Immutable Backup vs Air-Gapped Backup: What UK MSPs Need to Know

11 May 2026 BOBcloud

Two terms get thrown around interchangeably in ransomware-resistant backup conversations: immutable and air-gapped. They sound like the same thing, and vendors often market them as if they are. They're not. Each defends against a different attack pattern, and a serious backup strategy uses both.

This article explains the practical difference, where each technology is appropriate, and what UK MSPs should look for when evaluating backup platforms.

Immutable Backup, Briefly

Immutable backup means data that cannot be modified or deleted for a defined retention period — even by an administrator with full credentials. The protection operates at the storage layer, not the access-control layer.

Technically, this is implemented through object lock on modern cloud storage (Wasabi, Azure, AWS S3), which enforces a WORM (Write Once, Read Many) model. When a backup is written with object lock, the storage system itself refuses any attempt to delete or modify the file until the retention clock expires.

We covered immutable backup in depth in a previous post. The short version: if ransomware compromises your client's environment and steals your backup admin credentials, immutable storage still won't let them delete the backups.

Air-Gapped Backup, Briefly

An air gap is the separation between two systems — historically a literal physical disconnect (the backup tape sitting on a shelf, the offline disk in the safe). The idea is simple: if attackers can't reach the backup over the network, they can't delete it.

In 2026, true physical air gaps are rare in cloud-era MSP deployments. Almost no one wheels a tape library into a vault any more. Instead, the term has shifted to mean logical air gap — backup storage that's network-isolated and credential-isolated from the production environment.

The distinction matters because cloud-era "air gaps" aren't air gaps in the original sense. They're better described as isolation.

Where the Two Concepts Differ

The confusion comes from the fact that both technologies are sold under the umbrella of "ransomware-proof backup." But they protect against different things.

| Threat | Immutable backup | Air-gapped backup |
|---|---|---|
| Attacker deletes backups with stolen admin credentials | Blocks | Doesn't help if attacker has reached the gap |
| Attacker encrypts backup files in place | Blocks | Doesn't help if attacker has reached the gap |
| Attacker compromises the backup management server itself | Blocks data destruction | Helps if backup storage is isolated |
| Insider deletes backups maliciously | Blocks | Helps only if insider can't reach the gap |
| Backup vendor's infrastructure is compromised | Doesn't help | Helps if storage is separate from vendor |
| Account takeover of cloud storage account | Doesn't help if attacker can disable object lock | Helps if storage credentials are separate |

The pattern is clear: immutable storage is strong against in-environment threats (compromised admin, ransomware running with admin rights). Air-gapped storage is strong against vendor-side and account-takeover threats (attacker gets your cloud storage credentials, vendor itself is breached).

Together, they cover more ground than either alone.

What "Logical Air Gap" Actually Means in 2026

Almost every backup vendor now claims to offer "air-gapped" backup. What they usually mean is some combination of:

  • Separate credentials for backup storage vs production environment
  • Separate network — backup traffic doesn't share the production network path
  • Separate IAM — the backup storage account isn't accessible from the same identity provider that compromised admin tokens would come from
  • Vaulted copies — a delayed copy of backups held in a separate account that operations staff can't reach

None of these are a literal air gap. They're isolation measures. Good ones, usually — but worth understanding for what they are.

A pragmatic UK MSP should ask any vendor claiming "air-gapped backup":

  • Whose credentials control the air-gapped copy? If it's the same login as your reseller portal, it's not air-gapped — it's just storage in a different bucket.
  • What happens if that vendor's master account is compromised? A real air gap is opaque even to the vendor.
  • Can the air-gapped copy be deleted by an emergency support request? If yes, an attacker with social engineering skills can reach it.

What UK MSPs Should Look For

A backup platform serious about ransomware resistance should offer both of these:

Immutable storage, backed by:

  • Object lock at the storage layer (Wasabi, Azure, S3-compatible)
  • Compliance mode where retention cannot be shortened once set
  • Per-backup-set or per-client retention configuration
  • A clear answer to "what would it take to delete this data early?" — ideally, nothing within the MSP's or vendor's normal admin scope

Isolated storage, backed by:

  • Storage credentials separate from the backup portal's
  • Multi-factor authentication on the storage account
  • An audit trail showing all delete or retention-modification attempts
  • Documented procedure for the unlikely case of needing to recover from vendor-side compromise

Neither alone is sufficient. A platform with immutable storage but no isolation is exposed to vendor-side breach. A platform with isolation but no immutability is exposed to in-environment compromise.
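
An added example, not BOBcloud's code, of checking the immutable-storage points above for each client bucket: it reads responses shaped like S3's GetObjectLockConfiguration and reports buckets that are unlocked, in governance rather than compliance mode, or short of the client's required retention. Client names, retention requirements and configurations are constructed; in practice the responses would come from the storage provider's API.

```python
# Constructed example: client names and configurations are made up. Each config
# has the shape of an S3 GetObjectLockConfiguration response.
BASELINE_DAYS = 30  # baseline retention named in the article


def audit_bucket(config, required_days=BASELINE_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    olc = (config or {}).get("ObjectLockConfiguration") or {}
    if olc.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled: backups are deletable"]
    rule = (olc.get("Rule") or {}).get("DefaultRetention")
    if not rule:
        return ["no default retention: only objects the backup software "
                "locks explicitly are protected"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"mode is {rule.get('Mode')}: retention can be "
                        "bypassed by a sufficiently privileged identity")
    # DefaultRetention carries either Days or Years, never both.
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < required_days:
        findings.append(f"retention is {days} days, client needs {required_days}")
    return findings


def audit_clients(clients):
    """clients maps name -> (required_days, config); returns failures only."""
    report = {name: audit_bucket(cfg, need) for name, (need, cfg) in clients.items()}
    return {name: found for name, found in report.items() if found}


def lock_config(mode, **period):
    """Build a constructed response with a default retention rule."""
    return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, **period}}}}


CLIENTS = {
    "acme-ltd": (30, lock_config("COMPLIANCE", Days=30)),
    "smith-legal": (2555, lock_config("COMPLIANCE", Years=1)),  # wants ~7 years
    "northside-dental": (30, lock_config("GOVERNANCE", Days=90)),
    "legacy-client": (30, {}),  # bucket created without object lock
}

if __name__ == "__main__":
    for client, findings in audit_clients(CLIENTS).items():
        print(client, findings)
```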

What This Looks Like Day-to-Day

For a typical UK MSP managing 20-50 client backup accounts, the practical implementation looks like this:

  1. Default to immutable for every client. Object lock turned on by default. 30-day retention as a baseline; longer for clients with regulatory requirements.
  2. Use a separate identity for the storage layer. The reseller portal credential is one identity; the cloud storage credential is another. Don't reuse passwords or share IAM roles.
  3. Monitor for delete attempts. Most cloud storage providers can alert on object lock policy modification attempts. This is a tripwire — the attempt itself is a signal of compromise, regardless of whether it succeeds.
  4. Test restores from immutable copies. Immutability protects the data, but only restore testing proves it's recoverable. Add this to your monthly client review process.
  5. Document the threat model. When a client asks "what protects my backup from ransomware?", a one-paragraph answer that names immutable storage and credential isolation is more compelling than vague reassurance.
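
Step 3 as an added example (not part of the original article or any vendor's tooling): a filter over storage audit records that raises an alert for every delete or retention-change attempt, denied or not, and treats the dedicated storage identity from step 2 as the only expected caller. It assumes AWS CloudTrail-style records; the bucket name, account ID, user names and events are constructed, and other providers' logs would need their fields mapped.

```python
# Constructed example: bucket, account ID, users and events are made up.
BACKUP_BUCKET = "msp-client-backups"
WRITER_ARN = "arn:aws:iam::111122223333:user/backup-writer"  # storage identity
# Calls that delete data or weaken retention, at bucket level and object level.
BUCKET_LEVEL = {"PutObjectLockConfiguration", "PutBucketVersioning", "DeleteBucket"}
OBJECT_LEVEL = {"DeleteObject", "DeleteObjects", "PutObjectRetention",
                "PutObjectLegalHold"}


def find_tripwires(records, bucket=BACKUP_BUCKET, writer=WRITER_ARN):
    """Return one alert per suspicious call against the backup bucket."""
    alerts = []
    for rec in records:
        target = (rec.get("requestParameters") or {}).get("bucketName")
        if rec.get("eventSource") != "s3.amazonaws.com" or target != bucket:
            continue
        name = rec.get("eventName", "")
        caller = (rec.get("userIdentity") or {}).get("arn", "unknown")
        denied = bool(rec.get("errorCode"))  # absent or empty on success
        if name in BUCKET_LEVEL:
            reason = "bucket-level retention or delete call"
        elif name in OBJECT_LEVEL and caller != writer:
            reason = "delete/retention call from non-backup identity"
        elif name in OBJECT_LEVEL and denied:
            reason = "backup identity was refused a delete/retention call"
        else:
            continue  # routine reads and writes
        alerts.append({"time": rec.get("eventTime"), "event": name, "caller": caller,
                       "reason": reason, "outcome": "denied" if denied else "succeeded"})
    return alerts


def event(time, name, user, denied=False):
    """Build one constructed CloudTrail-shaped record."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "errorCode": "AccessDenied" if denied else None,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"bucketName": BACKUP_BUCKET}}


SAMPLE = [
    event("2026-05-11T02:00:01Z", "PutObjectRetention", "backup-writer"),
    event("2026-05-11T03:14:09Z", "DeleteObject", "portal-admin", True),
    event("2026-05-11T03:14:30Z", "PutObjectLockConfiguration", "portal-admin", True),
    event("2026-05-11T03:20:00Z", "DeleteObject", "backup-writer", True),
]

if __name__ == "__main__":
    print(*find_tripwires(SAMPLE), sep="\n")
```

Successful object deletes by the backup identity are left alone here on the assumption that the backup software prunes expired copies itself; tighten that rule if yours never deletes.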

Where BOBcloud Fits

BOBcloud's backup platform supports immutable storage on Wasabi with object lock in compliance mode. Storage credentials sit on a separate account from the reseller portal, providing the credential isolation that real-world air-gap claims should mean in 2026.

If you're evaluating backup platforms specifically for ransomware resistance, the free 30-day trial includes immutable storage by default — no payment details required.

For UK MSPs switching from a vendor whose ransomware story doesn't add up, BOBcloud offers up to £250 switching credit applied across your first three months. Get in touch to discuss migrating an existing client base.