The EU DORA and Oracle Zero Data Loss Recovery Appliance

December 5, 2024 | 11 minute read

On January 17, 2025, the Digital Operational Resilience Act (DORA)[1] will apply, and the key question is: are we ready for this?

The DORA, similar to NIS2[2], aims to harmonize cybersecurity and cyber resilience across the European Union by ensuring that organizations can effectively withstand and recover from major IT incidents and cyber events. This is in large part due to the ever-increasing threat of ransomware attacks[3].

Enforcement of this regulation also comes with sanctions for non-compliance, based on proportionality, impact and company size, on top of the cost of lost reputation, revenue and customer loyalty. Though the financial fines for non-compliance can be established by local Competent Authorities, the DORA itself states the following:

  • Organizations can be fined up to 1% of the average daily worldwide turnover over the previous year, applied daily for a maximum of 6 months or until the non-compliance is remediated.
  • Potential administrative/financial sanctions, both for the organization and for individuals who are held personally liable for non-compliance (e.g. members of the Management Board)
  • Potential criminal sanctions for individuals who are held personally liable for non-compliance

Since you have landed on this blog entry, you are probably asking yourself: How can I ensure minimum business and services interruption, with minimum downtime and the least possible data loss, for my data residing in the Oracle Database? Well, you are in the right place.

While there are different regulations for different (geographical) markets, regions & industries (GDPR, NIS2, DORA, CRA, …), there are critical aspects that recur in all of them:

  • Maintain a secure configuration
  • Monitor and control access to sensitive data
  • Encrypt critical data and manage keys effectively
  • Ensure rapid recovery after disruptions
  • Minimize disruptions and data loss

To translate these into IT tools that are available to all of us, and that can help ensure availability, confidentiality and integrity of your critical data, there are 4 key focus areas:

  1. Encryption
  2. Key Management
  3. Backup & Recovery
  4. Airgap / Cyber Vault / Clean Room (Isolated Recovery Environment)

Within the DORA, the following articles specifically describe the requirements for these areas:

  • Article 12 – Backup policies and procedures, restoration and recovery procedures and methods
  • Article 9 – Protection & Prevention
  • Article 7 – ICT Systems, Protocols & Tools
  • Article 8 – Identification
  • Article 11 – Response & Recovery

As some of our customers[4] have pointed out, Oracle Zero Data Loss Recovery Appliance (ZDLRA)[5] is a unique-in-industry solution to protect the Oracle Database and is a must-have for them in their DORA compliance journey, since it helps them meet and even exceed requirements. They have also stated that the Oracle-only benefits of running a dedicated platform for backup & recovery for the Oracle Database far outweigh the cost of running and maintaining such a dedicated environment. Indeed, no one can protect Oracle Database data like we do. Here are some of the benefits they achieved with ZDLRA:

  • Sub-second RPO (transaction level point-in-time protection and recovery for zero data loss)
  • Lowest RTO (Days/hours to hours/minutes) through database optimized virtual full recovery
  • Recovery reliability through continuous data anomaly checking
  • Validated and transactionally consistent backups, throughout the data protection lifecycle
  • Space-Efficient, Encrypted, Tamper-Proof Backups with database-level block compression, Transparent Data Encryption (TDE) and immutable retention controls
  • Secure, Low RPO/RTO, Airgapped Cyber Vault while minimizing vault access window for backup synchronization operations with fast, incremental forever replication.

Specifically, the combination of Exadata and ZDLRA is considered by our customers to provide the best performance, security and resilience for their most valuable data assets, particularly when it comes to ransomware defense.

Let’s look at some customer statements:

“ZDLRA protects us from ransomware by capturing every transaction in real-time, ensuring minimal data loss and continuous business operations. Combined with Exadata’s high-performance capabilities, this system enhances our security, operational efficiency, and customer satisfaction. Together, they enable us to handle large transaction volumes efficiently while ensuring our data is secure and always available.” – Vojko Božiček, Director IT Execution, OTP banka

"We discovered that the immutability and ransomware protection feature stood out as the main selling point for our customers. With the rising threat of ransomware attacks and their severe consequences, having this level of protection is invaluable for any business or government entity." – Sturla Thor Björnsson, Divisional Manager of Oracle Hosting, Advania Island.

“Safaricom's commitment to providing seamless and reliable telecommunication and financial services is powered by the unmatched performance and data protection capabilities of Oracle Exadata and Oracle ZDLRA. With these industry-leading solutions, we are able to deliver exceptional customer experiences and ensure the utmost security and integrity of our valuable data assets.” – Mark Oyier, Head of Dept. IT Infrastructure & Enterprise Applications, Safaricom PLC.

So how could the Zero Data Loss Recovery Appliance help meet and exceed some of the DORA requirements? The following tables map some features and functionality to some of the DORA articles. Please note that this is not a complete product mapping, and ZDLRA might provide additional features and functionality that help meet some of the requirements of other articles (e.g. internal audit & report capabilities).

| Article | Requirement | ZDLRA Oracle-only advantages (that may help meet or exceed requirements) |
|---|---|---|
| Article 12 – Backup policies and procedures, restoration and recovery procedures and methods | ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss | Sub-second RPO, Database Aware Continuous Data Anomaly Checking, Immutability, lowest RTO through database optimized virtual full recovery. |
| | “use ICT systems that are physically and logically segregated from the source ICT system” | Cyber Vault (Airgap) and Clean Room / Isolated Recovery Environment |
| | “securely protected from any unauthorised access or ICT corruption” | Separation of Duties, Admin Voting, Role Based Access Management, Immutability, Access granted on per session basis |
| | “maintain redundant ICT capacities” | ZDLRA is built upon “High Availability by design” principle where components are redundant |
| | “recovery time and recovery point objectives […] shall ensure that […] service levels are met” | Sub-second RPO, Lowest RTO for Databases |
| | “ensure the highest level of data integrity”; “ensure that all data is consistent between systems” | Database Aware Continuous Data Anomaly Checking, Space-Efficient Encrypted Backups |
| Article 9 – Protection & Prevention | “design, procure and implement ICT security policies, procedures, protocols and tools […] to ensure the resilience, continuity and availability of ICT systems” | Maximum Availability Architecture, and all products that are included in the blueprints. *Oracle Engineered Systems are designed following the principle of Chaos Engineering to ensure highest availability within the system. |
| | “[…] maintain high standards of availability, authenticity, integrity and confidentiality of data […] at rest, in use or in transit” | Maximum Security Architecture, and all products that are included in the blueprint, incl. Zero Data Loss Recovery Appliance. *Oracle Engineered Systems are built following a defense-in-depth, principle of least-privileges, zero-trust approach |
| | Those ICT solutions and processes shall: | |
| | “ensure the security of transfer of data” | (Space-Efficient) Encrypted Backups, VLAN segregation, Access granted on per session basis |
| | “minimise the risk of corruption or loss of data, unauthorised access and technical flaws”; “prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data”; “ensure that data is protected from risks arising from data management, including poor administration, processing related risks and human error” | Separation of Duties, Admin Voting, Role Based Access Management, (Space-Efficient) Encrypted backups, Immutability controls (Legal/Compliance Hold), RMAN natively integrated backup & restore (no NFS or SMB mounts) |
| | “implement policies that limit the physical or logical access to information assets and ICT assets” | Admin Voting, Separation of Duties, Role Based Access Management |
| | “implement policies and protocols for strong authentication mechanisms […] whereby data is encrypted” | (Space-Efficient) Encrypted backups |
| | “have appropriate and comprehensive documented policies for patches and updates” | https://www.oracle.com/security-alerts/ and https://www.oracle.com/corporate/security-practices/ |

| Article | Requirement | How may Oracle help meet or exceed requirements? |
|---|---|---|
| Article 7 – ICT Systems, Protocols and Tools | “use and maintain updated ICT systems, protocols and tools: appropriate to the magnitude of operations; reliable; equipped with sufficient capacity; technologically resilient” | It is Oracle best practice recommendation to always run on the latest (possible) Hardware and Software versions as well as on the latest firmware and patch levels. Our Engineered Systems and Storage solutions are extremely scalable within a rack and even across multiple racks. With Oracle Cloud Infrastructure organizations can easily scale up and down to meet baseline and peak utilization. |
| Article 8 – Identification | “at least yearly, conduct a specific ICT risk assessment on all legacy ICT systems […] in any case before and after connecting technologies, applications, or systems” | Data Protection Assessment, Database Security Assessment Tool (DBSAT), Real Application Testing (RAT) |
| Article 11 – Response & Recovery | “shall put in place […] ICT business continuity policy […] an integral part of the overall business continuity policy: ensure the continuity of critical or important functions; limits damage and prioritises the resumption of activities; response and recovery procedures established in accordance with Article 12; estimate preliminary impacts, damages and losses” | Even though Oracle cannot deliver a pre-built business continuity plan, our Products, Solutions and Architectures are designed to help our customers develop, implement, test and maintain their ICT Business Continuity and Disaster Recovery Plan(s). Oracle Consulting and Customer Success Services can help in creation of policies and procedures, as well as (partially) managing the Oracle elements of the ICT infrastructure. |

Conclusion

With the EU Digital Operational Resilience Act (DORA) becoming enforceable on January 17, 2025, many organizations are re-evaluating their current IT infrastructure after finding themselves at risk of non-compliance following preliminary IT audits/stress tests. Hence, more and more customers implement the Oracle Zero Data Loss Recovery Appliance (ZDLRA) to meet and exceed organizational and regulatory requirements when it comes to their most valuable data assets residing in the Oracle Database.

  • ZDLRA is uniquely positioned to provide the industry's lowest RPO and RTO for Oracle Database, and with scalable restore performance it helps organizations restore data with the least possible downtime, data loss and business/services interruption.
  • Thanks to its unique Oracle Database aware continuous data anomaly checking, the ZDLRA provides consistency, integrity and reliable recoverability of your backups, and when real-time redo transfer is enabled it can recover up to the latest transaction written to the appliance.
  • When running software release 23.1, the ZDLRA further enables customers to compress TDE encrypted data at the source, being the only solution in the industry that can help keep your critical data encrypted throughout its lifecycle whilst reducing storage requirements and optimizing backup and restore performance (up to 60TB/hr).
  • To further increase your organization’s resiliency posture, the Recovery Appliance provides granular role-based access management with clear separation of duties to ensure that only those users authorized to access the data can effectively do so. Further protection can be established by enabling admin voting to require a quorum approval for ROOT and SYSADMIN operations, and by implementing different protection policies per (group of) database(s), including specific immutability controls like compliance/legal hold and individual or group-level retention windows.
  • Lastly, the ZDLRA is extremely suitable for Cyber Vault deployments and indispensable for Isolated Recovery Environments, to ensure you can recover with the lowest RPO, RTO and data loss and the fastest replication and recovery after a major IT incident where forensics is required, and subsequently return to Production.

To learn more about how to leverage ZDLRA for your cyber and regulatory requirements, please reach out to your Account Representative.

*views are my own and I am not a lawyer*


Tom Heuves

As Business Development Manager for Data Protection and Storage for EMEA, Tom works closely with the ZDLRA and ZFS product management teams to align the unique value propositions of our solution with cybersecurity, cyber resilience and regulatory requirements. Apart from this, Tom is responsible for translating the enterprise product go-to-market strategy based on EMEA region specific trends and requirements, in order to help sales teams to successfully position our backup and recovery solutions.

 
