Google Cloud Storage is the object storage service on Google Cloud. Among the built-in features it offers out-of-the-box and without any added cost is the ability to set retention policies for the data you store there. This can be an essential part of your Google Cloud backup and compliance strategy.
In this post we will take a look at the data protection capabilities of Google Cloud Storage retention policies and show you how to define these policies for your buckets.
A retention policy is a term used in storage for a document or configuration that specifies how long data will be kept. A retention policy can be enforced by the system to enable organizations to meet compliance and governance requirements.
When you store data in Google Cloud Storage buckets, it is possible (and recommended) to protect your data and narrow down who is allowed to use it. Using Google Cloud IAM and ACLs, users can define fine-grained permissions to limit who can access and what can be done in the bucket. However, those permissions don’t enforce data retention policies. If a user has a valid permission to make changes to the bucket, they will be able to delete data at any point in time.
A Google Cloud Storage retention policy can be used to address this situation by defining rules so that the data in a specific bucket can only be deleted after a specified amount of time, regardless of the Cloud IAM and ACL permissions. Furthermore, a one-time lock can be placed on top of that retention policy to prevent anyone, even you, from deleting the policy or decreasing the chosen retention time.
There are different business cases that benefit from this out-of-the-box bucket-locking functionality, but perhaps the most crucial one is to ensure compliance. When using Google Cloud Storage for audit trails and logs of your system, you can enable the retention policy feature and thus, prove to an auditor that the information is being kept for a certain amount of time.
The first step to defining retention policies in Google Cloud Storage is to create a new bucket. This is a fairly simple process. Read how to create a new Google Cloud Storage bucket here.
Using the newly created Google Cloud Storage bucket, we are going to create a new retention policy with a specific time period. This will enforce that only objects older than that defined time period can be deleted.
1. Navigate to the Google Cloud Storage service and under the bucket browser list, open the details page of the newly created bucket.
2. Find the Bucket Lock tab and press the “+” button to add a new retention policy to the Google Cloud Storage bucket.
Google Cloud Storage Bucket details
3. Define the duration (time required) for the new bucket retention policy. In the example below we are specifying that period will be two days. This means that you won’t be able to delete objects inside the bucket that were created sooner than two days ago
Setting a retention policy dialog
1. Similar to the way you created a new policy, you can also delete it. To do so, press the delete button.
Google Cloud Storage Bucket details
2. A confirmation dialog will appear. Press the “Delete” button to confirm the removal of the Google Cloud Storage bucket retention policy.
You may have noticed that while the bucket retention policy existed, a message was displayed stating that the “Lock status” was “Unlocked”. As the name suggests, a lock is an optional step that enables you to permanently lock the retention policy in the bucket.
1. Create a Google Cloud Storage retention policy as we described above with a time duration of your preference.
2. Press the padlock icon in the bucket details to initiate the retention policy locking process.
Google Cloud Storage Bucket details
3. A dialog will appear requesting your confirmation. You can proceed by writing your bucket name and pressing the “Lock Policy” button.
BE CAREFUL: Once this action is done, you won’t be able to revert it or shorten the retention policy duration. However, you will still be able to extend the duration of the policy.
Bucket Lock retention policy dialog
4. If everything was successful, the retention policy will now be locked. From this point onwards you won’t have the option to delete the retention policy without destroying and re-creating the bucket and its contents.
Google Cloud Storage Bucket details
Google Cloud Storage is the object storage service offered by Google Cloud that enables near-unlimited growth storage capacity for a low cost per GB using different methods such as the Google Cloud Storage API or the Console.
However, it is definitely worth taking into use those extra features such as your Google Cloud Storage Retention Policy. This article demonstrated step by step how to enable and leverage this functionality and how it can improve your data protection capabilities, help you to meet compliance standards and overall save you precious time.
If you are interested in even more advanced data protection capabilities you can also use Cloud Volumes ONTAP, the premier cloud data management platform from NetApp. The same features that have been popular in Cloud Volumes ONTAP for AWS and Azure such as storage efficiency, data protection and cloning are now available for Google Cloud.
If your organization’s data retention policies also require a WORM (Write Once Read Many) storage solution, Cloud Volumes ONTAP leverages NetApp SnapLock® for enterprise-grade WORM features in the cloud.
Find out more about other aspects of Google Cloud backup here:
Try a demo of the new Cloud Volumes ONTAP for Google Cloud today.