Using THE CLOUD(TM) For Off-Site Backup Media Storage

Recently, a client of mine asked me an excellent question about whether they could use AWS as an off-site storage location for their backup media files.

As I may have previously suggested, I have quite a long list of reasons why I think that running important databases from the cloud is a terrible idea, though if a client does really want to pursue this route, I will naturally oblige and make it work as best as I can.

This particular client’s suggestion, however – which, surprisingly, isn’t something that I’d heard made before – was to move at-rest backup media files to Amazon’s S3 storage instead of putting them on tape and shipping them off-site.

I asked around and did some digging but I couldn’t find anyone who was using THE CLOUD(TM) in this manner. Some are migrating their live database to THE CLOUD(TM) – or, at least, attempting to and becoming very frustrated with it – while others have stood up standby databases in AWS as a “DR-of-last-resort”.

Storing RMAN media files on THE CLOUD(TM), obviously, doesn’t require the levels of performance that running a database does. There are still the costs of storage and bandwidth to consider, but these should be significantly easier for the client to predict than for a database.

The key problem is security. If a client has purchased Oracle’s Advanced Security cost option, then the RMAN media files can be encrypted at-rest and moved across to AWS with a high level of confidence that, even if they were stolen, it would be very difficult for a miscreant to decrypt the files.

Of course, not every client has Advanced Security, meaning they either have to supply their own encryption (probably via the O/S) or, even worse, transfer the media to AWS with no encryption whatsoever.

TrueCrypt used to be the “go-to” tool for encryption via the O/S, but was discontinued a few months ago and should no longer be used. CipherShed appears to be the most promising derivative as it, too, offers on-the-fly-encryption instead of whole-disk encryption, but is currently only available as a preview release.

Has anyone out there used AWS as long-term off-site backup storage for your backup media? If so, which tool did you use to encrypt the files at rest?


2 thoughts on “Using THE CLOUD(TM) For Off-Site Backup Media Storage”

  1. Jakub Wartak says:

    If we are talking about RMAN then you might want to look at Oracle Secure Backup and its S3/AWS plugin for it. OSB has built-in – as it transfers – internal software encryption (you can configure per selector, host, etc), no idea how it works in reality/production with S3 plugin, especially given that OSB manages everything as “tape”/“library” it might (or might not – no idea) waste some space. It works fine with VTLs/libs… the RMAN integration is pretty neat. Of course you could always do some hack with backup to some local disk location (via RMAN) and then somehow encrypt with gpg and push with s3/rsync tools to THE CLOUD (TM) 😉 But seriously what RTO, bandwidth and data sizes we are talking here? 🙂

    Liked by 1 person

    • Mark Smith says:

      All are vaguely, if at all, defined :). It’s VERY small at the moment.

      OSB is not a bad suggestion, actually. Far cheaper than Advanced Security, yet still takes the potential problem seriously enough in choosing a proprietary solution.

      I suspect, however, the solution will involve taking the RMAN backup to disk, encrypting using O/S tools and then pushing to THE CLOUD(TM). Not ideal, obviously, but like with everything to do with THE CLOUD(TM), the devil’s in the details…

      Like
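
The disk, then encrypt, then push route discussed in the post and comments above, as an added example (not code from the post or its commenters). It assumes GnuPG, `sha256sum` and the AWS CLI are installed and that RMAN has already written its backup pieces to disk; the `.bkp` suffix, staging directory, recipient key and S3 URI are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: encrypt RMAN backup pieces on disk, upload ciphertext only.
# Assumed inputs (not from the post): pieces named *.bkp, a fresh staging
# directory per run, a GnuPG recipient key, and an S3 URI.

# encrypt_and_push SRC_DIR STAGE_DIR GPG_RECIPIENT S3_URI
encrypt_and_push() (
    src=$1 stage=$2 recipient=$3 dest=$4
    umask 077                               # staging files private to this user
    mkdir -p "$stage" || exit 1
    manifest="$stage/MANIFEST.sha256"
    : > "$manifest" || exit 1

    # Pass 1: encrypt everything. Any failure aborts before a single upload.
    for piece in "$src"/*.bkp; do
        [ -f "$piece" ] || continue         # glob matched nothing
        out="$stage/$(basename "$piece").gpg"
        # Public-key mode: the backup host never holds the decryption key.
        gpg --batch --yes --recipient "$recipient" \
            --output "$out" --encrypt "$piece" || exit 1
        [ -s "$out" ] || exit 1             # refuse empty ciphertext
        # Hash the ciphertext so a restore can check what S3 hands back.
        ( cd "$stage" && sha256sum "$(basename "$out")" ) >> "$manifest" || exit 1
    done
    [ -s "$manifest" ] || { echo "no backup pieces in $src" >&2; exit 1; }

    # Pass 2: upload from the staging directory only, never from $src.
    for enc in "$stage"/*.gpg "$manifest"; do
        aws s3 cp "$enc" "$dest/" || exit 1
    done
)

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then encrypt_and_push "$@"; fi
```

On restore, run `sha256sum -c MANIFEST.sha256` against the downloaded files before decrypting; the private key should live somewhere other than the backup host and the AWS account.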
