All the features of tape storage without the actual tape
Didier Van Hoye wants you to wake up. The future, he says, is uncertain, while failure is inevitable. In a self-described long-winded blog post, Van Hoye paints a picture of an interconnected world in the very near future, subject to much more coordinated attacks than we’ve ever seen. It’s critical, he says, to make sure your data backups are air-gapped.
IT departments in the past relied on tape backups, which offered the “write once, read many” feature, or WORM. Some companies are going back to tape, even though, as Van Hoye points out, the downsides of tape are many.
How, then, does the security-conscious IT leader create a modern WORM system, air-gapped from other systems and safe from remote hacking attempts?
The answer is here, says Van Hoye. “All you need is AWS-compatible S3 storage that supports immutability. Technically, we are talking about Amazon S3 Object Lock in compliance mode.”
What is S3 Object Lock and why it matters
With AWS’s API, you can store objects using a write-once-read-many (WORM) model. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely. Object Lock helps meet regulatory requirements that require WORM storage or simply add another layer of protection against object changes and deletion.
The feature is available in RING and the open source Cloudserver, compatible with the AWS specification. Any extensions to the specification will be explicitly documented.
A typical enterprise use of S3-compatible object storage is as a destination for backups. Backup files are prime targets of ransomware: recent attacks lock not only the live data on active volumes, but also the backups. This way the victim has really no way to restart their business without paying the ransom. It happens, too many times.
By supporting S3 Object Lock API, Scality RING8 now offers enhanced ransomware protection. RING8 qualifies as Veeam Ready Object with Immutability: provides for air-gapped, tamper-proof backup data that stays immune to ransomware. Read the full announcement.Didier Van Hoye wants you to wake up. The future, he says, is uncertain, while failure is inevitable. The answer to air-gapped, secure data seems to be Amazon S3’s Object Lock. Here’s how to use it. Click To Tweet
How to lock your data
To use Object Lock well, you’ll need to ensure a few things. The Object lock flag must be set while creating a bucket and versioning needs to be enabled on that bucket. In addition, object lock must be enabled on a bucket in order to write a lock configuration using the PUT Object Lock Configuration API that has its object lock flag set.
Unfortunately, the AWS S3 specification does not have a way of setting object lock on existing buckets. To enable object-lock flag on an existing bucket, Scality is developing a tool that will be released soon.
How to control the locking of an object
How do we lock an object? S3 provides a few ways through which the lock configuration of an object can be set. Retention modes, including Governance and Compliance modes, retain the lock on an object until a set period of time expires.
Governance mode allows delegating permission to certain users to override the lock settings. Only the root account or a user with s3:BypassGovernanceRetention permission can send a delete request with x-amz-bypass-governance-retention:true header to override and delete the object. This can be useful to protect a backup file from accidental deletion from a ransomware attack. Governance mode is also used to test retention-period settings before creating a compliance-mode retention period.
When a lock is placed on an object using Compliance mode, the object version cannot be deleted by any user until the retention period expires. This includes the root user (account credentials) in the account — no other user can be given permission either to override the settings or delete the version.
The retention period (the term during which an object is protected from deletion) can be set on the bucket level, which acts as a default for all objects put in that bucket after the setting is applied.
The default retention period set on a bucket can be overridden on the object level by setting the date and time using the header x-amz-object-lock-retain-until-date.
- Buckets – the retention period can be set in either days or years, but not both at the same time.
- Objects – the retention period can be set as date and time when the object is expected to expire.
Legal hold can also be enabled on an object version. Once a legal hold is enabled, regardless of the object’s retention date or retention mode, the object version cannot be deleted until the legal hold is removed.
Legal hold can be set on an object version during PUT Object request by setting the x-amz-object-lock-legal-hold header or using PUT Object Legal Hold API request. Root users with account credentials or IAM users who are given the permission s3:PutObjectLegalHold are allowed to set Legal hold on an object version.
APIs covering S3 Object Lock
- Put Bucket – this can extend the bucket creation API to include configuration for enabling object lock on the bucket. Note: Versioning is automatically enabled on buckets that have object lock enabled as part of a Put Bucket request
- Put Object – extend put object API to parse x-amz-object-lock-mode, x-amz-object-lock-retain-until-date, x-amz-object-lock-legal-hold headers and store the configuration on an object.
- Copy Object – extend the API to accept the same lock configuration headers as the PUT Object request
- Create Multipart Upload – extend the API to accept the same lock configuration headers as the PUT Object request
- Put Object Lock Configuration – allows setting a default lock configuration for objects that are going to be stored in the bucket. This request is accepted only on buckets that have object lock enabled.
- Get Object Lock Configuration – gets the object lock configuration set on the bucket metadata
- Put Object Retention – sets the retention mode/period configuration on an object version
- Get Object Retention – gets the retention mode/period configuration set on an object version
- Put Object Legal Hold – sets legal hold configuration on an object version
- Get Object Legal Hold – gets the legal hold status for an object version
This S3 functionality is now available to our customers in S3C version 7.7.0 and the open source Zenko Cloudserver version 7.7.0.
Ultimately, it’s up to each of us to keep our data private, secure, and backed up. As the world gets more connected and cybercrime becomes more and more sophisticated, it’s only a matter of time before your company’s data is affected. Using Object Lock for your critical data is another tool to reduce your risks.