11 Implementing Immutable Backups
Regulatory and cyber security requirements need "immutability", a feature that prevents backup deletion and modification by any user. "Immutable backups" are backups that cannot be deleted or modified. Some government regulations have specific rules for compliance retention and legal holds.
Recovery Appliance Immutable (Compliance) backups adhere to a recovery window compliance period that is set in the protection policy. The Recovery Appliance enforces the backup retention to recover to any point-in-time in the compliance period (e.g. 7 days).
In contrast, the recovery window goal spans the compliance period and beyond (e.g. a total of 30 days) to cover operational backup retention needs. The Recovery Appliance attempts to meet all of its goals using the available space, but does not strictly enforce them.
This section describes the different settings available in the Recovery Appliance to indicate which backups are immutable. By using these features, backups are prevented from being prematurely deleted by automated processes, by mistake, or by malicious users. Also, administrators and automated processes are prevented from adjusting the KEEP UNTIL time downward.
An immutable backup uses space that cannot be freed until the backup's immutability period ends (KEEP UNTIL) or the compliance condition (COMPLIANCE_HOLD) is removed. This might prevent new backups from being created on the system.
Compliance retention is an ongoing retention window and protection policy level setting. Legal hold is a temporary suspension of retention and expiration rules on individual database backups.
The KEEP and KEEP UNTIL attributes are also used with Archival Backups, another option for archiving to cloud or tape. An archival backup is a full backup that includes the archived logs required to recover the data file backups to a specific point in time, and it has a defined retention period.
Note:
The Oracle Zero Data Loss Recovery Appliance only enforces backup immutability within its own domain, that is, within its own storage. The Recovery Appliance cannot enforce backup immutability on tape or in the cloud; there, other services must take on the responsibility for enforcing the immutability of backups. The Oracle Zero Data Loss Recovery Appliance addresses immutable backups through attributes for Enterprise Manager Cloud Control, the APIs, the protection policies, and the jobs for backup to tape and cloud.
Legal Holds
A "legal hold" is a process that an organization uses to preserve all forms of potentially relevant information when litigation is pending or reasonably anticipated. When initiated, a legal hold requires that the organization suspend the normal disposition of obsolete records.
The Recovery Appliance administrator can create a legal hold on existing disk backups for specific databases. Backups on legal hold cannot be deleted by internal processes or administrator commands, until the hold is disabled.
This is configured by enabling the COMPLIANCE_HOLD attribute with UPDATE_DB for a specified database. The starting date for the hold must be within the recovery window currently available for the database. All backups from this date onwards are protected from being deleted. The metadata for those backups is assigned the COMPLIANCE_HOLD attribute, which prevents the backup from being deleted by automated processes or administrators. Legal hold backups are retained indefinitely until the hold is disabled. A legal hold is meant to be transient, not permanent, for a database.
COMPLIANCE_HOLD applies to the storage of the Recovery Appliance. Compliance hold backups on the Recovery Appliance that are archived to cloud or tape are treated as normal archived backups, including the deletion of obsolete backups (recovery_window_sbt). Therefore, to ensure a legal hold on cloud or tape, immutability settings must also be configured using the administrative interfaces for those locations. If a database is in COMPLIANCE_HOLD and the Recovery Appliance attempts to delete a backup piece on tape or cloud, the tape or cloud location grants or denies the request. If tape or cloud refuses to delete a piece, the pointer to the piece inside the Recovery Appliance is preserved. In this manner, all cloud and tape backup records are preserved in the Recovery Appliance, because the destination blocks any delete operations issued by the Recovery Appliance.
Note:
COMPLIANCE_HOLD can prevent the addition of new backups to the Recovery Appliance when backups associated with the legal hold fill up the storage of the Recovery Appliance, because old backups aren't "expiring" and having their storage reclaimed.
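The following PL/SQL block is an added example, not code from the Recovery Appliance documentation, showing how an administrator would place a database under the legal hold described above while first checking that the hold start date lies inside the available recovery window. The database name PRODDB, the 30-day window and the 5-day hold start are constructed sample values, and the parameter name compliance_hold on DBMS_RA.UPDATE_DB is an assumption that should be verified against the DBMS_RA package reference.

```sql
-- Added example (assumptions labelled): enable COMPLIANCE_HOLD on one database.
DECLARE
  v_db_name      VARCHAR2(30) := 'PRODDB';            -- constructed sample DB_UNIQUE_NAME
  v_window_days  PLS_INTEGER  := 30;                  -- recovery window currently available (sample)
  v_hold_start   DATE         := TRUNC(SYSDATE) - 5;  -- protect all backups from 5 days ago onward
BEGIN
  -- The hold start must fall within the recovery window currently available
  -- for the database; anything older cannot be placed on hold.
  IF v_hold_start < TRUNC(SYSDATE) - v_window_days THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Hold start date is older than the available recovery window');
  END IF;

  -- Assumed parameter: compliance_hold (DATE). Backups from this date onward
  -- receive the COMPLIANCE_HOLD attribute and cannot be deleted by automated
  -- processes or administrators until the hold is disabled.
  DBMS_RA.UPDATE_DB(
    db_unique_name  => v_db_name,
    compliance_hold => v_hold_start);

  DBMS_OUTPUT.PUT_LINE('Legal hold active on ' || v_db_name ||
                       ' from ' || TO_CHAR(v_hold_start, 'YYYY-MM-DD'));
END;
/
```

The hold only governs the Recovery Appliance's own storage; copies already archived to tape or cloud still need immutability configured at those destinations, and reserved space should be watched, since held backups are never reclaimed.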
Compliance Backup and Reserved Space
Reserved space is the minimum allotted space necessary for each database's backups. This space covers the backups needed to meet the recovery window goal. Depending on backup activity and total available space, the actual space used can be more than the reserved space.
For databases whose protection policy specifies compliance backups, the reserved space becomes the maximum space available under compliance. If backup activity is high and the total space needed to meet recovery window compliance exceeds the reserved space, backups will fail. The reserved space must then be increased so that backups continue to be received. Monitoring and adjusting the reserved space for hundreds or thousands of databases that grow and shrink over time is a challenge.
Auto-Tuned Reserved Space is a feature available for all databases, and it is especially beneficial for compliance backups. It automatically manages the reserved space for compliance backups and reduces administrator involvement in space management. The reserved space is automatically adjusted when a backup is received that exceeds the reserved space setting for that database.