Immutable storage for Azure Blobs lets organizations keep business-critical data in a read-only state, also known as write once, read many (WORM). Data can be created and read but not modified or deleted for a period the organization defines, known as the retention interval.
By Baki Onur Okutucu

This matters especially for financial institutions, legal services, and organizations in the healthcare and insurance industries, which regulations require to retain data unaltered for a defined period. They must therefore protect all business-related data against any kind of modification or deletion for that time. Once this feature is enabled and the policy is locked, no user, including one with administrative privileges, can modify or delete the data before the retention interval ends.

On Azure storage accounts (general-purpose v2 and Blob storage accounts only), organizations can now enable legal holds, time-based retention, or both.

Azure Blob storage supports two types of immutable storage policies.

Time-based retention:

This type of policy ensures immutable data storage for a specified interval of time.

Legal holds:

When the retention interval is not yet known, organizations can configure a legal hold to store data immutably until the hold is explicitly cleared; users with the required permissions can clear it at any time. A legal hold must carry at least one tag (an identifier such as a case name) so the reason for the hold can be traced.

Both time-based retention policies and legal holds are applied at the container level. An assigned policy then automatically covers all existing and new blobs in that container.

A time-based retention policy must be locked before the blobs are truly immutable. Once locked, even administrators cannot unlock or delete the policy until the retention period is over. The retention interval can be extended at any time but never decreased, so if you only want to test this feature, do not lock a policy with a long interval.

Here are some limitations of immutable storage:

  • The minimum retention interval for time-based retention policies is one day; the maximum is 400 years (146,000 days).
  • The maximum number of containers in a single storage account with locked immutable policies is 1,000.
  • The maximum number of containers in a single storage account with legal hold settings is 1,000.

Creating required resources

First, make sure an appropriate Azure Resource Manager (AzureRM) PowerShell module is installed. If it is not, install it with the following commands. Note that the AzureRM modules have since been superseded by the Az modules, where the same cmdlets exist with "AzureRm" replaced by "Az" in their names (for example Set-AzRmStorageContainerImmutabilityPolicy):

# PowerShellGet 1.6 or later is required for the -AllowPrerelease switch
Install-Module PowerShellGet -Repository PSGallery -Force
Install-Module -Name AzureRM.Storage -AllowPrerelease -Repository PSGallery -AllowClobber -Force

To enable and configure immutable storage, we first need a general-purpose v2 or Blob storage account; either create a new one or use an existing account of one of these kinds.

$ResourceGroupName = "Immutable-Storage-Test-00"
$StorageAccountName = "immutablestorage00"
$containerName01 = "storagecontainer01"
$containerName02 = "storagecontainer02"
$location = "WestEurope"

New-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-SkuName Standard_LRS `
-Location $location `
-Kind StorageV2
Creating a new storage account

Now we can create two containers in the storage account with the following commands:

New-AzureRmStorageContainer `
-ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-Name $containerName01

New-AzureRmStorageContainer `
-ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-Name $containerName02
Creating containers

Legal hold operations

Now we can apply a legal hold policy to "storagecontainer01" using the command below:

Add-AzureRmStorageContainerLegalHold `
-ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-Name $containerName01 -Tag sampletag
Enabling a legal hold on a container

When we now try to remove this container, the attempt fails with the following error:

Remove-AzureRmStorageContainer : The storage account immutablestorage00 container storagecontainer01 is protected from deletion due to LegalHold.

The legal hold prevents data deletion

To remove a legal hold from a container, use the following command:

Remove-AzureRmStorageContainerLegalHold `
-ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-Name $containerName01 -Tag sampletag
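A legal hold is keyed by its tags and stays in force until every tag has been cleared, so clearing one tag of several does not release the container. The script below is an added example, not code from the original article; it assumes the $ResourceGroupName, $StorageAccountName and $containerName01 variables defined above and the AzureRM.Storage cmdlets used in this article, and it uses constructed tag names. It places two tags on the container, removes one, and confirms through Get-AzureRmStorageContainer that the hold is still active before clearing the last tag.

```powershell
# Added example (not from the original article): a legal hold stays in force
# until every tag has been cleared. Assumes $ResourceGroupName,
# $StorageAccountName and $containerName01 from above; tag names are constructed.

function Get-LegalHoldState {
    param([string]$Container)
    $c = Get-AzureRmStorageContainer -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -Name $Container
    [pscustomobject]@{
        Container    = $c.Name
        HasLegalHold = [bool]$c.HasLegalHold
        # LegalHold.Tags is assumed to be the hold's tag list; null when no hold exists
        TagCount     = @($c.LegalHold.Tags | Where-Object { $_ }).Count
    }
}

function Set-LegalHoldTags {
    # Adds and/or removes tags, then returns the resulting hold state
    param([string]$Container, [string[]]$Add = @(), [string[]]$Remove = @())
    if ($Add) {
        Add-AzureRmStorageContainerLegalHold -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -Name $Container -Tag $Add | Out-Null
    }
    if ($Remove) {
        Remove-AzureRmStorageContainerLegalHold -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -Name $Container -Tag $Remove | Out-Null
    }
    Get-LegalHoldState -Container $Container
}

# Two independent reasons to hold the data, e.g. one per legal matter (constructed tags)
$s = Set-LegalHoldTags -Container $containerName01 -Add "case2018001","auditfy18"
if (-not $s.HasLegalHold -or $s.TagCount -ne 2) { throw "expected an active hold with two tags" }

# Closing one matter must not release data still needed for the other
$s = Set-LegalHoldTags -Container $containerName01 -Remove "auditfy18"
if (-not $s.HasLegalHold) { throw "hold was released while a tag remained" }
Write-Output "Hold still active with $($s.TagCount) tag(s) after clearing one"

# Only when the last tag is cleared is the container released
$s = Set-LegalHoldTags -Container $containerName01 -Remove "case2018001"
if ($s.HasLegalHold) { throw "hold still active after all tags were cleared" }
Write-Output "Hold released; container $($s.Container) can be deleted again"
```

The practical consequence is that a process clearing "its" tag after a case closes cannot accidentally release data another team still holds, but it also means a forgotten tag keeps a container undeletable indefinitely, so tag names should be meaningful and reviewed.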

Immutable storage operations

This section covers immutability policies (time-based retention). To set an immutability policy on a container, use the command below; ImmutabilityPeriod is the retention interval in days, counted from each blob's creation:

Set-AzureRmStorageContainerImmutabilityPolicy `
-ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-ContainerName $containerName02 `
-ImmutabilityPeriod 5
Setting up an immutability policy on a container

The blobs in the container are now protected against overwriting and deletion.

Note that the policy's state is now "Unlocked". Users still cannot modify or delete any blobs in the container, but an administrator can still remove the policy because it is not yet "Locked", so an unlocked policy does not by itself provide the guarantee regulators expect.
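Because an unlocked policy is still removable, a compliance check should not stop at "a policy exists". The following audit function is an added example and not part of the original article; it assumes the $ResourceGroupName and $StorageAccountName variables from above, that Get-AzureRmStorageContainer lists every container when -Name is omitted, and that each container object exposes HasImmutabilityPolicy, HasLegalHold and an ImmutabilityPolicy object with State and ImmutabilityPeriodSinceCreationInDays properties. It classifies each container and reports the ones whose protection is missing or still revocable.

```powershell
# Added example (not from the original article): audit which containers in the
# storage account are actually WORM-protected. An unlocked time-based policy can
# still be removed by an administrator, so it is reported as a finding.
# Assumes $ResourceGroupName and $StorageAccountName from above and the
# container object properties named in the lead-in.

function Get-ImmutabilityAudit {
    param(
        [string]$ResourceGroup = $ResourceGroupName,
        [string]$Account       = $StorageAccountName
    )
    # Without -Name the cmdlet returns every container in the account (assumed)
    $containers = Get-AzureRmStorageContainer -ResourceGroupName $ResourceGroup `
        -StorageAccountName $Account
    foreach ($c in $containers) {
        $state = "None"; $days = 0
        if ($c.HasImmutabilityPolicy) {
            $state = [string]$c.ImmutabilityPolicy.State
            $days  = [int]$c.ImmutabilityPolicy.ImmutabilityPeriodSinceCreationInDays
        }
        $findings = @()
        if ($state -eq "Unlocked") {
            $findings += "time-based policy is unlocked and can still be removed"
        }
        if ($state -eq "None" -and -not $c.HasLegalHold) {
            $findings += "no immutability policy or legal hold"
        }
        [pscustomobject]@{
            Container     = $c.Name
            PolicyState   = $state
            RetentionDays = $days
            LegalHold     = [bool]$c.HasLegalHold
            Protected     = ($state -eq "Locked" -or [bool]$c.HasLegalHold)
            Finding       = ($findings -join "; ")
        }
    }
}

# Full report for the account, then only the containers that need attention
Get-ImmutabilityAudit | Format-Table -AutoSize
$issues = Get-ImmutabilityAudit | Where-Object { $_.Finding }
if ($issues) {
    Write-Warning ("{0} container(s) are not locked down: {1}" -f `
        @($issues).Count, (($issues | ForEach-Object { $_.Container }) -join ", "))
}
```

Run against the two containers created above, storagecontainer02 shows up as "Unlocked" until the policy is locked in the next section, and storagecontainer01 is reported as unprotected once its legal hold has been cleared. To cover a whole subscription, pipe the output of Get-AzureRmStorageAccount into the function, one account at a time.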

Testing

Let's try to delete a blob in a container protected by an immutable policy:

# Data-plane context. The account key grants full access to all data in the
# account, so keep it out of scripts that are shared or checked in.
$ctx = New-AzureStorageContext `
-StorageAccountName $StorageAccountName `
-StorageAccountKey "[YOURSTORAGEACCOUNTKEY]"

# app1.txt is a blob that was uploaded to the container beforehand
Remove-AzureStorageBlob -Container $containerName02 -Blob "app1.txt" -Context $ctx
Immutability policies protect data against deletion and modification

# The immutability policy was set on $containerName02 above, so that is the
# container whose policy we read back and lock
$policy = Get-AzureRmStorageContainerImmutabilityPolicy `
-ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName `
-ContainerName $containerName02

# -Force suppresses the confirmation prompt; after this the policy can no
# longer be removed, and its interval can only be extended
Lock-AzureRmStorageContainerImmutabilityPolicy -ImmutabilityPolicy $policy -Force
Locking immutability policies provides unmodifiable protection

The immutability policy on the container is now locked. For the retention interval set above (five days from each blob's creation), nobody can modify or delete the blobs, remove the container, or remove the policy, without exception.

When we try to remove the container, we get the following error:

Immutable containers are not subject to deletion or modification

Even if we tried to remove the entire storage account, the result would be the same:

Users cannot delete or modify storage accounts with immutable containers
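The screenshots above show individual failures; a locked policy is worth verifying as a set of explicit expectations, including the rule that the interval can be extended but never shortened. The script below is an added example and not code from the original article. It assumes the $ResourceGroupName, $StorageAccountName and $containerName02 variables and the data-plane context $ctx created earlier, that the policy on $containerName02 has already been locked, and that the AzureRM.Storage cmdlets accept the -Etag, -ExtendPolicy and -Force parameters as used here. Note that the extension step really does add one day to the test lock.

```powershell
# Added example (not from the original article): negative tests against the
# locked container from above, to confirm that the lock behaves as a WORM
# control. Assumes $ResourceGroupName, $StorageAccountName, $containerName02
# and $ctx from earlier, and that the policy on $containerName02 is locked.

function Invoke-Step {
    # Runs $Action and records whether it succeeded, so every expectation is
    # visible in the output instead of disappearing into the error stream.
    param([string]$Name, [bool]$ShouldSucceed, [scriptblock]$Action)
    $ok = $true; $msg = ""
    try { & $Action | Out-Null } catch { $ok = $false; $msg = $_.Exception.Message }
    [pscustomobject]@{
        Step     = $Name
        Expected = $(if ($ShouldSucceed) { "succeeds" } else { "fails" })
        Actual   = $(if ($ok) { "succeeded" } else { "failed" })
        Pass     = ($ok -eq $ShouldSucceed)
        Error    = $msg
    }
}

function Get-Policy {
    # Re-read the policy before each management-plane call so the Etag is current
    Get-AzureRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -ContainerName $containerName02
}

# Constructed test blob; its content is irrelevant, only what happens to it matters
$blob = "worm-test-$(Get-Date -Format yyyyMMddHHmmss).txt"
$tmp  = New-TemporaryFile
"constructed sample record" | Set-Content -Path $tmp.FullName

$results = @(
    # Write once: creating a new blob is allowed under WORM
    Invoke-Step "create new blob" $true {
        Set-AzureStorageBlobContent -File $tmp.FullName -Container $containerName02 `
            -Blob $blob -Context $ctx -ErrorAction Stop }
    # Read many: overwriting or deleting an existing blob is not
    Invoke-Step "overwrite existing blob" $false {
        Set-AzureStorageBlobContent -File $tmp.FullName -Container $containerName02 `
            -Blob $blob -Context $ctx -Force -ErrorAction Stop }
    Invoke-Step "delete blob" $false {
        Remove-AzureStorageBlob -Container $containerName02 -Blob $blob -Context $ctx `
            -Force -ErrorAction Stop }
    # A locked policy may be lengthened but never shortened or removed
    Invoke-Step "extend retention by one day" $true {
        $p = Get-Policy
        Set-AzureRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -ContainerName $containerName02 `
            -ImmutabilityPeriod ($p.ImmutabilityPeriodSinceCreationInDays + 1) `
            -Etag $p.Etag -ExtendPolicy -ErrorAction Stop }
    Invoke-Step "shorten retention to one day" $false {
        $p = Get-Policy
        Set-AzureRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -ContainerName $containerName02 `
            -ImmutabilityPeriod 1 -Etag $p.Etag -ExtendPolicy -ErrorAction Stop }
    Invoke-Step "remove locked policy" $false {
        $p = Get-Policy
        Remove-AzureRmStorageContainerImmutabilityPolicy -ImmutabilityPolicy $p -ErrorAction Stop }
    # The container itself cannot be removed while the locked policy is in force
    Invoke-Step "delete container" $false {
        Remove-AzureRmStorageContainer -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -Name $containerName02 -Force -ErrorAction Stop }
)

Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
$results | Format-Table Step, Expected, Actual, Pass -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning "At least one WORM expectation failed; the container is not protected as assumed."
}
```

Every row should read Pass = True. A "failed" result in the first step usually means the data-plane context is wrong, while a "succeeded" result in any of the later steps means the policy is not actually locked and the container should be treated as unprotected.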

With general data protection regulations such as the GDPR already in force, protecting sensitive data has become more important than ever. With this in mind, the immutable storage feature of Azure storage accounts gives organizations a simple yet effective way to retain data in a compliant, tamper-proof manner.

© 4sysops 2006 - 2022