What SnapLock is
SnapLock is a high-performance compliance solution for organizations that use WORM storage to retain files in unmodified form for regulatory and governance purposes. A single license entitles you to use SnapLock in strict Compliance mode, to satisfy external mandates like SEC Rule 17a-4, and a looser Enterprise mode, to meet internally mandated regulations for the protection of digital assets.
Differences between Compliance and Enterprise modes
SnapLock Compliance and Enterprise modes differ mainly in the level at which each mode protects WORM files:
Compliance-mode WORM files are protected at the disk level.
You cannot reinitialize a disk that contains Compliance-mode aggregates.
Enterprise-mode WORM files are protected at the file level.
A related difference involves how strictly each mode manages file deletes:
Compliance-mode WORM files cannot be deleted during the retention period.
Enterprise-mode WORM files can be deleted during the retention period by the compliance administrator, using an audited privileged delete procedure.
After the retention period has elapsed, you are responsible for deleting any files you no longer need. Once a file has been committed to WORM, whether under Compliance or Enterprise mode, it cannot be modified, even after the retention period has expired.
You cannot move a WORM file during or after the retention period. You can copy a WORM file, but the copy will not retain its WORM characteristics.
The following table shows the differences between SnapLock Compliance and Enterprise modes:
Capability | SnapLock Compliance | SnapLock Enterprise |
---|---|---|
Privileged delete | No | Yes |
Reinitialize disk | No | Yes |
Destroy SnapLock aggregate and volume during retention period | No | Yes |
Rename an aggregate or volume | No | Yes |
Non-Lenovo disks | No | Yes (with FlexArray Virtualization) |
Use SnapLock volume for audit logging | Yes | Yes, starting with ONTAP 9.5 |
Single-file SnapRestore | No | Yes |
SnapRestore | No | Yes |
FlexClone | You can clone SnapLock volumes, but you cannot clone files on a SnapLock volume. | You can clone SnapLock volumes, but you cannot clone files on a SnapLock volume. |
LUNs | No | No |
MetroCluster configurations | SnapLock Compliance or Enterprise aggregates are supported to host SnapLock audit log volumes on MetroCluster configurations, with the following limitation: All MetroCluster configurations support mirrored aggregates. | No |
Support FabricPools on SnapLock aggregates | No | Yes, starting with ONTAP 9.8 |
MetroCluster configurations and compliance clocks
MetroCluster configurations use two compliance clock mechanisms, the Volume Compliance Clock (VCC) and the System Compliance Clock (SCC). The VCC and SCC are available to all SnapLock configurations. When you create a new volume on a node, its VCC is initialized with the current value of the SCC on that node. After the volume is created, the volume and file retention time is always tracked with the VCC.
When a volume is replicated to another site, its VCC is also replicated. When a volume switchover occurs, from Site A to Site B, for example, the VCC continues to be updated on Site B while the SCC on Site A halts when Site A goes offline.
When Site A is brought back online and the volume switchback is performed, the Site A SCC clock restarts while the VCC of the volume continues to be updated. Because the VCC is continuously updated, regardless of switchover and switchback operations, the file retention times do not depend on SCC clocks and do not stretch.
Committing files to WORM
You can use an application to commit files to WORM over NFS or CIFS, or use the SnapLock autocommit feature to commit files to WORM automatically. You can use a WORM appendable file to retain data that is written incrementally, like log information.
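As an added illustration (not Lenovo's code), the sketch below shows how an application could commit a file over an NFS mount. It assumes the SnapLock convention, not spelled out on this page, that the file's last-access time carries the retention date and that removing write permission triggers the commit; `commit_to_worm` and `verify_commit` are hypothetical names.

```python
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone


def verify_commit(path, retain_until):
    """Read back what the filer would see: mode bits and the atime-encoded date."""
    st = os.stat(path)
    return {
        "read_only": not st.st_mode & 0o222,
        "retention_matches": int(st.st_atime) == int(retain_until.timestamp()),
    }


def commit_to_worm(path, retain_until):
    """Set the retention date via atime, then drop write bits to commit."""
    if retain_until.tzinfo is None:
        raise ValueError("retain_until must be timezone-aware")
    if retain_until <= datetime.now(timezone.utc):
        raise ValueError("retention date must be in the future")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_size == 0:
        # Assumption: an empty file means the writer has not finished.
        raise ValueError(f"{path}: empty file, refusing to commit")
    if not st.st_mode & 0o222:
        raise ValueError(f"{path}: already read-only")
    # Step 1 (assumed convention): atime carries the retention date; keep mtime.
    atime_ns = int(retain_until.timestamp()) * 10**9
    os.utime(path, ns=(atime_ns, st.st_mtime_ns))
    # Step 2: the read-write to read-only transition is the commit itself.
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~0o222)
    return verify_commit(path, retain_until)


if __name__ == "__main__":
    # Constructed sample: a local temp file stands in for a file on a SnapLock mount.
    with tempfile.TemporaryDirectory() as d:
        record = os.path.join(d, "trade-record.log")
        with open(record, "w") as f:
            f.write("constructed sample record\n")
        until = datetime.now(timezone.utc) + timedelta(days=7 * 365)
        print(commit_to_worm(record, until))
```

On a local filesystem this only changes the access time and permissions; the WORM lock itself is enforced by the SnapLock volume.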
Data protection
SnapLock supports data protection methods that should satisfy most compliance requirements:
You can use SnapLock for SnapVault to WORM-protect Snapshot copies on secondary storage.
You can use SnapMirror to replicate WORM files to another geographic location for disaster recovery.
Storage efficiency
Starting with ONTAP 9.9.1, SnapLock supports storage efficiency features, such as data compaction, cross-volume deduplication, and adaptive compression for SnapLock volumes and aggregates.
Encryption
Lenovo Data ONTAP offers both software-based and hardware-based encryption technologies for ensuring that data at rest cannot be read if the storage medium is repurposed, returned, misplaced, or stolen.
Disclaimer: Lenovo cannot guarantee that SnapLock-protected WORM files on self-encrypting drives or volumes will be retrievable if the authentication key is lost or if the number of failed authentication attempts exceeds the specified limit and results in the drive being permanently locked. You are responsible for ensuring against authentication failures.