Folder (WORM) Compliance: CTERA Vault

WORM (write once, read many) compliance ensures that data cannot be tampered with or deleted. In many industries, and especially regulated industries such as financial services and government sectors, organizations are required to store certain types of data in unalterable formats. CTERA Vault uses WORM technology to prevent editing, overwriting, renaming or erasing this data.

When a cloud drive folder is defined with folder compliance and added to the CTERA Vault, after an initial, optional, grace period, the contents of the folder can be protected from any attempt to change the folder content such as by renaming, moving, modifying, or deleting content for a specified retention period.

Any file in a folder in the CTERA Vault has the same compliance restrictions when accessed by CTERA Edge filers, CTERA Drive Connect, and when accessed from an S3 Browser after the cloud drive folder is set up as a bucket, as described in Setting Up Access to Portal Content Using the S3 API: CTERA Fusion.

CTERA Drive Share/Protect (Agent) cannot sync content that is in the CTERA Vault.

Enabling CTERA Vault

CTERA provides a role, Compliance Officer and a permission, Manage Compliance Settings that you use to manage folder compliance. You can also set the Manage Compliance Settings permission for a Read/Write Administrator.

Only administrators with the Manage Compliance Settings can set up CTERA Vault on a folder.

To enable CTERA Vault:

• Make sure that the administrator has the Manage Compliance Settings permission.
  For details, see Managing Administrator Users.

The Compliance Officer role automatically has the Manage Compliance Settings permission.

Setting Up CTERA Vault on a Folder

A folder can only be added to the CTERA Vault when it is created.

To protect a cloud folder with CTERA Vault:

1. Select Folders > Cloud Drive Folders in the navigation pane.
   The CLOUD DRIVE FOLDERS page opens, displaying all cloud drive folders.
   

2. Click New Folder.
   The New Cloud Drive Folder window is displayed.
   

3. Complete the fields:
   Name – A name for the folder.

   Note

   Renaming a nested cloud drive folder makes the folder inaccessible to every edge filer that includes this share.

   Description (Optional) – A description for the folder.
   Owner – The user to own the folder. The owner controls access to the folder.
   Folder Group – A folder group for the folder.
   Use Owner Quota – The storage quota allowed for this folder is taken from the storage quota of the folder owner. If the owner attempts to use more than this amount of storage, for example, by uploading a file to the folder that causes the quota to be exceeded, the file is not uploaded. The quota is also enforced on the folder on CTERA Edge Filers.
   Use Folder Quota – The amount of storage allowed for this folder, which cannot be more than the storage quota of the team portal. The value must be an integer value. If a user attempts to use more than this amount of storage, for example, by uploading a file to the folder after the folder quota has been reached, the file is not uploaded. A file that when uploaded causes the quota to be exceeded will be uploaded, but no files after that. The quota is also enforced on the folder on CTERA Edge Filers.

   Note

   The CTERA Messaging service must be implemented by the global administrator for the folder quota to be applied to CTERA Edge Filers. For details about setting up the CTERA Messaging service, see Managing the CTERA Messaging Service.

   Enable Windows ACLs – Check Enable Windows ACLs. The files are saved in the portal using the NT ACL settings defined on the files. For more information, see Maintaining Windows File Server Structure and ACLs in CTERA Portal Folders.

4. If you are a Compliance Officer or a Read/Write Administrator with the Manage Compliance Settings permission, described in Managing Administrator Users, you can set the compliance that will apply to the cloud folder.

   Note

   The Compliance option can only be defined when first defining the cloud drive folder. For details, see Folder Compliance.

5. Click the Compliance option.

   Note

   If you do not set up Compliance when creating the cloud drive folder, you cannot set it up later.

   The CTERA Vault configuration is displayed.
   

6. Check WORM (Write Once Read Many) to enable CTERA Vault.

7. Define the required compliance:
   Grace Period – The period of time before the compliance restrictions are applied.
   Retention Mode – The level of compliance:

   • None – Files in the cloud folder, after the Grace Period, cannot be renamed or modified but they can be deleted.
   • Enterprise – After the Grace Period and for the duration of the Retention Period, the Compliance Officer or a Read/Write Administrator with the Manage Compliance Settings permission can permanently delete files. This mode is useful when the enterprise does not have external compliance regulations but wants to impose enterprise-wide regulations. In this case, compliance is enforced for everyone in the enterprise except for administrators with the Manage Compliance Settings permission.
     Note

     An administrator with the Allow Files/Folders Permanent Deletion permission can permanently delete folder content with the Retention Mode set to Enterprise, even if the administrator does not have the Manage Compliance Settings permission.

   • Compliance – After the Grace Period and for the duration of the Retention Period no-one can delete or make changes to files in the folder.
     
     

   Retention Period – How long the compliance is applied.

8. Click SAVE.

Changing the Compliance Settings for a Folder

Unless WORM (Write Once Read Many) in the Compliance option was checked when the folder was created in the New Cloud Drive Folder window, even if the Retention Mode was set to None, compliance cannot be set for the folder. If WORM (Write Once Read Many) was checked when the folder was created, you can edit the compliance settings.

To edit a cloud folder in CTERA Vault:

1. Select Folders > Cloud Drive Folders in the navigation pane.
   The CLOUD DRIVE FOLDERS page opens, displaying all cloud drive folders.
   
2. Click the folder to edit.
   The folder window is displayed with the folder name as the window title.
   
3. Click the Compliance option.
   The CTERA Vault configuration is displayed.
   
4. Edit the compliance settings:
   Grace Period – The period of time before the compliance restrictions are applied. Changes to the Grace Period only apply to content added to the folder after the change. Existing content complies with the old setting.
   Retention Mode – The level of compliance. The Retention Mode can be changed from None to Enterprise or Compliance and from Enterprise to None or Compliance but Compliance cannot be changed.
   Retention Period – How long the compliance has to be applied. Changes to the Retention Period only apply to content added to the folder after the change. Existing content complies with the old setting. When the Retention Mode is Compliance the Retention Period can be extended but not shortened.
5. Click SAVE.

The changes only apply to new files added to the cloud folder and not files that are already in the cloud folder.

Attempting to Break Compliance

If an attempt is made to change content that is in the CTERA Vault, an error is displayed and written to the audit log.

Examples

• Attempting to delete a file:
  
• Attempting to rename a file:
  

Viewing Compliance Content Details

As an administrator with the Manage Compliance Settings permission you can display details of the content in the CTERA Vault.
When displaying the folder that has compliance set, clicking the icon displays content details as well as compliance details in a separate tab.

• For a single item, which includes the retention mode and when the compliance period ends:
  
• For multiple items:
  

CTERA Vault Log Entries

If an attempt is made to change content that is in the CTERA Vault, an error is written to the System log.