We have moved away from tape recently and have started to rely on altavault with a copy on AWS S3. Recent crypto locker events and other account breaches in the media have highlighted that reliance on a single S3 bucket that could be maliciously deleted, an altavault that could spew corrupted data up to our S3 bucket or any other unlikely event is a single point of failure that we would like mitigate against.
One feature that has come up in our research is Glacier Vault Lock which would enbable us to move to using Glacier with our Altavault and then setting a WORM policy on the data. Does anyone use that and would it work with the altavault as I'm not sure how it ages data out or if it needs to update meta data etc from time to time.
Another option is to have a second stream of data from our comvault unit which would go into a different account AWS directly giving us the potential of a duplicate copy in a second AWS region from a different source.
What are others doing in this space and is there something I'm missing?
I will acknowledge that this doesn't necessarily answer the question about Altavault.. there are also data escrow options available for AWS from third parties, but they don't necessarily integrate with Altavault data shards.
But more generally, for primary data access, FAS NAS snapshots are essentially WORM from a client point of view - you can't modify them from client systems, but as you recognise, you can delete them from the cluster's admin interface.
For managing secondary copies on FAS, we have Snaplock functionality available on FAS as well - this technical report outlines the options available - this prevents even compromised admin accounts from damaging snapshot copies. We also have functionality in the new ONTAP 9.3 to support two factor authentication (2FA) providing for non-repudiation of admin actions, and even deleted volumes, if noticed quickly, can be recovered in some circumstances.