Many organizations still view cloud storage as less secure than air-gapped, offline storage. They feel that if data is connected to a network, it can be accidentally deleted or hit by ransomware. The traditional method of air gapping data for protection meant that an organization’s data was stored offline on an LTO tape cartridge or an HDD that was disconnected from power sources. Retrieving data stored in this fashion can take many hours to days, and the media is vulnerable to bit rot or damage that could ultimately destroy the data. Object Lock removes the perceived vulnerability to errant deletion or ransomware while preserving the integrity of the data and keeping it readily available and instantly accessible. This blog post covers the Object Lock feature offered by Wasabi with Veeam Backup & Replication.
What is Object Lock?
Object Lock is a data protection feature wherein a user can designate certain files or “objects” to be immutable, meaning they cannot be altered or deleted by anyone. Via the policies of data management applications, users set an allotted time for an object to be immutable, after which it can be altered or deleted.
Example of Veeam and Wasabi architecture (secure by design):
Note: Veeam B&R v12 comes with support for backing up directly to object storage.
Veeam and Wasabi spotlight (immutable/Object Lock feature):
The first step is to add the S3 bucket in Veeam B&R, then create a Scale-Out Backup Repository (this applies to Veeam B&R v11; with v12, Veeam will support backing up directly to object storage). The Scale-Out Backup Repository contains the local repository (here, a Windows ReFS volume) and the Wasabi bucket (S3). You can configure it in Copy and/or Move mode.
Then, start the Backup Job:
Next, try deleting the backup data from the Veeam B&R console:
The message says that “Error: Unable to delete the backup because it marked as immutable until..”.
And now from the Wasabi interface (deleting the bucket):
The message says that “Error: The bucket you tried to force delete has Object Lock enabled and is not empty”.
To set Object Lock permissions, you must first create a new bucket with Object Lock enabled. You cannot add Object Lock capabilities to an existing bucket. In an Object Lock-enabled bucket, retention periods can be set at the object level for each individual object. Alternatively, buckets can be configured with a default retention setting for all objects that are placed in them. For example, if the bucket-level policy is set to retain an object for 30 days, the 30-day retention is calculated and applied as each object is added. Therefore, users do not have to set each object’s retention individually.
Wasabi also supports immutable buckets. In an immutable bucket, all objects are made immutable according to a uniform set of parameters. All of the objects in the bucket share the same expiration date. There can be no variation in the retention period between individual objects. This form of data protection is a great fit for protecting archival data or primary data that may not have additional copies.
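An added example, not from the original post or from Wasabi or Veeam: a small audit of the bucket default and per-object retention described above, run over constructed dicts shaped like the S3 API responses for GetObjectLockConfiguration and GetObjectRetention. It assumes Wasabi returns the standard S3 shapes; the function names, object keys and dates are hypothetical.

```python
from datetime import datetime, timedelta, timezone

def audit_bucket(lock_cfg, min_days):
    """Findings for a GetObjectLockConfiguration-shaped response (empty list = OK)."""
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        # Cannot be fixed in place: the lock must be enabled when the bucket is created.
        return ["Object Lock not enabled; a new bucket is required"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        return ["no bucket default; each object needs its own retention"]
    # S3 expresses the default in Days or Years; a year is approximated as 365 days.
    days = default.get("Days", 0) + 365 * default.get("Years", 0)
    if days < min_days:
        return [f"default retention {days}d is below the required {min_days}d"]
    return []

def audit_objects(objects, min_days, now):
    """Sort object keys by the state of their retain-until date."""
    report = {"ok": [], "unprotected": [], "expired": [], "short": []}
    for obj in objects:
        until = obj.get("RetainUntilDate")
        if until is None:
            state = "unprotected"   # no retention set: deletable right now
        elif until <= now:
            state = "expired"       # retention elapsed: deletable again
        elif until < obj["LastModified"] + timedelta(days=min_days):
            state = "short"         # locked, but for less than the policy asks
        else:
            state = "ok"
        report[state].append(obj["Key"])
    return report

# Constructed sample data (hypothetical keys and dates, not real output).
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
          "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

def _obj(key, age_days, locked_days):
    added = NOW - timedelta(days=age_days)
    until = None if locked_days is None else added + timedelta(days=locked_days)
    return {"Key": key, "LastModified": added, "RetainUntilDate": until}

OBJECTS = [_obj("backups/a.blk", 9, 30), _obj("backups/b.blk", 45, 30),
           _obj("backups/c.blk", 4, 7), _obj("backups/d.blk", 3, None)]

if __name__ == "__main__":
    print(audit_bucket(BUCKET, 30))
    print(audit_objects(OBJECTS, 30, NOW))
```

Objects reported as "expired" or "unprotected" are the ones that can be altered or deleted at the time of the audit.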
Both Object Lock and immutable buckets prevent the most common causes of data loss and tampering:
• Combat ransomware and viruses
• Avoid accidental data erasure
• Ensure regulatory compliance
• Mitigate financial risks and legal exposure
Use object immutability for greater control over individual object retention periods, and use bucket immutability for protecting large swaths of data.
Veeam and Wasabi offer trusted immutability.