We have moved away from tape recently and have started to rely on AltaVault with a copy on AWS S3. Recent crypto locker events and other account breaches in the media have highlighted that reliance on a single S3 bucket that could be maliciously deleted, an AltaVault that could spew corrupted data up to our S3 bucket, or any other unlikely event is a single point of failure that we would like to mitigate against.
One feature that has come up in our research is Glacier Vault Lock, which would enable us to move to using Glacier with our AltaVault and then set a WORM policy on the data. Does anyone use that, and would it work with the AltaVault? I'm not sure how it ages data out or if it needs to update metadata etc. from time to time.
Another option is to have a second stream of data from our Commvault unit which would go into a different AWS account directly, giving us the potential of a duplicate copy in a second AWS region from a different source.
What are others doing in this space and is there something I'm missing?
Cheers,