Tuesday, September 29, 2020

Mitigate Ransomware Attacks & Protect your data with Oracle Cloud

Recently, I was working with a Fortune 100 retailer. During a cadence with their Chief Technology Officer & Security Advisor, an interesting topic came up for discussion. With ever-growing malware attacks - especially ransomware - the board had mandated IT to prioritize a strategy to prevent, mitigate & protect their crown jewel (data) against potential ransomware attacks.

Board concerns included:

  • Protecting Brand Reputation
  • Immediate need for a cost-effective business continuity plan (BCP)
  • Security Compliance

Enterprises across the world - both large & small - have been hit by ransomware and incurred several billion dollars in losses, whether through lost business, time to recover and/or ransom payments.

Per Wikipedia:

Security experts have suggested precautionary measures for dealing with ransomware. Using software or other security policies to block known payloads from launching will help to prevent infection, but will not protect against all attacks. As such, having a proper backup solution is a critical component to defending against ransomware. Note that, because many ransomware attackers will not only encrypt the victim's live machine but will also attempt to delete any hot backups stored locally or accessible over the network on a NAS, it's also critical to maintain "offline" backups of data stored in locations inaccessible from any potentially infected computer, such as external storage drives or devices that do not have any access to any network (including the Internet), which prevents them from being accessed by the ransomware.

Reveton, Fusob, WannaCry, BadRabbit, Petya (remember NotPetya?) and SamSam are all different strains of ransomware that over the years have caused billions in losses. As hackers find new & creative ways to disrupt global businesses with malicious intent, the next attack may be impossible to predict, but it is certainly possible to prevent it, protect against it & mitigate its impact & damage, should there ever be one.

In this blog, I would like to share my perspective and the solution with which we helped the customer, leveraging Oracle's Gen2 Cloud Infrastructure services.

One of the core tenets of defending against ransomware and similar malware is to maintain consistent, redundant, secure "offline" backups of critical data, since ransomware can traverse the network and reach any backup that is mounted or writable from an infected host.

Our proposal encompassed 3 primary factors that are key for enterprise workloads to run uninterrupted:

1. Enterprise Grade Secure Backups & Cloud Storage

Oracle's Gen2 Cloud offers a secure, redundant, enterprise-grade cloud backup & storage solution aimed not just at keeping copies of on-premises data out of reach of an infected on-premises host (the "offline" role described above) but also at managing & automating consistent on-premises data backups. Specifically, the following built-in features provide immutable, versioned, consistent, redundant & secure storage for all kinds of enterprise data:

  • Two distinct storage tiers for hot (Standard) & cold (Archive) backup storage
  • Secure & restricted access through fine-grained IAM policies
  • Object versioning, so that an accidental or malicious overwrite or delete leaves the previous version recoverable
  • Default AES-256 encryption, with the choice of Oracle-managed or customer-managed keys
  • Rich lifecycle automation policies (tiering and expiry)
  • Retention rules that meet regulatory requirements and, once locked, make data immutable for the retention period
  • Configurable replication policies for cross-region data redundancy
  • Self-healing to ensure data integrity

In addition, Oracle Storage Gateway lets the solution be deployed with zero disruption, as it exposes cloud storage locally as an NFS share (note that a mounted share is reachable from the network just like any NAS, so the protection against an infected host comes from the versioning and retention rules on the bucket behind it, not from the mount itself), and the Oracle Database Backup Cloud Service automates the management of Oracle database backups from on-premises to the cloud.
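The bucket settings above (versioning, locked retention rules, least-privilege IAM for the principal that writes backups) are what actually keep a backup out of reach of a compromised host, so they are worth auditing rather than assuming. The following Python is an added example written for this post, not code from the post or from Oracle: it checks JSON shaped like the output of `oci os bucket get` and `oci os retention-rule list`, plus a list of IAM policy statements, and reports anything a ransomware operator with stolen backup-host credentials could exploit. All sample inputs are constructed, and the JSON field names (`versioning`, `kms-key-id`, `duration`, `time-rule-locked`) are assumptions to verify against your own CLI output. The policy check relies on the OCI verb mapping in which `use` on objects includes OBJECT_OVERWRITE and `manage` includes OBJECT_DELETE and OBJECT_VERSION_DELETE, so a backup writer should get `manage objects` narrowed by a `where` clause to OBJECT_CREATE, OBJECT_INSPECT and OBJECT_READ.

```python
"""Audit an OCI Object Storage backup bucket for ransomware resilience.

Added example for this post; not code from the post or from Oracle.
Sample inputs are CONSTRUCTED and the JSON field names are assumptions
to verify against real `oci os bucket get` / `oci os retention-rule list`
output.
"""
import re

# Object permissions that let a compromised backup host alter or destroy
# backups. A backup writer only needs OBJECT_CREATE, OBJECT_INSPECT, OBJECT_READ.
DESTRUCTIVE = {"OBJECT_DELETE", "OBJECT_VERSION_DELETE", "OBJECT_OVERWRITE"}

# Matches "Allow group <g> to <verb> <resource> in compartment <c> [where ...]".
STATEMENT = re.compile(
    r"allow\s+group\s+(\S+)\s+to\s+(\w+)\s+(\S+)\s+in\s+"
    r"(?:compartment\s+\S+|tenancy)(?:\s+where\s+(.*))?\s*$",
    re.I,
)


def rule_days(rule):
    """Retention length in days; a rule with no duration keeps objects forever."""
    duration = rule.get("duration")
    if not duration:
        return float("inf")
    amount = duration["time-amount"]
    return amount * 365 if duration["time-unit"].upper() == "YEARS" else amount


def is_locked(rule, now=None):
    """A rule only protects data once its lock time has passed; until then it can be edited or deleted."""
    locked_at = rule.get("time-rule-locked")
    if not locked_at:
        return False
    # ISO 8601 UTC timestamps of the same shape compare lexicographically.
    return True if now is None else locked_at <= now


def audit_bucket(bucket, retention_rules, min_retention_days=90, now=None):
    """Return findings for the bucket; an empty list means the settings hold."""
    findings = []
    data = bucket["data"]
    if data.get("versioning") != "Enabled":
        findings.append("versioning not Enabled: an overwrite or delete is unrecoverable")
    if not data.get("kms-key-id"):
        findings.append("no customer-managed key: encryption keys are Oracle-managed only")
    rules = retention_rules["data"].get("items", [])
    if not rules:
        findings.append("no retention rule: any principal with delete rights can purge backups")
    else:
        locked = [r for r in rules if is_locked(r, now)]
        if not locked:
            findings.append("no locked retention rule: the rule itself can be removed before the data")
        elif max(rule_days(r) for r in locked) < min_retention_days:
            findings.append(f"locked retention shorter than {min_retention_days} days")
    return findings


def audit_policy(statements, backup_group):
    """Flag statements that let the backup group overwrite or delete objects."""
    findings = []
    for stmt in statements:
        match = STATEMENT.match(stmt.strip())
        if not match or match.group(1).lower() != backup_group.lower():
            continue
        verb, resource, where = match.group(2).lower(), match.group(3).lower(), match.group(4)
        if resource not in ("objects", "object-family"):
            continue
        perms = {p.upper() for p in re.findall(r"request\.permission\s*=\s*'(\w+)'", where or "")}
        # "use" implies OBJECT_OVERWRITE and "manage" implies delete unless a
        # where-clause narrows the permission set.
        if verb in ("use", "manage") and not perms:
            findings.append(f"{stmt}: '{verb}' without a permission filter allows overwrite/delete")
        elif perms & DESTRUCTIVE:
            findings.append(f"{stmt}: grants {sorted(perms & DESTRUCTIVE)}")
    return findings


# Constructed samples: a weak bucket as it might come out of
# `oci os bucket get --name backups-prod`, and the hardened one beside it.
WEAK_BUCKET = {"data": {"name": "backups-prod", "versioning": "Disabled", "kms-key-id": None}}
HARDENED_BUCKET = {"data": {"name": "backups-prod", "versioning": "Enabled",
                            "kms-key-id": "ocid1.key.oc1..example"}}
NO_RULES = {"data": {"items": []}}
LOCKED_RULES = {"data": {"items": [{
    "display-name": "ransomware-hold",
    "duration": {"time-amount": 90, "time-unit": "DAYS"},
    "time-rule-locked": "2020-10-01T00:00:00Z",
}]}}
WEAK_POLICY = ["Allow group BackupAgents to manage objects in compartment Backups"]
LEAST_PRIVILEGE_POLICY = [
    "Allow group BackupAgents to manage objects in compartment Backups where any "
    "{request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT', "
    "request.permission='OBJECT_READ'}",
    "Allow group BackupAgents to read buckets in compartment Backups",
]

if __name__ == "__main__":
    for label, bucket, rules in (("weak", WEAK_BUCKET, NO_RULES),
                                 ("hardened", HARDENED_BUCKET, LOCKED_RULES)):
        print(label, audit_bucket(bucket, rules, now="2020-10-02T00:00:00Z") or "OK")
    for label, policy in (("weak", WEAK_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(label, audit_policy(policy, "BackupAgents") or "OK")
```

The `now` argument matters: a retention rule can be created with a lock date in the future, and until that date anyone with rights on the bucket can shorten or delete the rule, so an audit that only checks for the presence of `time-rule-locked` would pass a bucket that is still unprotected. The same audit logic also covers the fine-grained IAM point made under security-first architecture below: the weak statement grants the backup group the full `manage` verb, which includes delete, while the least-privilege form lets the agent write new objects but never overwrite or remove them.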

2. Ensure Business Continuity - Not just offline backups for fallback

Oracle Cloud Gen2 prides itself on being purpose-built for the enterprise. With fundamental building blocks at its core such as off-box virtualization, non-oversubscribed network bandwidth, compute & storage, a defense-in-depth, security-first cloud architecture & unique offerings such as modern AMD & Intel CPUs, Nvidia GPUs, HPC, RDMA cluster networking, NVMe & Exadata, customers can rely on Oracle Cloud and treat it as an extension of their on-premises IT.

This provides the ability to spin up VMs, bare metal servers, VMware workloads and databases (Oracle DB on VMs, bare metal DB systems, MySQL, Exadata, Autonomous Database, SQL Server) - everything potentially needed to ensure business continuity.

3. Security-First Cloud Architecture & Compliance

At its core, Oracle Cloud offers built-in:

  • Edge security through global PoPs, DDoS protection, DNS security & WAF
  • Monitoring with 3rd-party security appliances (FW, NGFW, IPS), configuration monitoring, logging & compliance
  • Virtual network segmentation, security lists, IPSec VPN, FastConnect & private networking
  • Tenant isolation, hardened images, hardware entropy, root-of-trust card, HSM & signed firmware
  • Data protection (encryption at rest and in transit & Key Vault management)
  • Identity federation, role-based policies, compartments, tagging and instance principals

In addition, fine-grained IAM policies secure & restrict resource access at the finest level, Multi-Factor Authentication (MFA) adds a further layer of user security, and CASB for OCI offers visibility, threat protection, data security and compliance for OCI deployments.

Below is the reference architecture that addresses the ransomware prevention & mitigation strategy for deployments & data in the Oracle Cloud.

Feel free to reach out if you have a criticism, feedback or queries.