Azure Storage Stamp: A Guide to Data Retention and Compliance


Posted Nov 15, 2024


Azure Storage Stamp is a service that helps you manage your data storage and retention needs. It's designed to help you meet compliance requirements and reduce costs.

Azure Storage Stamp offers a range of features, including data retention policies, compliance scans, and audit logs. These features help you ensure that your data is stored and managed in a way that meets regulatory requirements.

By using Azure Storage Stamp, you can avoid costly fines and penalties associated with non-compliance. For example, the General Data Protection Regulation (GDPR) requires organizations to store personal data for a minimum of 6 years.

Azure Storage Stamp also provides a centralized dashboard to monitor and manage your data storage and retention. This makes it easier to identify and address any compliance issues before they become major problems.


Azure Storage Configuration

Azure Storage Configuration is a crucial aspect of setting up an Azure Storage Stamp. You can configure Azure Storage to use a private endpoint, which is a network interface within a virtual network that connects to a storage account.


To enable a private endpoint, you need to create a private endpoint connection in the Azure portal, as described in the "Creating a Private Endpoint" section. This allows your storage account to communicate with your virtual network securely.

Azure Storage also supports a hierarchical namespace, which means you can store and manage files in a hierarchical structure, as explained in the "Hierarchical Namespace" section. This is particularly useful for storing and managing large amounts of data.

Scope

When configuring a time-based retention policy in Azure Storage, it's essential to understand the different scopes available. You can configure a time-based retention policy at the account, container, or version level.

At the account level, a time-based retention policy will be inherited by all blobs in the respective account. This means that if you configure a retention policy at the account level, all blobs within that account will be subject to the same retention period.

A time-based retention policy configured at the container level applies to all blobs in that container. This means that if you have a container with multiple blobs, a retention policy set at the container level will apply to all of them.


A time-based retention policy can't be configured for an individual blob; it can only be configured at the account, container, or version level. This is because individual blobs can't have their own immutability policies.

Here are the available scopes for a time-based retention policy:

  • Version-level WORM policy: account, container, or version level
  • Container-level WORM policy: container level only

Access Tiers

Azure Storage offers a range of access tiers that allow you to manage your storage costs and performance.

All blob access tiers support immutable storage.

You can change the access tier of a blob with the Set Blob Tier operation.

Storage Options and Compliance

Microsoft has validated its immutable storage for blobs as compliant with specific regulations in the financial services industry, including CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4(f).

You can find the Cohasset report, which confirms this compliance, in the Microsoft Service Trust Center. The Azure Trust Center also contains detailed information about Microsoft's compliance certifications.

Immutable storage in Azure offers two feature options: container-level WORM and version-level WORM. The table below summarizes the main differences between these two options:

Immutable Storage Options


Immutable storage is a crucial aspect of compliance, and there are two types of WORM (Write Once, Read Many) policies to consider: container-level WORM and version-level WORM.

Container-level WORM policies can be configured only at the container level, and each object uploaded into the container inherits the immutable policy set.

Version-level WORM policies, on the other hand, can be configured at the account, container, or blob level, with the order of precedence being Blob -> Container -> Account.

The types of policies available differ between the two options: container-level WORM offers two types of policies, time-based retention policies and legal holds, while version-level WORM only offers time-based retention policies at the account and container level.

Versioning is a prerequisite for version-level WORM to function, whereas container-level WORM has no feature dependencies.

If you're considering enabling WORM policies on existing containers or accounts, keep in mind that container-level WORM can be enabled at any time, but version-level WORM might not be enabled for all existing accounts or containers.
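The scope rules from the "Scope" section and the version-level precedence described above (Blob -> Container -> Account) are easy to get wrong when reasoning about whether a given blob can still be deleted. The following Python model is an added example, not code from the article or from the Azure SDK; the class and function names are assumptions, and the sample policies and dates are constructed. It resolves the effective version-level policy, enforces the versioning prerequisite, and checks whether a delete would be permitted given the retention period and a legal hold.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class TimeBasedRetention:
    """A time-based retention period, in days, set at one scope."""
    days: int


@dataclass
class VersionLevelWorm:
    """Constructed model of version-level WORM policies (hypothetical class).

    Policies may exist at account, container or blob (version) scope; the
    effective policy for a blob is resolved Blob -> Container -> Account.
    Versioning is a prerequisite, as the article states.
    """
    versioning_enabled: bool
    account: Optional[TimeBasedRetention] = None
    containers: dict = field(default_factory=dict)   # container -> policy
    blobs: dict = field(default_factory=dict)        # (container, blob) -> policy

    def __post_init__(self):
        if not self.versioning_enabled:
            raise ValueError("version-level WORM requires blob versioning")

    def effective(self, container: str, blob: str) -> Tuple[str, Optional[TimeBasedRetention]]:
        """Return (scope, policy) for the most specific policy that applies."""
        candidates = (
            ("blob", self.blobs.get((container, blob))),
            ("container", self.containers.get(container)),
            ("account", self.account),
        )
        for scope, policy in candidates:
            if policy is not None:
                return scope, policy
        return "none", None


def delete_allowed(created_iso: str, now_iso: str,
                   policy: Optional[TimeBasedRetention],
                   legal_hold: bool = False) -> bool:
    """True if a blob created at created_iso may be deleted at now_iso.

    A legal hold blocks deletion regardless of elapsed time; otherwise the
    blob is protected until created + retention days.
    """
    if legal_hold:
        return False
    if policy is None:
        return True
    protected_until = datetime.fromisoformat(created_iso) + timedelta(days=policy.days)
    return datetime.fromisoformat(now_iso) >= protected_until
```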

Here's a comparison of the two options:

Regulatory Compliance


Microsoft has validated the compliance of its immutable storage for blobs with specific regulations in the financial services industry. They worked with Cohasset Associates, a leading independent assessment firm, to evaluate this compliance.

Cohasset Associates validated that immutable storage meets the storage requirements of CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4(f). These rules represent the most prescriptive guidance globally for records retention for financial institutions.

The Cohasset report is available in the Microsoft Service Trust Center. This report provides evidence of Microsoft's compliance with these regulations.

Azure Support can provide a letter of attestation from Microsoft regarding WORM immutability compliance upon request. This letter can be useful for organizations that need to verify Microsoft's compliance with these regulations.

Gilbert Deckow

Senior Writer
