V modernom prostred\u00ed hrozieb sa ransomware vyvinul z oportunistick\u00e9ho \u0161ifrovania na vysoko cielen\u00e9 kampane s viacn\u00e1sobn\u00fdm vydieran\u00edm. Pokro\u010dil\u00e9 pretrv\u00e1vaj\u00face hrozby (APT) a syndik\u00e1ty ransomwaru teraz po\u010das svojho p\u00f4sobenia v sieti akt\u00edvne vyh\u013ead\u00e1vaj\u00fa z\u00e1lohovaciu infra\u0161trukt\u00faru a arch\u00edvy datab\u00e1z. Ak \u00fato\u010dn\u00edk kompromituje va\u0161u prim\u00e1rnu datab\u00e1zu a s\u00fa\u010dasne odstr\u00e1ni alebo za\u0161ifruje va\u0161e z\u00e1lohovacie \u00falo\u017eisk\u00e1, va\u0161a organiz\u00e1cia \u010del\u00ed katastrof\u00e1lnej strate d\u00e1t.<\/p>\n
Pre spr\u00e1vcov datab\u00e1z (DBA) a DevOps in\u017einierov u\u017e tradi\u010dn\u00e1 strat\u00e9gia z\u00e1lohovania 3-2-1 nesta\u010d\u00ed. Aby t\u00edmy infra\u0161trukt\u00fary zaru\u010dili pre\u017eitie d\u00e1t, musia prija\u0165 pravidlo 3-2-1-1, kde posledn\u00e1 \u201e1\u201c predstavuje nemenn\u00e9 (imutable) \u00falo\u017eisko<\/strong>.<\/p>\n Tento \u010dl\u00e1nok poskytuje komplexn\u00fd technick\u00fd poh\u013ead na architekt\u00faru, implement\u00e1ciu a spr\u00e1vu nemenn\u00e9ho \u00falo\u017eiska pre datab\u00e1zov\u00e9 arch\u00edvy s cie\u013eom zabezpe\u010di\u0165 absol\u00fatnu odolnos\u0165 vo\u010di ransomwaru.<\/p>\n Nemenn\u00e9 \u00falo\u017eisko sa spolieha na architekt\u00faru typu Write-Once-Read-Many (WORM) \u2013 zap\u00ed\u0161 raz, \u010d\u00edtaj mnohokr\u00e1t. Akon\u00e1hle s\u00fa d\u00e1ta zap\u00edsan\u00e9 do nemenn\u00e9ho cie\u013ea, nem\u00f4\u017eu by\u0165 upraven\u00e9, za\u0161ifrovan\u00e9 ani odstr\u00e1nen\u00e9 \u017eiadnym pou\u017e\u00edvate\u013eom \u2013 vr\u00e1tane spr\u00e1vcov s opr\u00e1vneniami root alebo kompromitovan\u00fdch servisn\u00fdch \u00fa\u010dtov \u2013 a\u017e k\u00fdm nevypr\u0161\u00ed matematicky vyn\u00faten\u00fd \u010dasov\u00fd z\u00e1mok.<\/p>\n Pri implement\u00e1cii nemennosti, najm\u00e4 v cloudov\u00fdch objektov\u00fdch \u00falo\u017eisk\u00e1ch ako AWS S3, Azure Blob alebo S3-kompatibiln\u00fdch on-premises SAN, mus\u00edte rozumie\u0165 rozdielu medzi re\u017eimami uchov\u00e1vania:<\/p>\n Robustn\u00e1 architekt\u00fara archiv\u00e1cie datab\u00e1z odde\u013euje akt\u00edvne datab\u00e1zov\u00e9 oper\u00e1cie od vrstvy nemenn\u00e9ho arch\u00edvu. Nemennos\u0165 nem\u00f4\u017eete aplikova\u0165 na akt\u00edvne datab\u00e1zov\u00e9 s\u00fabory (ako Namiesto toho sa nemennos\u0165 aplikuje na: Nemenn\u00e9 \u00falo\u017eisko m\u00f4\u017eete implementova\u0165 naprie\u010d r\u00f4znymi vrstvami infra\u0161trukt\u00fary: Ak chcete chr\u00e1ni\u0165 datab\u00e1zov\u00e9 v\u00fdpisy a transak\u010dn\u00e9 logy v AWS, mus\u00edte pri vytv\u00e1ran\u00ed bucketu povoli\u0165 funkciu Object Lock.<\/p>\n Najprv vytvorte bucket s povolen\u00fdm Object Lock:<\/p>\n \u010ealej nakonfigurujte predvolen\u00fa reten\u010dn\u00fa politiku. Pre datab\u00e1zov\u00e9 arch\u00edvy je 30-d\u0148ov\u00fd z\u00e1mok v re\u017eime s\u00faladu \u0161tandardn\u00fdm z\u00e1kladom, ktor\u00fd zabezpe\u010d\u00ed, \u017ee budete ma\u0165 mesiac nemenn\u00fdch z\u00e1loh.<\/p>\n Ke\u010f v\u00e1\u0161 skript alebo agent na z\u00e1lohovanie datab\u00e1zy odo\u0161le s\u00fabor do tohto bucketu, S3 automaticky vypo\u010d\u00edta Ak archivujete datab\u00e1zy na on-premises z\u00e1lohovac\u00ed server so syst\u00e9mom Linux, m\u00f4\u017eete dosiahnu\u0165 pseudo-nemennos\u0165 pomocou pr\u00edkazu Pou\u017eitie Linux Pozn\u00e1mka: Hoci Pou\u017eitie sn\u00edmok ZFS:<\/strong> Aby ste dosiahli obnovu k ur\u010dit\u00e9mu bodu v \u010dase (PITR), mus\u00edte nepretr\u017eite archivova\u0165 transak\u010dn\u00e9 logy do svojho nemenn\u00e9ho \u00falo\u017eiska.<\/p>\n Vo va\u0161om K\u013e\u00fa\u010dov\u00e9 upozornenie:<\/em> Ak v\u00e1\u0161 S3 bucket vynucuje 30-d\u0148ov\u00fd z\u00e1mok v re\u017eime s\u00faladu, ale SQL Server podporuje nat\u00edvne z\u00e1lohovanie priamo do S3-kompatibiln\u00e9ho objektov\u00e9ho \u00falo\u017eiska. M\u00f4\u017eete nakonfigurova\u0165 \u00falohu SQL Server Agenta na z\u00e1pis s\u00faborov Spr\u00e1va nemenn\u00fdch reten\u010dn\u00fdch pr\u00edznakov, rot\u00e1cia pr\u00edstupov\u00fdch k\u013e\u00fa\u010dov a zabezpe\u010denie synchroniz\u00e1cie medzi reten\u010dn\u00fdmi politikami datab\u00e1z a z\u00e1mkami \u00falo\u017eiska pomocou vlastn\u00fdch skriptov je vysoko n\u00e1chyln\u00e1 na chyby. Jedin\u00e1 chybn\u00e1 konfigur\u00e1cia v cron \u00falohe alebo API volan\u00ed m\u00f4\u017ee necha\u0165 va\u0161e arch\u00edvy nechr\u00e1nen\u00e9 alebo vies\u0165 k prudk\u00e9mu n\u00e1rastu n\u00e1kladov na cloudov\u00e9 \u00falo\u017eisko kv\u00f4li osiroten\u00fdm, uzamknut\u00fdm objektom.<\/p>\n Podnikov\u00e9 z\u00e1lohovacie platformy ako CloudSave zjednodu\u0161uj\u00fa t\u00fato architekt\u00faru. CloudSave sa nat\u00edvne integruje s AWS S3 Object Lock, Azure Blob Immutable Storage a on-premises S3-kompatibiln\u00fdmi API.<\/p>\n Pri konfigur\u00e1cii pl\u00e1nu z\u00e1lohovania datab\u00e1zy v CloudSave: Aby ste zabezpe\u010dili, \u017ee va\u0161a nemenn\u00e1 architekt\u00fara je skuto\u010dne odoln\u00e1, dodr\u017eiavajte nasleduj\u00face osved\u010den\u00e9 postupy syst\u00e9mov\u00e9ho in\u017einierstva:<\/p>\n Nemenn\u00e9 z\u00e1mky s\u00fa matematicky viazan\u00e9 na \u010dasov\u00e9 pe\u010diatky. Ak je slu\u017eba NTP (Network Time Protocol) na va\u0161om \u00falo\u017enom poli alebo z\u00e1lohovacom serveri kompromitovan\u00e1 alebo vykazuje odch\u00fdlky, m\u00f4\u017ee to sp\u00f4sobi\u0165 pred\u010dasn\u00e9 vypr\u0161anie z\u00e1mkov alebo ich nikdy nevypr\u0161anie. Zabezpe\u010dte, aby va\u0161a infra\u0161trukt\u00fara \u00falo\u017eiska pou\u017e\u00edvala autentifikovan\u00e9, redundantn\u00e9 zdroje NTP.<\/p>\n Poverenia pou\u017eit\u00e9 na z\u00e1pis do nemenn\u00e9ho bucketu musia ma\u0165 iba opr\u00e1vnenia Pr\u00edklad politiky IAM s minim\u00e1lnymi opr\u00e1vneniami pre agenta z\u00e1lohovania datab\u00e1zy:<\/p>\n Nenastavujte z\u00e1mky s\u00faladu na pr\u00edli\u0161 dlh\u00e9 obdobia (napr. 7 rokov pre compliance) na va\u0161ej prim\u00e1rnej vrstve pre r\u00fdchlu obnovu. Datab\u00e1zy generuj\u00fa obrovsk\u00e9 mno\u017estvo d\u00e1t WAL\/transak\u010dn\u00fdch logov. Uzamknutie t\u00fdchto d\u00e1t na roky povedie k exponenci\u00e1lnemu rastu n\u00e1kladov na \u00falo\u017eisko. Nemennos\u0165 zaru\u010duje, \u017ee d\u00e1ta nemo\u017eno odstr\u00e1ni\u0165, ale nezaru\u010duje, \u017ee d\u00e1ta s\u00fa bez logick\u00e9ho po\u0161kodenia. Mus\u00edte automatizova\u0165 obnovu svojich nemenn\u00fdch datab\u00e1zov\u00fdch arch\u00edvov do izolovan\u00e9ho, air-gapped VPC alebo VLAN. Spustite Obrana proti ransomwaru je cvi\u010den\u00edm v predpoklade prieniku. V \u010dase, ke\u010f sa vo va\u0161om SIEM spust\u00ed upozornenie, sa \u00fato\u010dn\u00edci pravdepodobne u\u017e pok\u00fasili kompromitova\u0165 va\u0161u z\u00e1lohovaciu infra\u0161trukt\u00faru. Architekt\u00farou va\u0161ich datab\u00e1zov\u00fdch arch\u00edvov pomocou nemenn\u00e9ho \u00falo\u017eiska v re\u017eime s\u00faladu priprav\u00edte \u00fato\u010dn\u00edkov o ich hlavn\u00fa p\u00e1ku. \u010ci u\u017e vyu\u017e\u00edvate nat\u00edvne cloudov\u00e9 API, ZFS holdy alebo podnikov\u00fa orchestr\u00e1lnu platformu ako CloudSave, implement\u00e1cia WORM \u00falo\u017eiska u\u017e nie je volite\u013en\u00e1 \u2013 je to povinn\u00fd pilier modernej spr\u00e1vy datab\u00e1z a obnovy po hav\u00e1rii.<\/p>\n","protected":false},"excerpt":{"rendered":" ** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Immutable Database Storage to Defeat Ransomware","rank_math_description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","rank_math_focus_keyword":"immutable database storage","footnotes":""},"categories":[671],"tags":[4750,4751,4752,1353,4753,4754],"class_list":["post-6400","post","type-post","status-publish","format-standard","hentry","category-database-backup","tag-3-2-1-1-backup","tag-data-survivability","tag-database-archives","tag-enterprise-backup","tag-immutable-storage","tag-ransomware-protection"],"yoast_head":"\nMechanizmus nemenn\u00e9ho \u00falo\u017eiska<\/h2>\n
Re\u017eim s\u00faladu (Compliance Mode) vs. Re\u017eim spr\u00e1vy (Governance Mode)<\/h3>\n
\n
s3:BypassGovernanceRetention<\/code>) v\u0161ak m\u00f4\u017eu z\u00e1mok ob\u00eds\u0165. Je to u\u017eito\u010dn\u00e9 na testovanie, ale nedostato\u010dn\u00e9 na ochranu pred ransomwarem<\/strong>, preto\u017ee \u00fato\u010dn\u00edci \u010dasto eskaluj\u00fa opr\u00e1vnenia na \u00farove\u0148 spr\u00e1vcu dom\u00e9ny alebo roota.<\/li>\nArchitekt\u00fara nemenn\u00e9ho z\u00e1lohovacieho potrubia<\/h2>\n
.mdf<\/code>\/.ldf<\/code> v SQL Serveri alebo adres\u00e1r pg_data<\/code> v PostgreSQL), preto\u017ee datab\u00e1zy vy\u017eaduj\u00fa neust\u00e1ly pr\u00edstup na \u010d\u00edtanie a z\u00e1pis.<\/p>\n
\n1. \u00dapln\u00e9 a diferenci\u00e1lne z\u00e1lo\u017en\u00e9 s\u00fabory:<\/strong> Z\u00e1kladn\u00e9 sn\u00edmky datab\u00e1zy.
\n2. Transak\u010dn\u00e9 logy \/ WAL s\u00fabory:<\/strong> Kontinu\u00e1lny pr\u00fad datab\u00e1zov\u00fdch zmien potrebn\u00fd pre obnovu k ur\u010dit\u00e9mu bodu v \u010dase (Point-in-Time Recovery \u2013 PITR).<\/p>\nCiele \u00falo\u017eiska pre nemennos\u0165<\/h3>\n
\n* Cloudov\u00e9 objektov\u00e9 \u00falo\u017eisko:<\/strong> AWS S3 Object Lock, Azure Blob Immutable Storage, Google Cloud Storage Retention Policies.
\n* On-premises objektov\u00e9 \u00falo\u017eisko:<\/strong> MinIO, Cloudian alebo Pure Storage FlashBlade s podporou S3 Object Lock API.
\n* Blokov\u00e9\/s\u00faborov\u00e9 \u00falo\u017eisko:<\/strong> ZFS so sn\u00edmkami (snapshots) ur\u010den\u00fdmi len na \u010d\u00edtanie a delegovanou spr\u00e1vou, alebo atrib\u00faty s\u00faborov v syst\u00e9me Linux.<\/p>\nImplement\u00e1cia nemenn\u00e9ho \u00falo\u017eiska: Technick\u00e9 n\u00e1vody<\/h2>\n
1. Cloudov\u00e9 objektov\u00e9 \u00falo\u017eisko: AWS S3 Object Lock<\/h3>\n
aws s3api create-bucket \n --bucket prod-db-archive-immutable \n --region us-east-1 \n --object-lock-enabled-for-bucket\n<\/code><\/pre>\naws s3api put-object-lock-configuration \n --bucket prod-db-archive-immutable \n --object-lock-configuration '{\n "ObjectLockEnabled": "Enabled",\n "Rule": {\n "DefaultRetention": {\n "Mode": "COMPLIANCE",\n "Days": 30\n }\n }\n }'\n<\/code><\/pre>\nRetain Until Date<\/code> na z\u00e1klade \u010dasovej pe\u010diatky vytvorenia objektu plus 30 dn\u00ed.<\/p>\n2. On-premises nemennos\u0165: ZFS a atrib\u00faty Linuxu<\/h3>\n
chattr<\/code> alebo skuto\u010dn\u00fa nemennos\u0165 pomocou sn\u00edmok ZFS.<\/p>\nchattr<\/code>:<\/strong>
\nPr\u00edznak +i<\/code> (immutable) zabra\u0148uje \u00faprave, odstr\u00e1neniu alebo premenovaniu s\u00faboru.<\/p>\n# Vytvorenie v\u00fdpisu datab\u00e1zy\npg_dump -U postgres -Fc mydb > \/backups\/mydb_$(date +%F).dump\n\n# Nastavenie nemennosti z\u00e1lohy\nsudo chattr +i \/backups\/mydb_$(date +%F).dump\n\n# Overenie atrib\u00fatu\nlsattr \/backups\/mydb_$(date +%F).dump\n# V\u00fdstup: ----i---------e------- \/backups\/mydb_2023-10-27.dump\n<\/code><\/pre>\nchattr<\/code> zastav\u00ed z\u00e1kladn\u00e9 skripty ransomwaru, sofistikovan\u00fd \u00fato\u010dn\u00edk s pr\u00edstupom root m\u00f4\u017ee jednoducho spusti\u0165 chattr -i<\/code>. Preto sa to mus\u00ed kombinova\u0165 s pr\u00edsnym RBAC a izolovan\u00fdmi z\u00e1lohovac\u00edmi sie\u0165ami.<\/em><\/p>\n
\nZFS poskytuje ove\u013ea silnej\u0161iu obranu. Vytvoren\u00edm sn\u00edmky a jej \u201epodr\u017ean\u00edm\u201c (hold) zabr\u00e1nite jej zni\u010deniu.<\/p>\n# Vytvorenie sn\u00edmky z\u00e1lohovacieho datasetu\nzfs snapshot tank\/db_backups@archive_$(date +%F)\n\n# Podr\u017eanie sn\u00edmky, aby sa zabr\u00e1nilo jej odstr\u00e1neniu\nzfs hold keep_30_days tank\/db_backups@archive_$(date +%F)\n\n# Ani root nem\u00f4\u017ee zni\u010di\u0165 t\u00fato sn\u00edmku bez uvo\u013enenia podr\u017eania\nzfs destroy tank\/db_backups@archive_$(date +%F)\n# V\u00fdstup: cannot destroy 'tank\/db_backups@archive_...': dataset is busy\n<\/code><\/pre>\nStrat\u00e9gie archiv\u00e1cie \u0161pecifick\u00e9 pre datab\u00e1zy<\/h2>\n
Archiv\u00e1cia WAL v PostgreSQL pomocou pgBackRest<\/h3>\n
pgBackRest<\/code> je vysoko spo\u013eahliv\u00fd n\u00e1stroj na z\u00e1lohovanie pre PostgreSQL, ktor\u00fd nat\u00edvne podporuje S3-kompatibiln\u00e9 \u00falo\u017eisk\u00e1. Na ochranu svojich Write-Ahead Logs (WAL) nakonfigurujte pgBackRest<\/code> tak, aby ich odosielal priamo do v\u00e1\u0161ho nemenn\u00e9ho S3 bucketu.<\/p>\npgbackrest.conf<\/code>:<\/p>\n[global]\nrepo1-type=s3\nrepo1-s3-bucket=prod-db-archive-immutable\nrepo1-s3-region=us-east-1\nrepo1-s3-endpoint=s3.amazonaws.com\nrepo1-s3-key=AKIAIOSFODNN7EXAMPLE\nrepo1-s3-key-secret=wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\n\n# Uistite sa, \u017ee retencia je v s\u00falade s va\u0161ou konfigur\u00e1ciou S3 Object Lock\nrepo1-retention-full=2\nrepo1-retention-archive=2\n\n[prod_cluster]\npg1-path=\/var\/lib\/postgresql\/14\/main\n<\/code><\/pre>\npgBackRest<\/code> sa pok\u00fasi vymaza\u0165 WAL s\u00fabory po 14 d\u0148och na z\u00e1klade repo1-retention-archive<\/code>, volania API na odstr\u00e1nenie zlyhaj\u00fa. Mus\u00edte zabezpe\u010di\u0165, aby reten\u010dn\u00e1 politika v\u00e1\u0161ho z\u00e1lohovacieho softv\u00e9ru bola v\u00e4\u010d\u0161ia alebo rovn\u00e1 nemenn\u00e9mu z\u00e1mku na \u00farovni \u00falo\u017eiska.<\/p>\nMicrosoft SQL Server: Z\u00e1lohovanie na URL<\/h3>\n
.bak<\/code> a .trn<\/code> priamo do nemenn\u00e9ho bucketu.<\/p>\nCREATE CREDENTIAL [s3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com]\nWITH IDENTITY = 'S3 Access Key',\nSECRET = 'AccessKeyID:SecretAccessKey';\nGO\n\nBACKUP DATABASE [ProductionDB]\nTO URL = 's3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com\/ProductionDB_Full.bak'\nWITH FORMAT, COMPRESSION, STATS = 10;\nGO\n<\/code><\/pre>\nAutomatiz\u00e1cia a orchestr\u00e1cia s CloudSave<\/h2>\n
\n1. Platforma automaticky spracov\u00e1va quiescence VSS (Volume Shadow Copy Service) pre SQL Server alebo API pg_start_backup()<\/code> pre PostgreSQL.
\n2. Streamuje deduplikovan\u00e9, za\u0161ifrovan\u00e9 z\u00e1lohovacie d\u00e1ta priamo do cie\u013eov\u00e9ho \u00falo\u017eiska.
\n3. CloudSave dynamicky aplikuje WORM API volania (napr. PutObjectRetention<\/code>) na \u00farovni jednotliv\u00fdch objektov, \u010d\u00edm dokonale zos\u00fala\u010fuje trvanie z\u00e1mku \u00falo\u017eiska s reten\u010dn\u00fdm pl\u00e1nom definovan\u00fdm v politike.
\n4. Ak \u00fato\u010dn\u00edk kompromituje konzolu spr\u00e1vy CloudSave, st\u00e1le nem\u00f4\u017ee odstr\u00e1ni\u0165 z\u00e1lohy, preto\u017ee z\u00e1mok s\u00faladu je vyn\u00faten\u00fd z\u00e1kladnou infra\u0161trukt\u00farou \u00falo\u017eiska, nie z\u00e1lohovac\u00edm softv\u00e9rom.<\/p>\nOsved\u010den\u00e9 postupy pre nemenn\u00e9 datab\u00e1zov\u00e9 arch\u00edvy<\/h2>\n
1. Pr\u00edsna synchroniz\u00e1cia NTP<\/h3>\n
2. Izol\u00e1cia IAM rol\u00ed a poveren\u00ed<\/h3>\n
s3:PutObject<\/code> a s3:PutObjectRetention<\/code>. Nikdy<\/strong> by nemali ma\u0165 opr\u00e1vnenia s3:DeleteObject<\/code> alebo s3:PutBucketObjectLockConfiguration<\/code>.<\/p>\n{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": [\n "s3:PutObject",\n "s3:GetBucketObjectLockConfiguration"\n ],\n "Resource": [\n "arn:aws:s3:::prod-db-archive-immutable",\n "arn:aws:s3:::prod-db-archive-immutable\/*"\n ]\n }\n ]\n}\n<\/code><\/pre>\n3. Dimenzovanie reten\u010dn\u00e9ho obdobia<\/h3>\n
\nNamiesto toho pou\u017eite vrstven\u00fd pr\u00edstup:
\n* Vrstva opera\u010dnej obnovy:<\/strong> 14 a\u017e 30 dn\u00ed nemenn\u00e9ho uchov\u00e1vania pre \u00fapln\u00e9 z\u00e1lohy a logy.
\n* Vrstva dlhodobej archiv\u00e1cie:<\/strong> Mesa\u010dn\u00e9 \u00fapln\u00e9 z\u00e1lohy presunut\u00e9 do Glacier\/Deep Archive so z\u00e1mkom Vault Lock na 1 \u2013 7 rokov.<\/p>\n4. Pravideln\u00e9 testovanie obnovy v izolovan\u00fdch (air-gapped) VPC<\/h3>\n
DBCC CHECKDB<\/code> (SQL Server) alebo pg_amcheck<\/code> (PostgreSQL) na obnoven\u00fdch d\u00e1tach, aby ste overili \u0161truktur\u00e1lnu integritu.<\/p>\nZ\u00e1ver<\/h2>\n