Delphix Data Vault
Data Backup and Recovery Solutions / Delphix Data Vault

Overview

The Delphix Engine has a base feature set that is compelling as a data protection solution. An enhancement is being introduced that can further prevent snapshot and database loss in the event of a ransomware attack. 

Delphix Data Vault for ransomware protection allows organizations to recover their application data access much faster than traditional backup solutions, in case of malicious attacks. It relies on the new Data Vault Replication feature, which replicates critical business DB data stored on Delphix engines to a new target engine called Data Vault. Once securely stored on the Data Vault, the replicated DB data can be used to recover business applications with very low RTO and RPO.

This feature is available via CLI or via the Data Vault UI section added to the Replication page in versions 6.0.9.0 and above. The UI provides function for creating Data Vault profiles from scratch and convert existing specifications to be locked.

Requires Technical Services Consult

Delphix requires a Technical Services assessment prior to deployment and configuration of Data Vault. The process of configuring a Delphix Data Vault replication profile is simple; the assessment is required because each application has specific data protection and recovery requirements and we must ensure that Delphix can respond to them appropriately. To schedule an assessment, please contact your Customer Success Manager.

Advantages

The Delphix Data Vault solution provides built-in protection against ransomware attacks by frequently refreshing production application data to a virtual database (dSource), from which you can recover applications almost instantly to any valid point in time prior to the encryption attack by leveraging Delphix VDB provisioning capabilities. The refresh interval between the production application and the Delphix dSource can be configured to be up to seconds, for business-critical applications (not applicable to all DB technologies).

  • Creates a separation of responsibilities between the two Delphix Engines
    • One engine is used for regular Virtualization cases (ingestion, VDBs, SDD)
    • Another engine is used for ransomware protection.
  • Creates a physical separation by allowing the admin to isolate and secure the locked Delphix Engine. 
    • Only the DSP port has to be open for replication. 
    • No ports are needed for JDBC, NFS, or SSH until VDBs need to be created to export data. This also prevents attack vectors related to any of those protocols.
  • Can assist with making deployments and security reviews easier to pass since the locked Delphix Engine is isolated and has a single purpose to reduce potential attack vectors.

In the event of a ransomware attack on a primary engine source being compromised or corrupted, you can provision a VDB on the replica in the locked namespace of the replication target – similar to the normal replication namespace. This process can be further outlined in the Provisioning From Replicated Data Sources or VDBs article. If a complete recovery of the primary engine is needed, please contact Delphix Support. 

Implementation

This feature adds a property to the replication namespace and specifications called “locked”. Additional dSources, VDBs, groups, and domains can be added to locked replication specs, but data sources cannot be removed after doing so. Failover on the target Delphix Engine is not allowed if the namespace is part of the locked replication spec. The retention policy duration on a locked namespace can be modified as long as the duration is either being increased, or it is being decreased to a minimum of 100 days.

The time configuration on Delphix engines with Data Vault enabled cannot be changed. This is to prevent attempts at bypassing retention policies in order to try and delete snapshots on the target data vault. 

A fault is now generated on the Data Vault target for a locked namespace that has not received a successful replication update in 3 days.

CLI Functions

Create a locked replication profile.

[user.hostname]> replication spec
[user.hostname] replication spec> create
[user.hostname] replication spec create *> set name=locked-spec-1
[user.hostname] replication spec create *> set objectSpecification.objects=Untitled/dbname
[user.hostname] replication spec create *> set targetHost=example.delphix.com
[user.hostname] replication spec create *> set targetPrincipal=admin
[user.hostname] replication spec create *> set targetCredential.password=delphix
[user.hostname] replication spec create *> set lockedProfile=true
[user.hostname] replication spec create *> commit
    `REPLICATION_SPEC-3
[user.hostname] replication spec> select locked-spec-1
[user.hostname] replication spec 'locked-spec-1'> get
    type: ReplicationSpec
    name: locked-spec-1
    automaticReplication: false
    bandwidthLimit: 0
    description: (unset)
    encrypted: false
    lockedProfile: true <------------------------------ LOCKED
    numberOfConnections: 1
    objectSpecification:
        type: ReplicationList
        name: (unset)
        objects: Untitled/dbname
    reference: REPLICATION_SPEC-3
    runtime:
        type: ReplicationSpecRuntime
    schedule: (unset)
    tag: 5570be25-dbcf-48c3-b2d2-dd2c65eb98b7
    targetCredential:
        type: PasswordCredential
        password: ********
    targetHost: example.delphix.com
    targetPort: 8415
    targetPrincipal: admin
    useSystemSocksSetting: false
[user.hostname] replication spec 'locked-spec-1'> cd ..
[user.hostname] replication spec>


Lock an unlocked replication profile.

[user.hostname]> replication spec create
[user.hostname] replication spec create *> set name=locked-spec-2
[user.hostname] replication spec create *> set objectSpecification.objects=Untitled/dbname
[user.hostname] replication spec create *> set targetHost=example.delphix.com
[user.hostname] replication spec create *> set targetPrincipal=admin
[user.hostname] replication spec create *> set targetCredential.password=delphix
[user.hostname] replication spec create *> commit
    `REPLICATION_SPEC-4
[user.hostname]> replication spec select locked-spec-2
[user.hostname] replication spec 'locked-spec-2'> get
    type: ReplicationSpec
    name: locked-spec-2
    automaticReplication: false
    bandwidthLimit: 0
    description: (unset)
    encrypted: false
    lockedProfile: false
    numberOfConnections: 1
    objectSpecification:
        type: ReplicationList
        name: (unset)
        objects: Untitled/dbname
    reference: REPLICATION_SPEC-4
    runtime:
        type: ReplicationSpecRuntime
    schedule: (unset)
    tag: e8608d05-0693-440d-8a2b-8c6cbfe06a62
    targetCredential:
        type: PasswordCredential
        password: ********
    targetHost: example.delphix.com
    targetPort: 8415
    targetPrincipal: admin
    useSystemSocksSetting: false
[user.hostname] replication spec 'locked-spec-2'> update 
[user.hostname] replication spec 'locked-spec-2' update *> set lockedProfile=true
[user.hostname] replication spec 'locked-spec-2' update *> commit
[user.hostname] replication spec 'locked-spec-2'> get lockedProfile
    true
[user.hostname] replication spec 'locked-spec-2'>


Verify the locked status of a namespace.

[user.hostname]> namespace 
[user.hostname] namespace> list
NAME            
[user.hostname]-1
[user.hostname]-3
[user.hostname] namespace> select [user.hostname]-3
[user.hostname] namespace '[user.hostname]-3'> get 
    type: Namespace
    name: [user.hostname]-3
    description: (unset)
    failedOver: false
    locked: true   <------------------------------ LOCKED
    namespaceType: REPLICATION
    reference: NAMESPACE-4
    secureNamespace: false
    tag: 5570be25-dbcf-48c3-b2d2-dd2c65eb98b7
[user.hostname] namespace '[user.hostname]-3'>


Verify that the namespace cannot be deleted or failed over.

[user.hostname] namespace '[user.hostname]-1'> delete
[user.hostname] namespace '[user.hostname]-1' delete *> commit
   Error: Namespace "[user.hostname]-1" is locked and cannot be deleted.
  Action: Cannot delete a locked namespace.
[user.hostname] namespace '[user.hostname]-1' delete *> discard 
[user.hostname] namespace '[user.hostname]-1'> failover 
[user.hostname] namespace '[user.hostname]-1' failover *> commit
   Error: Namespace "[user.hostname]-1" is locked and cannot be failed over.
  Action: Cannot failover a locked namespace.
[user.hostname] namespace '[user.hostname]-1' failover *> discard


Verify that the replication profile cannot be deleted or modified. Objects can still be added to the replication profile.

[user.hostname]> replication spec 
[user.hostname] replication spec> select locked-spec-1
[user.hostname] replication spec 'locked-spec-1'> delete 
[user.hostname] replication spec 'locked-spec-1' delete *> commit
   Error: The replication profile is locked and cannot be deleted.
  Action: Select an unlocked profile to delete.
[user.hostname] replication spec 'locked-spec-1' delete *> discard
[user.hostname] replication spec 'locked-spec-1'> update
[user.hostname] replication spec 'locked-spec-1' update *> set automaticReplication=true
[user.hostname] replication spec 'locked-spec-1' update *> commit
   Error: The replication profile is locked and cannot be updated.
  Action: Select an unlocked profile to update.
[user.hostname] replication spec 'locked-spec-1' update *> discard
[user.hostname] replication spec 'locked-spec-1'> update
[user.hostname] replication spec 'locked-spec-1' update *> set objectSpecification.objects=Untitled/dbname,Group:/Untitled
[user.hostname] replication spec 'locked-spec-1' update *> commit
[user.hostname] replication spec 'locked-spec-1'> update
[user.hostname] replication spec 'locked-spec-1' update *> set objectSpecification.objects=Untitled/dbname
[user.hostname] replication spec 'locked-spec-1' update *> commit
   Error: Objects cannot be removed from a locked replication profile.
  Action: Select an unlocked profile to update.
[user.hostname] replication spec 'locked-spec-1' update *> discard
[user.hostname] replication spec 'locked-spec-1'>


Create a replica retention policy and apply it to the locked namespace.

[user.hostname]> policy 
[user.hostname] policy> createAndApply 
[user.hostname] policy createAndApply *> set policy.type=ReplicaRetentionPolicy 
[user.hostname] policy createAndApply *> set policy.duration=6
[user.hostname] policy createAndApply *> set policy.durationUnit=YEAR 
[user.hostname] policy createAndApply *> set target=Namespace:/[user.hostname]-1 
[user.hostname] policy createAndApply *> set policy.name="Six Years"
[user.hostname] policy createAndApply *> get
    type: PolicyCreateAndApplyParameters
    policy:
        type: ReplicaRetentionPolicy (*)
        name: Six Years (*)
        customized: false
        duration: 6 (*)
        durationUnit: YEAR (*)
    target: Namespace:/[user.hostname]-1 (*)
[user.hostname] policy createAndApply *> commit
    `POLICY_REPLICA_RETENTION-30
[user.hostname] policy>


Verify that the replica retention policy cannot be deleted or modified.

[user.hostname] policy> select POLICY_REPLICA_RETENTION-30
[user.hostname] policy 'Six Years'> delete 
[user.hostname] policy 'Six Years' delete *> commit
   Error: The replica retention policy "Six Years" could not be removed because the target namespace "[user.hostname]-1" is locked.
[user.hostname] policy 'Six Years' delete *> discard
[user.hostname] policy 'Six Years'> update 
[user.hostname] policy 'Six Years' update *> set duration=4
[user.hostname] policy 'Six Years' update *> commit
   Error: The replica retention policy "Six Years" could not be modified because the target namespace "[user.hostname]-1" is locked.
[user.hostname] policy 'Six Years' update *> discard
[user.hostname] policy 'Six Years'> unapply 
[user.hostname] policy 'Six Years' unapply *> set target=Namespace:/[user.hostname]-1
[user.hostname] policy 'Six Years' unapply *> commit
   Error: The replica retention policy "Six Years" could not be removed because the target namespace "[user.hostname]-1" is locked.
[user.hostname] policy 'Six Years' unapply *> discard
[user.hostname] policy 'Six Years'>