Folder (WORM) Compliance: CTERA Vault
  • 7 Minutes to read
  • Dark
    Light
  • PDF

Folder (WORM) Compliance: CTERA Vault

  • Dark
    Light
  • PDF

Article Summary

WORM (write once, read many) compliance ensures that data cannot be tampered with or deleted. In may industries, and especially regulated industries such as financial services and government sectors, organizations are required to store certain types of data in unalterable formats. CTERA Vault uses WORM technology to prevent editing, overwriting, renaming or erasing this data.

When a cloud drive folder is defined with folder compliance and added to the CTERA Vault, after an initial, optional, grace period, the contents of the folder can be protected from any attempt to change the folder content such as by renaming, moving, modifying, or deleting content for a specified retention period.

Any file in a folder in the CTERA Vault has the same compliance restrictions when accessed by CTERA Edge filers, CTERA Drive Connect, and when accessed from an S3 Browser after the cloud drive folder is set up as a bucket, as described in Setting Up Access to Portal Content Using the S3 API: CTERA Fusion.

CTERA Drive Share/Protect (Agent) cannot sync content that is in the CTERA Vault.

Enabling CTERA Vault

CTERA provides a role, Compliance Officer and a permission, Manage Compliance Settings that you use to manage folder compliance. You can also set the Manage Compliance Settings permission for a Read/Write Administrator.

Only administrators with the Manage Compliance Settings can set up CTERA Vault on a folder.

To enable CTERA Vault:

The Compliance Officer role automatically has the Manage Compliance Settings permission.

Setting Up CTERA Vault on a Folder

A folder can only be added to the CTERA Vault when it is created.

To protect a cloud folder with CTERA Vault:

  1. Select Folders > Cloud Drive Folders in the navigation pane.
    The CLOUD DRIVE FOLDERS page opens, displaying all cloud drive folders.
    image.png

  2. Click New Folder.
    The New Cloud Drive Folder window is displayed.
    image.png

  3. Complete the fields:
    Name – A name for the folder.

    Note

    Renaming a nested cloud drive folder makes the folder inaccessible to every edge filer that includes this share.

    Description (Optional) – A description for the folder.
    Owner – The user to own the folder. The owner controls access to the folder.
    Folder Group – A folder group for the folder.
    Use Owner Quota – The storage quota allowed for this folder is taken from the storage quota of the folder owner. If the owner attempts to use more than this amount of storage, for example, by uploading a file to the folder that causes the quota to be exceeded, the file is not uploaded. The quota is also enforced on the folder on CTERA Edge Filers.
    Use Folder Quota – The amount of storage allowed for this folder, which cannot be more than the storage quota of the team portal. The value must be an integer value. If a user attempts to use more than this amount of storage, for example, by uploading a file to the folder after the folder quota has been reached, the file is not uploaded. A file that when uploaded causes the quota to be exceeded will be uploaded, but no files after that. The quota is also enforced on the folder on CTERA Edge Filers.

    Note

    The CTERA Messaging service must be implemented by the global administrator for the folder quota to be applied to CTERA Edge Filers. For details about setting up the CTERA Messaging service, see Managing the CTERA Messaging Service.

    Enable Windows ACLs – Check Enable Windows ACLs. The files are saved in the portal using the NT ACL settings defined on the files. For more information, see Maintaining Windows File Server Structure and ACLs in CTERA Portal Folders.
    Extended Attributes – Select this option if you are syncing a CTERA Edge Filer share to a CTERA Portal including macOS extended attributes on the CTERA Edge Filer. The files are saved in the portal using the macOS extended attributes defined on the files. Files defined with macOS tags defined can be synced to multiple edge filers with their tags. The macOS extended file attributes are part of the item’s metadata and macOS tags are only supported when defining a new cloud folder, by checking Extended Attributes in the New Cloud Drive Folder window in the CTERA Portal.

    Note

    Tags can only be defined for a new cloud folder. When macOS Tages are enabled for the cloud folder, Windows ACLs are also enabled and cannot be disabled.

  4. If you are a Compliance Officer or a Read/Write Administrator with the Manage Compliance Settings permission, described in Managing Administrator Users, you can set the compliance that will apply to the cloud folder.

    Note

    The Compliance option can only be defined when first defining the cloud drive folder. For details, see Folder Compliance.

  5. Click the Compliance option.

    Note

    If you do not set up Compliance when creating the cloud drive folder, you cannot set it up later.

    The CTERA Vault configuration is displayed.
    image.png

  6. Check WORM (Write Once Read Many) to enable CTERA Vault.

  7. Define the required compliance:
    Grace Period – The period of time before the compliance restrictions are applied.
    Retention Mode – The level of compliance:

    • None – Files in the cloud folder, after the Grace Period, cannot be renamed or modified but they can be deleted.
    • Enterprise – After the Grace Period and for the duration of the Retention Period, the Compliance Officer or a Read/Write Administrator with the Manage Compliance Settings permission can permanently delete files. This mode is useful when the enterprise does not have external compliance regulations but wants to impose enterprise-wide regulations. In this case, compliance is enforced for everyone in the enterprise except for administrators with the Manage Compliance Settings permission.
      Note

      An administrator with the Allow Files/Folders Permanent Deletion permission can permanently delete folder content with the Retention Mode set to Enterprise, even if the administrator does not have the Manage Compliance Settings permission.

    • Compliance – After the Grace Period and for the duration of the Retention Period no-one can delete or make changes to files in the folder.

    Retention Period – How long the compliance is applied.

  8. Click SAVE.

Changing the Compliance Settings for a Folder

Unless WORM (Write Once Read Many) in the Compliance option was checked when the folder was created in the New Cloud Drive Folder window, even if the Retention Mode was set to None, compliance cannot be set for the folder. If WORM (Write Once Read Many) was checked when the folder was created, you can edit the compliance settings.

To edit a cloud folder in CTERA Vault:

  1. Select Folders > Cloud Drive Folders in the navigation pane.
    The CLOUD DRIVE FOLDERS page opens, displaying all cloud drive folders.
    image.png
  2. Click the folder to edit.
    The folder window is displayed with the folder name as the window title.
    image.png
  3. Click the Compliance option.
    The CTERA Vault configuration is displayed.
    image.png
  4. Edit the compliance settings:
    Grace Period – The period of time before the compliance restrictions are applied. Changes to the Grace Period only apply to content added to the folder after the change. Existing content complies with the old setting.
    Retention Mode – The level of compliance. The Retention Mode can be changed from None to Enterprise or Compliance and from Enterprise to None or Compliance but Compliance cannot be changed.
    Retention Period – How long the compliance has to be applied. Changes to the Retention Period only apply to content added to the folder after the change. Existing content complies with the old setting. When the Retention Mode is Compliance the Retention Period can be extended but not shortened.
  5. Click SAVE.

The changes only apply to new files added to the cloud folder and not files that are already in the cloud folder.

Attempting to Break Compliance

If an attempt is made to change content that is in the CTERA Vault, an error is displayed and written to the audit log.

Note

When the Retention Mode is set to Compliance, when attempting to permanently delete content, the permanent deletion process will delete all the files marked for permanent deletion, including all previous versions of these files, until the first file that is in the CTERA Vault that cannot be deleted. The permanent deletion process will then stop.

Examples

  • Attempting to delete a file:
    image.png
  • Attempting to rename a file:
    image.png

Viewing Compliance Content Details

As an administrator with the Manage Compliance Settings permission you can display details of the content in the CTERA Vault.
When displaying the folder that has compliance set, clicking the image.png icon displays content details as well as WORM details in a separate tab.

  • For a single item, which includes the retention mode and when the compliance period ends:
    image.png
  • For multiple items:
    image.png

CTERA Vault Log Entries

If an attempt is made to change content that is in the CTERA Vault, an error is written to the System log.

Note

Attempting to rename a file in the CTERA Vault is logged as a Move operation.


Was this article helpful?