In this episode from RSAC Conference 2025, Sterling Wilson, Field CTO at Object First, explains why true immutability and zero trust principles must be built into your backup architecture—not just your network. He shares real-world insights, including how one school district was able to recover from a ransomware attack because their immutable backups were untouchable.
In today’s threat environment, it’s not enough to back up your data—you have to be able to trust that those backups will be there when you need them. That’s the message from Sterling Wilson, Field CTO at Object First, during his conversation at RSAC Conference 2025.
Object First is purpose-built for Veeam environments, offering out-of-the-box immutability (OOTBI) with a hardened, on-premises appliance. The goal is simple but critical: make backup security both powerful and practical. With backup credentials often doubling as access credentials for storage infrastructure, organizations expose themselves to unnecessary risk. Object First separates those duties by design, reducing the attack surface and protecting data even when attackers have admin credentials in hand.
Immutability as a Foundation—Not a Feature
The conversation highlights data from a recent ESG study showing that 81% of respondents recognize immutable object storage as the most secure way to protect backup data. True immutability means data cannot be modified or deleted until a set retention period expires—an essential safeguard when facing ransomware or insider threats. But Sterling emphasizes that immutability alone isn’t enough. Backup policies, storage access, and data workflows must be segmented and secured.
Zero Trust for Backup Infrastructure
Zero trust principles—verify explicitly, assume breach, enforce least privilege—have gained ground across networks and applications. But few organizations extend those principles into the backup layer. Object First applies zero trust directly to backup infrastructure through what they call zero trust data resilience. That includes verifying credentials at every step and ensuring backup jobs can’t alter storage configurations.
A Real-World Test: Marysville School District
When Marysville School District suffered a ransomware attack, nearly every system was compromised—except the Object First appliance. The attacker had administrative credentials, but couldn’t access or encrypt the immutable backups. Thanks to the secure design and separation of permissions, recovery was possible—demonstrating that trust in your backups can’t be assumed; it must be enforced by design.
Meeting Customers Where They Are
To support both partners and end customers, Object First now offers OOTBI through a consumption-based model. Whether organizations are managing remote offices or scaling their environments quickly, the new model provides flexibility without compromising security or simplicity.
Learn more about Object First: https://itspm.ag/object-first-2gjl
Note: This story contains promotional content.
Guest:
Sterling Wilson, Field CTO, Object First | https://www.linkedin.com/in/sterling-wilson/
Resources
Learn more and catch more stories from Object First: https://www.itspmagazine.com/directory/object-first
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
When Ransomware Strikes, Will Your Backups Hold the Line? | A Brand Story with Sterling Wilson from Object First | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] And here we are. We're at RSAC conference. Sterling Wilson. How are you man? I'm doing very well. How are you today? I'm very good myself. So good to see you. It's great to see you again. We have, we've had some good chats already. I'm excited for, uh, excited for today's conversation.
Absolutely. A lot of, some announcements. We have a few announcements, some research. Absolutely. And, uh, some, some scenarios I think people want to hear, which we're gonna get to. So as well think so. Um, before we dig into all the good, not that this isn't cool and fun, what's your role?
Sterling Wilson: Sterling Wilson, Field CTO with Object First.
And we're here to keep people's data safe.
Sean Martin: That's right. And I have to say the field CTO role, probably one I'd love to have, you know, you get to see a lot of stuff.
Sterling Wilson: It's, it's one of the reasons I like it is yes, you get to see a lot of stuff. But you get to be out there right? Where the people are, right.
Where the customers are. So you get to listen and take some of that feedback, which ultimately improves the product. Yep,
Sean Martin: absolutely. And, and their environment hopefully as well. Yeah, yeah, that's for sure. So let's, um, [00:01:00] let's start off with, I know there's some ESG research that was put together that highlights some things that organizations need to look at with absolutely respect to data, data protection.
So what, what are some of the highlights that you wanna. Kind of pull out for us. Yeah,
Sterling Wilson: absolutely. You know, that ESG report really drew the, drew the, uh, drew home that 81% of people understand that immutable object storage is really the only way to totally secure your data today. Now, of course, it means it's still a multifaceted approach, but I think it draws down that immutability itself is no longer an option.
So
Sean Martin: maybe for, I, I'm gonna presume a lot of people understand what immutable storage is, but maybe. Let's give a definition of that. Yeah. Just to ensure that we're all on the same page. With respect to what you're talking about,
Sterling Wilson: I, I think that that's a great place to start. I actually just gave a chat, uh, across in Moscone South there go a little bit ago where we really, really, really started to talk about what is immutability and what is true immutability.[00:02:00]
Um, I've heard it called by many other names, WORM and all of these other things, and, and at the root of it, um, it's all true. Um, but immutable, immutable storage and immutable data sitting on immutable storage are attributes of the data that cannot be changed until a scheduled period has elapsed. So data that is marked as immutable, if it's in a safe zone, it is about as safe as you can get.
Because even if bad guys can get to where that data rests, they can't change the data, they can't encrypt the data and they can't do anything else to the data that would, that would change a set of circumstances.
Sean Martin: It's indelible. Okay, so maybe not quite exactly like the safe in a, in a 7-Eleven that only opens 10, 10:00 PM or whatever it is, but some schedule or some, some attributes that say this is when something can happen.
Sterling Wilson: That, that, that's exactly right. And to just build very quickly upon that, uh, the set of attributes will, would be immutable itself, but it's really important to have that segmentation of backup data [00:03:00] for of, of the backup permissions from the storage permissions. Because you can change those attributes as well.
Yeah. So the immutability is part of it, but it's part of a larger, multi-layered story.
Sean Martin: So tell me about where the, the customers you're working with in terms of what their business looks like, how storage fits into that, how immutable storage fits into that and, and the connection to risk management.
Cybersecurity. Yeah. Business resilience. I said a lot there, but kind of Yeah. What that, what that picture looks like. It's so
Sterling Wilson: funny how security touches everything today. Right. Um, you know, I've been in, in the data management, uh, data recovery, data resilience arena for some time. Mm-hmm. Uh, and you know what we've, what we've seen certainly today are customers are doing more with less, uh, they're wearing many hats.
They've had different types of storage and storage that was really geared towards. Faster recovery or ease of use or, um, honestly sometimes lack of budget. Uh, and today there really needs to have that security [00:04:00] component. So a lot of my time is actually spent with customers making sure they understand how they can still have the performance they need with the security attributes they want.
And we see that they're struggling with some of the complexity of building those things themselves. Right. They're dealing with, uh, slow recovery times. It's not a matter of if, it's a matter of when that we hear so much. Um, but they're also, they're also not getting the security that they need, the set of attributes with the actual box.
Right. And we're here to solve that.
Sean Martin: So who, who's the responsible, what's the relationship between the key stakeholders in terms of setting policy, managing? Yeah, I guess keeping track of what's where and who's, who has what and. And how that impacts, uh, business workflows.
Sterling Wilson: Yeah. You know, um, I think everything really does touch security.
Now, 10 years ago, that would've been the sole responsibility of a virtual administrator, right? Or maybe a person that wears two hats of the storage team and the virtual team. But at this point, [00:05:00] everybody has a hand in it to understand where the data and security and when we'll talk about in a little bit, uh, when we talk about some of our customers that have recovered.
Mm-hmm. How many hands are really in the pot now, and when it comes down to it to be able to, to trust your data, uh, at the root of it.
Sean Martin: So I'll, I'll lean into to the trusting, um, you have to be able to demonstrate that this is actually what's happening, right? So I don't know if you have some new announcements or something that might help paint a picture for folks of what, what you actually deliver and how you can demonstrate that.
They can trust what you're doing. Absolutely.
Sterling Wilson: Uh, at the root of it, we are an on-premises hardware appliance that is hardened from right outta the box. So we are 15 minutes box to backup as we like to say. Uh, a couple of IP addresses, cluster IP and you're pretty much in, in the GUI, so it's easy and simple to use, um, to be able to put it into the, the Veeam architecture itself.
Sean Martin: Right. Um, but we [00:06:00] haven't touched on yet. Maybe, maybe mention that.
Sterling Wilson: Solid point. Solid point. We are purpose built for Veeam architectures. So, uh, we understand that Veeam admins, Veeam as a solution itself is a very large framework. Mm-hmm. You can build it in many different ways. As a matter of fact, the flexibility of Veeam is what makes it so powerful.
Uh, it gives the, the customer a choice of how and where and, and to, to, to use their data. We believe that, that the customers shouldn't have to be security experts mm-hmm. To adopt the highest level of security for their data. So when you have data that you absolutely cannot have taken, cannot have ransomware, uh, encrypted or, or, or cannot, uh, it is the highest level of what you need.
That is when you look at an Object First OOTBI. One of the things that we've done is we've listened to customers and what we've heard is. We love your, your, your product. We wanna use it in different ways. We have, uh, ROBO, uh, remote office branch offices. Mm-hmm. So we have, uh, smaller areas. We need different size boxes.
Right. And so one of our announcements, uh, just a couple of weeks ago is we [00:07:00] announced three new sizes. Two that were smaller, 20 and 40 terabyte and one that's much larger. Okay. A 432 terabyte that, that in a clustered situation goes almost to 1.7 petabytes. I'm gonna
Sean Martin: fill that one with music.
Sterling Wilson: That's absolutely.
Sean Martin: What about, um, what about governance? I gonna touch on a little bit in terms of demonstrability, but Yes. Also sovereignty. Mm-hmm. Which has become. Yeah. Pretty significant, uh, topic of late. Yeah. So how, how do you guys play with, with that? Yeah,
Sterling Wilson: absolutely. Um, basically the, the governance is done with within the box itself.
When you create a bucket, uh, you can choose whether that bucket is versioned or not. Okay? Uh, and that will set that, that immutability stage in that everything else is done within Veeam. So we wanna make sure that we keep it simple enough for two reasons. We wanna make sure that, that the, that the Veeam administrator, the Veeam architect, can leverage the best facets of Veeam.
That means their encryption. Their deduplication, their jobs to put the data where it needs [00:08:00] to be onto that Object First. But the second part of that is about reducing the attack surface. When you use solutions where you have to control your own encryption on the box, or you have to lower certain roles in order to provide updates to that box, that actually increases your attack surface.
And worse, it sends data unencrypted in flight, right? So we shut all that down to make sure that's
Sean Martin: governed in the proper way. Are there any other challenges in a Veeam environment without Object First, that might be a sign that, that they're exposed, that they might be vulnerable to an attack that, that exfiltrates data or destructs data or damages data.
Sterling Wilson: You know, uh, it really depends on what they're using today, right? A lot of times we talk to customers and once again, because Veeam is so flexible, Veeam can be architected to run all from the same server. Uh, Veeam has made some advancements and they're, they're, they're using different, um, you know, they have an appliance that just came out that runs on Linux, but traditionally it's a Windows server.
And so if you're [00:09:00] using, uh, just a bunch of disks that we like to say JBOD, you know, in that server, uh, it really provides some sub, some substantial risks. One of the largest risks, no matter what you're using, um, is using the exact same backup credentials that is transmitting the backup data. Two, the backup credentials that have the, the credentials on the storage itself.
We believe very firmly that they should remain separate. We have to assume a breach in all scenarios. Object First is designed to work when all secrets are known, right? That means when you have all the passwords, you're able to. To to transverse back and forth throughout the architecture. You still will not be able to break into an Object First OOTBI device and steal the data.
OOTBI. That's right. I love the name. I love the name. Can we just say that name again? OOTBI. There we go. Said it together. Stands
Sean Martin: for out of the box Immutability. Look at that. I want to touch on, 'cause we're kind of saying it without saying it. Zero trust. Zero trust. Which is, has become, I dunno, I think people laughed at it a few years back.
I think it's starting to take hold. [00:10:00] I think it's not. Not a single process, not a single set of technologies. It's a mindset. Yep. Um, and if you apply that mindset to a, a policy and an implementation and a way of managing things, you're in much better shape. That's my personal view. Absolutely. What, what do you think about, and what, what does Object First do with, with respect to Zero Trust?
Sterling Wilson: Absolutely. I mentioned a little bit before that immutability is necessary. It's, I, I hate to use the term table stakes, but you really need to have that around your data today. But that's just not all, you know, zero trust has been around for a while, and zero trust can mean so many different things to so many different people.
Yes. Um, but at, at the root of it, it's really all about making sure the person is who they are at every step. So that if you steal somebody's credentials in a true zero trust scenario, you have to verify it explicitly at every single step. That has been seen at pretty much all parts of the architectures from CASBs at the edge, to VPNs, to logging in to different applications [00:11:00] under, uh, wildly.
It has never been applied to the backup architecture itself. And so now we have a scenario where you have a bunch of, um, uh, deployments where the same set of credentials are used, right? So when we set immutability, when we set all those things, the data has all of the wrappers it needs around it. Well, a nefarious actor can come in and just lower those wrappers ad nauseam.
So what we've done is apply the best facets of zero trust. To the segmentation of the backup data. We call that zero trust data resilience, and we actually wrote a white paper with Veeam on it to make sure that people understand that we really need to apply the zero trust directly to the backup. That means verify explicitly every single time that you do a backup job.
It means making sure that the credentials that do the backup jobs and pull those backups from the production architecture don't have the rights to elevate themselves on the box itself. And of course, it means. Using immutable storage S3 connection from the beginning.
Sean Martin: Well, I'm a nerd this way, but I'm gonna, I'm gonna [00:12:00] wanna read that white paper now.
Absolutely. I think everyone should. Let's, um, let's talk about a scenario or two. Um, I know we have one in particular we want to talk about where things happen. Yeah. Life, life is real. Mm-hmm. Businesses are running. Oh yeah. Threat actors are active and, uh. Malware and ransomware, it happens are, uh, prevalence.
It happens. So talk to us about some, at least one customer, if you have more, that's fine too, but at least one where Object First was in place and helped a customer recover.
Sterling Wilson: Yeah, absolutely. You know, these are always delicate subjects. Mm-hmm. You know, it's, it's tough, uh, sometimes for customers to admit, you know, right.
Maybe that they got, you know, caught in, in a tough situation. We have one particular customer, uh, Marysville School District in Marysville, Ohio. It's about nine particular schools in a district. And they were taken down and taken down hard. Um, and they actually came out and wanted [00:13:00] to be vocal about this story because they understand that other school districts and companies alike may be struggling with those same types of things.
Uh, and so they had a ransomware attack. They had everything done right. They had. Uh, Carbon Black. They had, uh, all of the types of, of edge devices. Mm-hmm. They had, uh, all of the things set up within their architecture to keep ransomware out. What we always talk about is we have to assume that there's already been a breach.
Right. We have to assume that there has already been some sort of incursion where there are just lying in wait and waiting to take over your systems. That's exactly what happened to Marysville and Marysville, Ohio. So they took all of their systems down. Um, and, uh, you know, some of the names remain nameless of, of some of the others that we were on the calls with, uh, to, to, to go, uh, to try to bring their data back.
But let's just say on this call, we went around the call doing a check from every single vendor and system, every single vendor and system was taken down. [00:14:00] But yet when they got to Object First, we were able to unmute ourselves on the call and say. Our data is solvent and ready to be brought back. In fact, we were ready to be brought back the moment that they started the recovery, but we actually had to delay a little bit because there was an FBI investigation that was ongoing at that time.
Interesting. It was because of the segmentation of those credentials that the admin account that had been taken and was used for all that nefarious activity, still was not able to get into the Object First box and encrypt those backups. Those backups were safe, and Marysville was able to recover.
Separation of duties for the win.
Sean Martin: Exactly right. Oh boy. Yeah. Let's, um, I'm gonna ask you this, the, you work with a lot of organizations. It, the, you just gave an example of a successful attack, successful recovery. What, what's the rest of [00:15:00] the scenario look like for customers? Because they're, they're making investment in their data.
They're making an investment to protect it. What's, what's the feedback you get in terms of working with you and your team? The, I'm, I'm gonna presume the, the, the, the easiness of, of the solution and, and limited impact on their operations of the business and, and the team's responsible for managing the data.
Tell me, gimme some stories about how they
Sterling Wilson: work with you. You, that, that's really a great question. We are a year three startup. And it's important, it's imperative that we listen to our customers and listen to our partners. In fact, uh, just last week, we, uh, had a partner advisory council where we had a round table where we got some honest feedback of not only what would help them deliver better business to their customers, but how they were growing themselves.
We took that feedback and we actually made another announcement last week. That announcement was that we now offer OOTBI, [00:16:00] out of the box immutability, in a consumption service. Okay. So we still offer CapEx where a partner or the customer themselves can go out and buy that box. Mm-hmm. And do what that box, what they need.
But what we also understand are there are some customers where maybe they don't understand their budget upfront. Maybe they know that they are going to acquire another company within that year and they're placing their budgets and money in a certain place. Mm-hmm. We can offer them the ability to pay as they go.
It gives them all of the same uh, uh, updates, hardening. Support from us, but gives them the flexibility to really grow as their business grows as it needs. We also listen to our partners. Many are service providers. Many provide Object First OOTBI as a service to their customers. What they wanted to do was to be able to scale quickly, to be able to move customers where they needed to at a moment's notice.
This consumption service allows them to consume as they go, not have to worry about the hardware or the boxes themselves. That is a risk that [00:17:00] Object First takes for them to allow them to focus on their business and grow as they need to grow. So it's predictable monthly cost, one year yearly, uh, yearly sign on and subscription and renew every year.
And they literally side, we do a sizing with them to make sure that they get the right size. That's important of consumption service. That is the most important at this point to make sure that everyone's happy and that's a large part of the feedback that we've heard.
Sean Martin: Very cool. Well, Sterling. I love the energy.
I love being here. I love the OOTBI. Love the OOTBI, and uh, appreciate you and uh, this conversation, my friend.
Sterling Wilson: Thank you so much for, for having me here. Yeah, we really appreciate you all and I hope I can come back soon.
Sean Martin: I hope so as well. Thanks everybody for, uh, listening to this brand story here from RSAC Conference.
Be sure to check out OOTBI. Connect with Sterling. Connect with Object First. Stay tuned. itspmagazine.com/rsac25 for more coverage. Catch you on the next one.