WORM Storage in Microsoft Azure

Protection August 16, 2022

Write-once read-many (WORM) storage is an essential capability for multiple compliance requirements such as SEC Rule 17a-4.

At Veritas, we receive a constant flow of inquiries from IT, data security, and compliance leaders in search of immutable storage. They often want WORM-compliant storage in the cloud with Microsoft Azure so they can bypass the usual headaches associated with satisfying these requirements on-premises.

In this post, we will discuss the WORM storage requirement and how you can support it in the cloud with Azure and Veritas. 

What is WORM storage?

WORM just means that the data written to the storage media is immutable. No changes can occur. A file can be read as many times as necessary, but it cannot be overwritten, deleted, or modified in any way.

Disk-based WORM storage was popularized by EMC’s Centera product line in the early 2000’s. The precedent exists that storage media which is inherently not WORM-compliant (e.g. hard disk drives) can be accepted as WORM if it has a software layer that governs access, deletion, and auditing in a compliant manner.

WORM retention periods

With solutions that rely on software to achieve WORM compliance, you will typically find the concept of WORM retention periods. Retention periods define how long a particular item must be held in a WORM state. When the retention period expires, the item is eligible for deletion.

For compliance with SEC rules, retention periods can be lengthened but never shortened.


Another standard compliance requirement that accompanies WORM is redundancy. Content and indexes should be maintained with replicas. In Azure, synchronous storage redundancy on Azure Blob Storage along with active geo-replication on the databases meets the requirements conveniently.

Veritas Azure WORM storage feature

By design, with versioning enabled, Veritas NetBackup SaaS Protection's integration with Microsoft Azure is a high-performing data management solution at enterprise scale. Veritas NetBackup enables businesses to maximize their Azure Stack investments while controlling risks with advanced capabilities like Auto Image Replication, which ensures data recovery in case of stack failure.

NetBackup SaaS Protection does include a central deletion feature that is secured with authorization and an immutable audit trail. To meet WORM requirements alongside the deletion function, Veritas’s WORM policies ensure content is not purged before it is eligible for deletion.

There are two types of WORM policies in NetBackup SaaS Protection:

  1. Item-level WORM – Granular policies that can evaluate access rights, folder location, and any item-level attributes to apply particular WORM retention periods on individual files.
  2. Storage account-level WORM – Specifies a standard retention period for all items within the storage account.

Most Veritas clients that need WORM retention controls use item-level WORM because of its flexibility.

Both WORM options in NetBackup SaaS Protection are applied in real-time during the process of writing the data to Azure.

Event-based retention

Veritas’s NetBackup SaaS Protection solution includes a patent-pending feature for managing event-based retention. Our approach simplifies event-based retention by removing the need to occasionally extend retention periods on WORM-protected items before the end of their final retention period is reached.

You can trigger event-based retention using any metadata, including custom attributes. For instance, if the content has an associated AccountID, this can be enabled for event-based retention so that when a client account closes you can quickly look up all the content relating to that account and trigger application of the final retention period.

Advanced data management and auditing

Eventually, you will want to audit WORM retention periods in your archive to report on data volumes and retention workloads.

Managing content deletion is another important task – as retention periods expire, you will want to maintain a close watch on content that is free for removal and defensibly purge it.

Veritas’s data-aware storage concept gives you a complete visualization of what is in your archive. You can query the storage to model policies, generate reports, and perform investigations.

Azure deployment requirements

For NetBackup SaaS Protection deployments, Veritas lets you bring your Azure account, or your Veritas tenant can run under an Azure account owned by Veritas

Today, many clients that need WORM-compliance for NetBackup SaaS Protection run under a Veritas-owned Azure account because the provides an added layer in preventing their own employees from potentially deleting data early.

Microsoft has added immutability to Azure Blob Storage, which allows NetBackup SaaS Protection us to meet the WORM requirement when a customer chooses to run in their own Azure account.

Whenever Infrastructure-as-a-Service (IaaS)-level enhancements come out that seem to overlap features at the Software-as-a-Service (SaaS) level, we must remind people that functions available at the infrastructure level are not turnkey or user-friendly for business use cases. The application software layer needs to plug these capabilities into workflows and interfaces that are meaningful to the business.

Letter of attestation or compliance certified

When it comes to WORM compliance requirements, we often hear questions like, “is your technology certified for compliance with [name of the regulation that requires WORM].”

It is important to understand that the regulatory bodies that put forward WORM compliance requirements do not certify or endorse vendor technologies. Furthermore, the technology itself does not fulfill the requirement of compliance entirely – it is a combination of process and technology.

Your compliance requirements may stipulate that the WORM technology vendor must attest to the regulatory body that their solution meets the WORM requirements. Even if the regulatory body does not require such attestation, it is a good idea to obtain this from your vendor for your records.

Vendors might also commission a third-party to evaluate their technology’s fit for a compliance standard. The third-party might issue an opinion or statement that can help you sleep better at night.

Designated third party or Business Associates Agreement (BAA)

SEC/FINRA rules require a designated third-party (D3P) that can satisfy audits and requests for information in the event the regulated entity is non-responsive. In the case of cloud services, D3P is often included by the vendor as an add-on service.

For HIPAA, a similar construct exists and is referred to as a Business Associates Agreement (BAA). The BAA covers a broad spectrum of data security requirements about Personally Identifiable Information (PII) as well as audits and investigations. The BAA is not typically an add-on service like D3P, but instead a contractual requirement to do business.

Next Steps

NetBackup SaaS Protection running on Azure gives you policy controls, data management, query, analytics, and auditing above and beyond those available from IaaS-level WORM protection.

Learn More

Want to learn more about how NetBackup SaaS Protection’s features work with Azure WORM storage?

Contact us today to schedule a call or demo with Veritas.

Geoff Bourgeois
Chief Cloud Strategist