Discussions related to using object storage as a backup target.
Post Reply
np-mast
Service Provider
Posts: 8
Liked: never
Joined: Apr 13, 2023 6:00 pm
Full Name: Maximilian Stumpf
Contact:
Contact np-mast

S3 Object Lock compliance vs governance mode

Post by np-mast »

Currently, Veeam by default uses the more stringent compliance mode of Object Lock when writing data to a S3 repository.

For those who are not that deep into the modes:
Compliance mode is more stringent in the way that also the S3 storage system admin cannot delete data. (Without wiping disk or physical destruction, of course.)
Governance mode is a bit more relaxed in the way that while data deletion is not possible via the S3 frontend until the lock has expired, it is for example possible for the S3 admin to delete entire buckets, even though some buckets might still contain locked objects.

While compliance mode is usually preferred for security reasons in most applications where the S3 storages system is operated by the same entity as the backup server, for us as a service provider, providing S3-aaS to our customers, this is becoming a huge problem once a customer cancels his contract or stops paying, while still having stored a large amount of data which is locked.
This might get us into a situation where we have to store data which is not getting payed for.

As the security tradeoff isn't that bad in this SP situation, as the storage system is managed by a complete different company than the backup server, It would be a valid option to switch to governance mode.
However, Veeam only gives us the option to do this globally for ALL S3 repos via a registry key: https://community.veeam.com/blogs-and-p ... art-7-6757
This is obviously not an option for many customers who are utilizing both self-hosted S3 as well as S3-aaS at the same time (usually seld-hosted as primary and aaS as offsite backup storage).

Therefore, I would really appreciate it if Veeam would give us this option on a more granular level, for example on a per-repository level during repo creation.
Top
Mildur
Product Manager
Posts: 11366
Liked: 3152 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:
Contact Mildur

Re: S3 Object Lock compliance vs governance mode

Post by Mildur »

Hi Maximilian,

Thanks for your feedback.
You’re right — currently, it’s a global option.
I can’t confirm yet whether more granular options will make it into the product, but I’ve noted your request.

Best regards,
Fabian
Product Management Analyst @ Veeam Software
Top
Post Reply

Return to “Object Storage as Backup Target”



Who is online

Users browsing this forum: No registered users and 1 guest