WORM Storage and Retention for Cloud Storage

You can enable write once ready many (WORM) storage and retention for Amazon S3 and Microsoft Azure Storage. Worm storage prevents the accidental deletion of data that is not qualified for aging.

Enabling WORM storage automatically enables compliance lock, which prevents retention settings from being changed. If you enable WORM storage and compliance lock, you cannot disable WORM storage, and the data will remain immutable in the storage for the duration of the retention period.

After you enable WORM storage, the size of the storage footprint will be slightly more than double the size of the protected front end data for Amazon S3 or Azure Storage, due to overhead associated with object lock storage and handling of deduplicated data. For this reason, WORM storage is more appropriate for secondary or tertiary copies of data than for primary copies.

If you add a custom backup plan that uses WORM storage, the backup plan inherits its retention settings from the storage pool.

• WORM storage lock. You can use the WORM storage lock option for both deduplicated and non-deduplicated data for Amazon S3 and Azure Storage. WORM storage lock provides data security at the cloud storage level.

  Note

  Air Gap Protect is not supported for WORM storage lock.

• Compliance lock. Compliance lock is a security control that provides protection from destructive tasks such as deleting backups, storage, apps, servers, and backup destination copies, and reducing retention for cloud storage vendors. Compliance lock provides data security at the software level. You can enable compliance lock at the storage level, and all associated backup destination copies will be locked and protected.

  Note

  Cloud app workloads that use bundled Commvault Cloud are not supported for compliance lock.

Before You Begin

• Complete the following tasks on the platform that you use:

  Platform	Tasks
  Amazon S3	Create a bucket in Amazon S3, with Object Lock enabled and default retention disabled. Verify that the PutObjectRetention permission is assigned to the bucket, along with the other permissions that are required to configure Amazon S3. To download a Commvault-provided identity-based policy for protection of Amazon S3, see Permission Requirements for AWS Resource Protection. .
  Azure Storage	Create a storage account and a container with version-level immutability support enabled in Azure Storage. Verify that the Storage Blob Owner role is assigned in Azure.

Procedure

1. From the Command Center navigation pane, go to Storage > Cloud.

   The Cloud page appears.

2. Click the cloud storage.

   The cloud storage page appears.

3. To enable WORM storage lock, do the following:

   1. Move the WORM storage lock toggle key to the right.

      The Retention rules page appears.

   2. In the Retention period option, specify the amount of time to retain the backups, and then click OK.

      The Do you want to enable WORM storage lock? dialog box appears.

   3. Select the options to confirm your agreement, type Confirm in the confirmation box, and then click CONFIRM.

      Note

      • Both WORM storage lock and WORM compliance lock will be enabled on all associated backup destinations. This action is irreversible and you cannot lower the retention.

      • If you enabled WORM storage lock unintentionally, we recommend you to create a new storage pool with a new storage pointing to a new container or bucket.

4. To enable only compliance lock, do the following:

   1. Move the Compliance lock toggle key to the right.

      The Do you want to enable Compliance lock? dialog box appears.

   2. Select the option to confirm your agreement, and then click YES.

      Note

      Compliance lock will be enabled on all associated backup destinations. This action is irreversible and you cannot lower the retention.