How object locking works
1) INTRODUCTION TO OBJECT LOCKING
Object locking prevents the deletion or replacement of objects for a set period of time.
Your objects will then be stored using a WORM (write-one-read-many) model.
2) BENEFITS OF OBJECT LOCKING
Object locking has many advantages:
For data integrity reasons.
For regulatory compliance: if you need to store data in WORM format, or for legal proceedings.
To add an extra layer of protection against object modification and deletion.
It's the best defense against Ransomware attacks: cybercriminals will attack backups and archives, but they'll be powerless against an object lock in compliance mode (see explanation below).
Avoid accidental or intentional deletion of data.
3) THE DIFFERENT OBJECT LOCKING MODES
3.1 MANUAL MODE
In this mode, you don't set a default retention time, as a third-party application will determine the lock duration.
Leviia resources for setting up your applications:
Veeam Backup & Replication V12
HyperBackup
Iperius Backup
Hybrid Backup Sync / NAS Qnap
TrueNAS
3.1 COMPLIANCE MODE
By enabling retention by default, your bucket switches from manual mode to compliance mode locking: no user can replace or delete protected object versions during the retention period.
When an object is locked in Conformity mode, its retention mode cannot be changed and its retention period cannot be shortened: An object is therefore immutable until its retention date has passed. This mode guarantees that an object version cannot be overwritten or deleted during the retention period.
To delete objects with this configuration before the end of the chosen retention period, you will need to cancel your object storage subscription, as well as your Leviia customer account.
3.1 GOVERNANCE MODE
Please be patient: this mode will be available soon.
In Governance mode, logins cannot replace or delete an object version, or modify its lock settings, unless they have special authorization.
This mode enables you to protect objects from deletion by most users, while allowing you to grant certain users authorization to modify retention settings or delete the object if necessary. You can also use Governance mode to test retention period settings, before creating a retention period in Compliance mode.
4) OBJECT LOCKING FUNCTIONALITY
To use object locking, you need to create a bucket with object locking enabled (versioning will activate automatically), and set a default retention period for objects placed in the bucket.
Warning: this option can only be activated when the bucket is created!
Once activated:
Anyone with the appropriate authorizations can place non-modifiable objects in the bucket.
Deletion of objects and the bucket before the end of the retention period will then only be possible via governance mode and according to sub-identifier rights.
You cannot disable this option, nor interrupt version management.
As with all other object lock settings, retention periods apply to individual object versions. Different versions of a single object can have different retention modes and periods.
To help you, here's an example:
You place the object leviia.png with a retention period of 30 days in a bucket.
You then place the same leviia.png object in the same bucket, this time with a 90-day retention period.
The operation will generate a version of the leviia.png object with a 90-day retention period.
5) ADDITIONAL RESOURCES
Create a bucket
Create an object storage identifier
How version management works
Object locking prevents the deletion or replacement of objects for a set period of time.
Your objects will then be stored using a WORM (write-one-read-many) model.
2) BENEFITS OF OBJECT LOCKING
Object locking has many advantages:
For data integrity reasons.
For regulatory compliance: if you need to store data in WORM format, or for legal proceedings.
To add an extra layer of protection against object modification and deletion.
It's the best defense against Ransomware attacks: cybercriminals will attack backups and archives, but they'll be powerless against an object lock in compliance mode (see explanation below).
Avoid accidental or intentional deletion of data.
3) THE DIFFERENT OBJECT LOCKING MODES
3.1 MANUAL MODE
In this mode, you don't set a default retention time, as a third-party application will determine the lock duration.
Leviia resources for setting up your applications:
Veeam Backup & Replication V12
HyperBackup
Iperius Backup
Hybrid Backup Sync / NAS Qnap
TrueNAS
3.1 COMPLIANCE MODE
By enabling retention by default, your bucket switches from manual mode to compliance mode locking: no user can replace or delete protected object versions during the retention period.
When an object is locked in Conformity mode, its retention mode cannot be changed and its retention period cannot be shortened: An object is therefore immutable until its retention date has passed. This mode guarantees that an object version cannot be overwritten or deleted during the retention period.
To delete objects with this configuration before the end of the chosen retention period, you will need to cancel your object storage subscription, as well as your Leviia customer account.
3.1 GOVERNANCE MODE
Please be patient: this mode will be available soon.
In Governance mode, logins cannot replace or delete an object version, or modify its lock settings, unless they have special authorization.
This mode enables you to protect objects from deletion by most users, while allowing you to grant certain users authorization to modify retention settings or delete the object if necessary. You can also use Governance mode to test retention period settings, before creating a retention period in Compliance mode.
4) OBJECT LOCKING FUNCTIONALITY
To use object locking, you need to create a bucket with object locking enabled (versioning will activate automatically), and set a default retention period for objects placed in the bucket.
Warning: this option can only be activated when the bucket is created!
Once activated:
Anyone with the appropriate authorizations can place non-modifiable objects in the bucket.
Deletion of objects and the bucket before the end of the retention period will then only be possible via governance mode and according to sub-identifier rights.
You cannot disable this option, nor interrupt version management.
As with all other object lock settings, retention periods apply to individual object versions. Different versions of a single object can have different retention modes and periods.
To help you, here's an example:
You place the object leviia.png with a retention period of 30 days in a bucket.
You then place the same leviia.png object in the same bucket, this time with a 90-day retention period.
The operation will generate a version of the leviia.png object with a 90-day retention period.
5) ADDITIONAL RESOURCES
Create a bucket
Create an object storage identifier
How version management works
Updated on: 05/01/2024
Thank you!