Azure Storage Preconditions

This page provides the information required to provision your Azure Storage services for use by Luware Recording.

SUBJECT TO CHANGE

Please note this is an evolving service, with specifications subject to change in the future. This document will be maintained based on any future specification changes that pertain to the sections in this document (i.e. Microsoft Azure Storage Services specification changes by Microsoft).

At the time of writing, Azure Storage is the only supported storage framework for Luware Recording.

Supported Azure Storage Targets

This section details the types of Storage and Storage Settings supported by Luware Recording. This section assumes that you are familiar with the concepts of Azure Storage account services.

Luware Recording requires that you create your own Azure Storage Account for the storage of your recordings. Luware only supports blob containers for the secure upload and "data at rest" storage of recordings. File, Queue and Table Azure storage services are not supported.

Connecting to the Customer Storage

Azure Private Endpoints are the recommended method for Luware to access the customer storage. This method of connectivity to your Azure storage makes use of a dedicated private IP address for communication towards your Azure Storage Account. Public IP routing is not used in this method and therefore the data does not go over the public internet.

Luware will create and operate the private endpoint connection from Luware Recording to your Azure Storage Account. You must provide the Resource ID of the created Azure Storage Account for Luware to create the private endpoint connection. After creation, you will be requested to approve the private endpoint connection. 

Multi-Tenant Germany

NOTE

Please note that while this connectivity provides a more secure connection to your Azure Storage accounts, it will not provide any resiliency in the event Azure region Germany West Central experiences a failure.

Luware Recording Germany is deployed into Germany West Central and Germany North.

The Luware Recording services in Germany North will cache the recordings until Germany West Central is back online, at which point the recordings will be uploaded to the customer's Azure Storage Account via the private endpoint in Germany West Central.

Please see supported regions for Private Link services from Microsoft:

Azure Products by Region | Microsoft Azure

Multi-Tenant Switzerland

NOTE

Please note that while this connectivity provides a more secure connection to customers' Azure Storage accounts, it will not provide any resiliency in the event Azure region Switzerland North experiences a failure.

Luware Recording is deployed into Switzerland North and Switzerland West.

The Luware Recording services in Switzerland West will cache the recordings until Switzerland North is back online, at which point the recordings will be uploaded to the customer's Azure Storage Account via the private endpoint in Switzerland North.

Please see supported regions for Private Link services from Microsoft:

Azure Products by Region | Microsoft Azure

There is no need to configure Firewall Access Control Lists for Luware Recording IP addresses and/or VNETs against the customer Azure Storage Account. However, it is recommended to restrict access.

The private endpoint uses an IP address from the dedicated Private Endpoint Luware Recording VNet address space. Network traffic between the Luware Recording VNet and your storage account traverses the VNet and a private link on the Microsoft backbone network, eliminating exposure to the public internet.

The Private Endpoint created will be approved by you to only allow access from the Luware Private IP Address space hosted in the Azure VNET.

🔍 Also see Azure Storage Private Endpoints.

Azure Storage Account Creation Guidance

The following sections provide guidance on how to create the Azure Storage Account. For any Azure Storage specific queries not covered in the following sections, we recommend you contact your Azure specialists for assistance.

Basics

This section refers to the initial input values requested by Azure Portal for the initial creation of the Azure Storage Account.

Project Details

Field | Options
Subscription | Customer selects the Azure Subscription
Resource Group | Customer selects the resource group

Instance Details

Field | Options
Storage Account Name | Customer selects a name for the Storage Account
Region | Customer selects the region where data will be stored
Primary Service | Azure Blob Storage or Azure Data Lake Storage Gen 2
Performance | Standard (Recommended)*, Premium
Redundancy | LRS: Locally Redundant Storage (Low Cost); GRS: Geo-Redundant Storage (Recommended)**
Make Read Access to data available | Enabled***

* The Luware Recording application supports Standard performance level. If Premium is selected, only Block Blobs are supported.

** Geo-Redundant storage creates a read-only copy in a paired Azure region providing additional resiliency in case of Azure region data loss.  Luware recommends compliance data is stored in a GRS enabled Azure Storage Account.

*** Luware Recording will not be able to utilize the read-only GRS region in the event of a regional outage as the private endpoint connectivity is only available in the primary region. 

Advanced

Security

Luware recommends you review security options with your internal Azure security teams.

Field | Value
Require secure transfer for REST API operations | Enabled
Allow enabling anonymous access on individual containers | Disabled
Enable Storage Account Access Key | Enabled
Default to Azure Active Directory authorization in the Azure Portal | Disabled
Minimum TLS Version | Version 1.2
Permitted scope for copy operations (Preview) | From storage accounts in the same Microsoft Entra Tenant (Recommended)*

* It's recommended to limit copy operations to storage accounts within the same Microsoft Entra tenant. This option does not impact Luware Recording.

Hierarchical Namespace

Field | Value
Enable hierarchical namespace | Disabled

Blob Storage

The access tier selection is the choice of the customer based on how the Luware Recording platform will be utilized. For example, if data is captured but not regularly played back, exported or accessed via APIs over a period of 12 months, you can reduce cost by moving to cold storage.

  • Hot: Optimized for frequently accessed data. The cost of storage is high, but the cost of access, writes and modifications is reduced.
  • Cool: Optimized for infrequently accessed data and backup scenarios. Costs are averaged out between storage and reads, writes and modifications.
  • Cold: Optimized for rarely accessed data and backup scenarios. The cost of storing data is low; however, the cost of reads, writes and modifications is high.

Luware recommends reviewing the Azure Cost Calculator to select the default access tier. In most customer use cases, the cold access tier provides the lowest Microsoft pricing. Luware recommends customers review the Azure Cost Analysis portal regularly to find potential cost savings by changing the default access tier.

Field | Value
Allow cross-tenant replication | Disabled
Access Tier | Hot, Cool or Cold (Recommended)

🔍 Also see Blob Storage Tiers.

Azure Files

Field | Value
Enable large file shares | Enabled (Default)

Networking

Network Connectivity

Field | Value
Network Access | Disable public access and use private access*

* When disabling Public Network Access to the Azure Storage Account, you will not have access to the containers within the Azure Storage Account. If you require this access, you must enable access from Selected Virtual Networks and IP Addresses, and specify your current IP address under the Firewall options. It is highly recommended that Disable Public Access is re-enabled after the container is created.

Network Routing

Field | Value
Routing Preference | Microsoft network routing

Data Protection

Recovery

Luware Recording does not require any of the recovery options for accidental or erroneous deletion or modification. However, if you are not confident in setting up Role Based Access Control to prevent actions on the storage account, soft delete for containers should be enabled at a minimum. Enabling these features does have a significant cost impact.

Field | Value
Enable point-in-time restore for containers | Disabled
Enable soft delete for blobs | Disabled
Enable soft delete for containers | Disabled*
Enable soft delete for file shares | Disabled

* Enabling soft delete for containers protects against accidental deletion or modification of the container where captured recordings will be stored. This can be set to enabled with 30 days retention in case of accidental deletion. 

Tracking

Version-Level Immutability support, also known as file-level retention, provides Write Once Read Many (WORM) storage, also known as Non-Erasable Non-Rewriteable (NENR) storage, for storage accounts and files. To use it, it's recommended to enable both Versioning for Blobs and Version-Level Immutability support. The Version-Level Immutability Support feature provides additional protection for your files by leveraging Azure's retention policies. Here’s what happens when the checkbox to enable this feature is selected:

  • File Locking: When enabled, Luware Recording will lock the uploaded file versions on Azure by applying the retention period configured within the Luware Recording upload policy.
  • Retention Period: During the retention period, the locked version of the file:
    • Cannot be deleted or modified, even by an Azure Admin.
    • Remains immutable until the retention period expires.
    • Retention cannot be reduced but can be increased using a Luware Recording policy.

This ensures that your files are protected against accidental or intentional deletion.

Important Note: Once a file version is locked, it cannot be edited or removed, and its retention cannot be reduced, until the specified retention period ends. Ensure you understand the implications before enabling this feature, as even administrators cannot override the immutability during the retention period.


For more detailed information on Azure's retention policies and immutability, refer to the official Microsoft documentation.

Field | For Quality Recording | For Compliance Recording
Enable versioning for blobs | Optional* | Enabled
Enable version-level immutability support | Optional* | Enabled

* For customers that capture records for quality purposes and need to delete captured files due to data privacy regulations such as GDPR, these options can be disabled. For compliance recording customers that need WORM/NENR storage locations, these options should be enabled. The database records can still be deleted on request, but the files cannot be removed until the end of retention date has been reached.

Encryption

Field | Value
Encryption type | Microsoft-managed key (MMK) (Recommended), Customer Managed Keys*
Enable support for customer-managed keys | Blobs and files only
Enable infrastructure encryption | Enabled (Recommended), Disabled

* Contact your internal Azure specialists for setting up customer managed keys.
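
The recommended values from the Basics, Advanced, Networking, Tracking and Encryption tables above can be checked against an account that already exists. The following is an added example, not Luware or Microsoft code: it compares the JSON printed by `az storage account show` with those values and confirms the private endpoint connection is approved. The property names are assumed to match your Azure CLI version, and SAMPLE is constructed.

```python
import json

# Recommended values from the tables on this page. Keys are the property names
# printed by `az storage account show` (assumed; verify against your CLI version).
RECOMMENDED = {
    "sku.name": "Standard_RAGRS",            # GRS with read access
    "enableHttpsTrafficOnly": True,          # secure transfer required
    "allowBlobPublicAccess": False,          # no anonymous container access
    "allowSharedKeyAccess": True,            # Luware Recording uses access key #1
    "minimumTlsVersion": "TLS1_2",
    "isHnsEnabled": False,                   # hierarchical namespace off
    "allowCrossTenantReplication": False,
    "publicNetworkAccess": "Disabled",
    "encryption.requireInfrastructureEncryption": True,
}
COMPLIANCE_ONLY = {"immutableStorageWithVersioning.enabled": True}

def lookup(doc, dotted):
    """Walk a dotted path; return None when any level is absent or null."""
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def deviations(account, compliance=False):
    """Return (setting, actual, recommended) for every value that differs.
    Absent or null settings are reported too, so the default gets reviewed."""
    wanted = {**RECOMMENDED, **(COMPLIANCE_ONLY if compliance else {})}
    found = [(k, lookup(account, k), v) for k, v in wanted.items()
             if lookup(account, k) != v]
    # Every private endpoint connection must have been approved by the customer.
    conns = account.get("privateEndpointConnections") or []
    states = [lookup(c, "privateLinkServiceConnectionState.status") for c in conns]
    if not conns or any(s != "Approved" for s in states):
        found.append(("privateEndpointConnections", states, ["Approved"]))
    return found

# Constructed sample, shaped like `az storage account show` output.
SAMPLE = json.loads("""{
  "sku": {"name": "Standard_LRS"}, "enableHttpsTrafficOnly": true,
  "allowBlobPublicAccess": false, "allowSharedKeyAccess": true,
  "minimumTlsVersion": "TLS1_0", "isHnsEnabled": false,
  "allowCrossTenantReplication": false, "publicNetworkAccess": "Enabled",
  "encryption": {"requireInfrastructureEncryption": true},
  "privateEndpointConnections": [
    {"privateLinkServiceConnectionState": {"status": "Pending"}}]}""")

if __name__ == "__main__":
    for setting, actual, recommended in deviations(SAMPLE, compliance=True):
        print(f"{setting}: found {actual!r}, page recommends {recommended!r}")
```

Standard_LRS is supported by the page as the low-cost option, so a deviation on `sku.name` is a prompt to confirm the choice rather than a misconfiguration.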

Storage Capacity Calculations

The number of recorded users, the number of recorded conversations per average working day, and the retention settings of data at rest (for example, delete after 30 days) directly affect the sizing considerations that need to be made for the Azure Storage Account created for this service.

The information below is intended to aid the customer in storage sizing estimations and cost estimations per GB consumed in Azure.

  • Audio Conversations:
    • Codec: GSM-FR
    • File size: 5.5 MB per hour
    • Audio Container: .wav
    • Metadata Container: .xml
    • Number of files: 4 with encryption, 2 without encryption.
  • Video and Screen Share Conversations:
    • Codec: .VMF
    • File Size: Average 1.05 GB (Depends on number of captured video streams)
    • Video Container: .VMF
    • Metadata container: .xml
    • Number of files: 4 with encryption, 2 without encryption.
  • File Attachments:
    • Container: Product specific containers, such as .pptx, .docx, .xlsx
    • File Size: Depends on the file size shared.

The data at rest storage figures above can then be used to calculate the overall storage space required.

Multi-Tenant Germany

It is important to note that Luware Recording is 2N. This means the above calculations will need to be doubled to account for the primary and secondary recordings of each conversation recorded. This does not apply to chat and attachment recording, which are 1N.
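
How the audio figure, the retention setting and the 2N doubling combine into an estimate, as an added example that is not part of Luware's documentation: it simulates daily uploads and retention-based deletion to find the peak audio data at rest. The hours-per-user input, the Monday-to-Friday recording pattern and the 1 GB = 1000 MB conversion are assumptions of this example.

```python
from collections import deque

AUDIO_MB_PER_HOUR = 5.5   # GSM-FR figure from the list above


def peak_audio_storage_gb(users, hours_per_user_per_day, retention_days,
                          copies=2, horizon_days=365):
    """Peak audio data at rest, in GB, once retention-based deletion is running.

    copies=2 reflects the 2N note (primary and secondary recording).
    Assumptions of this example: recording happens Monday to Friday only,
    every file is deleted exactly retention_days after upload, 1 GB = 1000 MB.
    """
    daily_mb = users * hours_per_user_per_day * AUDIO_MB_PER_HOUR * copies
    window = deque()          # ingest per calendar day still under retention
    stored = peak = 0.0
    for day in range(horizon_days):
        ingest = daily_mb if day % 7 < 5 else 0.0   # days 5 and 6 are the weekend
        window.append(ingest)
        stored += ingest
        if len(window) > retention_days:
            stored -= window.popleft()              # retention period expired
        peak = max(peak, stored)
    return peak / 1000


if __name__ == "__main__":
    # 100 recorded users, 2 recorded hours each per working day, 30-day retention
    print(f"{peak_audio_storage_gb(100, 2, 30):.1f} GB")
```

A 30-day calendar retention window holds at most 22 working days of uploads, which is why the peak is lower than 30 times the daily volume.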


Encryption and Signing

Luware Recording natively encrypts and signs all recorded conversation files before uploading them to the customer's Azure Storage Account. This is done using a certificate and private key installed on the Luware Recording infrastructure which will be used for encryption and signing of every conversation. As the encryption of the records is done natively within Luware Recording, this ensures that the records are encrypted in transit and at rest.

Luware recommends that the customer provides their own certificate. This ensures that the customer's records are encrypted and signed using their own certificate, and can easily be decrypted outside of Luware Recording if necessary. Luware will require the certificate and private key in order to encrypt all calls. The customer's certificate and private key will be stored within Luware Recording securely. This certificate will then be used to encrypt and sign files as they are uploaded to the customer's Azure Storage, as well as decrypt and verify the files during playback.

The certificate requirements are as follows:

  • Certificates must have RSA keys (512, 1024, 2048, 4096)
  • Supports SHA-512 and SHA-256
  • Certificates used for encryption and signing must be valid, not expired or revoked
  • All certificates used at any time (even if expired) must be available to provide decryption and validation for any recording
  • Certificates for encryption must have a private and a public key 
  • The Private Key MUST be marked as Exportable

KEEP CERTIFICATES

Certificates, even if expired, must be kept permanently for decryption. If the private key is removed, files will not be decryptable anymore.

Please note: SHA-512 is used for the digest for encryption and RSA is used for the signing of the files (please note RSA Key length is governed by the issuing certificate authority).

The playback and read of the encrypted conversations is performed via the Luware Recording Web Portal. When a user signs in and requests the playback of a record, Luware will request the download of a copy of the record from the customer's storage target. The conversation will be downloaded and decrypted within Luware Recording and presented for playback to the user. Luware Recording will temporarily cache the downloaded records; these will then be deleted from Luware Recording but remain in the customer's storage target.

Should the customer not wish to use their own certificate, Luware can create a Luware signed certificate for the encryption and signing of all the records. This will mean that the customer has no access to the certificate, however, subject to additional service fees, Luware can decrypt the files stored on a customer’s storage in the event they need to be played back/read using a 3rd party tool.

Customer Azure Storage Details

In order for Luware Recording to upload the records to your storage target, the below information is required from your storage account:

  • Azure Storage Account Name
  • Azure Storage Blob Container Name
  • Azure Storage Account Access Key #1
  • Azure Storage Resource ID

These details are required so that Luware Recording can securely upload and download the records to/from your storage target. As some of the required information is sensitive, please arrange with your point of contact at Luware a method to securely transfer this information. The Storage Access Key will only be stored in encrypted format in Luware Recording and will not be stored in plain text anywhere within Luware.

Should you rotate the Storage Account Access keys, please inform Luware Support of the new key before the provided key expires.


Luware Support

Luware Website https://luware.com/support/
Luware Helpdesk https://helpdesk.luware.cloud
Cloud Service Status https://status.luware.cloud/