We were doing a deletion of a customer in Azure today, deleted all the resources.
We eventually came to the Recovery Vault for the Backup VMs. It had of course soft delete enabled.
"Well, we just have to disable it and then wait for 14 days before we can delete it," I said.
BUT..
my colleague then just tried to delete the backups and recovery vaults anyway, AND, he succeeded....
"What on earth just happened?" I said, and we started to read about Azure Backup and soft delete.
And actually, even when it's a part of Microsoft Ransomware protection for Azure Backup, it actually cannot stop an owner account of the tenant from deleting the backup, even when in soft delete. Eventually it is also possible to delete the backup, remove soft delete, undelete, and then undelete to delete the backup data..
I have since 2019 always treated soft-delete like an "ok alternative" to immutable backup in Azure..
Is my understanding correct? There are actually many ways to bypass the soft delete for a potential hacker with an owner account with Azure native backup of VMs?
(Can't wait to get Veeam Agents with direct backup to immutable object storage........)
- Service Provider
- Full Name: Frank Iversen
- Location: Norway
- Product Manager
- Full Name: Hannes Kasparick
- Location: Austria
Re: Azure - Soft delete
Hello,
to me, everything looks expected and that technology cannot be used as alternative to immutability. The name is "soft-delete" and not "immutable". "Soft" means for me the opposite of "hard". Soft-limit vs. Hard-Limit etc.
Best regards,
Hannes
- Service Provider
- Full Name: Frank Iversen
- Location: Norway
Re: Azure - Soft delete
The more I read, the more it seems like you are right, but I think Microsoft never should have included Ransomware-protection as part of soft delete. This doesn't seem to be ransomware-protection at all. The first thing a hacker would do is disable this soft delete, and if you can even delete the soft-deleted files.... well....
Will the Veeam agent be able to back up to object storage (Amazon S3 immutable) in the next version?
- Product Manager
- Full Name: Vladimir Eremin
Re: Azure - Soft delete
Yes, it will. Thanks!