Ensuring DORA Compliance with IssProtect for DevOps (Veeam Kasten)

The Digital Operational Resilience Act (DORA) introduces stringent requirements for financial entities operating within the EU. Compliance demands robust strategies for digital operational resilience testing, comprehensive data protection, and clear exit plans for vendor lock-in. Today we will explore how IssProtect for DevOps, powered by Veeam Kasten, can be a cornerstone in fulfilling these critical DORA mandates.

Digital Operational Resilience Testing

As you may already know, DORA emphasises the importance of regular and thorough digital operational resilience testing, including advanced testing of ICT tools and systems. IssProtect for DevOps provides capabilities that directly support this:

  • Application-Centric Backup and Restore: IssProtect for DevOps, built on Veeam Kasten, offers application-centric backup and recovery for Kubernetes environments. This allows organizations to test their resilience by performing full application restores to a clean environment, simulating disaster recovery scenarios, and verifying recovery time objectives (RTOs) and recovery point objectives (RPOs).

  • Automated Validation: The platform's ability to automate backup and restore processes can be integrated into resilience testing frameworks. This ensures consistent and repeatable tests, which are crucial for demonstrating ongoing compliance with DORA's testing requirements.

  • Policy-Driven Management: Define policies for backup frequency, retention, and replication. This ensures that critical data is protected and available for recovery testing, aligning with DORA's focus on maintaining operational resilience.

IssTech’s take on how to handle DORA in a modern infrastructure

Modern infrastructure often involves applications running in Kubernetes, with data residing either inside the cluster, outside of it, or both. This setup can pose significant challenges for teams outside the development stack, such as IT, security (CISO), and management. The issue that arises from this setup is a lack of visibility and understanding: these stakeholders often don’t fully grasp the resources developers are using or the rationale behind developers’ decisions. It is therefore important to have a reliable data protection strategy that not only protects the data, but also understands the code working behind the scenes.

What’s a data protection strategy?

A comprehensive data protection strategy is fundamental to DORA compliance. Implementing the most common strategy is a good start. To go further, here are some things to keep in mind:

  • Immutability for Ransomware Protection: Immutability means that once a backup is created, it cannot be altered or deleted. This is a vital defense against ransomware attacks and accidental data loss, ensuring data integrity as required by DORA.

  • Granular Recovery: Beyond full application restores, you should have the possibility to do granular recovery of individual Kubernetes resources, such as persistent volumes, configurations, and secrets. This precision in recovery minimizes data loss and ensures that services can be quickly restored to a known good state after an incident.

  • Data Locality and Compliance: Organisations can control where their backup data resides, facilitating compliance with data sovereignty regulations. This is particularly important for financial entities handling sensitive customer data.

  • Integration with Existing Infrastructure: Pick a backup tool that integrates seamlessly with various storage platforms, including object storage, making it easier to incorporate Kubernetes data protection into existing enterprise data protection strategies.

Data Protection is only the first step, what is the next step?

Data protection is, of course, a foundational requirement for meeting DORA regulations. However, another critical aspect is having a simple yet clear exit strategy, especially in cases where you may need to leave your preferred cloud provider, whether due to financial, political, or other reasons.

From our experience, this aligns with traditional backup strategies that used dissimilar hardware to migrate workloads from physical servers to virtual environments or the cloud. Similarly, Kubernetes backup tools can be used to transition between platforms, including from Kubernetes to serverless architectures. At IssTech, we refer to this approach as Backup-as-Code, a method where both data and infrastructure are backed up as code. This enables a more resilient and flexible DORA Exit Plan.

Exit Plan: Migrating Data from One Serverless Vendor to Another

DORA's emphasis on reducing vendor lock-in necessitates clear exit strategies. For companies leveraging serverless architectures or cloud-native services, the ability to migrate data and applications between different vendors is crucial. Make sure your backup tool plays a pivotal role in this exit plan:

  • Application Portability Across Kubernetes Distributions: While not directly a "serverless" migration tool in the traditional sense, IssProtect for DevOps ensures application portability across different Kubernetes distributions and cloud providers. If your "serverless" strategy involves managed Kubernetes services (e.g., GKE, EKS, AKS), your IT management team can then:

    • Back up a complete application: This includes all its components – deployments, services, persistent volumes, configurations, and secrets – from one Kubernetes cluster.

    • Restore to another Kubernetes cluster: This works regardless of whether that cluster is hosted by a different cloud provider or is an on-premises distribution. This effectively provides a migration path for your containerised applications.

  • Decoupling Data from Infrastructure: Capturing the entire application state helps decouple your data and application configurations from the underlying serverless vendor's infrastructure. This provides the flexibility to move your workloads without extensive re-architecting.

  • Minimizing Migration Downtime: With efficient backup and restore capabilities, IssProtect for DevOps can significantly reduce the downtime associated with migrating applications between environments, ensuring that operational resilience is maintained even during transitions.

  • Export, Convert and Import: Another scenario is where you have data outside the Kubernetes cluster in cloud database services (e.g., AWS Aurora, Google Cloud SQL, Microsoft Azure SQL). Here IssProtect for DevOps can give you a tested and automated way to convert that data from one cloud provider to another or to restore it on-prem.

How to tackle total disaster

In a total disaster, where GitLab, CI/CD pipelines and Kubernetes are all lost, recovering your environment using traditional backups and infrastructure-as-code alone could take several days. However, by following the steps from our DORA-compliant Exit Plan, you can recover your entire infrastructure and have it running on a completely different platform within minutes, not days.

While this temporary platform keeps your environment operational, you can systematically rebuild your source code management, CI/CD pipelines, and projects one by one, with full control and oversight.

What is IssProtect for DevOps? 

IssProtect for DevOps, with its robust application-centric data management capabilities, provides a powerful solution for organisations navigating DORA compliance. It supports effective digital operational resilience testing, a strong data protection strategy, and seamless application migration as part of an exit plan. The service empowers financial entities to meet regulatory demands and enhance their overall operational resilience.

Should you have any questions or require a demonstration, please contact our team by clicking on the button “contact us”. For more information about Veeam Kasten K10 or IssProtect for DevOps, please refer to the following resources:

IssProtect For DevOps