
My company maintains data for a number of large corporate customers. The data is everything in the company, and loss of the data would probably mean losing all our customers. This means I ideally need a backup strategy that really secures the data no matter what (motivated hackers, disgruntled employees, ex-girlfriends, myself after drinking too much, etc).

Amazon Glacier with Vault Lock seems to be able to do just that: it allows storage with a policy (possibly a never-allow-delete policy) that, once in place, can never be revoked. Perfect!

However I can imagine some (extreme) cases when deletion is necessary:

  • My backup script ran amok and copied my 1 TB backup file 10,000 times to the Glacier vault, instead of just once, resulting in now a $70,000 per month storage price
  • A customer decides not to use our service anymore and demands that all his data is deleted
  • Future privacy laws (or jurisprudence) may mean that we need to remove some collected data
  • At some point in the future we find out that we can store the data more efficiently thereby reducing the storage needs.

I have been unable to find any information on whether deletion would be possible at all. I reckon that Amazon will have a way to delete the data (i.e. if I stopped paying I guess they would delete the data at some point). I'm imagining it could be enough if Amazon would allow me to delete a whole vault but only after some proof of ID (e.g. through a public notary; in the cases mentioned above I would not mind if I had to pay say $500 to delete the data).

Something else that actually might be acceptable (however I'd have to check if it would be possible at all in Vault Lock -- any pointers to information on this would be appreciated) would be that once I decide that some files can be deleted, I can tag them for deletion, and deletion only happens 30 days later.

I did consider other backup systems (e.g. a DVD burner at the office, and then encrypting and storing the backups in different physical locations), but obviously an automated system is much preferred!

Claude

1 Answer


Your imagined scenarios all seem pretty unlikely to prompt Amazon to backtrack on the following statement, from the document you cited:

The vault’s state will be set to Locked, and the policy will remain in effect until the heat death of the universe.

This seems a bit at odds with your perspective:

I'm imagining it could be enough if Amazon would allow me to delete a whole vault but only after some proof of id

I'd say don't bet on it.

And $500 seems like an incredibly small amount. You'll need lawyers if you don't get a written commitment from AWS that you can expect "exceptions."

Fundamentally, though, vault locks are not really about security, as much as they are an answer to legal and regulatory compliance issues.

"No, my clients have not removed or modified any files, your honor. As our expert witnesses will testify, these records have been stored using a technology that does not allow overwrites or deletions."

Amazon would jeopardize the very market they are attempting to capture if they permitted arbitrary exceptions.

And, of course, locking a vault is in fact freezing the policy, not the contents. The policy could be relatively benign, such as requiring archives to persist for 90 days before deletion. And, the policy can still do that without the lock. The lock is a policy freeze.

Michael - sqlbot
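The "persist for 90 days before deletion" policy the answer describes looks like the following. This is an added example written for this page, not a policy from the question or the answer; the region, account ID and vault name are placeholders, while `glacier:DeleteArchive` and the `glacier:ArchiveAgeInDays` condition key are the documented names AWS uses for this purpose.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "deny-delete-before-90-days",
      "Principal": "*",
      "Effect": "Deny",
      "Action": "glacier:DeleteArchive",
      "Resource": "arn:aws:glacier:us-east-1:111122223333:vaults/example-backups",
      "Condition": {
        "NumericLessThan": {
          "glacier:ArchiveAgeInDays": "90"
        }
      }
    }
  ]
}
```

Dropping the `Condition` block turns this into the "never allow delete" policy the question mentions, which is the variant you cannot walk back. Either way the policy is attached with InitiateVaultLock, which returns a lock ID and opens a 24-hour window during which AbortVaultLock still discards it; only CompleteVaultLock with that lock ID freezes it. Test the policy on a throwaway vault and abort before completing: once completed, the statement above is the only thing between your operators and a full vault, and its `Deny` applies to the account root as well.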
  • I wonder what happens if you delete your account, if they reclaim the space. – Tim Jul 09 '16 at 05:19
  • Yeah, true @Tim. It seems reasonable that this would take care of deletions. :) They are not promising to keep providing a service that you stop paying for, but to enforce the policy, so I don't see any obvious reason why they wouldn't purge it in that case. It's not a matter of general knowledge -- or if it is, I missed the memo -- how the internals of Glacier actually work. Multi-layer Blu-ray discs is one interesting theory, in which case "reclaim the space" takes on an amusingly different definition. – Michael - sqlbot Jul 09 '16 at 14:34
  • (I know this is a necro.) I feel like the market they are shooting for, as well as the market OP is in, would be better served by a policy that can't be locked, but instead have a permanent record of all vault policies and when they went into effect. Then, in the legal case, we could just provide the policy history to show that a compliant policy has been in effect for the relevant time period. And we would still be permitted by Amazon to change the policy in case we need to delete things under exceptional circumstances. – cdhowie May 27 '18 at 02:07
  • @cdhowie as you know, this isn't a forum, so by extension a necro [isn't a bad thing](https://serverfault.com/help/badges/17/necromancer). Relevant comments to old posts are quite valid, as far as I know. With a locked policy, we know that it is unchanged because that's in the definition... but keeping a queryable history of the policy (not merely logs, but something the service can authoritatively return to you as a list of everything over time) does seem like it might have been viable as well. Still, I assume AWS was working with subject matter experts to arrive at the solution they created. – Michael - sqlbot May 27 '18 at 15:10
  • The OP's identification of the case where *"Future privacy-laws (or jurisprudence) may mean that we need to remove some collected data"* was quite prescient, and illustrates what seems like a major potential problem under GDPR. I recognize the valid claims of data subjects to have data removed that the controller or processor is not entitled to possess or retain, but the law leaves the impression that legitimate business records that might be necessary for difficult-to-identify future purposes might be subject to deletion, when this is unreasonable and they should not in fact be. – Michael - sqlbot May 27 '18 at 15:12
  • @Michael-sqlbot Yeah, it's an interesting situation we find ourselves in. I expect that Amazon may be getting many support requests to change a locked vault policy in the wake of GDPR and hopefully they are looking into alternative ways that businesses can prove compliance in a different way from creating an immutable policy. Their current approach of a policy lock only works under a legal system that never changes. – cdhowie May 27 '18 at 15:30