Deep Dive into Amazon RDS Rolling Backup with Clumio

Hacking or ransomware attacks are a concern of every enterprise today. As per ransomware reports of 2019, ransomware attacks have almost quadrupled year over year. As organizations have started adopting cloud for their mission-critical systems, data protection becomes even more paramount. At Clumio, we build solutions that protect customers from the ransomware which is a colossal menace, and our Rolling Backup Protection for Amazon RDS is no exception. With Rolling Backup, there is a time-lagged standby copy of your RDS database securely stored in Clumio. The rolling backup is an essential add-on feature that will enable you to do a full restore from the time-lagged standby copy from a ransomware attack on your database or an account compromise. This feature is an essential element of Clumio’s backup as a service and the last part of a three-part deep dive blog series.

The links to the previous blog posts are here:
Amazon RDS Operational Recovery Deep Dive with Clumio
Amazon RDS Extended Retention and Granular Record Retrieval Deep Dive with Clumio

In this final installment of this three-part series, we will detail the top data protection requirements that all enterprises should consider when running RDS.

Requirement 1: RDS Backups Need to be Secure and Air-Gapped
Any backup solution needs to be outside the production environment to ensure a bad actor does not get access to both the production data and the backup. With Clumio, all our backups are protected outside of the customer’s VPC. So when bad actors take over your account, they have no access to your backup. All data inside of the Clumio service is encrypted at rest and in-flight during both backup and restores. As soon as a snapshot lands into Clumio, it gets encrypted with the Clumio key (we will support Bring Your Own Key in the future), which is not present in the customer account. This way, it is ensured that it is exceptionally secure, and even if the original customer account gets hacked, the snapshot remains protected. As we encrypt several times, using different keys makes this feature extremely secure.

Requirement 2: RDS Restores Need to Be Fast
When the need arises to restore a backup, the last thing you want is for it to take forever, and this is especially the case for RDS. Getting access to your backup is essential and with Clumio, customers can rapidly restore to a time-lagged database to an uncompromised account, either the original or a new AWS account. The RPO is 24 hours and RTO is less than 1 hour.

Requirement 3: RDS Backups Need to Be Simple and Easy
In any enterprise, there are enough complexities, and the last thing you need is to manage around the limitation of RDS snapshots. Clumio’s rolling backup feature is effortless to set up and use, just like the other features discussed in the two previous blogs in this series. After the database is tagged, a unified policy must be created and enabled for rolling backup (see Figure 1). That’s it! Simple and easy!

Figure 1: Unified policy

So you are probably thinking, Clumio sounds pretty magical, but how does it work? Let us take a quick deep dive into how the service works.

Figure 2: Rolling backup/restore workflow

• Once the rolling backup feature is enabled, Clumio will take the manual snapshot (Step1 in Figure 2) of the Amazon RDS in the customer account.
• Clumio will encrypt the snapshots using multiple keys. Then it will be transmitted securely to Clumio (Step 2 in Figure 2).
• Once the snapshot arrives at Clumio, it is immediately re-encrypted with the Clumio key (Step 3 in Figure 2). A time-lagged snapshot is available for the restoration, encrypted by the Clumio key that is not present in the original AWS account. This process repeats every 24 hours.
• If the original AWS account does get hacked or compromised, then restore begins by encrypting snapshots with multiple keys. However, as it is written back to the new account, it is encrypted back to the new production key (Step 4 in Figure 2).

About the Demo:

What is better than slides or a blog post? Well, another demo to go with it! In the demo below, I am using the Aurora PostgreSQL RDS database version 5.6. This database is populated with 500 GB of data using load generator pgbench.

To demonstrate a compromised database situation, we used a reference table to display data before and after the database got hacked. This reference table shows as to what point in time the database would be recovered after it got hacked (see below). After the database restore, one would only see records up to row 10, since row 11 onwards were inserted in the table after the manual snapshot.
Figure 3: Reference table in Aurora PostgreSQL database

Summary:

Clumio’s rolling backup is the most advanced, yet easy and straightforward, way to recover from ransomware attacks and hacking. As seen in the demo, this solution is both easy to set up and use. We highly recommend exploring Clumio’s backup as a service and see how effectively mission-critical databases can be protected from the menace of ransomware and hacking. Clumio backup as a service for Amazon RDS covers all aspects, from operational recovery to rolling backups for a possible data breach or hacking to extended retention to meet regulatory requirements, thus making Amazon RDS enterprise-ready. Take your Amazon RDS databases to the next level with Clumio’s backup as a service.