Why Object First Says Most Immutable Backups Are Not Truly Immutable

[00:00:05] Today on the Business of Cybersecurity podcast, we're going to go after the word that gets thrown around so casually in cybersecurity, and I would argue dangerously thrown around, because it can often lull teams into a false sense of safety.

[00:00:24] Yeah, I'm talking about immutability, because if you've ever sat in a vendor demo or heard immutable backups delivered like a magic spell, you already know the problem. There is often several asterisks hiding in the checkbox, and my guest today has spent years in the backup world, and he has a clear line between some of those marketing claims that we've all seen,

[00:00:50] and what actually holds up when attackers arrive with admin credentials and a little patience. So today we're going to talk about why backups have become the bullseye in ransomware campaigns, what absolute immutability, what that actually looks like and means in practice, and the architecture choices that separate real resilience from just wishful thinking.

[00:01:13] So if you are a CISO infrastructure lead or the backup admin who everyone suddenly notices on the worst day of the year, this one's for you. So enough from me. Let me introduce you to my guest right now. So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do? Sure thing. Name's Anthony Cusimano. I am the director of solutions marketing here at Object First, and that might sound like a little bit of a mysterious title,

[00:01:43] but basically my role is to ensure that everyone, both internally and externally, knows all about the coolness that is Object First and the solutions we provide. Awesome. Well, there's so much I want to talk with you about today. One of the things I try and do every day on this podcast is demystify some of the big hype and buzzwords that surround cybersecurity and technology. And one word that keeps cropping up is immutability.

[00:02:10] It gets used a lot in cybersecurity, marketing in particular. But from your perspective at Object First, what does true immutable backup storage, what does it actually require at a technical level? Tell me more about that and maybe we can bust a few myths along the way. Yeah. So this has become something that is so core to our value. We've had to create a new term for it. We actually call it absolute immutability now because unfortunately,

[00:02:38] the word immutability itself has become a little bit tarnished in our industry. And you asked the question, what is it? And I think when we distill it down to its basics, immutability is the inability to delete, alter, update, or change data in some sort of form factor. Right. So you put storage on a CD-ROM and the CD-ROM is write or read only, you know, write once, read only. That's immutable.

[00:03:06] You're never going to take that data off that disk unless you melt it, destroy it, or disk rot happens. Tape was great for immutable storage because once it's unplugged and it's, you know, locked away in a vault, it's technically immutable. Right. You can only change that thing once you plug it back in. And if it's, if it's write once, then again, you're done. What's, what's happened in the industry is a lot of storage vendors who are doing disk, NVMe, SSD, whatever, they're saying they offer immutable storage.

[00:03:34] But what they're actually offering is a checkbox or some kind of marketing claim. Basically, yeah, we have immutable storage. You can write to us and you can click this button and you won't be able to delete it. Dot, dot, dot. Unless you're an admin or, you know, unless you're running a virtualized storage appliance on an ESX host or you're running it in the cloud and you're not a full account admin, right? There's all these little asterisks to immutability. And yes, it, it's better than nothing.

[00:04:04] Absolutely. But I think the sad truth of the matter is when you look at the industry today and you look at how bad actors are specifically going after backup data, just having a checkbox is not enough, right? You have to have something that's more secure. You have to have something that's more impenetrable. And that's why we refer to it as absolute immutability, which I'm sure we're going to talk about. But it has to be more than just a checkbox.

[00:04:33] And one of the reasons I had to ask that, because I did a bit of research on you before you came on to that. I know you're passionate about this stuff. You've actually written about how many vendors out there are claiming immutability without fully delivering it. So I know it's a topic close to your heart, but for what you're, what you're seeing now, and you see here, all those big shiny keynote speeches and the tech on offer and the big promises, what are the most common design flaws, or maybe even shortcuts that leave backup data exposed,

[00:05:01] even when that label says, Hey, it's immutable. Right. Well, I think, you know, the first thing is folks don't even realize what they're backing up or where they're backing it up to, right? Like if, if you've just started a job as a backup admin, which I would argue is one of the most crucial jobs in the industry today, but let's say you just inherited something. So you're maybe for six months on the job, you're coming in, you're looking at the setup, everything seems okay. All your backup policies are running fine.

[00:05:31] But what you don't know is what you don't know, right? This, your previous superior or whoever you're placing might not have covered the entire swath of your company's data, right? They might've only gone into certain pockets of the IT org or certain pockets of the R and D. They might be missing finance, HR, whomever. I think the first key step along the way is ensuring one, you do a sort of a blanket overview of what is my company's business critical data?

[00:05:59] If we were hit tomorrow, what would we be worried about losing? And then ensure that is being backed up, right? Even before we get to the immutability side of things, you got to make sure you're backing up the right things because you could back up the wrong things and put it on the most immutable storage ever. And it doesn't matter because it's all junk. If that's what you're bringing back, you know, it's a problem, right? So it's a twofold issue. You got to one, make sure you know what your business critical data is. And then two, it needs to go somewhere where no matter what happens,

[00:06:29] no matter the level of privilege, administrative level of security, once it lands there, it cannot unland there under any circumstances whatsoever. And that's really where we get into more of the sort of technical nuance that Object First likes to talk about. And one of the reasons I think this is such an important topic is I've been reading a lot lately that we're now seeing 96% of cyber attacks are actively targeting backups.

[00:06:57] And it's that one area that everyone kind of assumes is safe. So why have backups become such a primary target? And what does it tell us about how attackers are starting to think about business continuity now? So it's really sad, actually, because the backup and the backup admin used to kind of be this safe job where you could kind of just go hide in an office somewhere. And as long as the backups are running, as long as I can get that email back

[00:07:23] when the CEO deleted it from his inbox, I look like the golden child. And now when you look at ransomware and how it's evolved, right, it started off as a, hey, I'm going to go see if I can convince your grandparents I'm some kind of bigwig and get them to give me money. And then it evolved into, ooh, I can up this. I can attack companies. I can hold them hostage. I can grab their production data and say, hey, I'm going to leak your secrets. I'm going to stop you from being able to do whatever it is you do until you pay me money.

[00:07:53] And that worked really well for a good chunk of time. And then companies got wise. They said, hey, that backup admin who restores our emails, we can just use that to restore the entire company. If they're doing their job right, we should have a backup. And this is exactly when that pivot happened. We started to see businesses recover from ransomware attacks because, yeah, if you're doing it right, you should be able to recover fairly quickly, especially if you're testing your backups and your backup operations.

[00:08:19] And once that happened, that's when the ransomware started to shift from being this active attack to something that starts to do what we call a dwell phase, where you'll see that malicious software or that insider sort of lie dormant. For weeks, if not months on end, basically sitting around collecting data, kind of exploring the infrastructure of the business and finding that backup data,

[00:08:46] because they know if I take that out first, then I go for the production data. They got to pay the ransom again. They can't go back to those backups. So this pivot is really when the industry started to realize, hey, we got to take backup a lot more seriously. Backup is actually not just an IT operation. It's part of our cybersecurity strategy. And this is also when the word immutability really started to creep up in the market because everyone started to say, yeah, we offer immutability,

[00:09:13] but is it to the level of satisfaction that ensures you can recover and your backup data is safe when it is immutable? And that seems to be really where the challenges hit. And for any IT leaders or indeed business leaders that are listening, just to hammer home the point of what we're talking about here, what are the very real financial and operational consequences of believing that your backups are immutable because you've got that checkbox on a new vendor,

[00:09:41] but when they're actually not, what are the actual consequences of that? I mean, the worst case scenario is you got to pay that ransom, right? And I mean, the real, the true worst case scenario in that case is you pay the ransom and this attack was hosted by some 16-year-old in a country you've never heard of, and they don't actually know if the decryptor works. So you've paid for something that potentially is not going to save you, in which case you are completely hosed on your recovery operations.

[00:10:11] It is start over, right? That's your absolute worst case scenario. Now, best case scenario in this incident is we do have absolutely immutable backups, which means that in no circumstance can this data be altered, deleted, or updated. And yeah, everything's been locked down. And I'll tell a story. In the past, we've had customers of ours who they've lost everything. FBI shows up in their office and is like looking around.

[00:10:41] What's that thing over there with the big orange bezel? I go, that's an object first box. That's the only thing that seems to be operating under any kind of like normal circumstance. So like that's evidence now. I think all of your data is on there. Like this is huge, right? So we believe that data has to be absolutely immutable. And the way that we do this is sort of a threefold tactic.

[00:11:08] It, one, must be physically separated from the backup software. So, you know, it's got to be a physical box. It's got to be something that is dedicated for backup storage specifically. And the reason for this is, you know, because a lot of folks today will go run virtual infrastructure. They'll go with cloud infrastructure, which I'm not dissing either of those two things. They have their point. They have their purpose. But backup storage is not one of them.

[00:11:32] And if you put your data on there, there's always going to be an administrative level or a layer that a bad actor can get access to. And then overwrite privilege downward into that storage layer. So you have to have a physically separated appliance that's going to hold your data. The second thing is you have to ensure that when you're writing data to this appliance, there is zero time delay to immutability. And this is something that I think folks don't think about very often.

[00:11:59] But when you're moving data from point A to point B, a lot of times it will either land in a buffer zone or some kind of high performance NVMe cache. And when it's there, it may not be immutable. One of the things we've done is actually make sure that, you know, even though we use these NVMe caches to speed up ingest speed, that cache is still part of our object storage ecosystem. So there's zero time delay between read, copy, write, land in our box. It's immutable the seconds it's there.

[00:12:29] And that the last and probably one of the most important pillars is the fact that we are using object storage. Object storage is a fairly recent technology that came out, say, a little over 10, 15 years ago. And, you know, calling that recent is kind of sad, but, you know, it's one of the most modern evolutions we've seen in the storage industry. And the reason it's so important is object storage has some really nice software benefits when you set it up, primarily being object lock, compliance mode, and versioning.

[00:12:59] When you use these three features in conjunction with each other, you effectively have something that cannot be overwritten at the software level. So you can kind of see what we've created here is it's a hardware separation, you know, at the operating software level object storage. There's no way that either of these physical or software layers, you can be penetrated by an attacker.

[00:13:21] Now, the other thing object first is done in our box is ensure that we do what's called a zero access approach, meaning that any attacker, any admin, any object first support staff can't actually get access to the various layers of the box operating system, storage layer, software layer, firmware. There's no way to get that access unless you do what's called a four eyes protocol with our support staff.

[00:13:51] So no amount of admin privilege can get you in, which means no matter attacker savvy can get you in. Four eyes is simply a concept that says we expect if you call into support and say, hey, I need to change something on my box. I need to factory reset it. You have to verify you are who you say you are. You have to have one of your coworkers verify you are who you say you are. And our support staff is going to do the exact same thing. And that's actually technically eight eyes. Four eyes is the industry term.

[00:14:20] We believe eight eyes is the way when it comes to immutable backup data. But when you put all of these sort of catch alls and these assurances in your appliance, you effectively have something that is ransomware proof. And, you know, it would be good enough to just put that on our marketing and say, that's it. Job's done. But we also make sure that every year we go off and have third party penetration testers test all these claims to make sure that we're not just saying things out into the ether. Instead, we have them prove it.

[00:14:50] And then we publish those reports so everyone can see. I love it. And I'd also love to bring in another cybersecurity buzzword. Of course, zero trust. Bring that into the conversation. Because behind the hype, it is now a foundational principle across security. So how does zero trust or a zero trust mindset, how does that apply specifically to backup storage, especially in the face of AI-assisted attack techniques that we're starting to increasingly see? What kind of mindset changes required here?

[00:15:20] Zero trust is everything, in my opinion. And I don't think you can have an absolutely immutable storage appliance like we have if you don't start with zero trust, right? Because zero trust is one of those terms that's been in the industry for a while now. And like immutability, I think it became a little bit of a marketing checkbox. However, that doesn't lessen its importance. When you take it out of the backup and just put it in security in general, the idea is zero trust. You have no trust that anyone is who they say they are.

[00:15:49] Your services are acting as you expect them to. You want to create essentially separation at every possible layer inside your infrastructure. Because I don't trust anyone or anything is who they say they are. And I don't want to give them access to anything that they should not have access to. It's kind of like, you know, if you think about the Titanic, if it didn't sink the way it did, the idea was each compartment was meant to kind of flood independently and you would never sink the whole thing.

[00:16:18] Now, obviously that didn't happen, but ships since then have used that approach. And I would say zero trust is very similar, right? If one part of your ecosystem is penetrated by an attacker, if you're following true zero trust model, they should not be able to jump around to any other part because they only have access to that one compromised thing. Now you can build that at the software layer using APIs and really good coding. You can build that at the sort of infrastructure layer by ensuring, you know,

[00:16:46] least privileged access on all of my various infrastructure and components. But when you examine the backup layer, there's a few key things that we recommend specifically on zero trust. The first is separate your backup software and your backup storage, right? It's a good zero trust principle. You do that at the architecture layer for an IT admin. You should do that at the backup layer, backup software, backup storage, two different appliances, two different infrastructures. The more separate they are, the better.

[00:17:14] Different accounts, different username and passwords separate those two things. Now, secondly, again, if you use object storage, you're able to take advantage of things like that compliance mode, the versioning, the object block, which all prevent access and overwrite. And then thirdly, I think, you know, having those resilience zones set in place. Think about if one fails, where do we fall back to? Right. And that's another zero trust principles. You must assume breach.

[00:17:43] You must assume that things will fail. So the old backup strategy of 32110, occasionally it becomes a full zip code. That should still be in play. You should have multiple copies of your backup data stored in multiple locations. Make one cloud, make one a partner or a service provider, whomever. But make sure wherever it lands, it is as immutable as it can be. And we recommend, you know, having as many absolutely immutable copies as well.

[00:18:12] And at the very beginning of our conversation, we're talking about some of the misleading promises from vendors out there when they're talking about immutability. So for people listening, when they're evaluating backup solutions, what kind of practical questions should CIOs, CISOs and infrastructure teams, what should they be asking to verify that that immutability is enforced at the architecture level rather than just simply configured as a feature

[00:18:38] or as a checkbox, as you said, what should they be asking to get the answers that they need? I think a good first question is kind of getting back to that penetration testing that we do on ourselves. Ask the vendor, hey, are you third party verified, right? Before I ask any other questions, I want to know what other experts are saying about you. And are you publishing that information, right? We have no secrets. We publish the full reports.

[00:19:04] You could see all of the faults that we found in our waves of testing and then how we address them. And that's because we have a confidence in our solution. And I would simply say to anyone investigating any vendor out there, whether it's for backup storage, security software, what are they being public about? And what are they being private about, right? Black box is great in theory. But when all secrets are known and when you're confident in your security posture, that's

[00:19:32] infinitely better because then you know everything an attacker would know. Whereas in a black box environment, the attacker might have learned something and you will never know it because you don't have the kind of savvy and privilege they do. So open source, open secret is so much better than sort of a closed source. And third party validation and verification of the claims you make equally important. Now, if you're looking at a vendor, if you're looking at a storage vendor specifically, that's

[00:20:01] where my expertise falls in, right? I think the first thing is, are they able to offer something that is going to give you that physical separation from your backup software to ensure that when the data is written, if your backup software fails, which it likely will, your backup storage doesn't go with it. You're still able to access it. You're still able to get your data back even without the backup software. Secondly, you know, we talked about the physical separation. We talked about a lot of the features of object block. Can they offer immutability with compliance mode?

[00:20:30] Compliance mode, I've mentioned this before, but I don't think I explained it, simply means that unlike governance mode where an admin can come in and basically say, I want to turn off this feature, compliance mode is written for compliance. Registrative, you know, governance. We want to make sure that once it's written, it stays written for legal hold reasons. Now, that's also great for disaster recovery, ransomware recovery, because if you can't change it, they can't change it either. So check for that.

[00:20:57] And then also just ask them questions about how they do things. I think good vendors will be able to back up their claims with proof points, just like I'm doing right now, telling you a little bit of the secret sauce of what we're doing. I mean, it's not really secret if I'm telling you, but giving you those behind the scenes insights into what we're doing, how we're doing it and why we decided to do it this way. A good vendor will do that. And not so good vendor will simply say, trust us, right?

[00:21:26] There's nothing scarier than trust us. And, you know, I think that fits right in with the black box approach to security through obscurity is not security. At the end of the day, it is simply just security for me, but not for thee. And it's also security for the attacker because they're going to figure it out. They always do. And to continue on that, giving listeners a valuable takeaway as we look ahead and AI powered threats, they're inevitably going to be coming more automated, more adaptive. I think we can all see that happening now.

[00:21:55] So how should organizations maybe start rethinking their recovery strategy to ensure that immutable backups truly protect the business rather than almost providing a false sense of security that's going to bite them further on down the line? Any big changes or advice you'd recommend here? AI is, it's such a game changer for the way we work and the way we think. But I would actually say it's a little bit of an empowerment to all of the statements I've made so far.

[00:22:23] It only puts more pressure on everyone to take this more seriously, right? Because as a tool, as a utility, it's certainly, I wouldn't say it's made our lives easier. I would say it's made our lives different, right? It's given us new vectors to how we learn, how we work, how we optimize, how we work. But also it's created a lot of sort of churn and a lot of comfort. I think we, you know, with AI, we've seen ourselves become a little bit more trusting.

[00:22:51] I wouldn't say lazy, but I think trusting is the right word, right? I'm trusting the AI to do the job. Should we give AI, you know, the ability to build our security strategy? It's going to be pulling from a lot of the best sources out there. But where does innovation come from? Machines are people, right? So like, you know, I'm just, I'm a little bit of an AI doubter and it's total efficacy. But I will say like it has its place.

[00:23:17] Machine learning, data aggregation, agentic, they all do some amazing things for businesses when used properly. But I think the first thing is know what AI does well and then know what AI doesn't do well and make sure you have sort of a strategy for those gaps. Don't go all in on something when you're not confident in your ability to sort of manage and recover these things yourself. Now, when it comes to backups specifically, that's an interesting question, right?

[00:23:46] Because what is AI at the end of the day, if not just a very powerful data aggregation engine? And you've got to have data to make that AI good. Now, we've seen things like data poisoning where attackers will actually go in to these AI data sets they're refining and feeding from and they'll insert bad data as a vector of attack. And that's brilliant. It's terrifying, but it's brilliant. And the only way to ensure that if that happens, you can get back to business as usual is again,

[00:24:16] having an immutable copy you can pull back from. Now, the scary thing about this is AI data is so large in mass and in size that it requires much larger immutable storage pools. So another question you got to ask in working with AI is, does my vendor have the ability to scale up to my needs? Am I able to get enough immutable backup storage to actually meet this demand?

[00:24:41] And you will see oftentimes as vendors get bigger and bigger and bigger, their feature sets drop. I think one of the interesting advantages to object first and our solution specifically is because it was built from the onset to be immutable and scalable and use object storage. We don't have that issue. We can pretty much scale to whatever size we need. It's how much data center do you have to fit our boxes in there? It becomes a question of cooling and power.

[00:25:08] AI is going to continue to disrupt and change the way we do business. But I think from a practical perspective, we kind of have to stick to our roots here. Good backup strategy. Three, two, one on the AI data. It's got to have immutable landing zones. We have to ensure that that AI data stays secure and immutable when it's backed up. We need to test this strategy, right? You know, we talk about disaster recovery when it comes to our architecture and our infrastructure,

[00:25:35] but we should probably start thinking about what AI disaster recovery looks like too. If the AI data is poisoned and we bring back the other data, can we get it back to its functional state that we need it to? And taking these strategies that we've learned from things like zero trust, that we've learned from good backups, policies and practices and applying it to AI, I think will actually give us a really good first step forward. Now, things are going to continue to change as we start to step into things like quantum

[00:26:02] with cryptography and the ability to basically unencrypt things very quickly. It does raise into questions things like, well, how do we deal with encryption? How do I stop things like data leakage? And I think we're going to have to fight fire with fire with that, right? Like we're going to have to start using quantum cryptography on our backup data as well as preparing for them to use it against us. But fortunately, we're not there yet. That's maybe a next year or maybe next 10 year problem. I hope it's 10 year problem, but if it's next year problem, we'll deal with it.

[00:26:32] But I do think AI, you know, we're in the thick of it now. We're learning how to deal with it. And it turns out that best practices are still best practices. Are you just talking about a five year problem, 10 year problem? What about the threat of, dare I say, quantum and that threat of get the data now, harvest it later, breaking of cryptography? Does that kind of stuff keep you awake at night or not? Or is that stuff a little bit further on in the distance for you? I'm a bit of a pessimist. So everything keeps me awake at night.

[00:27:04] But it, you know, it does. I think, you know, one of the reasons I joined Object first, I was the fourth, I was the fourth employee when I joined four years ago. And the thing that got me to join was my boss at the time or my future boss said, hey, this is what we're building. And I said, has anyone built this yet? He's like, no. Well, why? Because this seems like bog standard. I'd worked in the backup industry for 12 years at this point. This really seems like something that should have existed.

[00:27:34] And it didn't. There wasn't just a storage vendor that was focused on building purely backup data with immutability at its core. And I had focused so much on the ransomware threat of five years ago. I said, well, this is going to go places simply because ransomware is only going to get worse. Right. With AI powering ransomware now, we know the number of attacks have increased.

[00:27:59] The number of successful attacks have increased because it's brute force times infinity effectively. Right. AI just makes the threat so much worse because now anyone can use it. Anyone can go perpetrate an attack. And the ones that are really good at it can make it better. So I kind of saw the future just like I'm seeing it right now with cryptography. I'm like, this company is going to be the savior for many businesses. And we have. We've helped many of our customers survive ransomware attacks.

[00:28:28] That story I told earlier with the FBI showing up. That was a school that we help put our devices in. And without us, they would have had nothing. And this story has repeated itself over and over again, because at the end of the day, it's, you know, we say it's not a matter of if, but when. And that's true. There's no amount of security posture. There's no amount of zero trust. There's no amount of software you can buy that is going to stop whatever the next generation of threat is. They will always slip past.

[00:28:57] They will always get in and they will always do some kind of damage. And the question you have to ask yourself is, am I able to get that back? Am I able to recover what I need? And I do believe with, you know, our 8i support, our absolute immutability, our physical appliance, we have created something that is truly ransomware proof. It is impenetrable. And we continue to test this every year with the latest threats and attackers through third party verification. It's the only way you're going to get there.

[00:29:26] And, you know, as we start to see these problems of the future, that's what we're building for. I think that's one of the advantages of being a startup is, you know, even though we were recently acquired by Veeam, we're still operating as a startup. We're operating on all of the talent, skill and sort of point and purpose we had when we were independent. We're focused on the future. We're building towards tomorrow's threats. And, you know, the bigger you are, the more, the more sort of spread out you become.

[00:29:51] It really doesn't help you focus in on your core value and your core problem. And that's exactly what we're doing. And we started our conversation today talking about the broken promises or misleading claims from vendors around immutable backup storage. Now, as we come full circle, I've got to ask, is there anything else that people misunderstand most about your industry or any myths and misconceptions about your job or field of expertise that we can just lay the rest today? I'm going to pull out a virtual soapbox.

[00:30:20] The floor is yours. Any myths and misconceptions we can lay the rest today? You know, I think we, I think I've preached enough about the security and immutability side of things. You know, in all honesty, I think it is the backup admin themselves, right? Like we look at them and I, you know, I said they were locked away in a closet. They were kind of the redheaded stepchild of yesteryear. And now it's, it's changed where I feel like the backup admin is probably one of the most important people in the organization, but they're not treated that way.

[00:30:50] I think they're, they're treated with a lot of expectation. And when things go wrong, all eyes immediately focus on them. But in truth, they are the backbone to your business, right? Without a good backup admin, without a team of backup admins, if you're a larger organization that is ensuring that your AI data, your production data, your R and D data, your source code, whatever it is that your business needs to be successful is being protected.

[00:31:19] It's, it's being put in immutable backup storage. It's, you've got multiple copies over a span of time that you're able to pull back and recover from. That's a hard job. And when crap hits the fan, the backup admin is always the one all eyes turn to the security teams looking at you. The CIO is looking at you. The CSO is looking at you. Your GSO is looking at you like, Hey, are we able to get our data back? Right? Are we okay? That is a terrible situation to be in because you could be doing the absolute best job you

[00:31:48] could be doing with the budget you have and still fail. And, you know, it's not your fault. Uh, I think backup admins are truly the superheroes of our industry because when you are able to get your data back, you are looked at and lauded with praise. And when you're not, it is all your fault. And I would argue that is probably not the case. It's probably a cavalcade of decisions that got you there. But, uh, I think the myth I want to bust is, you know, these admins are not just, you know, nerds in a closet, right?

[00:32:16] They are, they are truly, uh, the most important people in your organization. And we need to recognize them as such, uh, give them a pay raise, give them a promotion, give them a cool little trophy for their, their, uh, their office, but really give them the budget. They need to be successful because when you do, uh, you will find that your business becomes incredibly resilient, uh, regardless of what attack comes your way. Wow. And I think that is a powerful moment to end on, but before I let you go, I will leave a link

[00:32:44] in the show notes to a white paper you penned on exactly what qualifies backup storage as immutable, but for anything else, anyone wanting to connect with you, your team, find out more about object first. Where would you like me to point everyone listening? You know, our website is a great place to go. If you want to learn more about what I was talking about or our solution or get just some thought leadership, we have, uh, some really great material on zero trust, absolute immutability. Uh, we've got some, some pretty great blogs that one of my teammates, uh, Sophia, she's

[00:33:14] constantly working on all of these blogs to kind of just focus on the latest threats, features, and things you should be thinking about a lot of good stuff on our website. It's a great place to go. And I'd also say, check out our YouTube channel. Um, we're very focused on creating good educational video content because I know people who listen to your podcast probably aren't, uh, like me. They're not the biggest readers. So when papers fail, video and audio comes to save the day. So, uh, check out our YouTube channel because we pretty much duplicate everything we write into pretty cool videos. Awesome.

[00:33:43] Well, I will add links to everything you mentioned in the show notes and the blog post, associated with this episode over at tech talks network. I'll include one of your YouTube videos as well. So anybody listening, please go over, check that stuff out. And we just covered so much today. And I particularly enjoy demystifying what immutable means. The dangers of thinking data backups are immutable when they're really not, how it can impact the bottom line and how to achieve genuine immutable backup storage. So many big takeaways.

[00:34:13] I invite people listening to also feedback to both of us, share your insights and experiences, but, uh, Anthony, just a big thank you for taking the time to come on and share your story and bust a few myths along the way. Thank you. Thanks for having me. I think if there was one thread that ran through this conversation, it's that resilience starts to look very differently. Once you assume attackers will come for your backups first. And Anthony made a strong case that immutable has to be designed into the architecture,

[00:34:42] not just toggled on as a feature and that proof matters. Third party testing, transparent reporting and clear answers to hard questions. And I'm also glad we had time to touch on zero trust thinking, why that applies to backup storage and why AI powered attacks raise the stakes for getting the basics right. Knowing what really needs to be backed up, validating that it is covered

[00:35:08] and then making sure it lands somewhere that it can never be altered. And I love that reminder that he offered there, that backup admins are no longer a background function. They are part of the security story and they deserve the budget, respect and the planning time to do their job properly. So if that sounds like you, feel free to pass them this episode and let me know what they say.

[00:35:33] And if this episode made you rethink how you define immutability or the questions you ask vendors, I'd love to hear what stood out for you and what you're seeing in your own environments. And as always, techtalksnetwork.com. And I also look forward to speaking to you all again very soon. Take care. Speak to you soon.