Thursday, April 18, 2024

Backup Security, Air-Gaps, and Immutable Storage in a Cloud World

We live in an ever-changing technological and regulatory landscape. Organizations face the challenge of staying compliant with frameworks like GDPR and CCPA, and with evolving ones like ISO 27001, whose 2022 revision added controls covering the use of cloud services, including SaaS.

While at first glance the controls can seem straightforward and easy to implement, they often present interesting challenges. For example, the regulations can appear to contradict one another. GDPR, HIPAA, PCI DSS and others require organizations to keep recoverable copies of their data; GDPR Article 32, for instance, demands "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident", which in practice means retaining backup copies that cannot be tampered with. At the same time, the EU, through Article 17 of GDPR, and numerous other jurisdictions legally protect the right to be forgotten.

One of the easiest ways to walk this tightrope is to work with a vendor that has built secure data protection solutions with these challenges in mind.  

How AvePoint Secures Your Data 

Below, we will outline how our customers’ data is secured from its source to our platform: 

Encryption is Standard 


In-transit data is always encrypted and sent over an encrypted channel utilizing TLS 1.2/1.3. When performing the backup and recovery of SaaS platforms like Microsoft 365, we only use the officially supported APIs that enforce encrypted connections. 


At rest, the default policy is for data to be encrypted by an AvePoint-managed key. Each customer tenant is protected by a unique key. Customers also have the choice of bringing their own key for an additional level of security and control.

Immutable, Isolated, and Logically Air-Gapped Backups 

True immutability means that stored data cannot be changed, overwritten, encrypted or deleted for a specified period of time. This protects the integrity of the data and guarantees that it persists until the official retention or policy window is reached.

Coupled with air-gapped backup copies, this gives the strongest protection against malicious or accidental data loss. A true (physical) air gap isolates data from all other networks and, most importantly, from the public internet. A logical air gap, which is what a cloud backup service can offer, relies instead on separate storage, separate credentials and the absence of any network path from the production environment to the backup copies.


Today, we cannot store copies of all our data inside an underground salt mine, nor can we keep all data forever in the face of valid GDPR data deletion requests. How can we balance the needs for business continuity and compliance in a cloud world? Here's a look at how AvePoint helps organizations with this delicate balancing act:

Storage Isolation 

AvePoint operates its services across 14 global Azure data centers. For US Public Sector customers, this includes the operation of services that meet the security controls for a FedRAMP (moderate) authorized solution. AvePoint allows customers the choice of isolating their data to a single region, support for multi-geo configurations, and customer-owned storage.

Data is never replicated across data center regions and remains physically within the region the customer selected. Backup data is fully segregated from the source tenant and held as separate copies, governed by the organization's retention policies, outside of the Microsoft Trust Boundary.

Logical Isolation

AvePoint has been audited by a third party to conform to SOC 2 Type II and ISO 27001:2013. Part of these audits includes AvePoint's ability to document and prove logical and physical access controls through least-privileged access policies, with development following NIST SP 800-64 and OWASP secure development standards.

AvePoint Cloud Backup is segregated from your production environment and includes delegated administration and role-based access controls. This ensures that unprivileged users will not have access to AvePoint Cloud Backup, preventing them from modifying and deleting backups. 

Immutable Storage 

Backup data copies cannot be accessed directly through the product user interface or API, and cannot be altered or deleted through the platform by either privileged or non-privileged users. Data can only be exported, restored to production, or defensibly destroyed once a pre-defined data retention policy is met.

AvePoint also offers optional support for customer-owned WORM storage, such as Azure Blob Storage with immutability policies (time-based retention or legal hold).
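As an added example of the customer-owned WORM option described above (this is not AvePoint's code, and it also illustrates the immutability definition given earlier), the following Az PowerShell script creates a time-based retention policy on an Azure Blob container, locks it so that even a storage administrator can no longer shorten or remove it, verifies the state, and adds a legal hold. The resource group, storage account and container names are placeholders; the script assumes an authenticated Azure session and the Az.Storage module.

```powershell
#Requires -Modules Az.Storage
# Added example (not AvePoint's code): make an Azure Blob container WORM for the
# retention window. Resource names below are placeholders, not real resources.
param(
    [string]$ResourceGroup  = 'rg-backup-prod',       # assumed name
    [string]$StorageAccount = 'stbackupimmutable01',  # assumed name
    [string]$Container      = 'm365-backups',         # assumed name
    [int]$RetentionDays     = 365                     # align with the retention policy window
)

# 1. Container-level time-based retention: blobs written here cannot be
#    overwritten or deleted until they are $RetentionDays old. Protected append
#    writes let backup jobs add new blobs without ever being able to modify old ones.
$policy = Set-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -ContainerName $Container `
    -ImmutabilityPeriod $RetentionDays `
    -AllowProtectedAppendWrite $true

# 2. An unlocked policy can still be shortened or deleted by anyone holding the
#    storage account's management permissions, so it gives no protection against a
#    compromised privileged account. Locking is irreversible: afterwards the period
#    can only be extended, never reduced, and the policy cannot be removed.
Lock-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -ContainerName $Container `
    -Etag $policy.Etag -Force

# 3. Verify; a State of 'Locked' is the evidence an auditor will ask for.
$state = Get-AzRmStorageContainerImmutabilityPolicy `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -ContainerName $Container
'{0}: retention {1} day(s), state = {2}' -f $Container, $state.ImmutabilityPeriodSinceCreationInDays, $state.State

# 4. A legal hold blocks deletion independently of the time-based policy (for
#    example while an incident investigation is open) and, unlike the locked
#    policy, can later be removed by an authorized admin with Remove-AzRmStorageContainerLegalHold.
Add-AzRmStorageContainerLegalHold `
    -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -ContainerName $Container `
    -Tag 'incidentreview'
```

Two caveats a practitioner should weigh before running step 2. First, once the policy is locked, nothing in that container can be erased before it ages out, so an Article 17 erasure request cannot be served from it; size the retention period to the policy window rather than to "as long as possible", which is exactly the tension this post describes. Second, immutability protects the blobs, not the account: a deleted storage account takes its immutable containers with it, so pair this with a resource lock and with separate credentials for the backup storage, as the logical-isolation section above recommends.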

Immutability and the Right to be Forgotten 

Under special circumstances, there may be reasons data needs to be deleted outside of a standard retention policy. A customer can request manual deletion of backup data through direct contact with AvePoint Support (included with AvePoint Cloud Backup) and provide verification to proceed with the deletion.  

Another scenario is an erasure request raised through a DSAR (Data Subject Access Request), where an individual asks for their personal information to be removed from an organization's systems. Such deletions can be restricted to authorized admins only, or disabled completely within our platform for an added level of protection.

Ransomware Protection

The need for Backup as a Service in 2023 is greater than ever before, with a steady increase in ransomware attacks and a larger need for companies to protect data in SaaS applications. In the recent Gartner Market Guide for Backup as a Service, AvePoint was recognized as a Representative Vendor.

AvePoint Cloud Backup learns from your backups and alerts you of unusual activities that could indicate a compromise or ransomware attack. Recovery points prior to the incident are clearly identified, and alerts can be configured to reach administrators to minimize the impact of a breach. 
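The paragraph above describes anomaly detection over backup history without showing what such a check looks like. The following is an added example, not AvePoint's detection logic: it learns a change-rate baseline from a trailing window of backup jobs, flags a job whose change volume is far outside that baseline, and names the newest recovery point before the spike. The job records and their field names are constructed for the example.

```powershell
# Added example (not AvePoint's code): baseline-and-spike detection over
# per-job backup statistics. Field names are assumptions for this example.
function Get-BackupAnomalies {
    param(
        [Parameter(Mandatory)] [object[]]$Jobs,  # Timestamp, ItemsTotal, ItemsModified, ItemsAdded, ItemsDeleted
        [int]$BaselineRuns      = 7,             # trailing jobs used to learn what "normal" looks like
        [double]$ZThreshold     = 3.0,           # standard deviations above the mean that count as unusual
        [double]$MinChangeRatio = 0.20           # ignore spikes that touch less than 20% of the data set
    )

    # Change ratio: every item a job had to re-protect, relative to the data set.
    # An encryptor usually rewrites each file AND drops a renamed copy, so
    # modified + added can approach twice the total; the ratio may exceed 1.
    $ratio = { param($j) ($j.ItemsModified + $j.ItemsAdded + $j.ItemsDeleted) / [double]$j.ItemsTotal }

    $sorted  = @($Jobs | Sort-Object Timestamp)
    $flagged = @()

    for ($i = $BaselineRuns; $i -lt $sorted.Count; $i++) {
        $window   = @($sorted[($i - $BaselineRuns)..($i - 1)] | ForEach-Object { & $ratio $_ })
        $mean     = ($window | Measure-Object -Average).Average
        # Manual variance: Windows PowerShell 5.1 has no Measure-Object -StandardDeviation.
        $variance = ($window | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum / $window.Count
        # Floor sigma so a perfectly flat baseline still yields a usable threshold.
        $sigma    = [math]::Max([math]::Sqrt($variance), 0.005)

        $job  = $sorted[$i]
        $rate = & $ratio $job
        $z    = ($rate - $mean) / $sigma

        if ($z -ge $ZThreshold -and $rate -ge $MinChangeRatio) {
            $flagged += [pscustomobject]@{
                Timestamp         = $job.Timestamp
                ChangeRatio       = [math]::Round($rate, 3)
                ZScore            = [math]::Round($z, 1)
                LastCleanRecovery = $sorted[$i - 1].Timestamp   # newest recovery point before the spike
            }
        }
    }
    return $flagged
}

# Constructed sample: ten ordinary daily jobs over a 50,000-item tenant, then one
# job in which nearly every item was rewritten and an equal number of new
# (encrypted, renamed) items appeared. Columns: modified, added, deleted.
$start = [datetime]'2024-03-01'
$daily = @(
    @(520, 140, 12), @(610, 160, 20), @(480, 120,  9), @(700, 210, 31), @(550, 130, 15),
    @(640, 180, 22), @(590, 150, 18), @(530, 110, 11), @(660, 190, 27), @(600, 170, 16),
    @(48900, 48400, 35)
)
$sample = for ($d = 0; $d -lt $daily.Count; $d++) {
    [pscustomobject]@{
        Timestamp     = $start.AddDays($d)
        ItemsTotal    = 50000
        ItemsModified = $daily[$d][0]
        ItemsAdded    = $daily[$d][1]
        ItemsDeleted  = $daily[$d][2]
    }
}

Get-BackupAnomalies -Jobs $sample | Format-Table -AutoSize
```

With the constructed data, only the eleventh job crosses the threshold, and the row names the tenth job as the last clean recovery point. The MinChangeRatio floor matters: a z-score alone would also fire on a small absolute change after a week of unusually quiet days. The converse false positive, a legitimate bulk migration or mass re-permissioning, still trips this check, which is why a production detector corroborates the change rate with per-file signals such as entropy jumps and unfamiliar extensions before paging an administrator.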

AvePoint Cloud Backup – Never Compromise Between Compliance and Business Continuity Again 

AvePoint’s strategy is designed to never force customers to have to choose between a recovery SLA and meeting compliance requirements. We ensure customers can have as many copies of their data stored on their terms, and ready for recovery in minutes while providing peace of mind that the organization can comply with their specific regulatory requirements. 


John Hodges
John Hodges is Senior Vice President of Product Strategy at AvePoint, focusing on developing compliance solutions that address modern data privacy, classification, and data protection needs for organizations worldwide. Since joining AvePoint in 2008, John has worked directly with the company's product management and research & development teams to cultivate creative ideas and bridge the gap between sales and technology, providing a practical target for innovation and a focused message for sales and marketing. John has been actively engaged in the SharePoint community for several years, working with many Fortune 500 companies to drive sustainable adoption of Microsoft technology and optimize SharePoint's larger purpose-built implementations. John's insights and opinions on modern Information Technology can be found in various industry publications, as well as throughout his numerous speaking sessions in webinars and at events worldwide.
