Ransomware and Cybersecurity

The Oracle Zero Data Loss Recovery Appliance is engineered for database ransomware protection. It has four key technology pillars:

  • Database Protection includes real-time transaction protection and end-to-end ransomware protection and immutability.

  • Recovery Assurance includes continuous backup validation, database protection monitoring, and high-speed database restore capabilities through a dedicated network.

  • Resilient Architecture is built on a foundation of compute and storage servers that stems from the Oracle Exadata engineered systems design methodology. The user model enforces separation of duties: the roles for databases, for the Recovery Appliance, and for any related appliances are segregated from each other. No single user can access a system for which they hold no privilege.

  • Immutable Backups prevent the backups themselves on a compromised system from being purged or deleted by internal processes or external users.

Ransomware: Today's Most Important Data Protection Topic

Ransomware is a type of malicious software, or malware, that encrypts a victim's data to make it unusable. A malicious cyber criminal holds the victim's data hostage with possible additional threats of data destruction or a public release until the victim pays the ransom. Ransomware has become the greatest threat to business survival in modern times that traditional High Availability (HA) and disaster recovery scenarios alone can't mitigate.

Databases typically contain the most critical and sensitive information of a company's operations. A few minutes or even a few seconds of a ransomware attack might corrupt hundreds to thousands of transactions. For mission-critical databases, if such attacks cause data loss and system downtime, the impact can reach throughout the business in terms of revenue, operations, reputation, and even penalties.

A typical ransomware attack that penetrates IT systems might start very innocuously as an email, a fake software upgrade alert, or some other kind of employee-targeted infiltration. It enters through access points that are known and common to employees.

The questions initially raised for IT: what processes are in place for securing credentials and access to downstream systems, and for disallowing unauthorized access through internal or employee-facing interfaces? Were these processes followed?

However, once this first level is breached, ransomware tries to steal additional privileged network access credentials both locally and domain-wide, with the goal of being able to access data. After it gets into a system and finds data, it can manipulate or publish that data for extortion purposes.

Once data is compromised, the next questions for IT become: what are the backup and patch strategies? Were these processes successfully followed?

Unfortunately, ransomware attacks can be so sophisticated that they can then move into the backups themselves. Production data is compromised as well as the backup infrastructure through connected NFS file shares or any kind of access point in which backups are made. It means that the last resort for data protection is potentially compromised.

The worst-case scenario is when infiltration passes all of the access levels and compromises both production and backup data, leaving no guarantee of data recovery. If the company's backup and recovery strategies were not tested, were incomplete, or could not be carried out, the company, out of desperation to get the production data back, resorts to paying the ransom. However, paying the ransom does not guarantee that the data can be recovered once it has been compromised.

Best Practices to Minimize Ransomware Risks

According to the Cybersecurity & Infrastructure Security Agency, the best practices to minimize ransomware risks are:

  • Back up your data, system images, and configurations. Test your backups. Keep the backups offline.
  • Utilize multi-factor authentication.
  • Update and patch systems.
  • Make sure your security solutions are up to date.
  • Review and exercise your incident response plan.

The Recovery Appliance has Resiliency and Recoverability from Cyber-Attacks

The Oracle Zero Data Loss Recovery Appliance is designed to be fault-isolated from the production database. If a cyber-attack hits the production database, the Recovery Appliance is not compromised. This solution stems from the following key architectural features:

  • End-to-End Data Validation

    Validation is key to detecting corrupt backup data throughout the backup lifecycle, but it is equally important for detecting cyber-attacked data.

    The Recovery Appliance validates all incoming, on-disk, and replicated backups for Oracle block correctness and recoverability. Any backup data damaged by a malware or ransomware attack is detected, recorded, and raised as an alert to the administrator. Action can then be taken in conjunction with the DBAs to disconnect the database from the network and investigate further.

    Furthermore, replicated backups cannot be deleted or modified by the primary appliance or its administrators. They are independently validated and managed by the replication Recovery Appliance. They are shielded from any effects of attacks done on the primary Recovery Appliance.

    As an alternative or supplementary protection strategy, backups can be archived to Oracle Cloud Storage as a secure location for secondary backup copies. This uses Oracle Key Vault as the key store for backup encryption keys. All backups remain encrypted in Cloud Storage. Users require access to both the Recovery Appliance and Oracle Key Vault to perform restore operations. The Recovery Appliance can also archive backups to fibre-attached tape libraries via Oracle Secure Backup. Tapes can then be shipped to and stored in an off-site, network-disconnected location that is impervious to cyber-attacks.

  • Air-Gapped Vault Backups

    With Recovery Appliance database-aware incremental-forever replication, the vault appliance is configured behind a firewall which has a window open only during certain times of the day. Recovery Appliance replication proceeds during those times to synchronize the vault appliance. When the firewall is closed, replication pauses. Upon the next open sync window, replication resumes. With incremental-forever replication, only the minimum amount of data is required to maintain full recoverability from the vault. Unlike with general-purpose storage appliances, no full backups are transmitted, which limits both the length of the sync window and the opportunity for malicious access to the vault.

    With a cyber vault deployment, you have a physically network-separated copy of the backups, which can be restored at any time, even if production systems are compromised. Recovery Appliances in the vault are independently managed, both in their access controls and in their policies for retention and other backup attributes. Full reporting is available on the Recovery Appliance, which is crucial for audit compliance purposes.

  • Separation of Duty

    Access to the system is controlled via strict separation of duty between DBA and Recovery Appliance administrator roles. DBAs are only given Virtual Private Catalog (VPC) user roles to back up and recover the databases they are privileged for. They cannot access, modify, or delete backups on the Recovery Appliance.

    Recovery Appliance administrators only have access to manage and monitor the system, but cannot back up, recover, or modify protected databases. The Recovery Appliance does not expose or allow creation of local users, databases, or other services.

  • Limited Network Access

    With regard to network protocols, VPC users can only connect to the appliance through SQL*Net. HTTPS is used for RMAN backup and restore traffic through the Recovery Appliance Backup Module. No other protocols are employed.

    The Recovery Appliance enforces network segregation with the support of VLAN tagged networks, allowing backup and restore traffic to be fully isolated and non-routable between protected databases’ specific network zones. In this way, any possibly affected backups would not be exposed to the rest of the enterprise.

  • Superior Resiliency

    The Recovery Appliance itself offers superior resiliency capabilities against cyber-attacks when compared with traditional backup devices. As an Oracle Engineered System built on Exadata hardware and storage, the Recovery Appliance inherits a resilient architecture that reduces the attack surface of the compute and storage servers. This includes:

    • hardened password policies

    • OS and DB user auditing

    • firewall support

    • Oracle ILOM (Integrated Lights Out Management)

  • Real-Time Monitoring & Audit Reporting

    Enterprise Manager provides a 360-degree view of database recoverability and system metrics. This includes an audit report of all system access and activities, such as changing retention policies or deleting database backups, which could be evidence of a malicious user.

  • Recovery With No Data Loss

    In the event that a database server is attacked and its backups must be recovered to a different server, the Recovery Appliance's real-time redo transport allows recovery to the very last transaction prior to the attack occurrence. This is especially important for cyber-attacks, such as ransomware, where paying the perpetrators does not always mean your data comes back in pristine condition. With the Recovery Appliance, you recover the database to a separate, safe location with no data loss and don't have to pay the ransom.
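The End-to-End Data Validation section above describes rechecking backup blocks at ingest, on disk, and after replication so that data damaged by an attack is detected rather than silently kept. The following is an added example, not Oracle's code and not the Recovery Appliance's actual block format: it models a backup piece as fixed-size blocks, each with an assumed header of block number plus SHA-256 of the payload, and keeps a separate catalog manifest of expected digests. Validation reports a block whose payload no longer matches its header (a blind overwrite or encryption of the data), and also a block whose header was rewritten to match new contents, which only the independently held manifest can catch. The block size, header layout, and the fault-injection helper are constructed for this example.

```python
import hashlib
import struct
from dataclasses import dataclass

BLOCK_SIZE = 4096                  # assumed block size for this example
HDR = struct.Struct("<I32s")       # assumed header: block number + SHA-256 of the payload
PAYLOAD_SIZE = BLOCK_SIZE - HDR.size


@dataclass(frozen=True)
class Finding:
    block: int       # index of the failing block, -1 for a piece-level problem
    reason: str


def _digest(payload: bytes) -> bytes:
    return hashlib.sha256(payload).digest()


def make_backup(num_blocks: int, seed: bytes = b"constructed-demo"):
    """Build a constructed backup piece and the catalog manifest of expected digests.
    The manifest stands in for checksums held independently of the backup data."""
    blocks, manifest = [], []
    for n in range(num_blocks):
        payload = hashlib.shake_256(seed + n.to_bytes(4, "little")).digest(PAYLOAD_SIZE)
        d = _digest(payload)
        blocks.append(HDR.pack(n, d) + payload)
        manifest.append(d)
    return blocks, manifest


def validate(blocks, manifest) -> list[Finding]:
    """Recheck every block: size, sequence number, embedded checksum, then the catalog copy.
    The same routine is meant to run at ingest, on a schedule over on-disk data,
    and again on the replica after replication."""
    findings = []
    if len(blocks) != len(manifest):
        findings.append(Finding(-1, f"expected {len(manifest)} blocks, found {len(blocks)}"))
    for idx, blk in enumerate(blocks):
        if len(blk) != BLOCK_SIZE:
            findings.append(Finding(idx, f"bad length {len(blk)}"))
            continue
        num, hdr_digest = HDR.unpack_from(blk)
        actual = _digest(blk[HDR.size:])
        if num != idx:
            findings.append(Finding(idx, f"sequence number {num} does not match position"))
        elif actual != hdr_digest:
            findings.append(Finding(idx, "checksum mismatch"))
        elif idx < len(manifest) and actual != manifest[idx]:
            findings.append(Finding(idx, "block does not match catalog"))
    return findings


def corrupt_block(blocks, idx, reseal=False, mask=0x5A):
    """Fault injection for the demo: overwrite one payload bytewise. With reseal=True the
    header checksum is recomputed as well, so only the catalog comparison can catch it."""
    out = list(blocks)
    payload = bytes(b ^ mask for b in out[idx][HDR.size:])
    num, hdr_digest = HDR.unpack_from(out[idx])
    if reseal:
        hdr_digest = _digest(payload)
    out[idx] = HDR.pack(num, hdr_digest) + payload
    return out


if __name__ == "__main__":
    good, manifest = make_backup(8)
    print("clean backup:   ", validate(good, manifest))
    print("blind overwrite:", validate(corrupt_block(good, 5), manifest))
    print("resealed block: ", validate(corrupt_block(good, 2, reseal=True), manifest))
```

The design point is the manifest: a checksum stored only inside the block proves the block was not damaged in transit or on disk, but it cannot distinguish legitimate data from data that was rewritten together with its header. Holding the expected digests where the writer of the backup cannot reach them is what makes validation useful against a deliberate attacker as well as against corruption, which is the same reason the page keeps replicated copies outside the primary appliance's control.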
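The Separation of Duty and Real-Time Monitoring & Audit Reporting sections above describe two controls that reinforce each other: VPC users may only back up and restore, appliance administrators may only manage and monitor, and the audit trail records actions such as retention changes or backup deletions that may indicate a malicious user. The following is an added example, not Oracle's code and not Enterprise Manager's audit format: it runs a small review over constructed audit lines and raises an alert when an action falls outside the acting role, when a retention policy is shortened, or when a backup deletion appears at all. The log layout, role and action names, user names, and timestamps are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Role model taken from the page: VPC users back up and restore, appliance
# administrators manage and monitor. Action names are constructed for the example.
ROLE_ALLOWED = {
    "vpc_user": {"backup", "restore"},
    "ra_admin": {"view_status", "change_retention", "add_storage"},
}
# Backups are meant to be immutable, so any deletion event is reviewed regardless of role.
ALWAYS_ALERT = {"delete_backup"}

# Constructed audit lines in an assumed "timestamp key=value ..." layout.
SAMPLE_AUDIT = """\
2024-05-01T02:15:00Z user=dba_hr role=vpc_user action=backup db=HRPDB
2024-05-01T02:40:00Z user=ra_ops role=ra_admin action=view_status
2024-05-01T03:05:00Z user=ra_ops role=ra_admin action=change_retention policy=GOLD old_days=90 new_days=7
2024-05-01T03:06:00Z user=ra_ops role=ra_admin action=delete_backup db=HRPDB
2024-05-01T03:10:00Z user=dba_hr role=vpc_user action=restore db=HRPDB
2024-05-01T03:12:00Z user=dba_hr role=vpc_user action=change_retention policy=GOLD old_days=7 new_days=1
2024-05-01T03:30:00Z user=ra_ops role=ra_admin action=change_retention policy=GOLD old_days=7 new_days=90
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    severity: str
    reason: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; unknown keys are kept as-is."""
    ts, _, rest = line.partition(" ")
    return {"ts": ts, **dict(_KV.findall(rest))}


def analyze(lines) -> list[Alert]:
    """Review audit records against the role model and flag suspicious activity."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        user, role, action = rec.get("user", "?"), rec.get("role", "?"), rec.get("action", "?")
        if action in ALWAYS_ALERT:
            alerts.append(Alert(rec["ts"], user,
                                "high", f"{action} on {rec.get('db', '?')} by role {role}"))
        elif action not in ROLE_ALLOWED.get(role, set()):
            # Unknown roles have no allowed actions, so they are flagged as well.
            alerts.append(Alert(rec["ts"], user, "medium", f"{action} outside the {role} role"))
        elif action == "change_retention":
            old, new = int(rec.get("old_days", 0)), int(rec.get("new_days", 0))
            if new < old:
                alerts.append(Alert(rec["ts"], user, "high",
                                    f"retention policy {rec.get('policy', '?')} shortened "
                                    f"from {old} to {new} days"))
    return alerts


def run_demo() -> list[Alert]:
    return analyze(SAMPLE_AUDIT.splitlines())


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts} [{a.severity}] {a.user}: {a.reason}")
```

Shortening retention is treated as seriously as a deletion because it achieves the same result on a delay: once the policy expires older copies, the recovery window the page relies on is gone. Lengthening retention (the last sample line) produces no alert, and the review is deliberately keyed on the role recorded in the event rather than the user name so that a privilege change shows up as an out-of-role action on the next line it affects.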