{"id":110451,"date":"2023-11-28T09:11:45","date_gmt":"2023-11-28T17:11:45","guid":{"rendered":"https:\/\/www.backblaze.com\/blog\/?p=110451"},"modified":"2024-08-14T11:33:04","modified_gmt":"2024-08-14T18:33:04","slug":"digging-deeper-into-object-lock","status":"publish","type":"post","link":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/","title":{"rendered":"Digging Deeper Into Object Lock"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1-1024x583.png\" alt=\"A decorative image showing data inside of a vault.\" class=\"wp-image-110465\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1-1024x583.png 1024w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1-300x171.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1-768x437.png 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-drop-cap\">Using Object Lock for your data is a smart choice\u2014you can <a href=\"\/blog\/object-lock-101-protecting-data-from-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">protect your data from ransomware<\/a>, meet compliance requirements, <a href=\"\/blog\/how-to-add-object-lock-to-your-it-security-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\">beef up your security policy<\/a>, or preserve data for legal reasons. But, it\u2019s not a simple on\/off switch, and accidentally locking your data for 100 years is a mistake you definitely don\u2019t want to make.<\/p>\n\n\n\n<p>Today we\u2019re taking a deeper dive into Object Lock and the related legal hold feature, examining the different levels of control that are available, explaining why developers might want to build Object Lock into their own applications, and showing exactly how to do that. While the code samples are aimed at our developer audience, anyone looking for a deeper understanding of Object Lock should be able to follow along.<\/p>\n\n\n\n<p>I presented a webinar on this topic earlier this year that covers much the same ground as this blog post, so feel free to watch it instead of, or in addition to, reading this article.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Inside Object Lock: Ransomware Protection for Application Developers\" width=\"750\" height=\"422\" src=\"https:\/\/www.youtube.com\/embed\/LO_XHd1_ZHI?feature=oembed&#038;enablejsapi=1&#038;origin=https:\/\/bzatlasbluestg.wpenginepowered.com\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"abstract\" style=\"line-height: 1.8; margin: 24px 12px; padding: 24px 12px 10px 12px;\">\n<h4>Check Out the Docs<\/h4>\n<p>For even more information on Object Lock, check out our <a href=\"https:\/\/www.backblaze.com\/docs-object-lock\" target=\"_blank\" rel=\"noopener\">Object Lock<\/a> overview in our <a href=\"https:\/\/www.backblaze.com\/docs\" target=\"_blank\" rel=\"noopener\">Technical Documentation Portal<\/a> as well as these how-tos about how to enable Object Lock using the Backblaze web UI, Backblaze B2 Native API, and the Backblaze S3 Compatible API:<\/p>\n<ul><li><a href=\"https:\/\/www.backblaze.com\/docs-enable-object-lock-or-a-legal-hold-on-an-existing-bucket\" target=\"_blank\" rel=\"noopener\">Enable Object Lock on an Existing Bucket<\/a><\/li>\n<li><a href=\"https:\/\/www.backblaze.com\/docs-enable-object-lock-with-the-native-api\" target=\"_blank\" rel=\"noopener\">Enable Object Lock With the Native API<\/a><\/li>\n<li><a href=\"https:\/\/www.backblaze.com\/docs-enable-object-lock-with-the-s3-compatible-api\" target=\"_blank\" rel=\"noopener\">Enable Object Lock With the S3 Compatible API<\/a><\/li><\/ul>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">What Is Object Lock?<\/h2>\n\n\n\n<p>In the simplest explanation, Object Lock is a way to lock objects (aka files) stored in Backblaze B2 so that they are <em>immutable<\/em>\u2014that is, they cannot be deleted or modified, for a given period of time, even by the user account that set the Object Lock rule. Backblaze B2\u2019s implementation of Object Lock was originally known as File Lock, and you may encounter the older terminology in some documentation and articles. For consistency, I\u2019ll use the term \u201cobject\u201d in this blog post, but in this context it has exactly the same meaning as \u201cfile.\u201d<\/p>\n\n\n\n<p>Object Lock is a widely offered feature included with backup applications such as <a href=\"https:\/\/www.backblaze.com\/cloud-storage\/integrations\/veeam\" target=\"_blank\" rel=\"noreferrer noopener\">Veeam<\/a> and <a href=\"https:\/\/www.backblaze.com\/cloud-storage\/integrations\/msp360\" target=\"_blank\" rel=\"noreferrer noopener\">MSP360<\/a>, allowing organizations to ensure that their backups are not vulnerable to deliberate or accidental deletion or modification for some configurable retention period.<\/p>\n\n\n\n<p>Ransomware mitigation is a common motivation for protecting data with Object Lock. Even if an attacker were to compromise an organization\u2019s systems to the extent of accessing the application keys used to manage data in Backblaze B2, they would not be able to delete or change any locked data. Similarly, Object Lock guards against insider threats, where the attacker may try to abuse legitimate access to application credentials.<\/p>\n\n\n\n<p>Object Lock is also used in industries that store sensitive or personal identifiable information (PII) such as banking, <a href=\"https:\/\/www.backblaze.com\/cloud-storage\/industries\/education\" target=\"_blank\" rel=\"noreferrer noopener\">education<\/a>, and <a href=\"https:\/\/www.backblaze.com\/cloud-storage\/industries\/health-science\" target=\"_blank\" rel=\"noreferrer noopener\">healthcare<\/a>. Because they work with such sensitive data, regulatory requirements dictate that data be retained for a given period of time, but data must also be deleted in particular circumstances.\u00a0<\/p>\n\n\n\n<p>For example, the General Data Protection Regulation (GDPR), an important component of the EU\u2019s privacy laws and an international regulatory standard that drives best practices, may dictate that some data must be deleted when a customer closes their account. A related use case is where data must be preserved due to litigation, where the period for which data must be locked is not fixed and depends on the type of lawsuit at hand.&nbsp;<\/p>\n\n\n\n<p>To handle these requirements, Backblaze B2 offers two Object Lock modes\u2014compliance and governance\u2014as well as the legal hold feature. Let\u2019s take a look at the differences between them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance Mode: Near-Absolute Immutability<\/h3>\n\n\n\n<p>When objects are locked in <strong>compliance<\/strong> mode, not only can they not be deleted or modified while the lock is in place, but <strong>the lock also cannot be removed<\/strong> during the specified retention period. It is not possible to remove or override the compliance lock to delete locked data until the lock expires, whether you\u2019re attempting to do so via the Backblaze web UI or either of the S3 Compatible or B2 Native APIs. Similarly, Backblaze Support is unable to unlock or delete data locked under compliance mode in response to a support request, which is a safeguard designed to address social engineering attacks where an attacker impersonates a legitimate user.<\/p>\n\n\n\n<p>What if you inadvertently lock many terabytes of data for several years? Are you on the hook for thousands of dollars of storage costs? Thankfully, no\u2014you have one escape route, which is to close your Backblaze account. Closing the account is a multi-step process that requires access to both the account login credentials and two-factor verification (if it is configured) and results in the deletion of all data in that account, locked or unlocked. This is a drastic step, so we recommend that developers create one or more \u201cburner\u201d Backblaze accounts for use in developing and testing applications that use Object Lock, that can be closed if necessary without disrupting production systems.<\/p>\n\n\n\n<p>There is one lock-related operation you <em>can<\/em> perform on compliance-locked objects: extending the retention period. In fact, you can keep extending the retention period on locked data any number of times, protecting that data from deletion until you let the compliance lock expire.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Governance Mode: Override Permitted<\/h3>\n\n\n\n<p>In our other Object Lock option, objects can be locked in <strong>governance<\/strong> mode for a given retention period. But, in contrast to compliance mode, the <strong>governance lock can be removed or overridden via an API call<\/strong>, if you have an application key with appropriate capabilities. Governance mode handles use cases that require retention of data for some fixed period of time, with exceptions for particular circumstances.<\/p>\n\n\n\n<p>When I\u2019m trying to remember the difference between compliance and governance mode, I think of the phrase, \u201cTwenty seconds to comply!\u201d, uttered by the ED-209 armed robot in the movie \u201c<a href=\"https:\/\/www.imdb.com\/title\/tt0093870\/?ref_=fn_al_tt_1\" target=\"_blank\" rel=\"noreferrer noopener\">RoboCop<\/a>.\u201d It turned out that there was no way to override ED-209\u2019s programming, with dramatic, and fatal, consequences.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"You have 20 seconds to comply.\" width=\"750\" height=\"422\" src=\"https:\/\/www.youtube.com\/embed\/Hzlt7IbTp6M?feature=oembed&#038;enablejsapi=1&#038;origin=https:\/\/bzatlasbluestg.wpenginepowered.com\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\">ED-209: as implacable as compliance mode.<\/figcaption><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Legal Hold: Flexible Preservation<\/h3>\n\n\n\n<p>While the compliance and governance retention modes lock objects for a given retention period, legal hold is more like a toggle switch: you can turn it on and off at any time, again with an application key with sufficient capabilities. As its name suggests, legal hold is ideal for situations where data must be preserved for an unpredictable period of time, such as while litigation is proceeding.<\/p>\n\n\n\n<p>The compliance and governance modes are mutually exclusive, which is to say that only one may be in operation at any time. Objects locked in governance mode can be switched to compliance mode, but, as you might expect from the above explanation, objects locked in compliance mode cannot be switched to governance mode until the compliance lock expires.<\/p>\n\n\n\n<p>Legal hold, on the other hand, operates independently, and can be enabled and disabled regardless of whether an object is locked in compliance or governance mode.<\/p>\n\n\n\n<p>How does this work? Consider an object that is locked in compliance or governance mode <em>and<\/em> has legal hold enabled:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the legal hold is removed, the object remains locked until the retention period expires.<\/li>\n\n\n\n<li>If the retention period expires, the object remains locked until the legal hold is removed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Object Lock and Versioning<\/h3>\n\n\n\n<p>By default, Backblaze B2 Buckets have versioning enabled, so as you upload successive objects with the same name, previous versions are preserved automatically. None of the Object Lock modes prevent you from uploading a new version of a locked object; the lock is specific to the object version to which it was applied.<\/p>\n\n\n\n<p>You can also hide a locked object so it doesn\u2019t appear in object listings. The hidden version is retained and can be revealed using the Backblaze web UI or an API call.<\/p>\n\n\n\n<p>As you might expect, locked object versions are not subject to deletion by lifecycle rules\u2014any attempt to delete a locked object version via a lifecycle rule will fail.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Use Object Lock in Applications<\/h2>\n\n\n\n<p>Now that you understand the two modes of Object Lock, plus legal hold, and how they all work with object versions, let\u2019s look at how you can take advantage of this functionality in your applications. I\u2019ll include code samples for Backblaze B2\u2019s S3 Compatible API written in Python, using the AWS SDK, aka Boto3, in this blog post. You can find <a href=\"https:\/\/www.backblaze.com\/docs-enable-object-lock-with-the-native-api\" target=\"_blank\" rel=\"noreferrer noopener\">details on working with Backblaze B2\u2019s Native API in the documentation<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Application Key Capabilities for Object Lock<\/h3>\n\n\n\n<p>Every application key you create for Backblaze B2 has an associated set of capabilities; each capability allows access to a specific functionality in Backblaze B2. There are seven capabilities relevant to object lock and legal hold.&nbsp;<\/p>\n\n\n\n<p>Two capabilities relate to bucket settings:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><code>readBucketRetentions&nbsp;<\/code><\/li>\n\n\n\n<li><code>writeBucketRetentions<\/code><\/li>\n<\/ol>\n\n\n\n<p>Three capabilities relate to object settings for retention:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li><code>readFileRetentions&nbsp;<\/code><\/li>\n\n\n\n<li><code>writeFileRetentions&nbsp;<\/code><\/li>\n\n\n\n<li><code>bypassGovernance<\/code><\/li>\n<\/ol>\n\n\n\n<p>And, two are specific to Object Lock:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"6\">\n<li><code>readFileLegalHolds&nbsp;<\/code><\/li>\n\n\n\n<li><code>writeFileLegalHolds&nbsp;<\/code><\/li>\n<\/ol>\n\n\n\n<p>The Backblaze B2 documentation contains full details of each capability and the API calls it relates to for both the <a href=\"https:\/\/www.backblaze.com\/docs-s3-compatible-app-keys\" target=\"_blank\" rel=\"noreferrer noopener\">S3 Compatible API<\/a> and the <a href=\"https:\/\/www.backblaze.com\/docs-application-key-capabilities\" target=\"_blank\" rel=\"noreferrer noopener\">B2 Native API<\/a>.<\/p>\n\n\n\n<p>When you create an application key via the web UI, it is assigned capabilities according to whether you allow it access to all buckets or just a single bucket, and whether you assign it read-write, read-only, or write-only access.<\/p>\n\n\n\n<p>An application key created in the web UI with read-write access to all buckets will receive <em>all<\/em> of the above capabilities. A key with read-only access to all buckets will receive <code>readBucketRetentions<\/code>, <code>readFileRetentions<\/code>, and <code>readFileLegalHolds<\/code>. Finally, a key with write-only access to all buckets will receive <code>bypassGovernance<\/code>, <code>writeBucketRetentions<\/code>, <code>writeFileRetentions<\/code>, and <code>writeFileLegalHolds<\/code>.<\/p>\n\n\n\n<p>In contrast, an application key created in the web UI restricted to a single bucket is not assigned <em>any<\/em> of the above permissions. When an application using such a key uploads objects to its associated bucket, they receive the default retention mode and period for the bucket, if they have been set. The application is <em>not<\/em> able to select a different retention mode or period when uploading an object, change the retention settings on an existing object, or bypass governance when deleting an object.<\/p>\n\n\n\n<p>You may want to create application keys with more granular permissions when working with Object Lock and\/or legal hold. For example, you may need an application restricted to a single bucket to be able to toggle legal hold for objects in that bucket. You can use the <a href=\"https:\/\/www.backblaze.com\/docs-command-line-tools\" target=\"_blank\" rel=\"noreferrer noopener\">Backblaze B2 CLI<\/a> to create an application key with this, or any other set of capabilities. This command, for example, creates a key with the default set of capabilities for read-write access to a single bucket, plus the ability to read and write the legal hold setting:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-background-color has-background\"><code>% b2 create-key --bucket my-bucket-name my-key-name listBuckets,readBuckets,listFiles,readFiles,shareFiles,writeFiles,deleteFiles,readBucketEncryption,writeBucketEncryption,readBucketReplications,writeBucketReplications,readFileLegalHolds,writeFileLegalHolds<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Enabling Object Lock<\/h3>\n\n\n\n<p>You must enable Object Lock on a bucket before you can lock any objects therein; you can do this when you create the bucket, or at any time later, but you cannot disable Object Lock on a bucket once it has been enabled. Here\u2019s how you create a bucket with Object Lock enabled:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">s3_client.create_bucket(\n    Bucket='my-bucket-name',\n    ObjectLockEnabledForBucket=True\n)<\/pre>\n\n\n\n<p>Once a bucket\u2019s settings have Object Lock enabled, you can configure a default retention mode and period for objects that are created in that bucket. Only compliance mode is configurable from the web UI, but you can set governance mode as the default via an API call, like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">s3_client.put_object_lock_configuration(\n    Bucket='my-bucket-name',\n    ObjectLockConfiguration={\n        'ObjectLockEnabled': 'Enabled',\n        'Rule': {\n            'DefaultRetention': {\n                'Mode': 'GOVERNANCE',\n                'Days': 7\n            }\n        }\n    }\n)<\/pre>\n\n\n\n<p>You cannot set legal hold as a default configuration for the bucket.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Locking Objects<\/h3>\n\n\n\n<p>Regardless of whether you set a default retention mode for the bucket, you can explicitly set a retention mode and period when you upload objects, or apply the same settings to existing objects, provided you use an application key with the appropriate <code>writeFileRetentions<\/code> or <code>writeFileLegalHolds<\/code> capability.<\/p>\n\n\n\n<p>Both the <code>S3 PutObject<\/code> operation and Backblaze B2\u2019s <code>b2_upload_file<\/code> include optional parameters for specifying retention mode and period, and\/or legal hold. For example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">s3_client.put_object(\n    Body=open('\/path\/to\/local\/file', mode='rb'),\n    Bucket='my-bucket-name',\n    Key='my-object-name',\n    ObjectLockMode='GOVERNANCE',\n    ObjectLockRetainUntilDate=datetime(\n        2023, 9, 7, hour=10, minute=30, second=0\n    )\n)<\/pre>\n\n\n\n<p>Both APIs implement additional operations to get and set retention settings and legal hold for existing objects. Here\u2019s an example of how you apply a governance mode lock:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">s3_client.put_object_retention(\n    Bucket='my-bucket-name',\n    Key='my-object-name',\n    VersionId='some-version-id',\n    Retention={\n        'Mode': 'GOVERNANCE',  # Required, even if mode is not changed\n        'RetainUntilDate': datetime(\n            2023, 9, 5, hour=10, minute=30, second=0\n        )\n    }\n)<\/pre>\n\n\n\n<p>The <code>VersionId<\/code> parameter is optional: the operation applies to the current object version if it is omitted.<\/p>\n\n\n\n<p>You can also use the web UI to view, but not change, an object\u2019s retention settings, and to toggle legal hold for an object:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"854\" src=\"\/wp-content\/uploads\/2023\/11\/Object-Lock_1_Enable-via-Web-UI.png\" alt=\"A screenshot highlighting where to enable Object Lock via the Backblaze web UI.\" class=\"wp-image-110454\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/Object-Lock_1_Enable-via-Web-UI.png 936w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/Object-Lock_1_Enable-via-Web-UI-300x274.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/Object-Lock_1_Enable-via-Web-UI-768x701.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Deleting Objects in Governance Mode<\/h3>\n\n\n\n<p>As mentioned above, a key difference between the compliance and governance modes is that it is possible to override governance mode to delete an object, given an application key with the <code>bypassGovernance<\/code> capability. To do so, you must identify the specific object version, and pass a flag to indicate that you are bypassing the governance retention restriction:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># Get object details, including version id of current version\nobject_info = s3_client.head_object(\n    Bucket='my-bucket-name',\n    Key='my-object-name'\n)\n\n# Delete the most recent object version, bypassing governance\ns3_client.delete_object(\n    Bucket='my-bucket-name',\n    Key='my-object-name',\n    VersionId=object_info['VersionId'],\n    BypassGovernanceRetention=True\n)<\/pre>\n\n\n\n<p>There is no way to delete an object in legal hold; the legal hold must be removed before the object can be deleted.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Protect Your Data With Object Lock and Legal Hold<\/h2>\n\n\n\n<p>Object Lock is a powerful feature, and with great power\u2026 you know the rest. Here are some of the questions you should ask when deciding whether to implement Object Lock in your applications:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What would be the impact of malicious or accidental deletion of your application\u2019s data?<\/li>\n\n\n\n<li>Should you lock <em>all<\/em> data according to a central policy, or allow users to decide whether to lock their data, and for how long?<\/li>\n\n\n\n<li>If you are storing data on behalf of users, are there special circumstances where a lock must be overridden?<\/li>\n\n\n\n<li>Which users should be permitted to set and remove a legal hold? Does it make sense to build this into the application rather than have an administrator use a tool such as the Backblaze B2 CLI to manage legal holds?<\/li>\n<\/ul>\n\n\n\n<p>If you already have a Backblaze B2 account, you can start working with Object Lock today; otherwise, <a href=\"https:\/\/www.backblaze.com\/sign-up\/cloud-storage?referrer=nopref\" target=\"_blank\" rel=\"noreferrer noopener\">create an account<\/a> to get started.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Object Lock can be a powerful tool to protect your data. Let&#8217;s look more closely about how and when to use it. <\/p>\n","protected":false},"author":174,"featured_media":110465,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[7,434,475,483],"tags":[468],"class_list":["post-110451","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-storage","category-featured-1","category-ransomware","category-tech-lab","tag-b2cloud","entry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Different Levels of Object Lock Control for Ransomware Protection<\/title>\n<meta name=\"description\" content=\"Learn how Object Lock safeguards your data against ransomware and ensures compliance. Discover its features, use cases, and implementation tips.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Different Levels of Object Lock Control for Ransomware Protection\" \/>\n<meta property=\"og:description\" content=\"Learn how Object Lock safeguards your data against ransomware and ensures compliance. Discover its features, use cases, and implementation tips.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/\" \/>\n<meta property=\"og:site_name\" content=\"Backblaze Blog | Cloud Storage &amp; Cloud Backup\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/backblaze\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-28T17:11:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-14T18:33:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1440\" \/>\n\t<meta property=\"og:image:height\" content=\"820\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Pat Patterson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@backblaze\" \/>\n<meta name=\"twitter:site\" content=\"@backblaze\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Pat Patterson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Different Levels of Object Lock Control for Ransomware Protection","description":"Learn how Object Lock safeguards your data against ransomware and ensures compliance. Discover its features, use cases, and implementation tips.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/","og_locale":"en_US","og_type":"article","og_title":"Different Levels of Object Lock Control for Ransomware Protection","og_description":"Learn how Object Lock safeguards your data against ransomware and ensures compliance. Discover its features, use cases, and implementation tips.","og_url":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/","og_site_name":"Backblaze Blog | Cloud Storage &amp; Cloud Backup","article_publisher":"https:\/\/www.facebook.com\/backblaze","article_published_time":"2023-11-28T17:11:45+00:00","article_modified_time":"2024-08-14T18:33:04+00:00","og_image":[{"width":1440,"height":820,"url":"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png","type":"image\/png"}],"author":"Pat Patterson","twitter_card":"summary_large_image","twitter_creator":"@backblaze","twitter_site":"@backblaze","twitter_misc":{"Written by":"Pat Patterson","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#article","isPartOf":{"@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/"},"author":{"name":"Pat Patterson","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/person\/a724a8aee97b6451107442747cd101a4"},"headline":"Digging Deeper Into Object Lock","datePublished":"2023-11-28T17:11:45+00:00","dateModified":"2024-08-14T18:33:04+00:00","mainEntityOfPage":{"@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/"},"wordCount":2285,"commentCount":0,"publisher":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#primaryimage"},"thumbnailUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png","keywords":["B2Cloud"],"articleSection":["Cloud Storage","Featured","Ransomware","Tech Lab"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/","url":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/","name":"Different Levels of Object Lock Control for Ransomware Protection","isPartOf":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#primaryimage"},"image":{"@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#primaryimage"},"thumbnailUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png","datePublished":"2023-11-28T17:11:45+00:00","dateModified":"2024-08-14T18:33:04+00:00","description":"Learn how Object Lock safeguards your data against ransomware and ensures compliance. Discover its features, use cases, and implementation tips.","breadcrumb":{"@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#primaryimage","url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png","contentUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png","width":1440,"height":820,"caption":"A decorative image showing data inside of a vault."},{"@type":"BreadcrumbList","@id":"https:\/\/www.backblaze.com\/blog\/digging-deeper-into-object-lock\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Digging Deeper Into Object Lock"}]},{"@type":"WebSite","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#website","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/","name":"Backblaze Cloud Solutions Blog","description":"Cloud Storage &amp; Cloud Backup","publisher":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization","name":"Backblaze","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/www.backblaze.com\/blog\/wp-content\/uploads\/2017\/12\/backblaze_icon_transparent.png?fit=512%2C512&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.backblaze.com\/blog\/wp-content\/uploads\/2017\/12\/backblaze_icon_transparent.png?fit=512%2C512&ssl=1","width":512,"height":512,"caption":"Backblaze"},"image":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/backblaze","https:\/\/x.com\/backblaze","https:\/\/www.youtube.com\/user\/Backblaze","https:\/\/en.wikipedia.org\/wiki\/Backblaze"]},{"@type":"Person","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/person\/a724a8aee97b6451107442747cd101a4","name":"Pat Patterson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2022\/01\/PatPatterson1920px-150x150.png","url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2022\/01\/PatPatterson1920px-150x150.png","contentUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2022\/01\/PatPatterson1920px-150x150.png","caption":"Pat Patterson"},"description":"Pat Patterson is the former chief technical evangelist at Backblaze. Over his three decades in the industry, Pat has built software and communities at Sun Microsystems, Salesforce, StreamSets, and Citrix. In his role at Backblaze, he creates and delivers content tailored to the needs of the hands-on technical professional, acts as the \u201cvoice of the developer\u201d on the Product team, and actively participates in the wider technical community. Outside the office, Pat runs far, having completed ultramarathons up to the 50 mile distance. Catch up with Pat via Bluesky or LinkedIn.","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/author\/pat\/"}]}},"jetpack_featured_media_url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2023\/11\/bb-bh-Object-Lock-Deep-Dive_Design-C-1.png","_links":{"self":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts\/110451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/users\/174"}],"replies":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/comments?post=110451"}],"version-history":[{"count":0,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts\/110451\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/media\/110465"}],"wp:attachment":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/media?parent=110451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/categories?post=110451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/tags?post=110451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}