
Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.

In today's threat landscape, ransomware has evolved from opportunistic attacks into highly targeted, multi-stage extortion campaigns. Advanced Persistent Threats (APTs) and ransomware groups now actively hunt for backup infrastructure and database archives during the dwell phase. If an attacker gains access to your primary data and simultaneously deletes or encrypts your backup repositories, your organization faces catastrophic data loss.

For Database Administrators (DBAs) and DevOps engineers, the traditional 3-2-1 backup strategy is no longer sufficient. To guarantee data survival, infrastructure teams must adopt the 3-2-1-1 rule, where the final "1" stands for immutable storage.

This article provides a deep, comprehensive, technical analysis of designing, implementing, and managing immutable storage for database archives to ensure complete protection against ransomware.

How Immutable Storage Works

Immutable storage relies on a Write-Once-Read-Many (WORM) architecture. Once data is written to an immutable location, it cannot be modified, encrypted, or deleted by any user, including administrators with root privileges or compromised service accounts, until the configured retention period expires.

Compliance Mode vs. Governance Mode

When implementing immutability, particularly on cloud object storage such as AWS S3, Azure Blob, or S3-compatible SANs, you must understand the difference between the retention modes:

  • Governance Mode: Prevents standard users from deleting or modifying objects. However, users with specific IAM permissions (e.g., s3:BypassGovernanceRetention) can override the lock. This is useful for testing but insufficient for ransomware protection, since attackers frequently escalate their privileges to domain admin or root.
  • Compliance Mode: This is the highest level of ransomware protection. Once an object is locked in Compliance Mode, its retention period cannot be shortened, and the object cannot be deleted by anyone, including the AWS root account. The lock is enforced at the storage cluster level.

Designing an Immutable Backup Pipeline

A robust database archive architecture separates live data operations from immutable archives. You cannot apply immutability to live data files (such as .mdf/.ldf in SQL Server or the pg_data directory in PostgreSQL) because databases require constant read and write access.

Instead, immutability is applied to:
1. Full and Differential Backup Files: The baseline snapshots of the database.
2. Transaction Log / WAL Files: The continuous stream of database changes required for Point-in-Time Recovery (PITR).

Immutability Storage Tiers

You can implement immutable storage at different levels of the infrastructure:
* Cloud Object Storage: AWS S3 Object Lock, Azure Blob Immutable Storage, Google Cloud Storage Retention Policies.
* On-Premises Object Storage: MinIO, Cloudian, or Pure Storage FlashBlade supporting the S3 Object Lock APIs.
* Block/File Storage: ZFS with read-only snapshots and delegated administration, or Linux file attributes.

Implementing Immutable Storage: Technical Steps

1. Cloud Object Storage: AWS S3 Object Lock

To protect database dumps and transaction logs in AWS, you must enable Object Lock at bucket creation time.

First, create a bucket with Object Lock enabled:

aws s3api create-bucket \
    --bucket prod-db-archive-immutable \
    --region us-east-1 \
    --object-lock-enabled-for-bucket

Next, configure a default retention policy. For database archives, a 30-day compliance lock is a common baseline, ensuring you have a full month of immutable backups.

aws s3api put-object-lock-configuration \
    --bucket prod-db-archive-immutable \
    --object-lock-configuration '{
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "COMPLIANCE",
                "Days": 30
            }
        }
    }'

When your database backup script or agent uploads a file to this bucket, S3 automatically calculates the Retain Until Date from the object's creation time plus the 30 days.

2. On-Premises Immutability: ZFS and Linux Attributes

If you keep database backups on an on-premises Linux backup server, you can achieve pseudo-immutability with the chattr command, or true immutability with ZFS snapshots.

Using Linux chattr:
The +i (immutable) flag prevents the file from being modified, deleted, or renamed.

# Dump the database
pg_dump -U postgres -Fc mydb > /backups/mydb_$(date +%F).dump

# Make the backup immutable
sudo chattr +i /backups/mydb_$(date +%F).dump

# Verify the attribute
lsattr /backups/mydb_$(date +%F).dump
# Output: ----i---------e------- /backups/mydb_2023-10-27.dump

Note: Although chattr stops simple ransomware scripts, a knowledgeable attacker with root privileges can simply run chattr -i. Therefore, this must be combined with strict RBAC and isolated backup networks.

Using ZFS Snapshots:
ZFS offers much stronger protection. By taking a snapshot and placing a "hold" on it, you prevent the snapshot from being destroyed.

# Take a snapshot of the backup dataset
zfs snapshot tank/db_backups@archive_$(date +%F)

# Place a hold on the snapshot to prevent deletion
zfs hold keep_30_days tank/db_backups@archive_$(date +%F)

# Even root cannot destroy this snapshot without releasing the hold
zfs destroy tank/db_backups@archive_$(date +%F)
# Output: cannot destroy 'tank/db_backups@archive_...': dataset is busy

Database-Specific Retention Strategies

To achieve Point-in-Time Recovery (PITR), you must continuously ship transaction logs to your immutable storage.

PostgreSQL WAL Archiving with pgBackRest

pgBackRest is a highly reliable backup tool for PostgreSQL that natively supports S3-compatible storage. To protect your Write-Ahead Logs (WAL), configure pgBackRest to push directly to your immutable S3 bucket.

In your pgbackrest.conf:

[global]
repo1-type=s3
repo1-s3-bucket=prod-db-archive-immutable
repo1-s3-region=us-east-1
repo1-s3-endpoint=s3.amazonaws.com
repo1-s3-key=AKIAIOSFODNN7EXAMPLE
repo1-s3-key-secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# Ensure retention aligns with your S3 Object Lock configuration
repo1-retention-full=2
repo1-retention-archive=2

[prod_cluster]
pg1-path=/var/lib/postgresql/14/main

Critical Consideration: If your S3 bucket enforces a 30-day compliance lock, but pgBackRest attempts to expire and delete WAL files after 14 days based on repo1-retention-archive, the delete API calls will fail. You must ensure that your backup software's retention policy is greater than or equal to the storage-level immutability lock.
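The Retain Until Date arithmetic from the S3 section and the retention-alignment warning above, as an added example (not code from the article or from the pgBackRest project): it derives each full backup's Retain Until Date from its creation time and the bucket's 30-day COMPLIANCE rule, then simulates which fulls a pgBackRest expire with repo1-retention-full=2 would try to delete while S3 still locks them. It assumes one full backup per week and uses constructed dates.

```python
import math
from datetime import datetime, timedelta, timezone

# Values from the article: a 30-day COMPLIANCE default retention on the bucket
# and repo1-retention-full=2 in pgbackrest.conf. Weekly fulls are an assumption.
LOCK_DAYS = 30
RETENTION_FULL = 2
FULL_INTERVAL_DAYS = 7


def retain_until(created: datetime, lock_days: int = LOCK_DAYS) -> datetime:
    """Retain Until Date as S3 derives it from the default rule: creation time plus the lock."""
    return created + timedelta(days=lock_days)


def expire_conflicts(fulls, now, retention_full=RETENTION_FULL, lock_days=LOCK_DAYS):
    """Full backups that a pgBackRest expire would delete while the S3 lock still holds them.

    pgBackRest keeps the newest `retention_full` fulls (and the WAL they need) and
    deletes the rest; S3 rejects every delete whose Retain Until Date is still ahead.
    """
    newest_first = sorted(fulls, reverse=True)
    expired = newest_first[retention_full:]
    return [f for f in expired if retain_until(f, lock_days) > now]


def min_retention_full(interval_days: int, lock_days: int = LOCK_DAYS) -> int:
    """Smallest repo1-retention-full whose youngest expired full is already unlocked.

    Expire runs right after a new full, so the youngest full being expired is exactly
    retention_full * interval_days old; that age must reach lock_days.
    """
    return math.ceil(lock_days / interval_days)


def demo():
    """Constructed schedule: six weekly fulls, the newest taken at `now`."""
    now = datetime(2023, 10, 27, tzinfo=timezone.utc)
    fulls = [now - timedelta(days=FULL_INTERVAL_DAYS * k) for k in range(6)]
    safe = min_retention_full(FULL_INTERVAL_DAYS)
    return {
        "conflicts_with_article_config": len(expire_conflicts(fulls, now)),
        "conflicts_with_safe_config": len(expire_conflicts(fulls, now, safe)),
        "min_retention_full": safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the article's settings three of the four fulls that expire would still be locked; raising repo1-retention-full to the computed minimum removes the conflict.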

Microsoft SQL Server: Backup to URL

SQL Server supports native backups directly to S3-compatible object storage. You can configure a SQL Server Agent job to write .bak and .trn files directly to the immutable bucket.

CREATE CREDENTIAL [s3://prod-db-archive-immutable.s3.us-east-1.amazonaws.com]
WITH IDENTITY = 'S3 Access Key',
SECRET = 'AccessKeyID:SecretAccessKey';
GO

BACKUP DATABASE [ProductionDB]
TO URL = 's3://prod-db-archive-immutable.s3.us-east-1.amazonaws.com/ProductionDB_Full.bak'
WITH FORMAT, COMPRESSION, STATS = 10;
GO

Automation and Orchestration with CloudSave

Managing immutable retention flags, rotating access keys, and keeping database retention policies aligned with storage locks through custom scripts is a frequent source of errors. A single misconfiguration in a cron job or API call can leave your archives exposed, or cause runaway cloud storage costs from locked objects that are no longer needed.

Enterprise backup platforms such as CloudSave simplify this process. CloudSave integrates natively with AWS S3 Object Lock, Azure Blob Immutable Storage, and on-premises S3-compatible APIs.

When configuring a database backup plan in CloudSave:
1. The platform automatically handles VSS (Volume Shadow Copy Service) quiescence for SQL Server or the pg_start_backup() API for PostgreSQL.
2. It streams deduplicated and encrypted backup data directly to the storage target.
3. CloudSave issues the WORM API calls (e.g., PutObjectRetention) in an isolated manner, precisely aligning the storage lock duration with the policy-defined retention schedule.
4. If an attacker gains access to the CloudSave management console, they cannot delete the backups, because the compliance lock is enforced by the underlying storage infrastructure, not by the backup software.

Best Practices for Immutable Database Archives

To ensure your immutable architecture is genuinely robust, follow these systems engineering best practices:

1. Accurate NTP Synchronization

Immutable locks are mathematically bound to timestamps. If the NTP (Network Time Protocol) service on your storage or backup server is compromised or drifts, it can cause locks to expire prematurely or never expire at all. Ensure your storage infrastructure uses authenticated and redundant NTP sources.

2. Isolate IAM Roles and Access Keys

Access keys used to write to the immutable bucket must hold only the s3:PutObject and s3:PutObjectRetention permissions. They must never hold s3:DeleteObject or s3:PutBucketObjectLockConfiguration.

Example least-privilege IAM policy for a database backup agent:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetBucketObjectLockConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::prod-db-archive-immutable",
                "arn:aws:s3:::prod-db-archive-immutable/*"
            ]
        }
    ]
}
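An added check, not from the article, that audits a policy document like the one above for the actions this section says the backup agent must never hold (plus the governance-bypass permission named earlier). IAM action matching is case-insensitive and accepts wildcards, and an Allow with NotAction grants everything it does not list, so the check handles both; the over-broad counter-example policy is constructed.

```python
import fnmatch

# Actions the article says the backup agent must never hold on the immutable bucket,
# plus s3:BypassGovernanceRetention, which defeats Governance Mode locks.
FORBIDDEN_ACTIONS = (
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketObjectLockConfiguration",
    "s3:BypassGovernanceRetention",
)

# The article's least-privilege policy, embedded here so the check runs offline.
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:GetBucketObjectLockConfiguration"],
                   "Resource": ["arn:aws:s3:::prod-db-archive-immutable",
                                "arn:aws:s3:::prod-db-archive-immutable/*"]}],
}

# Constructed counter-example: the "convenient" wildcard grant agents often receive.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::prod-db-archive-immutable/*"}],
}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def forbidden_grants(policy: dict) -> list:
    """Return 'action (statement N)' for every forbidden action an Allow statement grants."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        not_actions = [a.lower() for a in _as_list(stmt.get("NotAction"))]
        for forbidden in FORBIDDEN_ACTIONS:
            name = forbidden.lower()
            granted = any(fnmatch.fnmatchcase(name, pat) for pat in actions)
            # NotAction inverts the match: granted unless one of its patterns covers it.
            if not_actions and not any(fnmatch.fnmatchcase(name, pat) for pat in not_actions):
                granted = True
            if granted:
                findings.append(f"{forbidden} (statement {index})")
    return findings
```

Run forbidden_grants on the policy attached to each backup role; an empty list is the only acceptable result for a key that writes to the immutable bucket.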

3. Sizing the Retention Period

Do not set excessively long compliance locks (e.g., 7 years of compliance) on your primary rapid-recovery tier. Databases generate a large volume of WAL/transaction log data, and locking that data for years leads to escalating storage costs.
Instead, use a tiered approach:
* Active Recovery Tier: 14 to 30 days of immutable retention for Fulls and Logs.
* Long-Term Archive Tier: Monthly full backups moved to Glacier/Deep Archive with Vault Lock for 1-7 years.

4. Regular Restore Testing in Isolated (Air-Gapped) VPCs

Immutability guarantees that data cannot be deleted, but it does not guarantee that the data is free of logical corruption. You must automate restores of your immutable database archives into an isolated VPC or VLAN. Run DBCC CHECKDB (SQL Server) or pg_amcheck (PostgreSQL) on the restored data to verify structural integrity.

Conclusion

Ransomware protection is an exercise in assuming breach. By the time an alert fires in your SIEM, attackers may already have attempted to reach your backup infrastructure. By designing your database archives on immutable storage in Compliance Mode, you remove the attackers' primary leverage. Whether you use cloud APIs, ZFS holds, or an enterprise management platform such as CloudSave, deploying WORM storage is no longer optional; it is a mandatory pillar of modern data governance and disaster recovery.