Software WORM: Immutability by Policy #

Software WORM means that an operating system, file system, or object store flags data as read-only for a retention period. Typical implementations:

  • Object lock in object storage (compliance and governance modes)
  • Retention flags at the file system level
  • Application-level locks in archive or DMS software

The protection is real as long as the software stack and its configuration are intact. The weaknesses are structural:

  1. Privileged override: In governance-mode configurations, accounts with the right permissions can shorten retention or remove locks. An attacker who compromises those credentials inherits that power.
  2. The layer below: Even where the lock itself is strict, the storage underneath is ordinary. Whoever controls the infrastructure can destroy volumes, reformat disks, or delete the bucket and its account.
  3. Log dependence: Misuse is detectable only through audit logs, and an attacker with sufficient privileges deletes the logs along with the data.

The chain is: change the policy, delete the data, delete the logs. Every link is a software operation, and software operations obey whoever holds the credentials.
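The three-step chain above is also what a defender can look for while the logs still exist. The following is an added example, not code from the article or from FAST LTA: a small detector that groups constructed, CloudTrail-style audit events (the record layout and the principal names are assumptions; the event names `PutObjectRetention`, `PutObjectLegalHold`, `DeleteObject`, `DeleteBucket`, `StopLogging` and `DeleteTrail` are real S3/CloudTrail operation names) by principal and flags a retention weakening followed, within a time window, by data destruction and then log tampering.

```python
"""Detect the 'weaken policy -> delete data -> delete logs' chain in audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on CloudTrail-style S3 records.
# Field names ("time", "principal", "event", "resource", "params") are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:10:00Z", "principal": "backup-admin", "event": "PutObjectRetention",
     "resource": "archive-bucket/ledger-2019.parquet",
     "params": {"Mode": "GOVERNANCE", "RetainUntilDate": "2024-05-01T00:00:00Z",
                "BypassGovernanceRetention": True}},
    {"time": "2024-05-01T02:12:30Z", "principal": "backup-admin", "event": "DeleteObject",
     "resource": "archive-bucket/ledger-2019.parquet", "params": {}},
    {"time": "2024-05-01T02:13:05Z", "principal": "backup-admin", "event": "DeleteBucket",
     "resource": "archive-bucket", "params": {}},
    {"time": "2024-05-01T02:20:00Z", "principal": "backup-admin", "event": "StopLogging",
     "resource": "trail/main", "params": {}},
    # Legitimate use: a compliance-mode lock being set, then a read. No finding expected.
    {"time": "2024-05-01T08:00:00Z", "principal": "app-svc", "event": "PutObjectRetention",
     "resource": "archive-bucket/invoice-7781.pdf",
     "params": {"Mode": "COMPLIANCE", "RetainUntilDate": "2034-05-01T00:00:00Z"}},
    {"time": "2024-05-01T08:01:00Z", "principal": "app-svc", "event": "GetObject",
     "resource": "archive-bucket/invoice-7781.pdf", "params": {}},
    # A lone legal-hold removal: worth a look, but not the full chain.
    {"time": "2024-05-01T09:00:00Z", "principal": "ops", "event": "PutObjectLegalHold",
     "resource": "archive-bucket/contract-42.pdf", "params": {"Status": "OFF"}},
]

DESTROY = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
LOG_TAMPER = {"StopLogging", "DeleteTrail"}
STAGE_ORDER = ("weaken", "destroy", "log_tamper")
SEVERITY = {1: "low", 2: "high", 3: "critical"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def stage_of(event):
    """Map one audit event to a chain stage, or None if it is not of interest."""
    name, params = event["event"], event.get("params", {})
    if name == "PutObjectRetention" and params.get("BypassGovernanceRetention"):
        return "weaken"            # governance-mode override in use
    if name == "PutObjectLegalHold" and params.get("Status") == "OFF":
        return "weaken"            # legal hold lifted
    if name in DESTROY:
        return "destroy"
    if name in LOG_TAMPER:
        return "log_tamper"
    return None


def find_chains(events, window=timedelta(hours=2)):
    """Return one finding per retention-weakening event, rated by how much of the
    chain the same principal completed within `window` after it."""
    by_principal = defaultdict(list)
    for event in events:
        stage = stage_of(event)
        if stage:
            by_principal[event["principal"]].append((parse_time(event["time"]), stage))

    findings = []
    for principal, staged in by_principal.items():
        staged.sort(key=lambda item: item[0])
        for index, (start, stage) in enumerate(staged):
            if stage != "weaken":
                continue
            seen = {"weaken": start}
            for when, later_stage in staged[index + 1:]:
                if when - start > window:
                    break
                seen.setdefault(later_stage, when)
            stages = [s for s in STAGE_ORDER if s in seen]
            findings.append({
                "principal": principal,
                "start": start.isoformat(),
                "stages": stages,
                "severity": SEVERITY[len(stages)],
            })
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["principal"], finding["stages"])
```

The window and the severity ladder are tuning choices; the point is that the detector keys on the privileged override (`BypassGovernanceRetention`, legal hold off) rather than on deletes alone, and that the `StopLogging`/`DeleteTrail` stage is the last signal you will get, which is why such alerts should be forwarded to a log store the same credentials cannot reach.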


Hardware WORM: Immutability by Design #

Hardware WORM enforces immutability in the storage system itself, below every operating system, hypervisor, and application:

  • Once written, data physically cannot be overwritten or deleted before the retention period expires
  • No administrator account, no root shell, and no stolen credential changes that
  • Integrity is verifiable at any time, without trusting the software stack above

Silent Cubes from FAST LTA implement this model for : hardware with redundant storage and erasure coding, designed for retention periods of 10 to 30 years and more. The German manufacturer (around 120 employees) has specialized in exactly this discipline: storage that holds up when an auditor or a regulator asks for proof.


What This Means in an Audit #

Regulators and auditors ask one core question: how do you guarantee that this record is unchanged since archiving?

  • Software WORM answer: “Our policies were configured correctly and no privileged account misused its rights.” That is an assertion about people and processes over the entire retention period.
  • Hardware WORM answer: “The storage system technically prevents modification, independent of credentials. Here is the verification.” That is a property of the system.

For records under statutory retention ( Art. 5(1)(f) integrity, MiFID II record-keeping, national bookkeeping rules such as the German ), the technical guarantee is the stronger evidence. Software WORM can satisfy auditors in low-risk settings with rigorous organizational controls, but the burden of proof stays with your processes.
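To make the contrast between the two answers concrete, here is an added example (not code from the article, and not an API of Silent Cubes or any other product) that models both the hardware-WORM properties listed under "Immutability by Design" and the audit question above. `HardwareWormModel` refuses overwrite and deletion before `retain_until` whatever principal asks, and its `verify()` recomputes SHA-256 digests against a manifest taken at ingest; `SoftwareWormModel` is the same store with the lock reduced to policy, so governance mode yields to a privileged bypass and the backend beneath the lock can be wiped. All names, roles and sample data are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

PRIVILEGED = {"storage-admin"}   # constructed role holding the governance-bypass permission


class RetentionViolation(PermissionError):
    """Raised when a write, overwrite or delete would breach retention."""


@dataclass(frozen=True)
class Record:
    data: bytes
    retain_until: datetime
    sha256: str


class HardwareWormModel:
    """Write-once; no overwrite or delete before retain_until for any principal;
    integrity verifiable on demand against digests recorded at ingest."""

    def __init__(self):
        self._records = {}    # key -> Record (stands in for the storage medium)
        self._manifest = {}   # key -> sha256 at write time (what an auditor is shown)

    def write(self, key, data, retain_until):
        if key in self._records:
            raise RetentionViolation(f"{key}: write-once, key already exists")
        digest = hashlib.sha256(data).hexdigest()
        self._records[key] = Record(data, retain_until, digest)
        self._manifest[key] = digest
        return digest

    def _expunge(self, key):
        del self._records[key]
        self._manifest.pop(key, None)

    def delete(self, key, now, principal="root"):
        rec = self._records[key]
        if now < rec.retain_until:
            raise RetentionViolation(
                f"{key}: retained until {rec.retain_until.date()}; "
                f"principal {principal!r} makes no difference")
        self._expunge(key)

    def verify(self):
        """Recompute every object's digest and compare with the ingest manifest.
        Returns {key: bool}; a missing object counts as a failure."""
        return {key: (rec := self._records.get(key)) is not None
                and hashlib.sha256(rec.data).hexdigest() == expected
                for key, expected in self._manifest.items()}

    def simulate_media_damage(self, key, data):
        """Stands in for damage below the lock (bit rot, a faulty block) so that
        verify() has something to catch. Constructed for this example only."""
        rec = self._records[key]
        self._records[key] = Record(data, rec.retain_until, rec.sha256)


class SoftwareWormModel(HardwareWormModel):
    """Same store, but the lock is policy: governance mode yields to a privileged
    bypass, and the backend beneath the lock can simply be wiped."""

    def __init__(self, mode):
        super().__init__()
        assert mode in ("governance", "compliance")
        self.mode = mode

    def delete(self, key, now, principal="root", bypass=False):
        rec = self._records[key]
        if now < rec.retain_until:
            if self.mode == "governance" and bypass and principal in PRIVILEGED:
                self._expunge(key)   # the privileged-override weakness
                return
            raise RetentionViolation(f"{key}: retained until {rec.retain_until.date()}")
        self._expunge(key)

    def wipe_backend(self):
        """The layer below: whoever controls the volume or bucket needs no lock API."""
        self._records.clear()


def _blocked(action):
    try:
        action()
        return False
    except RetentionViolation:
        return True


def demo():
    """Exercise both models; returns a dict of outcomes (constructed data)."""
    now, until, out = datetime(2024, 5, 1), datetime(2034, 5, 1), {}
    hw = HardwareWormModel()
    hw.write("ledger-2019.parquet", b"constructed ledger contents", until)
    out["hw_root_delete_blocked"] = _blocked(lambda: hw.delete("ledger-2019.parquet", now, "root"))
    out["hw_overwrite_blocked"] = _blocked(lambda: hw.write("ledger-2019.parquet", b"x", until))
    out["hw_verify_clean"] = hw.verify()["ledger-2019.parquet"]
    hw.simulate_media_damage("ledger-2019.parquet", b"constructed ledger contents!")
    out["hw_verify_after_damage"] = hw.verify()["ledger-2019.parquet"]
    out["hw_delete_after_expiry"] = not _blocked(
        lambda: hw.delete("ledger-2019.parquet", until + timedelta(days=1)))
    gov = SoftwareWormModel("governance")
    gov.write("invoice-7781.pdf", b"constructed invoice", until)
    out["gov_plain_delete_blocked"] = _blocked(lambda: gov.delete("invoice-7781.pdf", now, "storage-admin"))
    out["gov_bypass_delete_allowed"] = not _blocked(
        lambda: gov.delete("invoice-7781.pdf", now, "storage-admin", bypass=True))
    comp = SoftwareWormModel("compliance")
    comp.write("invoice-7781.pdf", b"constructed invoice", until)
    out["comp_bypass_blocked"] = _blocked(
        lambda: comp.delete("invoice-7781.pdf", now, "storage-admin", bypass=True))
    comp.wipe_backend()
    out["comp_verify_after_wipe"] = comp.verify()["invoice-7781.pdf"]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the model makes visible that the prose states: the compliance-mode lock holds against the bypass but not against `wipe_backend()`, which is the "layer below" problem, and `verify()` only tells an auditor what changed if the manifest lives somewhere the same credentials cannot rewrite, which is the property a hardware system provides by construction.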


What This Means in a Ransomware Incident #

Modern ransomware operators specifically target archives and backups before encryption. With admin credentials they disable software WORM locks where configurations allow it, or destroy the storage beneath them. Hardware WORM removes the target: there is no software path to the data’s integrity. Combined with air-gapped backups (Silent Brick System: galvanic separation with Max Air, physically removable bricks with Pro), the archive and the recovery copies are both out of the attacker’s reach.


Practical Guidance #

  • Use hardware WORM (Silent Cubes) for everything subject to statutory retention: financial records, invoices, contracts, patient data
  • Use software WORM as an additional layer where convenient, never as the sole protection for compliance data
  • Keep backups on a separate, air-gapped system; an archive is not a backup, and a backup is not an archive

Further Resources #

  • Guide (/en/blog/revisionssicherheit-leitfaden/)
  • Storage Fundamentals (/en/blog/worm-speicher-grundlagen/)
  • Technologies Compared (/en/blog/worm-technologien-vergleich/)
  • Silent Cubes: Hardware Archive Storage (/en/produkte/silent-cubes/)

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.