Data Compliance in Cloud with Immutable Blob Storage
Harinder Kohli
Author Azure AZ-500 Exam Guide | VCAP5 DCD | VCAP5 DTD | Technical Architect Cloud & Virtualized Data Center
Many BFSI companies are not moving data to the cloud because of regulatory compliance issues.
Regulators such as the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), Investment Industry Regulatory Organization of Canada (IIROC), Financial Conduct Authority (FCA) and others in different countries require BFSI organizations to retain business-related communications in a Write-Once-Read-Many (WORM) or immutable state, which ensures they are non-erasable and non-modifiable for a specific retention interval.
IMMUTABLE STORAGE FOR AZURE BLOB (OBJECT) STORAGE
Immutable storage for Azure Blob (object) storage helps financial institutions and related industries store data securely.
Immutable storage for Azure Blob (object) storage enables users to store business-critical data in a WORM (write once, read many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. Blobs can be created and read, but not modified or deleted, for the duration of the retention interval.
WORM (WRITE ONCE, READ MANY) POLICY TYPES
Immutable storage for Azure Blob storage supports two types of WORM or immutable policies: time-based retention and legal holds.
Time-Based Retention: With a time-based retention policy, all blobs in the container stay in the immutable state for the duration of the effective retention period.
Legal Hold: With a legal hold policy, all blobs in the container stay in the immutable state until the legal hold is cleared.
STORAGE ACCOUNT REQUIREMENT FOR IMMUTABLE BLOB STORAGE
The container must be created in a GPv2 or Blob Storage account.
IMMUTABLE STORAGE FOR AZURE USE CASES
Regulatory compliance: Immutable storage for Azure Blob storage helps organizations address SEC 17a-4(f), CFTC 1.31(d), FINRA, and other regulations.
Secure document retention: Immutable blob storage ensures that data can’t be modified or deleted by any user, including users with account administrative privileges.
Legal hold: Immutable storage for Azure Blob storage enables users to store sensitive information that’s critical to litigation or a criminal investigation in a tamper-proof state for the desired duration.
EXERCISE: APPLYING TIME BASED RETENTION POLICY
Note: We will use a pre-created GPv2 account (hk410) and blob container (hk410).
1. Log on to the Azure portal at https://portal.azure.com
2. Go to the Storage Account hk410 dashboard > the Storage Account dashboard opens > in the Service pane click Blobs > in the Blob Storage dashboard click container hk410 in the right pane.
3. In the Container hk410 dashboard click Access Policy in the left pane > in the right pane click +Add Policy under Immutable Blob Storage > in the dropdown box in the right pane select Policy type as Time-based retention > in Set retention period enter the number of days as per your requirement and click OK.
4. As you can see in the screenshot below, the initial state of the policy is unlocked. You can still make changes to the policy before you lock it. Locking is essential for compliance with regulations such as SEC 17a-4.
5. To lock the policy, click the ellipsis (…), and in the drop-down menu select Lock policy > click Yes > click OK.
6. The policy state now appears as locked as shown below. After the policy is locked, it can’t be deleted, and only extensions of the retention interval will be allowed.
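The rules the exercise relies on (an unlocked policy can still be edited or deleted; a locked one can only have its retention interval extended) turned into an offline audit check over exported container settings. This is an added example, not code from the article or from Azure; it assumes policy records shaped like the ARM ImmutabilityPolicy resource (`state`, `immutabilityPeriodSinceCreationInDays`), and the container records and the 2555-day requirement are constructed placeholders, not values from the article.

```python
"""Audit helper for Azure Blob immutability policies (added example).

Assumes each policy record follows the ARM ImmutabilityPolicy shape
(`state` is "Locked" or "Unlocked", `immutabilityPeriodSinceCreationInDays`
is an integer). The sample records below are constructed for illustration.
"""
from typing import Dict, List, Optional

# Constructed sample: three containers with different immutability settings.
SAMPLE_CONTAINERS = [
    {"name": "hk410", "hasLegalHold": False,
     "immutabilityPolicy": {"state": "Locked", "immutabilityPeriodSinceCreationInDays": 2555}},
    {"name": "staging-logs", "hasLegalHold": False,
     "immutabilityPolicy": {"state": "Unlocked", "immutabilityPeriodSinceCreationInDays": 30}},
    {"name": "litigation-hold", "hasLegalHold": True, "immutabilityPolicy": None},
]


def change_allowed(policy: Dict, action: str, new_period: Optional[int] = None) -> bool:
    """Unlocked policies may be edited, deleted or locked; a locked policy
    accepts only an extension that lengthens the retention interval."""
    if policy["state"] == "Unlocked":
        return action in ("edit", "delete", "lock")
    if action == "extend":
        return new_period is not None and new_period > policy["immutabilityPeriodSinceCreationInDays"]
    return False


def audit_container(container: Dict, required_days: int) -> List[str]:
    """Return findings; an empty list means blobs are held immutable either by a
    legal hold or by a locked time-based policy of at least `required_days`."""
    if container["hasLegalHold"]:
        return []  # legal hold keeps blobs immutable until it is cleared
    policy = container["immutabilityPolicy"]
    if policy is None:
        return ["no immutability policy"]
    findings = []
    if policy["state"] != "Locked":
        findings.append("policy is unlocked (can still be edited or deleted)")
    days = policy["immutabilityPeriodSinceCreationInDays"]
    if days < required_days:
        findings.append(f"retention {days}d is below required {required_days}d")
    return findings


def audit_all(containers: List[Dict], required_days: int) -> Dict[str, List[str]]:
    return {c["name"]: audit_container(c, required_days) for c in containers}


if __name__ == "__main__":
    # 2555 days (7 years) is a placeholder; use the interval your regulator mandates.
    for name, findings in audit_all(SAMPLE_CONTAINERS, 2555).items():
        print(name, "OK" if not findings else "; ".join(findings))
```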
PRICING
Immutable data is priced in the same way as mutable data and there is no additional charge for using this feature.
As you can see from the above, Immutable storage for Azure Blob storage helps address data regulations such as SEC 17a-4(f), CFTC 1.31(d), FINRA and other regulations. Enabling Immutable storage does not require massive administrative and cost overhead.
To know more about Azure Blob Storage, refer to Azure Storage chapter in Architecting Microsoft Azure Solutions Study & Lab Guide Part 1: Exam 70-535
You can also read the above article as a blog post at Data Compliance in Cloud with Immutable Blob Storage.