For the past decade, object storage has replaced many legacy enterprise storage platforms like tape, virtual tape library (VTL), purpose-built backup appliances, and others due to its inherent advantages with performance and scale. IDC estimates that by 2025 the sum of all data in the world will be in the order of 175 zettabytes (one zettabyte is 10^21 bytes), and of this data, IDC expects 80% to be unstructured data like objects. With increasing adoption of object storage comes increasing responsibility to protect data from sophisticated cyberattacks and meet regulatory and compliance requirements.
Pure Storage has been a pioneer in supporting scale-out object storage through FlashBlade®, our unified fast file and object (UFFO) platform. Market analysts like GigaOm and Gartner rate Pure Storage as a leader in innovation and as a leader in the distributed file systems and object storage space. The latest release of our Purity//FB software, version 4.1, enhances the existing capability around object storage with the addition of new features around data protection, data management, and data monitoring. Object Lock is one such feature that enhances the data protection capability in FlashBlade.
Tamper-proofing Data with Object Lock
Data protection systems, as well as many other critical systems of record like picture archiving and communication systems (PACS) or healthcare management systems (HMS), are often mandated by compliance and regulatory requirements to protect data for a defined period of time or in perpetuity.
With increases in cybercrime and ransomware attacks, data is compromised when the system is compromised. Organizations need a reliable mechanism where data is protected not just from cybercriminals and ransomware attacks, but even from a malicious administrator or simple human error.
Object Lock provides that protection by safeguarding specific versions of objects from accidental deletion. Object Lock is a data protection mechanism to protect objects and object versions for a predefined time period or even forever. When you lock an object or object version, FlashBlade stores the lock information in the metadata for the object. It doesn’t prevent newer versions of the object from being created or older versions of the objects from being deleted. But any attempt to delete or overwrite the specific object or object version on which the Object Lock is configured will be blocked. FlashBlade exposes a specific set of industry-standard S3 APIs through which a storage administrator or application with the right set of credentials can configure and manage the Object Lock feature. FlashBlade storage administrators can manage Object Lock features through the GUI interface, as well.
Pure Storage Enhancements to Object Lock
Object storage doesn’t support modification of an object; instead, objects are modified by overwriting the existing objects or by completely deleting them. To retrieve objects that have been deleted or modified, S3 supports object versioning. However, versioning doesn’t provide any protection from the deletion of a specific version of an object.
Along with providing a standard set of Object Lock features, Pure Storage has developed powerful enhancements to Object Lock. These extend the use cases and the supported operations:
- FlashBlade supports setting up Object Lock not only on versioned buckets but also on unversioned buckets, thus extending the Object Lock capability and protections to unversioned objects and buckets.
- Storage administrators can configure when a bucket can be deleted, which provides more control and better upkeep of storage resources. In the standard Object Lock implementation, a bucket can be deleted only when it is empty. But with FlashBlade, this feature is configurable.
Object Lock finds wide use cases:
- Supporting the write once, read many (WORM) model: After the data is written, data cannot be modified or deleted for a defined period of time, which can help replace LTO and tape drives.*
- Protecting sensitive data: Data like health records are under regulatory mandates like HIPAA to be protected for several years.
- Protecting data from cybercrimes and ransomware attacks: Object Lock prevents data from being altered or deleted for a set period of time.
*Note: Other features may be required for specific compliance certifications.
Enabling Object Lock on FlashBlade
FlashBlade supports configuring Object Lock through both the GUI and CLI. Bucket-level Object Lock settings can be set by the storage administrator using either interface. Bucket-level configurations are possible only when a bucket is empty; Object Lock configuration changes on existing non-empty buckets are not supported. Once the bucket-level setting is configured, every object created within the bucket inherits these bucket-level settings.
Figure 1: Bucket-level Object Lock features available under the bucket configuration option.
In addition to configuration through the GUI or CLI, FlashBlade also supports the configuration of Object Lock through AWS-compatible S3 APIs. Through these standard S3 APIs, retention periods and retention modes can be set on objects and buckets by applications with the right set of access permissions.
With Object Lock, FlashBlade provides a simple yet powerful tool to protect object data. The feature is not only compatible with industry standards but is also highly secured with granular access permissions. Through the S3 APIs and GUI/CLI interfaces, these features are exposed to storage administrators and application developers. They can configure and manage these capabilities with minimal to no assistance from Pure technical support engineers. This puts a robust and powerful tool in the hands of FlashBlade customers to provide an industry-leading data protection solution that impacts multiple use cases like rapid restore, health records, PACS imaging, and many more.
Object Lock enhances the security of objects and buckets through Object Lock and Retention Lock capabilities. While Object Lock provides the capability to lock objects or object versions from being deleted or overwritten, Retention Lock limits users to modify Object Lock settings and to delete buckets. FlashBlade’s object storage implementation follows AWS S3 permission standards to define access controls required to perform specific management activities.
Object Versions When Using the Delete-version Operation
When you lock an object version, FlashBlade stores the lock information in the metadata for that object version. Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn’t prevent newer versions of the object from being created or created with different retention periods or/and retention modes.
Without Object Lock enabled, the delete-version operation deletes the specified version permanently leading to data loss:
Calling delete-version will permanently delete the object version and hence can cause loss of data. Without Object Lock enabled, data can be lost by accident or by malicious intent.
The delete-version operation when Object Lock is enabled blocks the call:
Calling delete-version on an object version protected by Object Lock with a valid retention period will block the delete call. This protects data from accidental (or maliciously intentional) deletion when Object Lock is enabled.
Object version as a capability protects the history of the object, but it doesn’t provide any protection from the deletion of a specific version of the object. Object Lock provides that protection by safeguarding specific versions of the objects from accidental deletion.
FlashBlade Is an Ideal Platform for Mission-critical Unstructured Data
The addition of Object Lock makes FlashBlade an even more robust and resilient data platform for your organization’s unstructured data needs. It provides added protection from accidental or malicious deletion for a rapidly growing area of data storage, and in combination with SafeMode™ for file systems, it means that you can be sure that your data is safe when stored on FlashBlade. But the best part is that enabling and leveraging these features doesn’t add unnecessary layers of complexity. FlashBlade remains simple to use and easy to scale while offering multi-dimensional performance for any file or object workload.