The best time to build a regulatory-compliant data management strategy is before regulations are imposed or required. While your industry may never be mandated to meet strict compliance requirements like those of the financial or utility industries, it’s a good practice to understand the regulations and use them as potential guideposts for your company.
Shoring up a data management strategy extends throughout the data lifecycle, from first creation (production) to clones for test / dev, and backups. Since backups represent a large swath of data stored for short and longer terms, this blog focuses on regulatory compliance of backup data with Oracle’s Zero Data Loss Recovery Appliance.
Co-engineered with Oracle Database, Recovery Appliance was built from the ground up using a Maximum Availability Architecture (MAA) and specifically focused on data recovery – not just backup tasks. Recovery Appliance automatically protects data in real-time, validates all backups using database-aware processes, and provides current recovery status for every database under management.

Regulatory requirements mandate that backups be retained for specific time periods depending on the type of data (e.g., 7 years for many financial records). Storing the files is obviously only part of the requirement; backups must also be restorable and recoverable to be compliant. While this may seem like a no-brainer, anyone who has managed backups understands that restore operations can fail due to corrupt or missing files, which is why validating backups is important.
Data regulations evolve over time to incorporate new or evolving threats. Highly regulated industries, such as the financial services sector, increasingly require that third-party compliance experts validate the capabilities of their data protection solution.
For Recovery Appliance, we engaged Cohasset Associates to perform a comprehensive review of product capabilities and publish their findings. Cohasset verified that Recovery Appliance would meet or exceed SEC Rule 17a-4(f) and others as described in their Compliance Assessment. Key findings from their report were highlighted in a recent blog.
When you get past the legalese of regulations, the main tenets make sense and are applicable to most enterprise and public sector data management plans. I’ve summarized some of the main points in Cohasset’s Compliance Assessment on Recovery Appliance:
- Backup data must be:
  - Accurate and unaltered from original source data (e.g., immutable)
  - Restorable and recoverable for viewing data later
  - Validated upon creation and periodically while stored to ensure validity
  - Stored in order of receipt with sequential indicators to serialize original and duplicates (e.g., date-time, unique identifiers, etc.), thereby making specific records easier to locate and authenticating the storage
- Backup retention must be:
  - Contiguous without gaps between retention start and end time periods
  - Able to be extended from original retention period as needed for legal holds
- Backup storage must:
  - Include an alternate source for accessing records in the event the primary source is compromised (e.g., lost or damaged, think offsite storage)
  - Be accessible, downloadable, or made available in a format and on media which can be provided to regulators or auditors
It seems the key requirement is that all backups within the required retention timeline must be valid, restorable, and recoverable so data can be viewed or used in the future. While it may be an oversimplification of complex regulations, data recovery is the business / regulatory requirement and backup management is the set of processes to get there.
With that in mind, how confident are you that all your backups are valid and recoverable? For Oracle Database online backups, all RMAN backup pieces must be available and valid for the database to be successfully recovered. To validate these backups, the RMAN “VALIDATE” command should be used. Storage checksums can validate that the files stored are as received, but if a bit got flipped in transit or if there were missing files in the backup, storage checksums couldn’t detect it. Therefore, unless you’re using RMAN to validate each backup, you’re effectively assuming backups are valid.
Fortunately, there is an easier way. Recovery Appliance automatically validates all backups during ingest and periodically while at rest using RMAN technologies without overhead on the database server. In addition, you’ll have real-time recoverability status for each protected database, so you never need to assume backups can be restored and recovered. Cohasset’s Compliance Assessment describes this process in detail along with other capabilities enabling you to meet strict data compliance regulations.
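The limit of storage checksums described above (they confirm files are stored as received, but miss in-transit bit flips and missing files) can be seen in a small model. This is an added example, not Oracle or RMAN code: the piece names, the SHA-256 manifest and every function name are assumptions for illustration, and the sample data is constructed.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

def source_manifest(pieces):
    """Digests recorded where the backup is created, before any transfer."""
    return {name: digest(data) for name, data in pieces.items()}

def store(received):
    """Storage tier: keep each piece with a checksum of the bytes as received."""
    return {name: (data, digest(data)) for name, data in received.items()}

def storage_scrub(stored):
    """At-rest check: flags only pieces that changed after they were stored."""
    return sorted(n for n, (data, d) in stored.items() if digest(data) != d)

def validate_against_source(stored, manifest):
    """Backup-aware check: each expected piece must exist and match its source digest."""
    missing = sorted(n for n in manifest if n not in stored)
    corrupt = sorted(n for n in manifest
                     if n in stored and digest(stored[n][0]) != manifest[n])
    return {"missing": missing, "corrupt": corrupt}

def demo():
    # Constructed sample data standing in for three backup pieces.
    pieces = {
        "piece_1": b"datafile blocks " * 64,
        "piece_2": b"more datafile blocks " * 64,
        "piece_3": b"archived redo " * 64,
    }
    manifest = source_manifest(pieces)

    # Simulate the transfer: one bit flips in piece_2, piece_3 never arrives.
    arrived = dict(pieces)
    damaged = bytearray(arrived["piece_2"])
    damaged[10] ^= 0x01
    arrived["piece_2"] = bytes(damaged)
    del arrived["piece_3"]

    stored = store(arrived)
    return storage_scrub(stored), validate_against_source(stored, manifest)

if __name__ == "__main__":
    scrub, report = demo()
    print("storage scrub flagged:", scrub)
    print("source validation:", report)
```

The storage scrub reports nothing because the stored bytes still match the checksum taken on receipt, while the comparison against the source manifest reports both the damaged and the missing piece.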
Whenever you are reviewing your data protection strategy, always keep data recovery the top priority even if most of your time is spent on the backups.
