Immutable Storage in Azure Storage

Financial Services organizations regulated by the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), Investment Industry Regulatory Organization of Canada (IIROC), Financial Conduct Authority (FCA), and more are required to retain business-related communications in a Write-Once-Read-Many (WORM) or immutable state that ensures they are non-erasable and non-modifiable for a specific retention interval. The immutable storage requirement is not limited to financial organizations but also applies to industries such as healthcare, insurance, media, public safety, and legal services.

Immutable storage for Azure Storage Blobs enables:

• Time-based retention policy support: Users set policies to store data immutably for a specified interval of time.
• Legal hold policy support: When the retention interval is not known, users can set legal holds to store data immutably until the legal hold is cleared.
• Support for all Blob tiers: WORM policies are independent of the Azure Blob Storage tier and will apply to all the tiers, hot, cool and archive. This allows customers to store the data in the most cost-optimized tier for their workloads while maintaining the data immutability.
• Blob Container level configuration: Immutable storage for Azure Storage Blobs allows users to configure time-based retention policies and legal hold tags at the container level. Users can create time-based retention policies, lock policies, extend retention intervals, set legal holds, clear legal holds etc. through simple container level settings. The policies apply to all the Blobs in the container, both existing and new Blobs.

How to enable this feature?

1. Head over to Azure Portal

2. Create a new container or select an existing container to store the blobs that need to be kept in the immutable state. The container must be in a general-purpose v2 or Blob storage account.

3. Select Access policy in the container settings. Then select Add policy under Immutable blob storage.

4. To enable time-based retention, select Time-based retention from the drop-down menu. Enter the retention interval in days 

5. The initial state of the policy is unlocked allowing you to test the feature and make changes to the policy before you lock it. Locking the policy is essential for compliance with regulations like SEC 17a-4. Lock the policy. Right-click the ellipsis (...), and the following menu appears with additional actions:

6. Select Lock Policy and confirm the lock. The policy is now locked and cannot be deleted, only extensions of the retention interval will be allowed. Blob deletes and overrides are not permitted.

7. Follow the same process to enable Legal Holds.

Conclusion

Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. For the duration of the retention interval, blobs can be created and read, but cannot be modified or deleted. Immutable storage is available for general-purpose v2 and Blob storage accounts in all Azure regions.