Ransomware and Cybersecurity
The Oracle Zero Data Loss Recovery Appliance is engineered for database ransomware protection. It rests on four key technology pillars:
- Database Protection: real-time transaction protection, end-to-end ransomware protection, and immutability.
- Recovery Assurance: continuous backup validation, database protection monitoring, and high-speed database restore over a dedicated network.
- Resilient Architecture: a compute and storage server foundation that follows the Oracle Exadata engineered systems design methodology. The user model enforces separation of duties: the roles for the protected databases, for the Recovery Appliance, and for any related appliances are segregated, so no single user can reach systems they are not privileged for.
- Immutable Backups: backups cannot be purged or deleted by internal processes or external users, even when the system that sent them has been compromised.
The Recovery Appliance has Resiliency and Recoverability from Cyber-Attacks
The Oracle Zero Data Loss Recovery Appliance is designed to be fault-isolated from the production database, so a cyber-attack that hits the production database does not carry over to the Recovery Appliance. This isolation stems from the following key architectural features:
- End-to-End Data Validation
The Recovery Appliance validates all incoming, on-disk, and replicated backups for Oracle block correctness and recoverability. Any backup data corrupted by malware or a ransomware attack is detected, recorded, and raised as an alert to the administrator, who can then work with the DBAs to disconnect the database from the network and investigate further.
Replicated backups cannot be deleted or modified by the primary appliance or its administrators. They are independently validated and managed by the replica Recovery Appliance, which shields them from the effects of any attack on the primary Recovery Appliance.
- Air-Gapped Vault Backups
With the Recovery Appliance's database-aware, incremental-forever replication, the vault appliance sits behind a firewall that is opened only during scheduled windows. Replication runs during those windows to synchronize the vault; when the firewall closes, replication pauses, and it resumes at the next open window. Because replication is incremental-forever, only the changed data needed to keep the vault fully recoverable is transmitted. Unlike with general-purpose storage appliances, no full backups cross the link, which keeps the sync window short and narrows the opportunity for malicious access to the vault. Note that this air gap is a scheduled network isolation rather than a physical disconnection, so the firewall schedule and the change control around it are part of the vault's security boundary.
- Separation of Duty
Access to the system is controlled by strict separation of duty between the DBA and Recovery Appliance administrator roles. DBAs are given only Virtual Private Catalog (VPC) user roles, which let them back up and recover the databases they are authorized for. They cannot access, modify, or delete backups on the Recovery Appliance.
Recovery Appliance administrators can manage and monitor the system but cannot back up, recover, or modify protected databases. The Recovery Appliance does not expose, or allow the creation of, local users, databases, or other services.
- Limited Network Access
At the protocol level, VPC users connect to the appliance only over SQL*Net, and RMAN backup and restore traffic travels over HTTPS through the Recovery Appliance Backup Module. No other protocols are used.
The Recovery Appliance supports VLAN-tagged networks for network segregation, so backup and restore traffic can be fully isolated within each protected database's network zone and is not routable between zones. Backups from an affected database are therefore not exposed to the rest of the enterprise.
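The RMAN session below is an added illustration, not code from Oracle's page or product documentation, of what the validation, separation-of-duty, and protocol points above look like from the DBA's side. The VPC user name (`vpc_orcl`), the appliance SCAN name and service (`ra-scan:1521/zdlra`), the wallet location, and the Backup Module library path are all assumed and must be replaced with site values. The catalog connection is the SQL*Net path; the channel allocated through `libra.so` is the Backup Module, which carries backup pieces over HTTPS. The appliance validates backups continuously on its own; the `VALIDATE` commands let the DBA independently confirm, using only the VPC role, that the backups the appliance would serve for a restore are physically and logically sound, while the same role cannot delete or modify them.

```sql
-- Added example (not from the Oracle page). Run with the RMAN client on the
-- protected database host. Assumed names: VPC user vpc_orcl, appliance service
-- ra-scan:1521/zdlra, wallet under /u01/app/oracle/wallet, Backup Module
-- library under $ORACLE_HOME/lib (path shown for a 19c home).

-- 1. Target = the protected database (OS authentication on the DB host).
CONNECT TARGET /

-- 2. Recovery catalog = the Recovery Appliance, reached over SQL*Net as the
--    VPC user. This role can back up and restore its own databases only;
--    the password is prompted for rather than written into the script.
CONNECT CATALOG vpc_orcl@ra-scan:1521/zdlra:dedicated

-- 3. Persistent channel through the Backup Module (HTTPS). The wallet holds
--    the VPC user's credentials so no password appears in scripts or in the
--    process list.
CONFIGURE DEFAULT DEVICE TYPE TO SBT_TAPE;
CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE'
  PARMS "SBT_LIBRARY=/u01/app/oracle/product/19.0.0/dbhome_1/lib/libra.so,
         ENV=(RA_WALLET='location=file:/u01/app/oracle/wallet
                         credential_alias=ra-scan:1521/zdlra:dedicated')";

-- 4. Incremental-forever: after the first level 0, only level 1 incrementals
--    and not-yet-backed-up archived logs are sent; the appliance assembles
--    virtual full backups from them.
BACKUP INCREMENTAL LEVEL 1
  DEVICE TYPE SBT_TAPE FILESPERSET 1 SECTION SIZE 64G
  DATABASE PLUS ARCHIVELOG NOT BACKED UP
  FORMAT '%d_%U';

-- 5. Independent restorability check from the DBA side. RMAN reads the
--    virtual full the appliance would serve for a restore and checks every
--    block (physical corruption always; CHECK LOGICAL adds intra-block
--    checks) without writing any datafile to disk.
RESTORE DATABASE VALIDATE CHECK LOGICAL;

-- 6. The same check for the archived logs needed to roll that restore
--    forward over the last day.
RESTORE ARCHIVELOG FROM TIME 'SYSDATE-1' VALIDATE;

-- 7. Confirm what the appliance catalog holds for this database.
LIST BACKUP OF DATABASE SUMMARY;
```

A `RESTORE ... VALIDATE` that reports corrupt blocks is the DBA-side counterpart of the appliance's own alert; either one is the trigger to isolate the database and investigate before trusting any further backups from that host.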
- Superior Resiliency
As an Oracle Engineered System built on Exadata hardware and storage, the Recovery Appliance inherits a resilient architecture that reduces the attack surface of its compute and storage servers. This includes:
  - hardened password policies
  - OS and DB user auditing
  - firewall support
  - Oracle ILOM (Integrated Lights Out Management)
Recovery With No Data Loss
If a database server is attacked and its backups must be recovered to a different server, the Recovery Appliance's real-time redo transport allows recovery to the last transaction shipped before the attack. Because the redo is held on the appliance, the DBA can also choose any earlier point in time as the recovery point, for example the last moment before the attacker's own transactions were committed.
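The two-part script below is an added example, not code from Oracle's page or documentation, showing the standard Data Guard-style redo transport parameters that ship redo to the appliance in real time, followed by the RMAN sequence for bringing the database up on a replacement server. The database name (`orcl`), its DBID, the appliance `DB_UNIQUE_NAME` (`zdlra`) and connect string (`ra-scan:1521/zdlra`), the VPC user, the wallet location, and the Backup Module library path are assumptions; the exact parameter set the appliance expects should be checked against the appliance's protected-database configuration guide.

```sql
-- Added example (not from the Oracle page). Assumed names: protected database
-- orcl (DBID 1234567890), appliance DB_UNIQUE_NAME zdlra reachable as
-- ra-scan:1521/zdlra, VPC user vpc_orcl with credentials in an Oracle wallet.

-- Part 1: on the protected database, as SYSDBA in SQL*Plus. Redo is shipped
-- to the appliance as it is generated, so the recoverable point becomes the
-- last transaction rather than the last archived log or backup.
ALTER SYSTEM SET REDO_TRANSPORT_USER = 'VPC_ORCL' SCOPE=SPFILE;  -- ships as the VPC role, not SYS; takes effect after restart
ALTER SYSTEM SET LOG_ARCHIVE_CONFIG = 'DG_CONFIG=(orcl,zdlra)' SCOPE=BOTH;
ALTER SYSTEM SET LOG_ARCHIVE_DEST_2 =
  'SERVICE="ra-scan:1521/zdlra:dedicated" ASYNC NOAFFIRM
   DB_UNIQUE_NAME=zdlra VALID_FOR=(ALL_LOGFILES,ALL_ROLES)' SCOPE=BOTH;
ALTER SYSTEM SET LOG_ARCHIVE_DEST_STATE_2 = ENABLE SCOPE=BOTH;

-- Check that the destination is shipping: STATUS should be VALID and ERROR empty.
SELECT dest_id, status, error FROM v$archive_dest WHERE dest_id = 2;

-- Part 2: on the replacement server, with the same Oracle release and the
-- Backup Module installed and the directory layout created. RMAN client.
CONNECT TARGET /
CONNECT CATALOG vpc_orcl@ra-scan:1521/zdlra:dedicated
SET DBID 1234567890;      -- identifies the attacked database in the appliance catalog
STARTUP NOMOUNT;          -- from a minimal init.ora; RESTORE SPFILE first if one is wanted
RUN {
  ALLOCATE CHANNEL c1 DEVICE TYPE SBT_TAPE
    PARMS "SBT_LIBRARY=/u01/app/oracle/product/19.0.0/dbhome_1/lib/libra.so,
           ENV=(RA_WALLET='location=file:/u01/app/oracle/wallet
                           credential_alias=ra-scan:1521/zdlra:dedicated')";
  RESTORE CONTROLFILE;    -- located through the appliance catalog, no autobackup search needed
  ALTER DATABASE MOUNT;
  -- If the attacker's own transactions were shipped as well, stop before them:
  -- SET UNTIL TIME "TO_DATE('2024-03-01 02:15:00','YYYY-MM-DD HH24:MI:SS')";
  RESTORE DATABASE;       -- served from the appliance's virtual full backup
  RECOVER DATABASE;       -- applies archived and real-time-shipped redo held on the appliance
  ALTER DATABASE OPEN RESETLOGS;
}
```

Without a `SET UNTIL`, `RECOVER DATABASE` applies every piece of redo the appliance holds and then reports that it cannot find the next log; on a server whose online redo logs were lost with the original host, that is the expected stopping point before `OPEN RESETLOGS`. The decision between "last transaction received" and an explicit earlier time is the one judgement call the DBA has to make from the incident timeline.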