The Storage Savings Sale starts now! 24 hours of insanely good deals. Shop now>>
This month only – get free shipping with no minimum purchase! Order early to avoid holiday shipping delays. Shop now
Find the perfect storage for your loved ones with our holiday gift guide! Shop now
Resource Center Blog Open Source Partners
Search
Products
Knowledge Base
Support Downloads
Articles
suggested searches
Products Solutions Innovation Support About Store
0 Cart
0 Cart

Your shopping cart is empty

You're just [0] away from FREE shipping!

Your cart

All discounts, shipping & taxes calculated at checkout

Continue to Checkout
View Cart

We're sorry, your session has expired. Please re-add any items you had in your cart to continue.

Open
Seagate Store Shop All Products What’s New Best Sellers Shop the Deals Holiday Gift Guide
By Type External Hard Drives Internal Hard Drives External SSDs Internal SSDs Enterprise Hard Drives & SSDs Data Storage Systems Enterprise Storage Services
By Category Personal Storage Devices Gaming Storage Devices Creative Professional Network Attached Storage (NAS) Video Analytics Cloud, Edge, & Data Center
By Brand LaCie
Stay in the loop.
Two individuals on couch playing video games together.
Sign Up for Email and Text Alerts

From hot storage deals and brand-new tech to insider news, we’ll keep you in the know!
By Use Case Backup & Recovery Big Data Analytics (AI/ML) Cloud Backup Data Migration Data Transfer High Performance Computing (HPC) Storage as a Service Video Analytics
By Environment Edge Multicloud Private Cloud Public Cloud
By Partner IBM AWS Commvault Veeam VMWare Milestone Equinix EVS NI View All Seagate Technology Partners
By Industry Autonomous Vehicles Healthcare Media & Entertainment Surveillance & Security Telecommunications Geosciences & Energy
Read the Article
Read the Article

Perspectives Storage for the AI Era Why Areal Density Matters Composable Infrastructure
Data Storage Innovations Mozaic 3+ Platform MACH.2 Multi-Actuator Hard Drives Seagate Secure
Data Management Innovations Circularity Program Open-Source Developer Community
Read the Article
Read the Article

General Support Home Product Support Seagate Software Downloads LaCie Software Downloads Seagate Product Registration LaCie Product Registration Seagate Store Support
Warranty & Data Recovery Warranty & Replacements Data Recovery Services
Enterprise Seagate Systems Support Lyve Mobile Support Lyve Cloud Support
Read the Article
Read the Article

Our Story Leadership Team Board of Directors ESG Trust Center Quality Assurance
Join our Seagate Team Life at Seagate Diversity, Equity, and Inclusion Employee Resource Groups University Programs
Investors
Press Center News Media Kits Seagate Brand Portal LaCie Brand Portal
Read the Article
Read the Article

Article

S3 Object Lock: What Is It and How Can It Protect Against Ransomware

S3 Object Lock is a feature of the AWS S3 product that controls who can make significant changes to data. Learn how this protects data.

Table of Contents

S3 Object Lock: What Is It and How Can It Protect Against Ransomware

The rate of ransomware attacks is increasing rapidly (up over 400% in 2020), and the cost of these attacks is significant. Many businesses are rightly concerned about mitigating ransomware threats.

One simple step that many businesses can take to protect themselves against ransomware is to implement S3 Object Lock on their AWS S3 object storage.

Below, we’ll show you:

  • What S3 Object Lock is
  • How it works
  • Why you should use it
  • Five ways S3 Object Lock protects against ransomware attacks

What Is S3 Object Lock?

S3 Object Lock is a feature in Amazon S3 that allows users and businesses to store files in a highly secure, tamper-proof way. It’s used for situations in which businesses must be able to prove that data has not been modified or destroyed after it was written, and it relies on a model known as write once, read many (WORM).

Many businesses rely on S3 Object Lock and WORM when they need to demonstrate compliance or if they want an unchangeable permanent copy of data for auditing or recordkeeping.

How Does S3 Object Lock Work?

So, how does S3 Object Lock work? First, be aware that it’s part of the object storage approach to storing large volumes of often unstructured data, where content is organized into buckets of varying size but not limited to fixed-sized block storage or file hierarchy storage systems. It’s not applicable to those other methods.

The specific details of how S3 Object Lock operates are complex and multifaceted. We’ll break the process down in the sections below.

S3 Object Lock Functionality

Object storage is less well understood than file hierarchy storage systems (which we all use on our personal machines) and block storage (which has been an enterprise storage standard for a while). For this reason, it’s worth reviewing S3 object lock functionality at a general level before drilling deeper.

S3 object lock functionality revolves around keeping objects free from tampering, either for a set period (retention) or indefinitely until you remove the lock (legal hold). In object storage, data is organized into buckets with shared metadata, so the simplest way to implement Object Lock is at the bucket level. In S3 environments with Object Lock, users can create buckets with Object Lock enabled for the entire bucket.

Users can then define retention settings for the bucket. For example, a financial services firm might set retention for seven years, based either on client agreements or audit requirements. Once the Object Lock is established, the data cannot be deleted, rewritten, or tampered with for seven years. After the retention expires, the data may be deleted or overwritten.

In some situations, business users do not want an expiration date applied to certain objects. Setting an indefinite retention period, or legal hold, prevents the object from being deleted or overwritten indefinitely until the customer explicitly removes the hold.

While applying retention settings to an entire bucket is the most straightforward application, it isn’t the ideal method in many scenarios. Amazon S3 Object Lock offers users the ability to define and apply retention settings at the object level as well as at the bucket level. That same financial services firm could set some records to be retained for five years, others for seven years, and others indefinitely—while keeping all such records within a single bucket.

At present, object-level retention settings are exclusive to Amazon S3 environments.

S3 Object Lock Protection Modes

S3 Object Lock includes two levels of protection, either of which can be chosen as part of the retention period or legal hold process. Every object and bucket with Object Lock enabled includes the choice of either governance or compliance mode.

Governance Mode

  • Enforces the general rules of a retention period or a legal hold
  • Specific users who have special permission possess the ability to temporarily override retention settings or remove them
  • This mode is best for storage that does not require compliance

Compliance Mode

  • Stricter mode compared to governance
  • Data cannot be deleted or changed by anyone, including the user with root privileges
  • Retention settings cannot be overridden or relaxed by anyone, including the user with root privileges
  • Users must wait for retention parameters to expire
  • Best for environments where businesses store data that requires regular compliance monitoring

Retention settings for either mode can be set in the following ways:

  • “Retain-until-date” – specifying the date when the object will no longer be protected
  • An ON/OFF “legal hold”

Why Should You Use S3 Object Lock?

Using S3 Object Lock is unquestionably a good idea for most businesses. Consider these reasons why:

  • Protect files against accidental deletion: Objects and files under object lock literally cannot be deleted—not intentionally, not accidentally.
  • Prevent tampering with sensitive files: Some files, even when compliance isn’t a factor, need to remain secure and tamper-proof. For example, files that could be evidence or could be used in an audit will benefit from object locks so there’s no question of their integrity.
  • Show compliance: In industries with compliance considerations (medical, financial, etc.), compliance-level object locks serve as proof of compliance.
  • Protect against ransomware: If a threat actor cannot physically destroy your files, their ransomware threats are virtually meaningless.

Expert Recommended: Most data security professionals recommend S3 Object Lock as a protective measure for crucial data.

How Does Object Lock Work Against Ransomware?

Object Lock is an excellent defense against ransomware attacks. Consider these six ways Object Lock protects your business from this threat.

Already battling the aftermath of a ransomware attack? Learn more about cloud recovery.

Compatible with Additional Storage Services for Added Protection

S3 Object Lock is an AWS-specific implementation, but it’s compatible with additional storage services—including Seagate Lyve Cloud object storage as a service. By diversifying your data across multiple platforms, you’ll experience added protection in both disaster recovery and ransomware scenarios.

Data Protected by Object Lock is Unchangeable

Because data under Object Lock cannot be changed, threat actors can’t threaten to modify or destroy the data. Even if they gain access, the damage they can do is limited to accessing and possibly disseminating information.

WORM Creates Added Protection

The WORM model is the underlying reason that data protected by Object Lock can’t be edited, rewritten, deleted, or otherwise damaged. WORM is a functionality of LTO tapes, and it's similar to the old air-gap concept, where physical backup tapes were removed from the premises so they couldn’t be accessed or corrupted.

WORM essentially takes that concept and makes it digital. No matter how serious an attack is, companies can retrieve data stored in the WORM model and start again.

Unauthorized Users Can’t Tamper with Data

Internal threats, whether intentional or accidental, are another source of concern for many businesses. Whether the unauthorized user is a part of your organization or an external threat, tampering with data simply isn’t possible without special permissions (in governance mode) or at all (in compliance mode).

Replaces Tapes and Retrieves Data

S3 Object Lock renders LTO tape and air-gapped backups irrelevant by distributing immutable data across the cloud. Data storage and retrieval both happen via the cloud, eliminating the need for costly tape solutions.

Provides Added Cushion to Your Enterprise Disaster Recovery Plan

S3 Object Lock doesn’t replace your enterprise disaster recovery plan, but it adds cushion to it. By giving you another layer of unchangeable object storage, you’ll have another location to pull from if you need to execute your disaster recovery plan.

Want to learn more about enterprise cloud storage? Check out our guide to backup challenges.

Multicloud Maturity Report

Find Out How Your Business Can Thrive in the Multicloud
Seagate Store  Shop the Deals  Best Sellers  What's New  Store FAQs  Store Return Policy  Store Support  Where to Buy 
About Seagate Our Story  ESG  Trust Center  Quality Assurance 
Support  Product Support  Seagate Software Downloads  LaCie Software Downloads  Seagate Product Registration  LaCie Product Registration  Warranty & Replacements  Seagate Systems  Contact Us 
Press Center  News  Media Kits  Brand Portal  LaCie Brand Portal 
Investors 
Partners  Indirect Partners & Resellers  Seagate Training Portal  Seagate Direct & Suppliers  Seagate Technology Alliance Program 
Jobs  Life at Seagate  Diversity, Equity, and Inclusion  University Programs 
facebook logo linkedin logo youtube logo x logo instagram logo
©2024 Seagate Technology LLC Legal Privacy Vulnerability Disclosure Cookie Settings
Site Map