hamburger icon close icon
Ransomware Recovery

Introducing Cloud Backup DataLock: A New Way to Keep Backup Data Immutable

After being hit by ransomware, a business often has two options: pay the ransom or restore from backup. But with recent cybersecurity trends indicating an increase in attacks targeting backup data, it’s imperative to protect backup data copies. How can you ensure your ransomware recovery capabilities are protected?

NetApp Cloud Backup can help. In addition to its existing safety features—ransomware protection and the dark site deployment option—Cloud Backup’s new DataLock feature allows your backup copies to remain immutable in the destination object storage. In this blog we’ll take a deep dive into DataLock’s capabilities, the deployment options available, and the use cases for the technology.

Read on below or use these links to jump down:

What Is DataLock?

DataLock integrates the WORM (Write Once Read Many) capabilities of the cloud provider’s object storage services with NetApp Cloud Backup, making it possible to lock backup data as WORM in the destination storage service.

DataLock uses NetApp’s proprietary technologies to implement this functionality. DataLock also supports Cloud Backup’s integration with SnapLock®, which means you can replicate WORM volumes created by SnapLock to an object storage repository that will remain WORM. This means your backup data will stay immutable and protected end to end from ransomware attacks, both at source and in the destination.

DataLock is supported for use in the cloud and on-prem with NetApp StorageGRID® appliances. It currently offers full integration with Amazon S3 and StorageGRID, with Azure Blob and Google Cloud Storage support coming around December 2022. DataLock leverages the native object lock capabilities of these services.

Amazon S3 object lock helps store objects in the WORM format so that it is not deleted or overwritten. The StorageGRID S3 Object Lock feature emulates the WORM capabilities of Amazon S3 storage on-premises, where WORM storage buckets can be created to make any data stored in them immutable. Azure Blob storage supports immutability policies that help create time-based retention policies or create a legal hold where data is stored until the hold is cleared by an administrator. Cloud Storage Bucket Lock in Google Cloud Storage also provides the same capabilities.

Types of DataLock

There are three retention modes for Cloud Backup DataLock for WORM storage: None, Enterprise, and Compliance.

  • None: This is the default mode, which does not enable WORM protection.
  • Governance: In this mode, administrators will have the flexibility to overwrite or delete protected object storage data during the retention period.
  • Compliance: If this mode is selected, no user can overwrite or delete the data during the specified retention period. Compliance mode is helpful in highly regulated environments with stringent data retention requirements.

The three modes offer flexibility for users to choose the protection level that best fits their businesses’ backup requirements.

DataLock Use Cases

DataLock offers an added layer of protection for your backup copies from malware infection. Let’s look at some of the use cases that the feature supports:

  • Air-gapped backups

    Using NetApp DataLock, it is possible to make an immutable backup copy that is logically air-gapped. When using Cloud Backup, your copies are stored in a different format (object storage). This backup copy provides the additional security layer with WORM storage using DataLock. It also augments the ransomware protection of organizations with 3-2-1 backup strategy, where one copy of the backup is stored in an immutable remote object storage.

  • Immutability

    Without DataLock, it’s possible for backup data copies at the destination storage to be changed, deleted, or corrupted—either by malware infection or through human error. This could impact the recovery timelines should the backup data ever need to be restored or give ransomware victims no choice but to pay the attackers to recover the data. With immutability enabled by DataLock, this risk can be eliminated, fully securing your backup data copy and creating a failsafe against ransomware.

  • Indelibility

    Organizations with very strict compliance requirements might be required to store the backup data safely for longer periods of time. This data could be accessed during audits and hence should always remain available. To meet this requirement, users can rely on DataLock’s Compliance mode. Using this mode, data cannot be removed during the retention period, which helps meet these high compliance standards.

  • End-to-end protection

    NetApp SnapLock is a feature built into ONTAP storage systems that allows immutable data volumes to be created at the source. With DataLock, Cloud Backup can replicate SnapLock protected volumes to destination object storage environments that are also enabled for WORM. The backup data remains immutable with end-to-end protection over the course of its entire lifecycle.

  • Dark-site deployments

    In the software-only mode offered by Cloud Backup, it’s possible to back up your data to object storage without any external internet connectivity. In this dark-site deployment mode Cloud Backup leverages StorageGRID as the backup destination, which fully supports the DataLock immutability feature.


DataLock currently offers full integration with Amazon S3 and StorageGRID, with Azure Blob and Google Cloud Storage support coming around December 2022.

The supported sources for Cloud Backup DataLock are for data created using on-prem ONTAP devices and Cloud Volumes ONTAP. You will also need to be running ONTAP 9.11.1 or later to configure DataLock for Cloud Backup. DataLock is applicable to new backup activations, so any existing backup copies created by Cloud Backup will remain in standard object storage. It is also not interoperable with archival policy.


Your mission-critical business data is protected by an additional layer of security, thanks to DataLock-enabled WORM volumes in Cloud Backup. DataLock provides true ransomware protection, where backup copies cannot be changed, modified, or deleted. It also provides the flexibility required in modern day enterprises, where the WORM protection can be controlled and managed by administrators and the target storage can either be in the cloud or on-premises.

Ransomware protection is the need of the hour and backup copies protected by DataLock help address this requirement head-on. It enables enterprises to ensure business continuity and meet the defined SLAs in the unforeseen event of a ransomware attack. Read more on how to increase your cyber resilience here.

Watch the NetApp Cloud Backup DataLock demo.New call-to-action

Semion Mazor, Product Evangelist

Product Evangelist