Enable Data Lock for accidental or malicious deletion of recovery points
Overview
Data Lock prevents modification, deletion, or tampering of business-critical data. Immutability has gained widespread attention with rising ransomware attacks that can adversely impact enterprise data security. When it comes to preserving your data in the event of a ransomware attack, immutable backups are a critical component of your organization’s business strategy and data recovery plan.
Once enabled at the policy level, the retention for immutable backups cannot be altered allowing enterprises to protect their data from a malicious insider. This is particularly significant when backups are under threat of modification or deletion, such as attempts by a rogue admin or in the event of credentials being compromised.
For more information on the use cases and benefits of this functionality, see Data Lock for Enterprise Workloads.
Enable Data Lock
You can enable Data Lock to protect backups at the policy level. You can enable Data Lock when creating a new policy or on an existing policy.
What happens when you enable Data Lock?
Once you apply Data Lock to the backup policy, you cannot:
- Disable the Data Lock setting in the backup policy.
- Delete the recovery points, backup sets, and backup policy.
- Edit the retention period in the backup policy.
- Associate another backup policy to the Data Lock-enabled backup set.
Considerations
- You cannot change the retention period after applying Data Lock to your backup policy. But you will be able to change the other options like backup schedule in the Data Lock-enabled backup policy.
- You cannot manually delete the backup policy, backup set, and recovery points in the backup set once you apply Data Lock to the backup policy or backup set.
- For an Azure VM backup set, you can change the associated backup policy to a different backup policy type only if the original backup policy is not enabled for Data Lock.
- Once you enable Data Lock, it will apply to historical and future recovery points. However, Data Lock does not apply to historical soft-deleted backup sets.
- If an Azure virtual machine is protected by a policy with data lock enabled, the VM cannot be reconfigured.
Consider an Azure VM configured by a data-lock enabled backup policy, deleting an auto configuration rule will set the backup sets to auto-disabled state. The VMs will then need to be protected via a manual configuration only.
Enabling Data Lock while creating a new backup policy
Important: Enabling Data Lock is an irreversible action. Data Lock will apply to historical and future recovery points.
- Log in to the Management Console and select your Organization.
- Click Protect and select Azure Virtual Machines.
- On the left pane, select Backup Policies, and then select New Backup Policy.
- Enter the Name and Description of the backup policy.
- Click Next and specify the backup schedule.
- Click Next, specify the retention details, and enable the Enable Data Lock toggle.
7. In the Enable Data Lock dialog box, read the conditions and proceed accordingly.
8. Click Next and then click Finish.
The backup policy is created with Data Lock enabled.
Note: For an Azure VM backup set, you can change the associated backup policy to a different backup policy type only if the original backup policy is not enabled for data lock.
Enabling Data Lock for an existing backup policy
Important: Enabling Data Lock is an irreversible action. Data Lock will apply to historical and future recovery points.
- Log in to the Management Console and select your Organization.
- Click Protect and select Azure Virtual Machines.
- On the left pane, select Backup Policies, and then enter the backup policy name in the Policy Name column.
- On the Summary page, in the Retention section, click Edit.
- Toggle the Enable Data Lock option.
- In the Enable Data Lock dialog box, read the conditions and proceed accordingly.
The Data Lock column displays whether it is enabled or disabled for each backup policy on the Backup Policies page.
In addition, you will see that the Data Lock is enabled in the Summary tab on the Backup Policies page.
Note: The green shield icon against a policy on the listing page indicates that Data Lock is enabled on the backup policy, and will apply to all backup sets configured with the policy.
Data Lock FAQs
Which licenses offer the Data Lock feature?
Elite and Enterprise customers will have a Data Lock option by default.
Will Data Lock impact the storage consumption of my data?
Enabling Data Lock in your backup policy will not impact storage consumption.
Can I manually delete Data Lock-enabled backup sets and recovery points?
No, once you enable Data Lock for the backup set, you cannot manually delete the backup policy or backup set.
Can I update the policy retention once I enable Data Lock?
Once you enable Data Lock, the backup retention criteria specified cannot be modified.
What happens if I delete an auto configuration rule associated with a VM that is protected by a data lock-enabled policy?
Deleting the auto configuration rule associated with a particular VM will discontinue new backups; however, existing backups are retained and will be available for restore. The VMs will then need to be protected via a manual configuration only.
However, if the VM is configured by a backup policy that has data-lock enabled, deleting the auto configuration rule will set the backup sets to auto-disabled state. A VM that has been data-locked cannot be reconfigured. If you need to reconfigure VMs in auto-disabled state (owing to deletion of a rule), you will need to raise a Support request to disable the data lock on the auto-disabled.
My backup set is mapped with a Data Lock-enabled backup policy. Can I associate another Data Lock-enabled backup policy to the same backup set?
You cannot modify the Data Lock-enabled backup policy associated with the backup set to another Data Lock-enabled backup policy.