On January 17, 2025 the Digital Operational Resilience Act (DORA)[1] will apply and the key question is: Are we ready for this?
DORA, similar to NIS2[2], aims to harmonize cybersecurity and cyber resilience across the European Union by ensuring that organizations can effectively withstand and recover from major IT incidents and cyber events. This is for a large part due to the ever-increasing threat of ransomware attacks[3].
Enforcement of this regulation also comes with sanctions for non-compliance, based on proportionality, impact and company size, on top of the cost of reputational, revenue and customer-loyalty losses. Though the financial fines for non-compliance can be established by local Competent Authorities, the DORA itself states the following:
Since you have landed on this blog entry, you are probably asking yourself: How can I ensure minimum business and service interruption, minimum downtime and the least possible data loss for my data residing in the Oracle Database? Well, you are at the right place.
While there are different regulations for different (geographical) markets, regions & industries (GDPR, NIS2, DORA, CRA, …) there are critical aspects that recur in all of them:
To translate these into IT tools that are available to all of us, and that can help ensure availability, confidentiality and integrity of your critical data, there are 4 key focus areas:
And within the DORA the following articles specifically describe the requirements for these areas:
As some of our customers[4] have pointed out, Oracle Zero Data Loss Recovery Appliance (ZDLRA)[5] is a unique-in-industry solution to protect the Oracle Database and is a must-have for them in their DORA compliance journey, since it helps them meet and even exceed the requirements. They have also stated that the Oracle-only benefits of running a dedicated platform for backup and recovery of the Oracle Database far outweigh the cost of running and maintaining such a dedicated environment. Indeed, no one can protect Oracle Database data like we do. Here are some of the benefits they achieved with ZDLRA:
Specifically the combination of Exadata and ZDLRA is considered by our customers to provide the best performance, security and resilience for the customer’s most valuable data assets, particularly when it comes to Ransomware defense.
Let’s look at some customer statements:
“ZDLRA protects us from ransomware by capturing every transaction in real-time, ensuring minimal data loss and continuous business operations. Combined with Exadata’s high-performance capabilities, this system enhances our security, operational efficiency, and customer satisfaction. Together, they enable us to handle large transaction volumes efficiently while ensuring our data is secure and always available.” - Vojko Božiček, Director IT Execution, OTP banka
"We discovered that the immutability and ransomware protection feature stood out as the main selling point for our customers. With the rising threat of ransomware attacks and their severe consequences, having this level of protection is invaluable for any business or government entity." – Sturla Thor Björnsson, Divisional Manager of Oracle Hosting, Advania Island.
“Safaricom's commitment to providing seamless and reliable telecommunication and financial services is powered by the unmatched performance and data protection capabilities of Oracle Exadata and Oracle ZDLRA. With these industry-leading solutions, we are able to deliver exceptional customer experiences and ensure the utmost security and integrity of our valuable data assets.” – Mark Oyier, Head of Dept. IT Infrastructure & Enterprise Applications, Safaricom PLC.
So how could the Zero Data Loss Recovery Appliance help meet and exceed some of the DORA requirements? In the following tables you will find some features/functionality mapped to some of the DORA articles. Please note that this is not a complete product mapping, and ZDLRA might provide additional features/functionality that help meet some of the requirements of other articles (e.g. internal audit and reporting capabilities).
| Article | Requirement | ZDLRA feature/functionality (that may help meet or exceed the requirement) |
|---|---|---|
| Article 12 – Backup policies and procedures, restoration and recovery procedures and methods | ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss | Sub-second RPO, Database Aware Continuous Data Anomaly Checking, Immutability, lowest RTO through database-optimized virtual full recovery |
| | “use ICT systems that are physically and logically segregated from the source ICT system” | Cyber Vault (Airgap) and Clean Room / Isolated Recovery Environment |
| | “securely protected from any unauthorised access or ICT corruption” | Separation of Duties, Admin Voting, Role Based Access Management, Immutability, access granted on a per-session basis |
| | “maintain redundant ICT capacities” | ZDLRA is built upon a “High Availability by design” principle where components are redundant |
| | “recovery time and recovery point objectives […] shall ensure that […] service levels are met” | Sub-second RPO, lowest RTO for databases |
| | “ensure the highest level of data integrity”; “ensure that all data is consistent between systems” | Database Aware Continuous Data Anomaly Checking, Space-Efficient Encrypted Backups |
| Article 9 – Protection & Prevention | “design, procure and implement ICT security policies, procedures, protocols and tools […] to ensure the resilience, continuity and availability of ICT systems” | Maximum Availability Architecture and all products that are included in the blueprints* |
| | “[…] maintain high standards of availability, authenticity, integrity and confidentiality of data […] at rest, in use or in transit” | And all products that are included in the blueprint, incl. Zero Data Loss Recovery Appliance** |
| | Those ICT solutions and processes shall: | |
| | “ensure the security of transfer of data” | (Space-Efficient) Encrypted Backups, VLAN segregation, access granted on a per-session basis |
| | “minimise the risk of corruption or loss of data, unauthorised access and technical flaws”; “prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data”; “ensure that data is protected from risks arising from data management, including poor administration, processing related risks and human error” | Separation of Duties, Admin Voting, Role Based Access Management, (Space-Efficient) Encrypted Backups, Immutability controls (Legal/Compliance Hold), RMAN natively integrated backup and restore (no NFS or SMB mounts) |
| | “implement policies that limit the physical or logical access to information assets and ICT assets” | Admin Voting, Separation of Duties, Role Based Access Management |
| | “implement policies and protocols for strong authentication mechanisms […] whereby data is encrypted” | (Space-Efficient) Encrypted Backups |
| | “have appropriate and comprehensive documented policies for patches and updates” | |

*Oracle Engineered Systems are designed following the principle of Chaos Engineering to ensure the highest availability within the system.
**Oracle Engineered Systems are built following a defense-in-depth, principle of least privilege, zero-trust approach.
| Article | Requirement | How may Oracle help meet or exceed the requirement? |
|---|---|---|
| Article 7 – ICT Systems, Protocols and Tools | “use and maintain updated ICT systems, protocols and tools” | It is Oracle's best practice recommendation to always run on the latest (possible) hardware and software versions as well as on the latest firmware and patch levels. Our Engineered Systems and Storage solutions are extremely scalable within a rack and even across multiple racks. With Oracle Cloud Infrastructure, organizations can easily scale up and down to meet baseline and peak utilization. |
| Article 8 – Identification | “at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems […] in any case before and after connecting technologies, applications, or systems” | Data Protection Assessment, Database Security Assessment Tool (DBSAT), Real Application Testing (RAT) |
| Article 11 – Response & Recovery | “shall put in place […] ICT business continuity policy […] an integral part of the overall business continuity policy” | Even though Oracle cannot deliver a pre-built business continuity plan, our products, solutions and architectures are designed to help our customers develop, implement, test and maintain their ICT Business Continuity and Disaster Recovery Plan(s). Oracle Consulting and Customer Success Services can help in the creation of policies and procedures, as well as in (partially) managing the Oracle elements of the ICT infrastructure. |
Conclusion
With the EU Digital Operational Resilience Act (DORA) becoming enforceable on January 17, 2025, many organizations are re-evaluating their current IT infrastructure after finding themselves at risk of non-compliance following preliminary IT audits and stress tests. Hence, more and more customers implement the Oracle Zero Data Loss Recovery Appliance (ZDLRA) to meet and exceed organizational and regulatory requirements when it comes to their most valuable data assets residing in the Oracle Database.
To learn more about how to leverage ZDLRA for your cyber and regulatory requirements, please reach out to your Account Representative.
*views are my own and I am not a lawyer*
As Business Development Manager for Data Protection and Storage for EMEA, Tom works closely with the ZDLRA and ZFS product management teams to align the unique value propositions of our solution with cybersecurity, cyber resilience and regulatory requirements. Apart from this, Tom is responsible for translating the enterprise product go-to-market strategy based on EMEA region specific trends and requirements, in order to help sales teams to successfully position our backup and recovery solutions.