Azure Blob Storage is one of the most common cloud-based storage services for different types of applications, including business applications like Dynamics 365 Business Central. Azure Blob Storage is commonly used to store unstructured data like files, PDFs, images or also things like audit logs.
A quite common requirement that I see in different scenarios is the ability to “protect” the storage account data in a particular way: once the data is written, nobody (including the administrator) should be able to alter it in any way for a given time interval. This is what we call immutability of the data files, and I often see problems with respecting immutability.
Do you know that Azure Blob Storage supports this feature now?
Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data cannot be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes.
Immutable storage for Azure Blob Storage supports two types of immutability policies:
- Time-based retention policies: With a time-based retention policy, users can set policies to store data for a specified interval. When a time-based retention policy is set, objects can be created and read, but not modified or deleted. After the retention period has expired, objects can be deleted but not overwritten.
- Legal hold policies: A legal hold stores immutable data until the legal hold is explicitly cleared. When a legal hold is set, objects can be created and read, but not modified or deleted.
Both policies can be configured at the container level (a policy that is configured at the container level applies to all objects in that container) or at the single blob level.
If you have strict security compliance requirements, please remember that immutable storage, when used to retain blobs in a WORM state, meets the relevant storage requirements of CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4(f). Microsoft targeted this set of rules because they represent the most prescriptive guidance globally for records retention for financial institutions.
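The rules for the two policy types can be written down as a small decision function. This is an added example, not code from the original post or from any Azure SDK: `BlobState`, `is_allowed` and `mutations_by_day` are hypothetical names, and the sample blob is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

READ, CREATE, OVERWRITE, DELETE = "read", "create", "overwrite", "delete"

@dataclass
class BlobState:
    """Constructed model of one blob's immutability state (not an SDK type)."""
    created: datetime
    retention_days: Optional[int] = None              # time-based retention, if any
    legal_hold_tags: Set[str] = field(default_factory=set)  # non-empty: hold is set

    def retention_expires(self) -> Optional[datetime]:
        if self.retention_days is None:
            return None
        return self.created + timedelta(days=self.retention_days)

def is_allowed(blob: BlobState, op: str, now: datetime) -> bool:
    """Return True if `op` is permitted on `blob` at time `now`."""
    if op in (READ, CREATE):
        return True                  # both policy types allow create and read
    if op not in (OVERWRITE, DELETE):
        raise ValueError(f"unknown operation: {op}")
    if blob.legal_hold_tags:
        return False                 # legal hold: no modify/delete until cleared
    expires = blob.retention_expires()
    if expires is None:
        return True                  # no policy at all: ordinary mutable blob
    if now < expires:
        return False                 # inside the retention interval: WORM
    return op == DELETE              # expired: delete allowed, overwrite is not

def mutations_by_day(blob: BlobState, days):
    """Map each day offset from creation to the mutating ops allowed that day."""
    return {
        d: {op for op in (OVERWRITE, DELETE)
            if is_allowed(blob, op, blob.created + timedelta(days=d))}
        for d in days
    }

# Constructed sample: a blob written on 2024-01-01 under a 90-day retention policy.
SAMPLE = BlobState(created=datetime(2024, 1, 1, tzinfo=timezone.utc), retention_days=90)

if __name__ == "__main__":
    print(mutations_by_day(SAMPLE, [0, 89, 91]))
```

Checking a day inside and a day outside the interval shows the asymmetry described above: after expiry the blob can be deleted but still not overwritten, and a legal hold keeps blocking both until it is cleared.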
Configuring Version level Immutability
You can configure an immutable policy for Azure Blob Storage directly from the Azure Portal.
To do that, select your Storage Account and on the Data protection tab, under Access control, select Enable version-level immutability support. When you check this box, the box for Enable versioning for blobs is also automatically checked:
To configure a time-based retention policy on a storage account where version-level immutability support is enabled, select Data protection under the Data management menu. On the Data protection page, locate the Access control section, where the Manage policy button now appears:
By clicking on it, the Manage version-level immutability policy pane opens. Click on Add policy:
and here insert your retention period for blobs immutability (for example 90 days):

A new immutability policy will be created:
Please remember that a policy created here will be applied to every new blob version unless it is overwritten with a policy at the container or blob version level.
To enable blobs version-level immutability only for a specific container, on the container creation page expand the Advanced section and here select Enable version-level immutability support (In order to enable version-level immutability support, your storage account must have versioning turned on).
To configure a time-based retention policy on a container, select the More button to the right of the container name and choose Access policy:
In the Access policy dialog, under the Immutable blob storage section, select Add policy
and then select Time-based retention policy and specify the retention interval:
To configure a legal hold on a blob version in that container, locate the target version (which may be the current version or a previous version of a blob), then select the More button and choose Access policy. Under the Immutable blob versions section, select Add policy:
and then choose Legal hold as the policy type:
Select OK to apply it.
Some interesting notes:
- Both immutable policies have support for audit. Any changes that are made to the policies are automatically audited. A nice detail is how long this information is kept: for the lifetime of the container.
- Azure Blob Storage supports change feed. The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account. This feature is well suited for auditing as it guarantees that all creation, modification, and deletion of files within a storage account are captured and retained. Additionally, one can enable an immutable policy that allows append blob on the $blobchangefeed container which disallows any deletion until a defined time has elapsed.
If you have strict auditing requirements on certain files (directly stored or coming from business applications like Dynamics 365 Business Central), I recommend checking out this feature.
For those who are particularly sensitive to costs, just remember also that this feature is totally free.









