Ben WestlakeHead of Managed Services
Article
Cloud Storage is not a Recovery Plan. Here is the difference that matters
Most organisations running backup workloads in the cloud have storage. What they often do not have is a tested recovery capability with a service level attached to it. That distinction is now one of the most important gaps in UK IT resilience.
Ben WestlakeHead of Managed Services
96% of ransomware attacks target backup repositories, and 76% of those attempts successfully compromise them.
Veeam 2024 Data Protection Trends Report
Why Cloud Storage alone leaves you exposed
Cloud object storage has become the default destination for backup workloads. It is resilient by design, scales without the operational burden of on-premises hardware, and removes significant management overhead from internal IT teams. Those are genuine advantages.
But a passive bucket does not validate your backups. It does not schedule and document restore tests. It does not provide an accountable service level when an incident occurs at two in the morning. And it does not produce the evidence trail that a cyber-insurer or regulator will ask for following a notifiable event.
Organisations that treat cloud storage as a complete backup strategy typically discover the gap at the worst possible moment. During an incident, a failed restore, or an insurance audit, the absence of tested recovery capability becomes very visible, very quickly.
“A passive storage bucket does not validate restores, monitor backup jobs, or answer the phone at 3am. Those are managed service functions, not storage functions.”
What Wasabi brings to the architecture
Wasabi is a purpose-built cloud object storage platform designed for high-durability workloads. It is S3-compatible, which means it integrates directly with Veeam and other leading backup platforms without additional tooling or configuration complexity.
Immutability and Covert Copy
Wasabi’s Object Lock prevents backup data from being altered or deleted during the retention period. That is a well-established immutability control. Covert Copy goes further.
Launched in December 2025, Covert Copy is a patent-pending feature included at no additional charge with Wasabi Hot Cloud Storage. It creates a hidden, immutable secondary copy of a selected storage bucket. That copied bucket cannot be viewed, modified, or deleted without multi-user authorisation. No single user or administrator, however highly privileged, can access or remove it unilaterally. Access requires both MFA and approval from multiple trusted administrators.
In practical terms, a ransomware operator who compromises an administrative credential cannot find the Covert Copy, let alone destroy it. That is a meaningful architectural control, not a marketing claim.
UK and EU storage regions
Wasabi provides dedicated UK and EU storage regions. For UK and Irish organisations with data residency obligations under UK GDPR, FCA SYSC, or NHS DSP Toolkit requirements, this means backup data stays where it is required to stay, without relying on configuration promises or data transfer agreements.
Eleven-nines durability
Wasabi is designed for 99.999999999% data durability. For a backup repository, durability is the minimum requirement. It is not a differentiator on its own. What differentiates a backup capability is what happens around the storage: the monitoring, the testing, and the recovery.
What Covenco adds
Covenco provides the operational layer that storage infrastructure cannot. That means the people, the processes, and the service level agreement that sit around the Wasabi platform.
24/7 monitoring and restore testing
Covenco monitors backup jobs around the clock, identifies failures before they accumulate, and runs scheduled restore tests to confirm that recovery points are genuinely usable. The test results are documented. That documentation satisfies the evidence requirements of cyber-insurers and, where relevant, regulatory frameworks including the UK Cyber Security and Resilience Bill and DORA.
Recovery orchestration and rental hardware
In the event of a ransomware incident or infrastructure failure, Covenco provides recovery orchestration against a defined recovery time objective. Where production systems cannot be brought back online quickly enough, rental hardware is available to deploy backup data to, avoiding the delays that come with sourcing replacement equipment under pressure.
A single UK contract
For an IT Operations Manager managing a CSRB incident reporting obligation, or a Head of IT Operations satisfying a cyber-insurer’s evidence requirements, the accountability chain matters as much as the technology. Covenco operates the joint service under a single UK contract, holds ISO 27001 and Cyber Essentials accreditation, and can provide the data residency and recovery documentation that audit requires.
The 3-2-1-1-0 Architecture
Covenco configures the Wasabi platform as part of a 3-2-1-1-0 resilience architecture. The logic is straightforward:
- Three copies of data
- On two different media types
- With one copy stored off-site
- One copy immutable and air-gapped via Wasabi Covert Copy
- Zero unverified backups: every recovery point is tested before it counts
The final point is the one most organisations miss. A backup that has not been restored is not a backup. It is a belief. The zero in 3-2-1-1-0 requires verification, not assumption. Covenco builds that verification into the managed service and documents every test result.
Who owns what
The joint service works because the responsibilities are unambiguous. Wasabi owns the storage infrastructure. Covenco owns the managed service around it. There is no overlap and no gap between them.
| Capability | Wasabi | Covenco |
|---|---|---|
| Cloud storage infrastructure | S3-compatible hot storage with eleven-nines durability | Architecture design, Veeam integration, and ongoing configuration management |
| Immutability controls | Object Lock and Covert Copy, hidden and indestructible without multi-user authorisation | Policy setup, retention configuration, and insurer-ready documentation |
| Monitoring and recovery | A durable, highly available backup repository | 24/7 monitoring, restore testing, recovery orchestration, and rental hardware on standby |
| Compliance and sovereignty | Dedicated UK and EU storage regions | UK-operated service with ISO 27001, Cyber Essentials, and audit-ready documentation |
The regulatory context
The backup conversation has moved up the governance stack. Under the UK Cyber Security and Resilience Bill, organisations face a 24-hour incident reporting requirement. To meet it credibly, they need to know the state of their backup estate at any given moment, not just whether a job ran, but whether the resulting recovery points are clean, verified, and recoverable within the required timeframe.
DORA imposes similar requirements on UK financial services firms doing business with EU counterparties. It mandates threat-led penetration testing and requires organisations to maintain documented evidence of their operational resilience capability, including recovery testing results.
A passive cloud storage account does not produce that evidence. A managed service, configured against a defined architecture and tested against a documented SLA, does.
Frequently Asked Questions
What is Wasabi Covert Copy?
Wasabi Covert Copy is a patent-pending feature of Wasabi Hot Cloud Storage, launched in December 2025 and included at no extra charge. It creates a hidden, immutable secondary copy of a selected storage bucket. The copied bucket cannot be accessed, modified, or deleted by any single user or administrator without multi-user authorisation, requiring both MFA and approval from multiple trusted administrators. This makes it highly resistant to ransomware and insider threats.
What is the 3-2-1-1-0 backup rule?
The 3-2-1-1-0 rule is a backup architecture standard requiring three copies of data, on two different media types, with one copy stored off-site, one copy immutable or air-gapped, and zero unverified backups. The final zero requires that every recovery point is tested and confirmed restorable. Covenco configures and manages this architecture using Wasabi as the immutable off-site storage layer.
Is Wasabi cloud storage compliant with UK GDPR?
Wasabi provides dedicated UK and EU storage regions. When managed by Covenco under a UK contract with ISO 27001 and Cyber Essentials accreditation, the joint service supports UK GDPR, FCA SYSC, NHS DSP Toolkit, and NIS2 data residency requirements. Covenco can provide the residency and recovery documentation required by internal audit and regulators.
Why is cloud storage alone not enough for ransomware protection?
According to Veeam’s 2024 Data Protection Trends Report, attackers targeted backup repositories in 96% of ransomware incidents and successfully compromised them 76% of the time. Standard cloud storage without immutability controls, tested recovery procedures, and 24/7 managed oversight can be identified and destroyed during an attack. Immutable storage combined with a managed recovery service closes this gap.
What a Managed Resilience review involves
Covenco offers a no-obligation review of your current backup estate against the joint Wasabi architecture. It covers what your current configuration actually delivers in terms of recovery capability, where the gaps are against a 3-2-1-1-0 standard, and what a managed service with defined recovery SLAs would look like in practice.
If you are running backups to cloud storage, managing Veeam internally, and cannot answer with confidence when recovery points were last validated end-to-end or how long a full restore would take, that conversation is worth having before an incident forces it.
Cloud storage is not recovery. The question is whether your current arrangement knows the difference.
Request a Free Managed Resilience Review
We will assess your current backup estate and show you what a managed Covenco and Wasabi architecture would deliver and what it would recover.