Azure Storage Stamp: A Guide to Data Retention and Compliance

Author

Reads 1.1K

Computer server in data center room
Credit: pexels.com, Computer server in data center room

Azure Storage Stamp is a service that helps you manage your data storage and retention needs. It's designed to help you meet compliance requirements and reduce costs.

Azure Storage Stamp offers a range of features, including data retention policies, compliance scans, and audit logs. These features help you ensure that your data is stored and managed in a way that meets regulatory requirements.

By using Azure Storage Stamp, you can avoid costly fines and penalties associated with non-compliance. For example, the General Data Protection Regulation (GDPR) requires organizations to store personal data for a minimum of 6 years.

Azure Storage Stamp also provides a centralized dashboard to monitor and manage your data storage and retention. This makes it easier to identify and address any compliance issues before they become major problems.

Related reading: What Is Azure Storage

Azure Storage Configuration

Azure Storage Configuration is a crucial aspect of setting up an Azure Storage Stamp. You can configure Azure Storage to use a private endpoint, which is a network interface within a virtual network that connects to a storage account.

Credit: youtube.com, SFTP with Azure Storage is now Generally Availability

To enable private endpoint, you need to create a private endpoint connection in the Azure portal, as described in the "Creating a Private Endpoint" section. This allows your storage account to communicate with your virtual network securely.

Azure Storage also supports hierarchical namespace, which means you can store and manage files in a hierarchical structure, as explained in the "Hierarchical Namespace" section. This is particularly useful for storing and managing large amounts of data.

Scope

When configuring a time-based retention policy in Azure Storage, it's essential to understand the different scopes available. You can configure a time-based retention policy at the account, container, or version level.

At the account level, a time-based retention policy will be inherited by all blobs in the respective account. This means that if you configure a retention policy at the account level, all blobs within that account will be subject to the same retention period.

A time-based retention policy configured at the container level applies to all blobs in that container. This means that if you have a container with multiple blobs, a retention policy set at the container level will apply to all of them.

For another approach, see: Azure Storage Container

Credit: youtube.com, IBM Storage Protect for Cloud Azure – How to configure backup scopes

A time-based retention policy can't be configured for individual blobs; they can only be configured at the account, container, or version level. This is because individual blobs can't have their own immutability policies.

Here are the available scopes for a time-based retention policy:

  • Version-level WORM policy: account, container, or version level
  • Container-level WORM policy: container level only

Access Tiers

Azure Storage offers a range of access tiers that allow you to manage your storage costs and performance.

All blob access tiers support immutable storage.

You can change the access tier of a blob with the Set Blob Tier operation.

Storage Options and Compliance

Microsoft has validated its immutable storage for blobs as compliant with specific regulations in the financial services industry, including CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4(f).

You can find the Cohasset report, which confirms this compliance, in the Microsoft Service Trust Center. The Azure Trust Center also contains detailed information about Microsoft's compliance certifications.

Immutable storage in Azure offers two feature options: container-level WORM and version-level WORM. The table below summarizes the main differences between these two options:

Immutable Storage Options

Credit: youtube.com, Wasabi Immutable Storage

Immutable storage is a crucial aspect of compliance, and there are two types of WORM (Write Once, Read Many) policies to consider: container-level WORM and version-level WORM.

Container-level WORM policies can be configured only at the container level, and each object uploaded into the container inherits the immutable policy set.

Version-level WORM policies, on the other hand, can be configured at the account, container, or blob level, with the order of precedence being Blob -> Container -> Account.

The types of policies available differ between the two options: container-level WORM offers two types of policies, time-based retention policies and legal holds, while version-level WORM only offers time-based retention policies at the account and container level.

Versioning is a prerequisite for version-level WORM to function, whereas container-level WORM has no feature dependencies.

If you're considering enabling WORM policies on existing containers or accounts, keep in mind that container-level WORM can be enabled at any time, but version-level WORM might not be enabled for all existing accounts or containers.

Here's a comparison of the two options:

Regulatory Compliance

Credit: youtube.com, Cybersecurity & Regulatory Compliance

Microsoft has validated the compliance of its immutable storage for blobs with specific regulations in the financial services industry. They worked with Cohasset Associates, a leading independent assessment firm, to evaluate this compliance.

Cohasset Associates validated that immutable storage meets the storage requirements of CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4(f). These rules represent the most prescriptive guidance globally for records retention for financial institutions.

The Cohasset report is available in the Microsoft Service Trust Center. This report provides evidence of Microsoft's compliance with these regulations.

Azure Support can provide a letter of attestation from Microsoft regarding WORM immutability compliance upon request. This letter can be useful for organizations that need to verify Microsoft's compliance with these regulations.

Gilbert Deckow

Senior Writer

Gilbert Deckow is a seasoned writer with a knack for breaking down complex technical topics into engaging and accessible content. With a focus on the ever-evolving world of cloud computing, Gilbert has established himself as a go-to expert on Azure Storage Options and related topics. Gilbert's writing style is characterized by clarity, precision, and a dash of humor, making even the most intricate concepts feel approachable and enjoyable to read.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.