hamburger icon close icon

WORM Storage Meets the Cloud: AWS, Azure, GCP and NetApp

Not all data is equal. Some of it is so sensitive or critical that it must be kept in a completely immutable form. For that purpose, organizations can turn to Write Once Read Many (WORM) storage. While this has traditionally been a type of storage used exclusively on-prem, the cloud is finally beginning to offer this data protection technology at scale.

While all the major cloud vendors now provide WORM storage solutions for object storage, Cloud Volumes ONTAP and NetApp SnapLock® give users the ability to treat regular NFS and SMB/ CIFS file shares as WORM compliant storage, which provides additional benefits, such as easier integration with existing workflows and processes.

In this article, we will review the native WORM storage capabilities of AWS, Azure, and Google Cloud Platform, and describe the added value provided by Cloud Volumes ONTAP via SnapLock®.

What Is WORM Storage?

Organizations require WORM (Write Once Read Many) storage for a variety of purposes, including compliance with industry regulations, enforcing data retention policies, and preserving original content. In each case, the data storage platform must prevent renaming, deleting, or changing the existing data during the configured retention period, while at the same time allowing users to read data as normal.

Monetary penalties or legal action can be incurred for not protecting data and complying with mandates such as SEC 17a-4, HIPAA, Sarbanes-Oxley, GDPR, DACH, and self-regulatory policies. The legal risks of violating these rules are not the only reason to use WORM storage. WORM can also prevent competitive loss and limit the security impact and sky-high recovery costs that come with malicious acts caused by rogue admins, malicious insiders, viruses, and ransomware attacks.

The types of files that are typically protected via WORM storage are intellectual property records, historical records, surveillance data, voice recordings such as emergency services recordings, and motion picture films.

The cloud has been slower to adopt WORM storage mostly because of compliance concerns. But with more and more companies opting for all-in cloud deployments, the technology is becoming a data protection feature offered by AWS, Azure, and Google Cloud Platform.

Public Cloud Options for WORM

In this section, we will take a look at the available options for deploying WORM storage in the cloud and the different features offered by each solution.

Glacier Vault Lock on Amazon Glacier Storage

Glacier Vault Lock makes WORM storage available on Amazon S3 Glacier, the storage service used on AWS for the long-term storage of infrequently accessed data. On Amazon S3 Glacier, customers benefit from extremely cost-effective storage for archive data and backups, with some additional costs incurred for data retrieval. All user data is organized into archives, and each archive resides in a particular vault. To protect data in a vault from being modified, users create a Glacier Vault Lock policy using the standard IAM policy language. After enabling a Glacier Vault Lock policy, data within the vault will remain protected until the policy expires or no longer applies, and the vault lock policy itself cannot be removed or modified until that time.

IAM policies allow for both time-based retention of vault archives or for a legal hold to be put in place, which prevents any data modifications until the hold is removed. Other than the charges for storing the data, there are no added fees for keeping WORM data on Glacier, which is the least-expensive storage type that AWS has available.

Azure Blobs Immutable Storage

Azure provides users with WORM compliant storage across all Azure Blob storage tiers, including hot, cool, and archive, by applying retention policies and legal hold locks at the blob container level. This ensures that all blobs held within a container are protected from future data modifications until the retention period expires or the locks are removed, and all blobs added to the container will automatically be made immutable. Immutable storage extends to all blob tiers and also includes audit logging.

There is no added charge for using this feature on top of the normal storage charges for keeping data in blobs.

Bucket Lock for Google Cloud Storage

Google Cloud Platform allows a retention policy to be placed on cloud storage buckets, which prevents all current and future objects placed in the bucket from being deleted or modified for the duration of the retention period, or unless the retention policy is removed. The retention policy itself can also be locked, which prevents any attempt to remove the policy, the bucket, or the objects it contains. This gives you the ability to have either a soft or temporary lock in place, or a hard lock that cannot be overridden. Retention policies can also be used at the individual object level, as an alternative to protecting an entire container.

Bucket Lock offers event based locking. In addition, object lifecycle management can be used to move locked data into colder storage tiers.

GCP also offers consulting services via an outside contractor to help determine customers’ compliance requirements, which will assist in mapping the data that would be required to be stored with WORM in the cloud.

Cloud Volumes ONTAP and NetApp SnapLock

Cloud Volumes ONTAP is a complete data management solution for AWS and Azure. SnapLock Enterprise has been the NetApp WORM storage solution that enterprises have depended on for years. Now, those two technologies are able to combine their capabilities to offer Cloud WORM for AWS and Azure storage management.

SnapLock has been a standard for organizations using NetApp storage systems in on-prem data centers for many years, so it’s not only an effective technology, but a tested and trusted one. With Cloud Volumes ONTAP, SnapLock extends WORM storage into the cloud. Cloud WORM storage can be accessed by SMB / CIFS or NFS applications.

NetApp Cloud WORM Advantages

The biggest advantage that cloud WORM with SnapLock has over the other cloud-based solutions is the ability to use the data. The options on GCP, AWS, and Azure are basically just archives; with NetApp SnapLock there is granularity to the commit process and the ability to mix WORM and non-WORM data in the same location. Users can modify the data in the cloud as needed, but only before it is locked and protected as WORM storage.

SnapLock’s commit method to WORM storage allows  more flexibility: you only need to mark the file as read-only to dedicate it to WORM. Users can also set retention periods at the file level, instead of locking an entire volume. This is something that isn't possible in the public cloud.

Another benefit is SnapLock’s append mode and volume append mode. With these you can  incrementally dedicate data to WORM storage in 256K chunks. This is used for data such as audio, streaming video streaming, logging, and more. None of the public clouds offer anything like these append mode options with their cloud WORM offerings.

SnapLock Benefits Summary

  • Modify data in the cloud before you commit to WORM.
  • Keep WORM data alongside non-WORM data in the same repository.
  • Incremental WORM locking with append mode and volume append mode.
  • Retention periods can be set at the file and volume levels.

Cloud Volumes ONTAP Added Values

SnapLock is also integrated into ONTAP/Cloud Volumes ONTAP’s licensed-based features such as SnapVault®, SnapMirror® data replication, NetApp Snapshots™ technology, and Azure high availability or AWS high availability via the Cloud Volumes ONTAP HA configuration. Cloud Volumes ONTAP can also help you save on WORM storage costs through the use of its deduplication, compression, and thin provisioning storage efficiency features. You can also move your WORM data between the AWS and Azure clouds and on-prem storage to take advantage of hybrid or multicloud architectures.

How it Works

A SnapLock install activation code can be activated through OnCommand Cloud Manager, Cloud Volumes ONTAP’s GUI control panel, which initializes the compliance clock, as the local clock is not trusted.

Setting up WORM storage in Cloud Manager

Setting up WORM storage in Cloud Manager.

After that you can create cloud volumes that will be completely protected for WORM storage. Files can be copied to the volume using any applications or scripts that support SMB / CIFS or NFS. You can also set an individual WORM protection expiration date (per the compliance clock) for each file. Marking the files as read-only, will commit them to WORM storage. From that point, no information stored in the file will be able to change. SnapMirror lets you copy the data to another ONTAP system, with the copy retaining all WORM metadata, retention periods, expiration dates, etc. as the original.

For more on how Cloud Volumes ONTAP and SnapLock work together to protect your most important data, watch the complete webinar here.


With more and more companies deciding to move to cloud-only environments, the important data that needs to remain unchanged and undeleted should get the same level of protection that was provided on-prem. The public cloud has just started to offer options for WORM in the cloud. SnapLock is the same WORM storage that companies have used for years, now extended to the cloud with Cloud Volumes ONTAP, giving you a wide range of unique features to use for both your locked and unlocked data.

To try the new data locking features with Cloud Volumes ONTAP, register for a trial preview of cloud WORM powered by SnapLock today.

New call-to-action

Sr. Product Manager, Data Protection