“Immutable” isn’t just a buzzword anymore. Regulators still expect certain records to be non‑erasable for a set period, and attackers increasingly try to destroy backups before they launch extortion. That combination makes WORM (write‑once, read‑many) controls and reliable audit trails the foundation of a defensible archive.
On AWS, S3 Object Lock enforces WORM by preventing a protected object version from being overwritten or deleted until its retention period expires. You can also place a legal hold to freeze a version indefinitely, independent of any retention period. In compliance mode, no one can delete a locked version early, not even the account root user, and the retention period can be extended but never shortened. In governance mode, only principals holding the s3:BypassGovernanceRetention permission can shorten or remove protection, and they must explicitly ask to bypass in the request. Pair that with a DMS that handles retention rules, approvals and audit logs, and you have something both compliant and practical.
What WORM actually does
WORM is simple in spirit: write a record, then keep it exactly as written until you’re allowed to dispose of it. In S3, Object Lock works on versioned buckets and protects specific object versions, not a whole key. Two practical notes:
- Object Lock requires versioning and is a bucket‑level setting; the cleanest path is to enable both when you create the bucket. If you enable it on a bucket that already holds data, a default retention rule only applies to versions written after it is set, so existing versions stay unprotected until you apply retention to them explicitly.
- Once enabled, you can’t turn Object Lock off or suspend versioning later, and lifecycle rules can’t expire a locked version before its retention ends. Plan naming, lifecycle and costs before you flip the switch.
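To make those rules concrete, here is a small added example (our own illustrative model, not AWS code or an SDK call) that mirrors how S3 decides whether a delete or retention change is allowed: compliance mode refuses early deletion to everyone, governance mode yields only to a principal that both holds s3:BypassGovernanceRetention and explicitly asks to bypass (S3 requires the x-amz-bypass-governance-retention:true request header for that), a legal hold blocks deletion regardless of mode, and a delete without a version ID merely writes a delete marker. The class and method names, the principal model and the sample keys are assumptions made up for the example.

```python
# Toy model of S3 Object Lock decision rules: no boto3, no network. Class and
# method names are ours; the permission strings mirror the real IAM actions and
# bypass_governance stands in for the x-amz-bypass-governance-retention header.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GOVERNANCE, COMPLIANCE = "GOVERNANCE", "COMPLIANCE"

@dataclass
class ObjectVersion:
    key: str
    version_id: str
    body: bytes
    mode: Optional[str] = None            # None: no retention on this version
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

@dataclass
class Principal:
    permissions: frozenset = frozenset()  # IAM actions this caller is allowed

class LockedBucket:
    """Versioned bucket with Object Lock on; protection is per object version."""

    def __init__(self, default_mode=None, default_days=None):
        self.default_mode, self.default_days = default_mode, default_days
        self.versions, self.delete_markers, self._seq = {}, set(), 0  # (key, vid) -> version

    def put(self, key, body, now, mode=None, retain_until=None):
        """Write a new version; the bucket default retention applies if none is given."""
        self._seq += 1
        vid = f"v{self._seq}"
        if mode is None and self.default_mode:
            mode = self.default_mode
            retain_until = now + timedelta(days=self.default_days)
        self.versions[(key, vid)] = ObjectVersion(key, vid, body, mode, retain_until)
        return vid

    @staticmethod
    def _bypass_ok(who, flag):
        # Governance bypass needs the IAM permission AND the explicit request flag.
        return flag and "s3:BypassGovernanceRetention" in who.permissions

    def delete(self, who, key, now, version_id=None, bypass_governance=False):
        if version_id is None:
            # As in S3: a delete without a version ID only writes a delete marker;
            # every protected version stays readable through its version ID.
            self.delete_markers.add(key)
            return "DELETE_MARKER_ADDED"
        v = self.versions[(key, version_id)]
        if "s3:DeleteObjectVersion" not in who.permissions:
            return "ACCESS_DENIED"
        if v.legal_hold:
            return "ACCESS_DENIED"      # a hold blocks deletion whatever the mode
        if v.retain_until is not None and v.retain_until > now:
            if v.mode == COMPLIANCE:
                return "ACCESS_DENIED"  # nobody, root included, removes it early
            if v.mode == GOVERNANCE and not self._bypass_ok(who, bypass_governance):
                return "ACCESS_DENIED"
        del self.versions[(key, version_id)]
        return "DELETED"

    def set_retention(self, who, key, version_id, retain_until, bypass_governance=False):
        """Extending is always allowed; shortening needs governance mode plus bypass."""
        v = self.versions[(key, version_id)]
        if "s3:PutObjectRetention" not in who.permissions:
            return "ACCESS_DENIED"
        if v.retain_until is not None and retain_until < v.retain_until:
            if v.mode == COMPLIANCE or not self._bypass_ok(who, bypass_governance):
                return "ACCESS_DENIED"
        v.retain_until = retain_until   # retention mode changes are not modelled here
        return "OK"

    def set_legal_hold(self, who, key, version_id, on):
        if "s3:PutObjectLegalHold" not in who.permissions:
            return "ACCESS_DENIED"
        self.versions[(key, version_id)].legal_hold = on
        return "OK"

def object_lock_demo():
    """Constructed walk-through of the cases described in the text."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    bucket = LockedBucket(default_mode=GOVERNANCE, default_days=365)
    admin = Principal(frozenset(
        {"s3:DeleteObjectVersion", "s3:PutObjectRetention", "s3:PutObjectLegalHold"}))
    breakglass = Principal(admin.permissions | {"s3:BypassGovernanceRetention"})
    gov = bucket.put("finance/q1.pdf", b"ledger", t0)        # default: governance, 1 year
    comp = bucket.put("hr/exits.csv", b"rows", t0, COMPLIANCE, t0 + timedelta(days=7 * 365))
    out = {
        "unversioned_delete": bucket.delete(admin, "finance/q1.pdf", t0),
        "gov_no_bypass": bucket.delete(admin, "finance/q1.pdf", t0, gov),
        "gov_flag_no_perm": bucket.delete(admin, "finance/q1.pdf", t0, gov, True),
        "gov_perm_no_flag": bucket.delete(breakglass, "finance/q1.pdf", t0, gov),
        "comp_shorten": bucket.set_retention(breakglass, "hr/exits.csv", comp,
                                             t0 + timedelta(days=1), True),
        "comp_extend": bucket.set_retention(admin, "hr/exits.csv", comp,
                                            t0 + timedelta(days=10 * 365)),
        "comp_breakglass": bucket.delete(breakglass, "hr/exits.csv", t0, comp, True),
    }
    bucket.set_legal_hold(admin, "finance/q1.pdf", gov, True)
    out["gov_under_hold"] = bucket.delete(breakglass, "finance/q1.pdf", t0, gov, True)
    bucket.set_legal_hold(admin, "finance/q1.pdf", gov, False)
    out["gov_breakglass"] = bucket.delete(breakglass, "finance/q1.pdf", t0, gov, True)
    out["comp_after_expiry"] = bucket.delete(admin, "hr/exits.csv", t0 + timedelta(days=11 * 365), comp)
    return out
```

Run object_lock_demo() and look at the outcomes: the governance copy survives an admin with the flag but no permission, a break‑glass user with the permission but no flag, and anyone at all while a legal hold is on; it falls only to the break‑glass user who has both. The compliance copy cannot be shortened or removed by anyone until the clock runs out, even though its retention can still be extended.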
The SEC’s audit‑trail alternative (why some firms don’t need WORM everywhere)
The U.S. SEC modernised Rule 17a‑4 so broker‑dealers can comply either with traditional WORM or with an audit‑trail alternative. If you choose the latter, your system has to let you recreate the original record after any modification or deletion and produce the full, time‑stamped audit trail in a format the regulator can actually use. In other words, immutability or reconstructability—both are valid, but the second only works if your audit logging is robust and exportable.
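As an added illustration of what “reconstructable” means in practice (our own toy model, not a description of any vendor’s implementation or of the rule’s exact technical requirements), the following keeps every record version content‑addressed and appends each create, modify and delete to a time‑stamped, hash‑chained trail. Any version can be rebuilt as of a given time, the trail can be exported as JSON together with the versions it references, and editing a past entry breaks the chain. The hash chain is a design choice added here; the record IDs, actors and content are constructed sample data.

```python
# Toy model of an audit-trail archive; our own illustration, not any vendor's
# code. Record IDs, actors and content below are constructed sample data.
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64

def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode("utf-8")).hexdigest()

class AuditTrailStore:
    """Append-only, hash-chained trail over content-addressed record versions."""

    def __init__(self):
        self.entries = []   # the audit trail: only ever appended to
        self.blobs = {}     # sha256(content) -> content; old versions are kept

    def _append(self, record_id, action, actor, ts, content_hash):
        entry = {
            "seq": len(self.entries),
            "ts": ts.isoformat(),
            "record_id": record_id,
            "action": action,
            "actor": actor,
            "content_sha256": content_hash,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)   # covers every field above
        self.entries.append(entry)
        return entry

    def write(self, record_id, content, actor, ts):
        """Create or modify a record; the new version is added, old ones stay."""
        h = hashlib.sha256(content.encode("utf-8")).hexdigest()
        self.blobs.setdefault(h, content)
        seen = any(e["record_id"] == record_id for e in self.entries)
        return self._append(record_id, "modify" if seen else "create", actor, ts, h)

    def delete(self, record_id, actor, ts):
        """Logical delete: recorded in the trail, every prior version survives."""
        return self._append(record_id, "delete", actor, ts, None)

    def reconstruct(self, record_id, as_of=None):
        """Content of record_id as it stood at as_of (latest if None); None if deleted."""
        content = None
        for e in self.entries:
            if e["record_id"] != record_id:
                continue
            if as_of is not None and datetime.fromisoformat(e["ts"]) > as_of:
                break
            content = None if e["action"] == "delete" else self.blobs[e["content_sha256"]]
        return content

    def verify(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def export(self, record_id):
        """Regulator-facing bundle: the record's trail plus every version it cites."""
        trail = [e for e in self.entries if e["record_id"] == record_id]
        versions = {e["content_sha256"]: self.blobs[e["content_sha256"]]
                    for e in trail if e["content_sha256"]}
        return json.dumps({"record_id": record_id, "trail": trail, "versions": versions,
                           "chain_intact": self.verify()}, indent=2)

def audit_trail_demo():
    """Create, amend and delete a record, then reconstruct, export and tamper."""
    t = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    store = AuditTrailStore()
    store.write("TRADE-1001", "buy 100 XYZ @ 10.00", "alice", t)
    store.write("TRADE-1001", "buy 100 XYZ @ 10.05 (price corrected)", "bob", t + timedelta(hours=2))
    store.delete("TRADE-1001", "carol", t + timedelta(days=1))
    out = {
        "original": store.reconstruct("TRADE-1001", as_of=t + timedelta(hours=1)),
        "after_edit": store.reconstruct("TRADE-1001", as_of=t + timedelta(hours=3)),
        "latest": store.reconstruct("TRADE-1001"),
        "actions": [e["action"] for e in store.entries],
        "export_versions": len(json.loads(store.export("TRADE-1001"))["versions"]),
        "chain_ok_before": store.verify(),
    }
    store.entries[1]["actor"] = "mallory"   # simulate someone editing a past entry
    out["chain_ok_after_tamper"] = store.verify()
    return out
```

The point of the chain is that the export carries its own integrity check: a regulator (or your own auditor) can recompute it without trusting the system that produced it. In a real deployment the trail itself would live on storage you can’t rewrite, which is where the WORM layer and the audit‑trail route meet.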
A pragmatic architecture that passes audits
1) Policy and retention live in the DMS.
Build record series (finance, HR, contracts, operational logs) and apply rules that archive, recycle or delete on schedule. Keep holds for investigations or litigation. Your DMS is also where you capture approvals and acknowledgements so you can show who signed off on what and when.
2) Immutability at the storage layer, where it matters.
For regulated series or high‑risk content, store the files under Object Lock. Use compliance mode when nothing must override the clock; use governance mode when you need a gradual rollout and tightly controlled bypass, with s3:BypassGovernanceRetention granted only to a break‑glass role whose use is logged and reviewed.
3) End‑to‑end auditability.
Audits turn on evidence. Make sure every access, edit and retention event is logged and easy to export alongside the document. If you’re relying on the SEC’s audit‑trail route, test a full “record + audit trail” export before you ever need it.
4) Separation of duties and access hygiene.
Keep retention/hold administration separate from content owners. Enforce least‑privilege through SSO (Entra/Okta/Google) and run periodic access reviews. It’s boring—and it’s exactly what auditors look for.
Why this matters for ransomware
Modern ransomware playbooks include destroying snapshots and backups to force payment. Immutable copies short‑circuit that tactic: if an attacker can’t alter or delete protected versions, recovery is faster and the pressure to negotiate drops. One caveat: keep the locked copies under a separate account with its own credentials, so a compromised production admin doesn’t also hold the keys to the archive. None of this replaces good patching and monitoring, but it dramatically improves your odds on a bad day.
Buyer checklist
- Retention schedule per record series, enforced in the DMS
- Legal hold process with visible start/stop evidence
- Immutable storage (S3 Object Lock) for required or high‑risk series
- Audit‑trail exports that pair with the record and actually open on a regulator’s desktop
- SSO with least‑privilege groups and scheduled access reviews
- Documented restore tests (with dates, RTO/RPO notes and outcomes)
Common pitfalls
- Treating backups as archives. Backups are for operational recovery; archives are for compliance. You still need retention rules, metadata and holds at the DMS layer.
- Turning on Object Lock without a lifecycle plan. Buckets can’t be “un‑locked” later. Decide on naming, retention lengths and cost controls first.
- Relying on governance mode with loose IAM. If someone has bypass rights (s3:BypassGovernanceRetention, which a wildcard such as s3:* grants implicitly), you don’t really have immutability. Tighten permissions or use compliance mode.
- Choosing the audit‑trail route without real audit logs. If you can’t reconstruct the original or export a usable audit trail, you’re not compliant.
Putting this into action in Folderit
- Create record series and attach retention rules at folder or file level; use legal holds for investigations.
- Switch on approvals for policy changes and send acknowledgements for critical procedures to capture read receipts.
- Connect SSO (Microsoft Entra, Okta or Google) so access reviews are straightforward.
- Demonstrate a complete audit‑trail export and version history for a sample record—this is your show‑me moment in an audit.
Start a free Folderit trial and ask for the Immutable Archive blueprint: series‑based retention with legal holds, audit‑trail exports, SSO, and guidance on when to pair your DMS with S3 Object Lock (compliance vs governance) for regulated or high‑risk content.
Suggested internal reading
Crypto Ransomware Protection for Businesses
Document Archiving: What Is It and How To Do It
14 Essential Tips to Build a Comprehensive Document Retention Policy
Note: This article is general information, not legal advice. Always follow your regulator’s specific recordkeeping and retention rules.