
Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.

In recent years, ransomware has stopped being a matter of encrypting individual files and has grown into large, multi-stage campaigns that cause severe damage. Advanced Persistent Threats (APTs) and ransomware groups now deliberately target backup repositories and database archives. If an attacker compromises your primary database and then deletes or encrypts your backups as well, the loss is catastrophic.

For Database Administrators (DBAs) and DevOps leads, the traditional 3-2-1 backup rule is no longer enough. To keep data from being lost, infrastructure teams must adopt the 3-2-1-1 rule, where the final "1" stands for an immutable copy.

This article shows how to design, configure and manage immutable storage for database archives so that your backups are well protected against ransomware.

How Immutable Storage Works

Immutable storage is built on the Write-Once-Read-Many (WORM) model. Once a file has been written to an immutable target, nobody can modify, delete or overwrite it, not an administrator with root privileges and not a compromised service account, until the retention period expires.

Compliance Mode vs. Governance Mode

When you configure immutability, especially on cloud object storage (AWS S3, Azure Blob, or S3-compatible on-premises SANs), you need to understand these two modes:

  • Governance Mode: Prevents ordinary users from deleting files. However, users holding specific IAM permissions (such as s3:BypassGovernanceRetention) can override the lock. This is fine for testing, but it is not adequate for ransomware protection, because attackers escalate privileges.
  • Compliance Mode: This is the right choice for ransomware protection. Once a file is locked in Compliance Mode, nobody can delete it, not even the AWS root account. The lock is enforced at the storage cluster level.

Building an Immutable Backup Pipeline

A sound database archiving design separates live database operations from the immutable archive tier. You cannot apply immutability to the active database files (such as .mdf/.ldf in SQL Server or pg_data in PostgreSQL), because the database needs constant read and write access to them.

Instead, immutability belongs on:
1. Full and Differential Backup Files: the baseline snapshots of the database.
2. Transaction Logs / WAL Files: the incremental changes needed for Point-in-Time Recovery (PITR).

Storage Targets for Immutability

You can configure immutable storage on several infrastructure layers:
* Cloud Object Storage: AWS S3 Object Lock, Azure Blob Immutable Storage, Google Cloud Storage Retention Policies.
* On-Premises Object Storage: MinIO, Cloudian, or Pure Storage FlashBlade (with S3 Object Lock APIs).
* Block/File Storage: ZFS (with read-only snapshots) or Linux file attributes.

Configuring Immutable Storage: Technical Walkthroughs

1. Cloud Object Storage: AWS S3 Object Lock

To protect database dumps and transaction logs on AWS, you must enable Object Lock when the bucket is created.

First, create the bucket with Object Lock:

aws s3api create-bucket \
    --bucket prod-db-archive-immutable \
    --region us-east-1 \
    --object-lock-enabled-for-bucket

Next, set a default retention policy. For database archives, a 30-day compliance lock is a good starting point; it gives you one month of backups that cannot be altered.

aws s3api put-object-lock-configuration \
    --bucket prod-db-archive-immutable \
    --object-lock-configuration '{
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "COMPLIANCE",
                "Days": 30
            }
        }
    }'

When your database backup script or agent uploads a file to this bucket, S3 automatically calculates the Retain Until Date by adding 30 days to the upload time.

2. On-Premises Immutability: ZFS and Linux Attributes

If you ship database backups to an on-premises Linux backup server, you can use the chattr command or ZFS snapshots.

Using Linux chattr:
The +i (immutable) flag prevents the file from being modified, deleted or renamed.

# Dump the database
pg_dump -U postgres -Fc mydb > /backups/mydb_$(date +%F).dump

# Make the backup immutable
sudo chattr +i /backups/mydb_$(date +%F).dump

# Verify the attribute
lsattr /backups/mydb_$(date +%F).dump
# Output: ----i---------e------- /backups/mydb_2023-10-27.dump

Note: chattr stops simple ransomware scripts, but a skilled attacker with root privileges can run chattr -i. For that reason it should be combined with RBAC and a segregated backup network.

Using ZFS Snapshots:
ZFS offers stronger protection. Once you take a snapshot and place a "hold" on it, it cannot be destroyed.

# Take a snapshot of the backup dataset
zfs snapshot tank/db_backups@archive_$(date +%F)

# Place a hold on the snapshot to prevent deletion
zfs hold keep_30_days tank/db_backups@archive_$(date +%F)

# Even root cannot destroy this snapshot without releasing the hold
zfs destroy tank/db_backups@archive_$(date +%F)
# Output: cannot destroy 'tank/db_backups@archive_...': dataset is busy

Database-Specific Archiving Strategies

For Point-in-Time Recovery (PITR), you must continuously ship transaction logs to your immutable storage.

PostgreSQL WAL Archiving with pgBackRest

pgBackRest is a robust backup tool for PostgreSQL with good support for S3-compatible storage. To protect the Write-Ahead Logs (WAL), configure pgBackRest to push them to your immutable S3 bucket.

In your pgbackrest.conf:

[global]
repo1-type=s3
repo1-s3-bucket=prod-db-archive-immutable
repo1-s3-region=us-east-1
repo1-s3-endpoint=s3.amazonaws.com
repo1-s3-key=AKIAIOSFODNN7EXAMPLE
repo1-s3-key-secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# Ensure retention aligns with your S3 Object Lock configuration
repo1-retention-full=2
repo1-retention-archive=2

[prod_cluster]
pg1-path=/var/lib/postgresql/14/main

Critical consideration: if your S3 bucket enforces a 30-day Compliance lock but pgBackRest tries to expire WAL files after 14 days, the deletion API calls will fail. Your backup software's retention policy must be equal to or longer than the storage layer's immutable lock.
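As an added example (not part of the original article and not pgBackRest's own code), the Python below checks the two numbers this paragraph says must agree: it reads the bucket's Object Lock configuration in the shape returned by get-object-lock-configuration (a constructed sample using the values above), reads the retention lines of the pgbackrest.conf shown earlier, and, assuming a weekly full-backup schedule, estimates the age at which pgBackRest's expire would first try to delete a full backup and whether the lock would refuse it. It also computes the Retain Until Date that S3 derives from the upload time.

```python
import configparser
import json
from datetime import datetime, timedelta

# Constructed sample: the response shape of `aws s3api get-object-lock-configuration`
# for the bucket configured earlier in the article.
OBJECT_LOCK_RESPONSE = json.loads("""{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}
  }
}""")

# Constructed sample: the retention lines from the pgbackrest.conf shown above.
PGBACKREST_CONF = """
[global]
repo1-type=s3
repo1-retention-full=2
repo1-retention-archive=2
"""

def lock_days(response):
    """Days of hard (COMPLIANCE) default retention on the bucket; 0 if there is none.
    GOVERNANCE mode is deliberately reported as 0 because it can be bypassed."""
    cfg = response.get("ObjectLockConfiguration", {})
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if cfg.get("ObjectLockEnabled") != "Enabled" or rule.get("Mode") != "COMPLIANCE":
        return 0
    return int(rule.get("Days") or rule.get("Years", 0) * 365)

def retain_until_iso(uploaded_at_iso, days):
    """S3 sets Retain Until Date = upload time + the default retention period."""
    uploaded_at = datetime.fromisoformat(uploaded_at_iso)
    return (uploaded_at + timedelta(days=days)).isoformat()

def pgbackrest_expire_age_days(conf_text, full_interval_days):
    """Approximate age of the oldest full backup when pgBackRest's expire removes it.
    repo1-retention-full counts full backups (assumed weekly schedule here), so with
    repo1-retention-full=2 the oldest full is about 2 * 7 = 14 days old."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint("global", "repo1-retention-full") * full_interval_days

def min_retention_full(response, full_interval_days):
    """Smallest repo1-retention-full that keeps fulls at least as long as the lock."""
    return -(-lock_days(response) // full_interval_days)  # ceiling division

def retention_aligned(conf_text, response, full_interval_days):
    """True when expire would only touch objects whose lock has already run out."""
    return pgbackrest_expire_age_days(conf_text, full_interval_days) >= lock_days(response)
```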

Microsoft SQL Server: Backup to URL

SQL Server can write native backups directly to S3-compatible object storage. You can create a SQL Server Agent job that pushes .bak and .trn files to the immutable bucket.

CREATE CREDENTIAL [s3://prod-db-archive-immutable.s3.us-east-1.amazonaws.com]
WITH IDENTITY = 'S3 Access Key',
SECRET = 'AccessKeyID:SecretAccessKey';
GO

BACKUP DATABASE [ProductionDB]
TO URL = 's3://prod-db-archive-immutable.s3.us-east-1.amazonaws.com/ProductionDB_Full.bak'
WITH FORMAT, COMPRESSION, STATS = 10;
GO

Automating and Orchestrating with CloudSave

Managing immutable retention flags, rotating access keys, and keeping storage locks aligned with database retention policies is error-prone. A single mistake in a cron job or an API call can leave your archives unprotected or send cloud storage costs soaring.

Enterprise backup platforms such as CloudSave take over this work. CloudSave integrates natively with AWS S3 Object Lock, Azure Blob Immutable Storage, and on-premises S3-compatible APIs.

When you create a database backup plan in CloudSave:
1. The platform automatically handles VSS (Volume Shadow Copy Service) quiescence for SQL Server or the pg_start_backup() API for PostgreSQL.
2. It ships deduplicated, encrypted backup files to the storage target.
3. CloudSave applies the WORM APIs (such as PutObjectRetention) to each file, aligning the storage lock with the retention schedule.
4. Even if an attacker compromises the CloudSave management console, they cannot delete the backups, because the compliance lock is enforced in the storage infrastructure, not in the backup software.

Best Practices for Immutable Database Archives

To make sure your immutable architecture holds up, do the following:

1. Strict NTP Synchronization

Immutable locks depend on timestamps. If your NTP (Network Time Protocol) service is wrong or unreliable, locks could expire before their time. Make sure your storage infrastructure uses trustworthy NTP sources.

2. Separating IAM Roles and Credentials

The credentials used to write to the immutable bucket should carry only the s3:PutObject and s3:PutObjectRetention permissions. They must never have s3:DeleteObject or s3:PutBucketObjectLockConfiguration.

Example least-privilege IAM policy for the database backup agent:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetBucketObjectLockConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::prod-db-archive-immutable",
                "arn:aws:s3:::prod-db-archive-immutable/*"
            ]
        }
    ]
}
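As an added check (not from the original article), the Python below lints a backup-agent IAM policy for the actions this section says must never be granted, expanding IAM wildcards so that a statement such as "s3:*" or "s3:Delete*" is caught as well as a literal "s3:DeleteObject". The forbidden list is my selection: the three actions named above plus s3:DeleteObjectVersion, which is the delete that matters on a versioned Object Lock bucket; both sample policies are constructed, the first copying the policy above.

```python
import fnmatch
import json

# Actions a credential that writes to an immutable bucket must never hold.
# The first three are named in the text above; DeleteObjectVersion is added
# because Object Lock buckets are versioned and that action removes a version.
FORBIDDEN_ACTIONS = (
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketObjectLockConfiguration",
    "s3:BypassGovernanceRetention",
)

def _as_list(value):
    """IAM allows a single string or a list in Statement, Action and NotAction."""
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """IAM action names are case-insensitive and accept * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def forbidden_grants(policy_json):
    """Return the forbidden actions that any Allow statement in the policy grants."""
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            excluded = _as_list(stmt["NotAction"])
            granted.update(a for a in FORBIDDEN_ACTIONS if not _matches(a, excluded))
        else:
            patterns = _as_list(stmt.get("Action", []))
            granted.update(a for a in FORBIDDEN_ACTIONS if _matches(a, patterns))
    return sorted(granted)

def is_least_privilege(policy_json):
    """True when the policy grants none of the forbidden actions."""
    return not forbidden_grants(policy_json)

# Constructed sample: the backup-agent policy from the article.
AGENT_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetBucketObjectLockConfiguration"],
  "Resource": ["arn:aws:s3:::prod-db-archive-immutable",
               "arn:aws:s3:::prod-db-archive-immutable/*"]}]}"""

# Constructed sample: looks harmless but grants deletion through a wildcard.
WILDCARD_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "s3:*", "Resource": "arn:aws:s3:::prod-db-archive-immutable/*"}]}"""
```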

3. Right-Sizing the Retention Period

Do not set Compliance locks for very long periods (such as 7 years) on your primary rapid-recovery tier. Databases generate large volumes of WAL/transaction log files, and locking them for a long time drives up costs.
Instead, use tiers:
* Operational Recovery Tier: 14 to 30 days of immutable retention for Fulls and Logs.
* Long-Term Archival Tier: monthly full backups pushed to Glacier/Deep Archive, locked with Vault Lock for 1 to 7 years.

4. Recovery Testing in Air-Gapped VPCs

Immutability guarantees that a file cannot be deleted, not that it is free of corruption. Automate restores of your immutable database archives into an isolated, air-gapped VPC or VLAN. Run DBCC CHECKDB (SQL Server) or pg_amcheck (PostgreSQL) on the restored data to verify its integrity.

Conclusion

Ransomware defense assumes that a breach will happen. By the time an alert reaches your SIEM, the attackers have already gone after your backup infrastructure. Building your database archives on immutable storage in Compliance Mode takes away the attackers' leverage. Whether you use cloud APIs, ZFS holds, or an enterprise platform such as CloudSave, deploying WORM storage is not optional; it is an essential part of database administration and disaster recovery.