How StorageGRID protects compliant data

When StorageGRID is properly configured and when compliant S3 buckets, information lifecycle management (ILM) rules, and ILM policies have been correctly applied, StorageGRID provides functionality that prevents objects in S3 buckets from being overwritten, deleted, or altered until the specified retention period has expired.

StorageGRID meets the relevant storage requirements of these regulations:

Compliance and retention

When the global Compliance setting is enabled for the StorageGRID system, you can create compliant buckets for object data, such as legal and financial records, that needs to be preserved for a certain amount of time. When creating a compliant bucket, you can specify the retention period for bucket objects and select whether object data will be automatically deleted when the retention period expires.

Each object's retention period starts when the object is ingested into the bucket. During the retention period, the object can be retrieved, but it cannot be modified or deleted. As required, you can increase a bucket's retention period, place the bucket under a legal hold (meaning that objects cannot be deleted when their retention period expires), remove a legal hold, or change the auto-delete setting.

Compliance and the storage of duplicate data

StorageGRID ensures that duplicate copies of each compliant object are stored on the grid for the entire retention period. When the global Compliance setting is enabled, grid administrators must use a compliant rule as the default rule in the ILM policy. At least two copies of each object must exist from the time the object is ingested until the object is deleted.

Compliance and security features

StorageGRID protects compliant objects with the following platform security features:
  • Internal public key infrastructure and node certificates are used to authenticate and encrypt internode communication. Internode communication is secured by TLS.
  • Rules for firewalls and iptables are automatically configured to control incoming and outgoing network traffic and to close unused ports.
  • The base operating system of StorageGRID appliances and virtual nodes is hardened; unrelated software packages are removed.
  • Root login over SSH is disabled on all grid nodes. SSH access between nodes uses certificate authentication.
  • Separate networks are available for Client, Admin, and internal Grid traffic.