malware that prevents the user from accessing their data unless the user in question pays a monetary sum for the unlock or the decryption key – which is where the “ransom” part comes in.

Since ransomware can target the majority of devices that are capable of accessing the Internet and has a very problematic pattern of being able to spread throughout the entire system in no time, it is easy to see why ransomware as a security issue is so high on everyone’s priority list right now. That’s not to say that other methods of a data breach are harmless – but ransomware serves as a great main example of how a company’s data can be encrypted or corrupted in an extremely small time frame.

Another part of this problem is that a lot of different methods that cybercriminals use to access sensitive information tend to evolve at a terrifying pace. In fact, there are already plenty of different ransomware examples that also know to search for and target backups that could be used to restore encrypted data – rendering most traditional data recovery methods useless or at least far less secure.

There is a rather clear separation between primary storage and backups, in which the former has to be open to client systems to allow for collaboration and general work operations, while the latter should be as secure, isolated, and immutable as possible to ensure data recovery in case their original data is compromised in one way or another.

Immutable backups and compliance frameworks

It is rather hard to imagine something more secure than an immutable backup copy – since more standard security measures such as storage protocols or file permissions can still be circumvented in some way or another. As such, immutable backups are basically a requirement for any competent data security system in the modern day. Other advantages of immutable backup include easier versioning and easier data compliance – offering accurate copies of data from specific time frames.

Compliance regulations specifically are rather close to the topic of immutable backups, since plenty of industry-wide regulations require for sensitive or highly confidential data to be resistant to modification or deletion. Some examples of such compliance frameworks include NIST, FINRA, HIPAA, and FedRAMP, to name a few. The introduction of immutable backups to the system allows data such as PII, PHI, phone numbers, payment data, and health-related data to be sufficiently protected from a variety of different threat types.

Why immutable backups are not enough?

Despite the fact that the existence of an immutable backup in any company’s backup and recovery strategy right now is practically a requirement, these backups alone are not enough to ensure a proper level of recoverability. First of all, there are little to no data security experts that advise paying ransom whenever your company is struck with ransomware. The biggest reason for that is the track record of attackers actually providing decryption keys once the ransom has been paid is more or less nonexistent, and decryption itself is a long and complicated process.

There are also plenty of other factors in place. A rather classic case of an immutable backup is a WORM system (Write Once Read Many) that renders the data immune to any modification once it has been created. There are no exceptions to the modification restriction, the data in question can only be copied to an internal system (any external access is prohibited), and there is a very short list of APIs or services that are permitted to do so.

This exact approach already has at least one weak link to it – a list of trusted services of APIs, and there are all kinds of exploits and backdoors being discovered on a regular basis. As such, an immutable backup should be complemented by other security solutions in order to be truly effective, since it can hardly work as the only backup measure, but it remains a crucial part of the overall recoverability plan since the data in question cannot be modified.

General considerations when it comes to immutable data

There are several factors that have to be considered when it comes to immutable backups. First of all, while ransomware is a rather widespread method of cybercrime, there are still plenty of other methods that require other measures in place so that the system in question can operate properly. As such, it is always better to try and prevent ransomware from accessing backups in the first place instead of letting it all in knowing that there should be no way for the attacker to steal or modify said data in one way or another.

A lot of general backup-related best practices are just as relevant for, or involve, immutable backups specifically, including:

  • Emphasis on data encryption and proper storage for encryption keys
  • The need for proper off-site backup storage with a dedicated infrastructure, while also making sure the backups in question are frequently updated
  • Making sure that both the hardware and the software you’re using is reliable and mutually compatible, with priority given to solutions that are the most useful for your company
  • Backup monitoring can also be considered an essential element of any company’s data protection system so that you are always aware of the current state of your backups
  • Employee knowledge is important here, every single person that interacts with backup software to some degree should have a complete understanding of the software in question to prevent or mitigate possible errors from the “human factor”
  • Using a backup solution with no backup and recovery plan in place is highly discouraged, since a proper backup plan serves as a potentially critical guide to the procedures that have to be followed in specific circumstances, while also guiding the backup frequency, the backup type, and much other useful information
  • All of the backup and recovery systems have to be tested on a regular basis, to ensure that they would not fail in the case of an emergency

These are just some of the best practices and factors that may play into account when it comes to choosing the best immutable backup solution. Other factors may include the pricing information (including both the actual price and the licensing model), the solution’s overall effectiveness when it comes to dealing with various cybersecurity issues, their RTOs and RPOs, and many other factors. A lot of it is highly personal and the priority list of practically every company would likely be unique.

Modern-day ransomware and how to combat it

It is also worth noting that there is an entire category of ransomware that targets backups specifically. There is even ransomware that is difficult to detect and does not activate immediately after appearing in a system, making its detection even harder. A company that wants to get the best results from its immutable backups also has to implement:

  • Additional security procedures capable of detecting backdoors and bad actors capable of tampering with immutable backup copies in one way or another (such as deleting clusters that host them)
  • Strong credential/access management strategies, such as MFA (Multi-Factor Authentication), RBAC (Role-Based Access Control), or even a requirement for at least two separate people’s confirmation for being able to perform some actions on an administrative level
  • Comprehensive cyber resiliency strategy for end users that goes beyond the capabilities of backup and recovery solutions to ensure that some attack angles could be either detected or outright prevented

At the same time, there is an entirely new variation of the ransomware approach that gets more and more widespread, it is called double extortion ransomware. For these attacks, the attacker encrypts the company’s data while also threatening to publish it if his demands are not met. As such, constant data encryption and many other security measures are just as necessary as immutable backup, since even something as strict as air-gapped storage has its own vulnerabilities if used as the only data security measure.

Air gapping and immutable backups

Air gapping is one of several ways to achieve backup immutability – aside from setting the backup file to “read-only” status, there is always an option of physically removing any connection between the backup and the outside world. This is the most basic definition of air gapping. Data that is disconnected from any other device is one of the stronger security methods at this point, with the entire world being comprised of billions of interconnected devices of all shapes and sizes.

Air gapping is considered to be at its most effective when used in a context of a so-called 3-2-1 backup rule. This is a particularly old rule that is still widely used in many backup situations. A 3-2-1 rule implies that a system has at least three different copies of all necessary data, with these three copies being stored using at least two different storage types, and at least one of those copies has to be stored away from the rest, be it on an off-site storage location, in cloud storage, etc.

Of course, air gapping has its own limits, just like the entire concept of immutable backups. This data can still be infected before being backed up, it can still be affected by a removable storage device if that device was infected beforehand, and so on.

Other means of creating immutable backups

Immutable backups can also be created using the so-called WORM system, or Write-once-read-many. It is a backup tactic that creates a copy of the data that cannot be modified or erased and writes it to some form of physical backup storage, be it magnetic tape, hard disk, CD/DVD, and so on. WORM strategies can act as an excellent failsafe for a company if every other protective measure fails.

Several other features and tactics in the backup space are also worth mentioning in the context of immutable backups. Backup versioning, for example, is a great way to store multiple copies of the same system. It implies that each data copy is preserved up to a certain number of copies, making it possible to restore data to a specific point in time when necessary and also creating a noticeable audit trail.

Remote cloud storage for immutable backups is also a viable option, with a variety of cloud storage offers to choose from, and a rather impressive scalability that goes both ways. It is not uncommon for such cloud storage providers to offer robust security features and a pay-as-you-go licensing model.

Continuous Data Protection (CDP) is a rather well-known data security measure that offers extremely frequent backups, with each backup only copying data that has been modified since the previous backup. Most common intervals between subsequent CDP backups are usually minutes long or even seconds long.

Using immutable backups in an existing environment

It is becoming clear to most IT departments that immutable backups are borderline essential for practically any modern-day business environment, but adding the capability to an existing environment can be difficult when compared to creating a system that has immutable backups architected in from scratch.

There are three main types of immutable backups that one can implement in some way, shape, or form – cloud-based backups, on-prem physical backups, and hybrid backups. Each of the three immutable backup types has its own advantageous environments – physical backups can be deployed faster, cloud backups are cheaper, and hybrid backups would be at their best in complex multi-faceted environments.

Of course, these are not the definitive examples, each of the three immutable backup types has plenty of their own advantages and shortcomings that the potential user has to keep in mind when choosing between them.

Immutable backup solutions

At this point, the overall market for backup solutions is vast and varied, which is why it is not particularly difficult to find plenty of solutions that offer backup immutability as one of its many options. In fact, the overwhelming majority of the most popular backup solutions work as immutable backup solutions, with examples such as:


unitrends landing page

Unitrends is a proprietary cloud environment capable of integrating with plenty of different backup appliances to create a Disaster Recovery as a Service solution with long-term data retention that can be used to solve many different modern-world data governance problems. Unitrends’ goal is to simplify management and achieve resilience for both software and hardware with features such as automation and many others – ransomware protection, recovery assurance, predictive analytics, 24/7 customer support, and so on.

Customer ratings:

  • Capterra – 4.7/5 stars based on 34 customer reviews
  • TrustRadius – 7.9/10 stars based on 613 customer reviews
  • G2 – 4.3/5 stars based on 355 customer reviews


  • The entirety of a backup process can be controlled and customized
  • A convenient access to all backup-related data is achieved via a centralized dashboard
  • Initiating backup processes is simple once the solution itself has been set up properly


  • A noticeable issue of false alerts that are mostly random and not tied to a specific feature
  • It is difficult to initiate granular recovery within the web interface
  • The solution itself has little to no instructions or manuals, making it necessary for every user to visit community forums to acquire information about how Unitrends operates

Pricing (at time of writing):

  • Unitrends’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly for a quote, a free trial, or a guided demo.
  • The unofficial information states that Unitrends has a paid version that starts at $349 USD

My personal opinion on Unitrends:

The primary highlight of Unitrends lies in its comprehensive backup and recovery platform, which spans across virtual environments, physical storage, applications, cloud storage, and even endpoints. The capacity to provide a centralized approach to managing a multitude of data sources concurrently greatly enhances the overall experience associated with utilizing such a solution. The majority of Unitrends’ processes are highly customizable, and launching backup or recovery tasks is not particularly different in most cases. It does have its own drawbacks, such as a perplexing pricing model and a troublesome granular restore process, but none of these issues detract from the overall effectiveness of the software.

Veeam Backup & Replication

veeam landing page

Veeam Backup & Replication is Veeam’s flagship product, capable of providing availability for a multitude of different workload types. It is a reliable and flexible solution for backup, recovery, and archival operations that are controlled with an easy-to-use management console. Veeam Backup & Replication provides a multitude of features, including instant recovery, continuous data protection, granular file recovery, image-based backups, portability, support for enterprise applications, and more.

Customer ratings:

  • Capterra – 4.8/5 stars based on 69 customer reviews
  • TrustRadius – 8.8/10 stars based on 1,237 customer reviews
  • G2 – 4.6/5 stars based on 387 customer reviews


  • Noteworthy customer support with quick and effective responses
  • Easy and convenient first-time setup of the solution
  • A substantial part of Veeam’s features and solutions can be used for free by individuals or micro-companies


  • There is a rather steep learning curve as a whole, and the overall wealth of features makes it difficult to learn how to use all of Veeam’s features within a short timeframe
  • The solution’s user interface is not particularly friendly, and it can be quite confusing for newcomers
  • As one of the bigger software offerings on this market, Veeam has a fair share of large-scale clients that are not particularly concerned with how expensive this solution can be – however, Veeam’s overall pricing level makes it practically unattainable for small or middle-sized businesses (SMBs)
  • Veeam has limitations regarding doing a direct copy to tape

Pricing (at the time of writing):

  • Veeam’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly for a quote or a free trial
  • What it does have is a pricing calculator page that lets users specify the number of different environments they want covered with Veeam’s solution, as well as the planned subscription period. All of that can be sent to Veeam in order to receive a personalized quote.

My personal opinion on Veeam:

Veeam is likely the most widely used backup solution on this list, if not the most popular overall. While it places a significant focus on its backup capabilities for virtual machines (VMs), it’s also capable of working reasonably well with various other environments, including physical systems, cloud services, and applications. It’s a scalable and feature-rich solution that offers forms of immutable backup – so it can cater to a broad range of clients, from small startups to large enterprises. However, key requirements for many true approaches to immutable backup, such as by employing backup to tape, can be a major problem with Veeam.

Veeam can be a bit challenging to fully grasp all of its features, there may be concerns about its security levels, and its pricing tends to be higher than the industry average.

Veritas NetBackup

veritas landing page

Operating on a backup-as-a-service model, Veritas NetBackup is a data protection solution for large companies and enterprises. It can work with a plethora of different target locations, including cloud systems, physical deployments, and virtual environments, while also offering features such as automated disaster recovery. Some of the more detailed features of Veritas are instant VM recovery, data deduplication, role-based access control, plugin support, the capability to work with different database standards, etc.

Customer ratings:

  • TrustRadius7.7/10 stars based on 86 customer reviews
  • G24.0/5 stars based on 108 customer reviews


  • Centralization is a great advantage to multi-faceted companies with different storage types, Veritas can offer a single dashboard-like page that presents all of the necessary information at once
  • There is support for a variety of different platforms and storage types, making it a lot easier for large enterprises to use the solution to its fullest
  • Heterogenous operating systems are also supported with Veritas, as well as different hardware types


  • The overall user experience with Veritas is often cited as not that great, with a rather outdated user interface being the biggest turnoff
  • Even though each Veritas user has a choice between a GUI and a command line, there are some specific tasks and commands that simply cannot be performed with the former, forcing users to resort to command line even if they are unfamiliar with it
  • Performing a hardware upgrade or a server migration can be an extremely daunting task with Veritas, even if all of the prerequisites are met beforehand
  • Some limitations on tape manufacturers support

Pricing (at the time of writing):

  • Veritas’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly.

My personal opinion on Veritas:

Veritas has been an established company for many decades, providing data protection solutions for various purposes. Among its offerings, NetBackup stands out as a versatile solution capable of performing backups and implementing data protection measures for clients. Veritas NetBackup can be quite complex in terms of its user interface, while also making data migration a significant challenge in most instances.

Commvault Complete Data Protection

commvault landing page

Commvault Complete Data Protection offers a combination of business continuity and data availability for both cloud and on-premise environments by providing a plethora of different features to all of its users. Commvault can offer resilient ransomware protection with encryption and end-to-end data security, centralized access to a variety of backup-related operations, from backups to replication and disaster recovery, as well as the ability to reuse data to facilitate testing and other DevOps tasks with ease. Other capabilities of Commvault include outstanding scalability, a verifiable replica recovery feature, and more.

Customer ratings:

  • Capterra – 4.8/5 stars based on 9 customer reviews
  • TrustRadius – 7.8/10 stars based on 207 customer reviews
  • G2 – 4.2/5 stars based on 78 customer reviews


  • A broad range of features
  • There is a good scope of different integrations with other applications, allowing for Commvault to interact with other software with ease
  • Commvault is also good at connecting with existing complex IT infrastructures


  • Even though Commvault tries to simplify the solution’s connection with existing IT infrastructures, its first-time setup can be long and convoluted
  • Similar to a number of other solutions on the same market, Commvault is an incredibly complex solution with a steep learning curve that takes a significant amount of time to learn how to use it properly
  • Even though Commvault has plenty of features to work with, its logging capabilities are extremely basic and can come up short when needed

Pricing (at the time of writing):

  • Commvault’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly for a demo showcase or a free 30-day trial.
  • The unofficial information suggests that Commvault’s hardware appliances’ price ranges from $3,400 to $8,781 per month.

My personal opinion on Commvault:

Commvault is a typical high-end backup solution designed to offer top-notch user experiences by leveraging advanced technologies. It covers a wide range of areas, including containers, cloud storage, virtual machines (VMs), databases, and endpoints. It delivers speedy and precise backup and recovery capabilities, can seamlessly integrate with various cloud storage providers, and is relatively straightforward to configure for backup tasks. However, it comes with a hefty price tag, lacks comprehensive logging and reporting data for most of its features, and the initial setup process is known for being lengthy and intricate.

Bacula Enterprise

bacula enterprise landing page

Bacula Enterprise is a comprehensive backup and recovery solution for large companies and enterprises that is also one of the few players in this part of the market that does not calculate its price based on the amount of data transferred. Bacula can cover physical, virtual, and cloud environments with the same high level of versatility and reliability, while also being incredibly secure. Bacula Enterprise also has a flexible system of modules that allows the solution to become even more specialized and useful than ever before, offering a truly impressive number of different features, including some of the more uncommon ones, such as bare metal recovery, Multi-Factor Authentication support, Changed Block Tracking, and many others.

Customer ratings:

  • TrustRadius – 9.6/10 stars based on 53 customer reviews
  • G2 – 4.7/5 stars based on 55 customer reviews


  • A huge host of features related to immutable storage options, including great architectural flexibility to support immutable approaches, and interoperability with probably more tape technologies than any other vendor.
  • Massive scalability and customization possibilities
  • Extensive support for plenty of different storage types, from regular servers to apps, databases, VMs, and so on
  • Especially high security levels combined with general flexibility and scalability
  • The solution’s overall feature set creates a great framework for backup and disaster recovery tasks
  • Tiered subscription-based licensing model and the system of modules allows for users to be able to stop paying extra for features they are not going to use in the first place


  • Plugins that are not included in the base package may have a separate price tag on top of the existing software licensing fee. This however, often suits users, as it means not having to pay for capabilities they do not use.
  • Bacula packs plenty of features in its solution, and it can be rather overwhelming at first – meaning that the software takes some time to get used to.
  • Setting up Bacula Enterprise as a solution for the first time can take time in some cases
  • At least basic knowledge of Linux is required

Pricing (at the time of writing):

  • Bacula Enterprise’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly for a quote.
  • There are plenty of different subscription plans that Bacula Enterprise can offer, even though there is no pricing available to any of them:
    • BSBE – Bacula Small Business Edition, it can cover no more than 20 agents and 2 contracts, offering features such as web support and BWeb management suite
    • Standard – can cover up to 50 agents and 2 contracts, adds support answer deadlines (from 1 to 4 business days)
    • Bronze – can cover up to 200 agents and 2 contracts, offers phone support and shorter deadlines for customer support (from 6 hours to 4 days)
    • Silver – can cover up to 500 agents and 3 contracts, introduces a deduplication plugin and a lower customer support answer deadline (from 4 hours to 2 days)
    • Gold – can cover up to 2000 agents and 5 contracts, drastically reduces customer support answer deadline (from 1 hour to 2 days)
    • Platinum – can cover up to 5000 agents and 5 contracts, has PostgreSQL catalog support and one training seat per year for Administrator courses
  • Unofficial sources claim that Bacula Enterprise’s pricing starts at $500 per month

My personal opinion on Bacula Enterprise:

In this case, there might be some bias, but I believe that Bacula Enterprise stands out as one of the best choices in the backup and recovery market, particularly for large companies and enterprises. It is the outright leader on TrustRadius. Bacula is a versatile backup solution equipped with a multitude of features and capabilities to fit into even especially complex IT environments, including High Performance Computing (HPC) and supercomputing shops. Regarding, for example, its immutability capabilities, Bacula takes the concept to the next level in terms of features, performance, choice and support. In contrast, the majority of other backup and recovery software vendors in the market have restricted or limited approaches to how they do immutable storage. For  example, Bacula offers a HPE StoreOnce Catalyst Plugin, including advanced immutability options. Furthermore, Bacula’s original set of features can be expanded through a system of modules, enhancing its functionality in various ways. Bacula boasts a modular architecture, supports numerous operating systems, and offers impressive flexibility for accommodating different storage types and data formats. While it may require some time and a basic understanding of Linux to get started, the wealth of features available to Bacula users more than justifies the effort required for learning. Bacula is trusted by organizations demanding the very highest levels of performance and security, some examples being NASA, NOAA and many other governmental and military users.

Druva Data Resiliency Cloud

druva landing page

Druva Data Resiliency Cloud is a combination of two former Druva projects – Phoenix and inSync. It is a data security solution that offers information governance, data management, and data protection in a single package. Data Resiliency Cloud Platform is delivered as a service, offering backup simplification, better compliance, faster archival, and more efficient device management to protect end-user data while improving data visibility and ensuring regulatory compliance. The solution claims to be able to offer complete protection without any productivity impact by using centralized management, self-help data recovery, and other features.

Customer ratings:

  • Capterra – 4.7/5 stars based on 17 customer reviews
  • TrustRadius – 9.3/10 stars based on 419 customer reviews
  • G2 – 4.6/5 stars based on 416 customer reviews


  • A lot of praise goes towards the customer support team, stating that the answers are quick and efficient
  • Druva’s overall user interface seems to be rather easy to work with, which is an uncommon sight in the enterprise backup industry filled with complex solutions
  • Data security is the most important topic for Druva, which is why there are plenty of features focused specifically on data protection, such as encryption or data immutability


  • Restoring data from cloud storage can take a while
  • Druva’s interface may be rather convenient, but its first-time setup process is long and difficult
  • There are some features of Druva that barely have any customization to them, such as SQL cluster backups or Windows snapshots

Pricing (at the time of writing):

  • Druva’s pricing is fairly sophisticated and offers different pricing plans depending on the type of device or application that is covered.
  • Hybrid workloads:
    • “Hybrid business”$210 per month per Terabyte of data after deduplication, offering an easy business backup with plenty of features such as global deduplication, VM file level recovery, NAS storage support, etc.
    • “Hybrid enterprise”$240 per month per Terabyte of data after deduplication, an extension of the previous offering with LTR (long term retention) features, storage insights/recommendations, cloud cache, etc.
    • “Hybrid elite”$300 per month per Terabyte of data after deduplication, adds cloud disaster recovery to the previous package, creating the ultimate solution for data management and disaster recovery
    • There are also features that Druva sells separately, such as accelerated ransomware recovery, cloud disaster recovery (available to Hybrid elite users), security posture & observability, and deployment for U.S. government cloud
  • SaaS applications:
    • “Business”$2.5 per month per user, the most basic package of SaaS app coverage (Microsoft 365 and Google Workspace, the price is calculated per single app), can offer 5 storage regions, 10 GB of storage per user, as well as basic data protection
    • “Enterprise”$4 per month per user for either/or Microsoft 365 or Google Workspace coverage with features such as groups, public folders, as well as Salesforce.com coverage for $3.5 per month per user (includes metadata restore, automated backups, compare tools, etc.)
    • “Elite”$7 per month per user for Microsoft 365/Google Workspace, $5.25 for Salesforce, includes GDPR compliance check, eDiscovery enablement, federated search, GCC High support, and many other features
    • Some features here can also be purchased separately, such as Sandbox seeding (Salesforce), Sensitive data governance (Google Workspace & Microsoft 365), GovCloud support (Microsoft 365), etc.
  • Endpoints:
    • “Enterprise”$8 per month per user, can offer SSO support, CloudCache, DLP support, data protection per data source, and 50 Gb of storage per user with delegated administration
    • “Elite”$10 per month per user, adds features such as federated search, additional data collection, defensible deletion, advanced deployment capabilities, and more
    • There are also plenty of features that could be purchased separately here, including advanced deployment capabilities (available in the Elite subscription tier), ransomware recovery/response, sensitive data governance, and GovCloud support.
  • AWS workloads:
    • “Freemium” is a free offering from Druva for AWS workload coverage, it can cover up to 20 AWS resources at once (no more than 2 accounts), while offering features such as VPC cloning, cross-region and cross-account DR, file-level recovery, AWS Organizations integration, API access, etc.
    • “Enterprise”$7 per month per resource, starting from 20 resources, has an upper limit of 25 accounts and extends upon the previous version’s capabilities with features such as data lock, file-level search, the ability to import existing backups, the ability to prevent manual deletion, 24/7 support with 4 hours of response time at most, etc.
    • “Elite”$9 per month per resource, has no limitations on managed resources or accounts, adds auto-protection by VPC, AWS account, as well as GovCloud support and less than 1 hour of support response time guaranteed by SLA.
    • Users of Enterprise and Elite pricing plans can also purchase Druva’s capability to save air-gapped EC2 backups to Druva Cloud for an additional price.
  • It is easy to see how one can get confused with Druva’s pricing scheme as a whole. Luckily, Druva themselves have a dedicated webpage with the sole purpose of creating a personalized estimate of a company’s TCO with Druva in just a few minutes (a pricing calculator).

My personal opinion on Druva:

Druva has designed its cloud backup platform to address the common challenge of managing numerous devices within a single system. Consequently, Druva’s solution primarily caters to large businesses and enterprises. This solution is delivered as a Software as a Service (SaaS) offering and can safeguard various types of devices, including endpoints, databases, virtual machines (VMs), and physical storage, among others. It’s important to note that Druva’s pricing model can be rather confusing, and the initial setup process is not straightforward, making it less suitable for organizations dealing with a substantial volume of data.


msp360 landing page

MSP360 is a solution that was formerly known as CloudBerry Lab – it is a managed backup software that targets MSPs that intend to resell the service in question. It can be deployed directly, as well, but this process is a bit more complicated. MSP360 does not have its own storage resource, offering a choice between multiple third-party cloud storage services for any customer to choose from. MSP360 is a rather competent backup solution that prioritizes cloud services and mostly targets small and mid-sized businesses (while also being capable of working with some of the larger companies).

Customer ratings:

  • Capterra – 4.7/5 stars based on 204 customer reviews
  • TrustRadius – 8.1/10 stars based on 45 customer reviews
  • G2 – 4.5/5 stars based on 403 customer reviews


  • A centralized dashboard greatly improves the overall solution accessibility by allowing you to control multiple processes and functions from a single page
  • MSP360 is one of the few solutions on this list with a relatively easy first-time setup process
  • The same could be said for backup and recovery processes initiated with MSP360 – all of them are easy to launch and/or configure


  • MSP360’s pricing model may not be particularly complicated, but the overall price is high enough to deter most of the SMBs from trying to adopt it in the first place
  • There are also some features that are not included in the original price tag of the solution, such as the ability to perform SQL backups
  • This solution’s customer support seems to be rather inconsistent with its responses, some users sing its praises while others call it useless

Pricing (at the time of writing):

  • MSP360’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly for a quote. Their special “quote calculator” page allows potential customers to specify what specifically they want to be backed up, be it Windows, Mac, Linux devices, VMware, Hyper-V, Microsoft 365, Google Workspace, etc.

My personal opinion on MSP360:

MSP360, originally known as Cloudberry Labs, started as a relatively straightforward backup and recovery solution. However, it has since evolved into a comprehensive suite of features suitable for various situations and use cases, including cloud and physical backups. MSP360 is compatible with multiple operating systems, offering both granular and large-scale backup options. It also provides robust centralization capabilities, allowing companies to have complete control over their backup and recovery processes. It is worth noting that there have been mixed reviews regarding MSP360’s customer service, and the pricing model includes numerous additional features that are not part of the base package. This means that users requiring features like SQL backups may need to pay extra for them.


zerto landing page

Zerto is an entire data protection platform that can perform continuous backup tasks, as well as disaster recovery and other data-related tasks with centralized management and a high level of security. Zerto itself is created with continuous data protection in mind, offering a solution with an always-on nature that allows for development sandboxes, data migrations, on-demand tests, and many others. Zerto’s native automation and orchestration capabilities are aiming to eliminate a lot of manual work in backup planning and realization, improving efficiency and boosting data protection efforts.

Customer ratings:

  • Capterra4.8/5 stars based on 25 customer reviews
  • TrustRadius8.6/10 stars based on 113 customer reviews
  • G24.6/5 stars based on 73 customer reviews


  • Zerto can be easily integrated with existing IT infrastructures, no matter if they are on-premise, in the cloud, or hybrid
  • Performing disaster recovery tasks and managing them is simple and convenient
  • A wide variety of different tools and features included in Zerto’s solution, with workload migration being one of many examples


  • Zerto does not support backup or recovery to or from tape – therefore it has inherent limitations with some types of immutable storage and true air-gapping.
  • Zerto’s reporting capabilities are basic and can offer very little in terms of actual usefulness when it comes to error resolving and other tasks of similar importance
  • Unfortunately, Zerto is rather limited when it comes to supporting different operating systems – it can only work with Windows devices in the first place
  • There is also the matter of pricing – immutable backups are necessary for companies of all sizes, but Zerto’s pricing approach makes it difficult to afford for anyone who is not a large-scale enterprise

Pricing (at the time of writing):

  • The official Zerto website offers three different licensing categories – Zerto for VMs and Zerto for SaaS
  • Zerto for VMs includes:
    • “Enterprise Cloud Edition” as a multi-cloud mobility, disaster recovery, and ransomware resilience solution
    • “Migration License” as a dedicated license for data center refreshes, infrastructure modernization, and cloud migration
  • Zerto for SaaS, on the other hand, is a single solution that can cover M365, Salesforce, Google Workspace, Zendesk, and more
  • There is no official pricing information available for Zerto’s solution, it can only be acquired via a personalized quote or purchased through one of Zerto’s sales partners

My personal opinion on Zerto:

Zerto presents an intriguing choice for managing extensive backup and recovery workloads. Designed specifically as a dedicated backup management platform, the solution is exclusively available for Windows users, and the cost can rise rapidly for large enterprises. Nevertheless, its ability to facilitate workload migrations and integrate with diverse systems often proves more valuable than its price tag for sizable companies. Zerto’s primary solution combines ransomware resilience, data mobility, and disaster recovery into a unified package. However, it’s essential to note that its architectural limitations, security and scalability issues could pose significant concerns for larger organizations.

Cohesity Helios

cohesity landing page

One of the main goals of Cohesity Helios is to consolidate silos and eliminate global data fragmentation. It is a data backup and recovery solution that was designed for extreme scalability, and comprehensive data protection with a focus on policies, and support for different data sources. Helios can be used as a service or deployed on-premise, offering a centralized user interface, extensive automation, and converged data protection that eliminates the need for multiple different software appliances that would have to act as media servers, target storages, cloud gateways, and so on.

Customer ratings:

  • Capterra – 4.6/5 stars based on 48 customer reviews
  • TrustRadius – 8.9/10 stars based on 59 customer reviews
  • G2 – 4.4/5 stars based on 45 customer reviews


  • Cohesity’s cluster-like structure can be displayed in a single page, greatly simplifying data management tasks
  • The solution’s interface is rather intuitive and easy to work with
  • The same could be said for the first-time setup of Cohesity’s platform, it is neither long nor complicated process


  • Cohesity’s capabilities in terms of task automation are surprisingly basic, all things considered
  • Cohesity cannot perform backups on a specific date in the calendar
  • Some specific features of Cohesity are not as easy to set up as the others – for example, database backups are extremely convoluted and difficult to work with
  • Cohesity by itself cannot back up to tape – instead, there is a bolt-on solution called QStar that handles that. With the expected resulting limitations, immutable tape capabilities are limited in some architectures.

Pricing (at the time of writing):

  • Cohesity’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly for a free trial or a guided demo.
  • The unofficial information about Cohesity’s pricing states that its hardware appliances alone have a starting price of $110,000 USD

My personal opinion on Cohesity:

Cohesity serves as an excellent example of a mid-tier enterprise backup solution, offering a well-rounded set of features. It encompasses everything you’d anticipate from a backup solution at this level, including support for various data types and storage environments, impressive backup and restoration speeds, an extensive list of backup-oriented features, and more. What sets Cohesity apart is its infrastructure, built on a node-like structure that enables remarkable scalability, which is both fast and relatively user-friendly. However, database backup with Cohesity can be complex and lacks automation capabilities, there’s room for improvement when it comes to container backups, tape backup has question marks around it, and the reporting functionality is extremely basic.

NAKIVO Backup & Replication

nakivo landing page

NAKIVO Backup & Replication is a backup recovery software that is versatile, affordable, and effective, capable of protecting several different types of environments – they can be located in the cloud, in a physical location, in a virtual location, or even deployed as a service. NAKIVO provides a plethora of advantages, such as better reliability, faster recovery, and higher backup performance – all of that is possible thanks to NAKIVO’s array of features. As such, NAKIVO can offer protection for a variety of VM types, protection for M365 data, and protection for physical appliances, as well as quick deployment time, low backup size, fast recovery time, and more.

Customer ratings:

  • Capterra – 4.8/5 stars based on 305 customer reviews
  • TrustRadius – 9.2/10 stars based on 142 customer reviews
  • G2 – 4.7/5 stars based on 203 customer reviews


  • NAKIVO’s user interface is simple yet effective, it is relatively easy to operate
  • First-time configuration is also a relatively short process with NAKIVO
  • The customer support team is also a noteworthy part of the solution, offering quick and concise answers to all of the solution-related questions
  • Nakivo can back up to tape


  • NAKIVO’s price tag is definitely higher than the average market value, limiting the number of potential customers it may have attracted otherwise
  • Error logging and reporting capabilities of NAKIVO are extremely limited – an issue that is quite common for this software market as a whole
  • While NAKIVO does support both Windows-based and Linux-based servers, the amount of support it can provide to the latter is very limited

Pricing (at the time of writing):

  • NAKIVO’s pricing can be split into two main groups:
  • Subscription-based licenses:
    • “Pro Essentials” – from $1.95 per month per workload, covers most common backup types such as physical, virtual, cloud and NAS, while also offering instant granular recovery, virtual and cloud replication, storage immutability, and more
    • “Enterprise Essentials” – from $2.60 per month per workload, adds native backup to tape, deduplication appliance integration, backup to cloud, as well as 2FA, AD integration, calendar, data protection based on policies, etc.
    • “Enterprise Plus” does not have public pricing available, it adds HTTP API integration, RBAC, Oracle backup, backup from snapshots, and other features
    • There is also a subscription available for Microsoft 365 coverage that costs $0.80 per month per user with an annual billing and can create backups of MS Teams, SharePoint Online, Exchange Online, OneDrive for Business, and more
    • Another subscription from NAKIVO is its VMware monitoring capability that comes in three different forms:
      • “Pro Essentials” for $0.90 per month per workload with CPU, RAM, disk usage monitoring and a built-in live chat
      • “Enterprise Essentials” for $1.15 per month per workload that adds AD integration, 2FA capability, multi-tenant deployment, and more
      • “Enterprise Plus” with no public pricing that adds RBAC and HTTP API integrations
  • Perpetual licenses:
    • Virtual environments:
      • “Pro Essentials” for $229 per socket, covers Hyper-V, VMware, Nutanix AHV, and features such as instant granular recovery, immutable storage, cross-platform recovery, etc.
      • “Enterprise Essentials” for $329 per socket, adds native backup to tape, backup to cloud, deduplication, 2FA, AD integration, and more
      • “Enterprise Plus” with no public pricing that adds RBAC and HTTP API integrations, as well as backup from storage snapshot
    • Servers:
      • “Pro Essentials” for $58 per server, covers Windows and Linux, and features such as immutable storage, instant P2V, instant granular recovery, etc.
      • “Enterprise Essentials” for $329 per server, adds native backup to tape, backup to cloud, deduplication, 2FA, AD integration, and more
      • “Enterprise Plus” with no public pricing that adds RBAC and HTTP API integrations
    • Workstations:
      • “Pro Essentials” for $19 per workstation, covers Windows and Linux, and features such as immutable storage, instant P2V, instant granular recovery, etc.
      • “Enterprise Essentials” for $25 per workstation, adds native backup to tape, backup to cloud, deduplication, 2FA, AD integration, and more
      • “Enterprise Plus” with no public pricing that adds RBAC and HTTP API integrations
    • NAS:
      • “Pro Essentials” for $149 per one Terabyte of data, can backup NFS shares, SMB shares, folders on shares, and offer file level recovery
      • “Enterprise Essentials” for $199 per one Terabyte of data, adds AD integration, 2FA support, calendar, multi-tenant deployment, etc.
      • “Enterprise Plus” with no public pricing that adds RBAC and HTTP API integrations
    • Oracle DB:
      • “Enterprise Plus” is the only option available for Oracle database backups via RMAN, it can offer advanced scheduling, centralized management, and more
    • VMware monitoring:
      • “Pro Essentials” for $100 per socket with CPU, RAM, disk usage monitoring and a built-in live chat
      • “Enterprise Essentials” for $150 per socket that adds AD integration, 2FA capability, multi-tenant deployment, and more
      • “Enterprise Plus” with no public pricing that adds RBAC and HTTP API integrations

My personal opinion on NAKIVO:

While NAKIVO may lack the extensive experience of some competitors and isn’t the most feature-packed solution in the market, it doesn’t mean it’s not a reliable enterprise data backup software. On the contrary, it offers versatility in backup and recovery, boasting speed, responsiveness, and a user-friendly interface. NAKIVO includes on-demand file recovery, impressive backup performance, easy initial setup, and a dedicated customer support team. At the same time, it’s essential to know that NAKIVO’s services are relatively expensive, and its reporting and logging capabilities are very limited, along with storage destination options.


rubrik landing page

Rubrik is a combination of an enterprise-level backup solution and a cloud data management system that was created by a company with the same name located in Palo Alto. Rubrik offers a vendor-agnostic backup solution that works with a large number of different operating systems, cloud storage providers, hypervisors, applications, databases, and more. Rubrik’s capabilities include operations such as backup, recovery, analytics, archival, compliance, search, and data management – with all of it combined in a single centralized solution.

Customer ratings:

  • Capterra – 4.7/5 stars based on 45 customer reviews
  • TrustRadius – 9.1/10 stars based on 198 customer reviews
  • G2 – 4.6/5 stars based on 59 customer reviews


  • There are plenty of automation capabilities to choose from, making it a lot easier to perform complicated tasks using Rubrik
  • It can be integrated with plenty of different cloud storage providers, while also supporting multi-cloud and hybrid storage setups
  • Rubrik’s administrative interface is effective and relatively user-friendly


  • The number of useful documentation about the solution, be it whitepapers or articles, is very low and not enough to be helpful when there are questions about the solution’s capabilities
  • First-time configuration process is rather convoluted and may take a long time to complete
  • Rubrik is unable to transfer Azure SQL backups directly to cloud, several extra steps are necessary for this to be done
  • Similarly to Cohesity, Rubrik relies on QStar integration to handle backup to tape. Immutable backup to tape capability might be compromised in some cases.

Pricing (at the time of writing):

  • Rubrik’s pricing information is not publicly available on their official website and the only way to obtain such information is by contacting the company directly for a personalized demo or one of the guided tours.
  • The unofficial information states that there are several different hardware appliances that Rubrik can offer, such as:
    • Rubrik R334 Node – from $100,000 for a 3-node with 8-Core Intel processes, 36 TB of storage, etc.
    • Rubrik R344 Node – from $200,000 for a 4-node with similar parameters to R334, 48 TB of storage, etc.
    • Rubrik R500 Series Node – from $115,000 for a 4-node with Intel 8-Core processors, 8×16 DIMM memory, etc.

My personal opinion on Rubrik:

Rubrik is a reasonably versatile enterprise backup solution, encompassing numerous features typically associated with modern, large-scale backup solutions. It provides comprehensive backup and recovery options, a flexible data management platform, a range of data protection measures for various scenarios, extensive policy-based management, and more. Rubrik shines when it comes to handling hybrid IT environments, but it can also serve a wide range of use cases, provided they are comfortable with the pricing structure Rubrik offers for its services. Its documentation may be a bit lackluster, and there are quite a few issues with its first-time setup process, but the overall experience of the solution is positive. Tape backup has the arroding QStar reliance potential issues.

The future of immutable backups

The never-ending race between ransomware developers and data protection solution developers has been going on for a while now, and it shows no signs of stopping any time soon. Immutable backups are a significant part of that race, and there are some technologies and features that can become far more popular and effective in the near future, including:

  • Generally higher focus on regulatory and compliance frameworks due to the inevitable increase of data privacy as a topic on a government level
  • Data governance getting more and more recognition in the eyes of organizations since data exchange is getting more and more complex by using different data formats and data types and storing far more data in the first place
  • Bigger emphasis on technologies that develop at an extremely fast pace, such as machine learning and artificial intelligence, with AI-based data analysis, ML-based threat protection, and so on
  • More widespread adoption of cloud-based backup solutions purely because of how it is a lot easier for cloud solutions to scale and adapt to new business developments compared with traditional backup software

Why Immutable is Important

The 3-2-1 rule of best practice backup means that for every backup made, three copies are created. Two means that an IT department will use at least two different types of media. This is so they are protected against degradation or attack, or loss for whatever reason; technical, physical or human-related. One means one copy is kept off-site. The “one” used to mean that the off-site copy was automatically air – gapped and immutable. However, technology is now such that you can make all three of them immutable.

Immutability is a best practice that is gradually creeping in everywhere. It is coming about partly because storage vendors are including immutability as a basic concept, either built into the product, or at least as a best practice that users can enable.

Immutability to an NFS file share that vendors such as Bacula and NetApp have always supported, is now being done by many more industry players. Immutable storage has never really been standardized, but nevertheless is fast becoming a de facto standard that is being implemented in a common way.

Abuse of the term “Immutability”

Bacula is an example of one of the few backup vendors that is using the open versions of these related interfaces rather than the standard proprietary approach many vendors adopt, calling them names like “open storage plug -in”, which is actually just a vendor means of lock-in where they have a common interface to lots of storage appliances, but for nobody else to have that common interface to lots of storage appliances.

Different vendors have their own unique – but sometimes questionable – interpretations of ‘immutability’. But a more recent positive development is the rise of de facto standards, gaining ground when more than one storage vendor implements them. Therefore, despite there still being plenty of proprietary interfaces, a more open way of doing things is emerging in parallel. This is partly because open standards are growing in demand as a fundamental capability of storage technology. The ability to lock something up for a period of time where it cannot be destroyed is becoming a baseline expectation of certain products where previously, it was a specific and highly priced option.

As a result of these de facto standards, the same Bacula configuration almost always works on all of them. This brings further performance and efficiency gains to the industry. Every organization should require reliable backup systems where – once data checks into the system – its back-end is taking care of all of it behind the scenes. The front-end applications really don’t need to be affected nor directly involved in how those copies are made. And IT Directors just need to be secure, knowing that these copies are indeed made.


Since a lot of what backup solutions can offer in terms of immutable backups can be very similar, it becomes a choice between different service providers. At that point, it depends a lot on what a company actually needs from a backup solution. For example, a small or middle-sized company should work fine with solutions like MSP360 and others that target smaller companies.

At the same time, if the company in question is large, then maybe choosing a powerhouse of a backup solution such as Bacula Enterprise would be the best in that case – offering a large number of different features and capabilities with very high security levels, centralization, unified interface, simplified management, and of course, the ability to fit into complex IT environments, with any kind of storage, be it disk, Cloud or tape-based.

It is a big advantage for every single one of these solutions that all of them have plenty of different backup, recovery, and data protection features to work with. As such, they are much more capable of creating a comprehensive data protection environment that does not rely on a single feature but uses several different approaches that complement one another. This exact approach is how a company can get the most out of immutable backups – by using them in tandem with multiple other features to create a multi-faceted security system that covers as many angles as possible.

About the author
Rob Morrison
Rob Morrison is the marketing director at Bacula Systems. He started his IT marketing career with Silicon Graphics in Switzerland, performing strongly in various marketing management roles for almost 10 years. In the next 10 years Rob also held various marketing management positions in JBoss, Red Hat and Pentaho ensuring market share growth for these well-known companies. He is a graduate of Plymouth University and holds an Honours Digital Media and Communications degree, and completed an Overseas Studies Program.
Leave a comment

Your email address will not be published. Required fields are marked *