Solved

Difference between retention lock, enabling WORM, compliance lock

  • 1 August 2023
  • 13 replies
  • 1935 views

Userlevel 1
Badge +13

Can anyone help me know the difference between retention lock, enabling WORM, and compliance lock?

If we execute the Enable Retention Lock workflow, will we be able to disable it later?

 

 


Best answer by Prasad Nara 1 August 2023, 18:01


Userlevel 3
Badge +10

@Ajal 

Please find the details below:

Compliance lock is a security control that provides protection from destructive tasks such as deleting backups, storage, apps, servers, and backup destination copies, and reducing retention for cloud storage and disk storage vendors within the CommCell Console interface. You can enable the Compliance lock at the storage level, and all associated backup destination copies will be locked and protected.

https://documentation.commvault.com/2023/expert/157455_locking_retention_and_deletions_with_compliance_lock.html

  1. Compliance Lock (WORM Copy): This is WORM functionality on the CV product side, where we block any premature deletions. This option doesn’t need DDB sealing.

  2. WORM Storage: This is WORM functionality from the storage side. Here DDB sealing is needed, and we can’t do micro pruning. This feature is not supported for MCSS.

You can find the below-related articles.

https://kb.commvault.com/article/81103

https://documentation.commvault.com/2022e/expert/157745_enabling_worm.html

 

The Enable Retention Lock workflow enables software WORM on all the dependent copies of a selected storage pool. The above DOC has the information for enabling and disabling the same.

To disable that you can reach out to support.

https://documentation.commvault.com/2022e/expert/151438_enable_retention_lock_workflow.html

 

Userlevel 1
Badge +13

@Navneet Singh thanks Navneet, I couldn't clearly understand this.

We are having a HyperScale X storage pool, and as per the security hardening we are following the document; there it says regarding the retention lock workflow

Could you help me to understand, if I run this workflow, what actually happens?

And I know you can just enable WORM on storage policies; are these all the same?

I am a bit confused with the terms; are these all referring to the same thing?

enable retention lock workflow

WORM storage lock workflow

compliance lock workflow

 

 

Userlevel 3
Badge +10

@Ajal 

The Enable Retention Lock workflow enables software WORM on all the dependent copies of a selected storage pool.

After you run this workflow to enable the retention lock, for entities that have valid jobs, you cannot decrease the retention or delete the entities.

Compliance lock provides data security at the software level and does not enable storage-level immutability controls.

Please go with the below DOC which will explain to you about both things:

https://documentation.commvault.com/2023/expert/9251_old_configuring_worm_storage_mode_on_cloud_storage.html

Userlevel 1
Badge +13

Thank you @Navneet Singh, appreciated. Just a quick one too: how does it differ if I enable WORM on a storage policy's properties?

Userlevel 3
Badge +10

@Ajal 

If you enable worm on the storage policy copy then you can’t change the retention manually.

You need to wait till the jobs meet their specified retention defined on the SP copy.

https://documentation.commvault.com/2023/expert/13938_worm_copies.html

Userlevel 1
Badge +13

@Navneet Singh Correct me if I am wrong.

If I enable retention lock, I won't be able to delete or change retention for existing jobs, but I can change the retention on the storage policies and the new jobs will have the updated retention. Please confirm if we can have extended retention for such scenarios.

Compliance lock: this will protect against anyone deleting libraries or storage pools, etc.

So we can have compliance and retention lock at the same time, right?

Userlevel 4
Badge +6

Retention Lock, Compliance Lock, Software WORM, WORM Copy → All these refer to the same CV software-level WORM protection. It prevents users from deleting jobs, clients, backupsets, subclients, etc. (data-bearing entities) when they have valid jobs, and it also prevents reducing retention.

Before 11.30 → you can use either Java Console to enable this at storage policy copy level by selecting WORM copy option or use Enable Retention Lock workflow to enable WORM copy option on all copies of a selected storage pool.

11.30 onwards → we renamed this option as “Compliance Lock” to avoid confusion with “WORM storage” and exposed it in both Command Center and Java Console under storage pool properties. Simply select the toggle “Compliance Lock” on the storage pool to enable this. 

 

WORM Storage  → Refers to hardware level (storage vendor side) WORM protection. With this option data is locked at storage side to prevent any direct deletions and/or modifications from storage side.

We automatically enable “Compliance Lock” when WORM Storage is enabled to prevent retention changes to align with storage side lock.

Before 11.30 → use “Enable WORM Storage” workflow to enable this.

From 11.30 → we exposed this option in both Command Center and Java Console under storage pool properties. Simply select toggle “WORM Storage” on the storage pool to enable this. 

Userlevel 1
Badge +13

@Prasad Nara thank you so much, that cleared all my confusion. Since we are enabling it at the storage pool level or policy level, how are the clients getting protected?

The jobs storage pool or policy hold dependent client, apps getting protected? That's the logic?

Compliance lock is a security control that provides protection from destructive tasks such as deleting backups, storage, apps, servers, and backup destination copies

 

again thank you very much @Prasad Nara @Navneet Singh 

Userlevel 4
Badge +6

Yes, the logic is based on the jobs the storage pool/policy has.

Userlevel 2
Badge +11

Hello @Prasad Nara and @Navneet Singh 

So, basically the advantage of WORM Storage vs Compliance Lock is the ability to also control the storage side for “accidental” deletions, right?

Userlevel 4
Badge +6

Yes, Compliance Lock gives protection at the Commvault software level. Commvault application admins and users won’t be able to prematurely delete data. This covers only actions going via the Commvault application. This won’t cover direct deletions from storage without involving the Commvault application: a user who has access to the storage disk/array can log in to the storage box and delete data from the disk file system directly. WORM Storage Lock gives protection at the storage level and prevents any direct deletions from storage.

Userlevel 2
Badge +11

Dear @Prasad Nara 

Thanks again for your reply.

One last thing: in order to enable WORM Storage Lock on an Azure Blob Storage, must we also enable immutability from the Azure side?

Also, can Commvault’s WORM Storage Lock prevent the Azure Storage account from deletion? (also from the Azure side)

Thank you in advance,
Nikos

Badge

@Nikos.Kyrm yes, according to this article it requires version immutability be enabled on the Azure storage account and then you enable the WORM storage account setting.

https://docs.metallic.io/metallic/worm_storage_and_retention_for_cloud_storage.html
