Database Security Issues in the Cloud: Part 1
The benefits of cloud computing, including reduced IT ownership and operating costs and improved resource utilization, are just too good for many organizations to pass up. More and more businesses of all sizes are moving a wide range of applications to cloud environments.
But database security concerns remain a significant barrier to cloud adoption. When your applications are running on a cloud provider’s infrastructure, the provider is responsible for ensuring that its operations, facilities, network, hosts and other components are secure. But responsibility for securing your data ultimately rests with you, as do the consequences of failure.
Will a public cloud be more or less secure than your on-premise environment? What new and different security issues do cloud environments present?
Cloud database security concerns fall into three basic categories:
- Data access control
- Regulatory compliance
- Physical/network control
In this post I’ll talk about access controls, and will touch on the other issues in subsequent posts.
Access control issues in the public cloud
Loss of access control is a primary threat to data security. External threats are certainly a concern, but more and more studies show that the majority of access control threats (some say up to 80%) are internal. In a public cloud environment, internal threats can potentially come not only from your employees who have (or had) valid access to your DBMS, but also employees of the cloud provider.
You can address some access control concerns as you’re evaluating cloud providers. Find out how the DBA services that providers offer are structured, not only in terms of services provided but also around Segregation of Duties. Do the provider’s DBAs (and operating system administrators) have full DBA privileges giving them easy access to your data? How well vetted are the people working with your data? Is there full transparency around how many are involved, who they are, and where they’re located?
The bottom line is how much control do you have over the level of access administrators have to your data, if the cloud provider will be performing database administration. It may be more secure to maintain your own trusted database administration services.
Database auditing can help!
How can you really know who is accessing your cloud-based data? Robust database auditing is vitally important. You need full visibility into database activity regardless of where your data resides.
What is database auditing? Basically, it’s the ability to consistently (and securely) record and report on all the actions of database users. Audited databases produce audit trails that can specify what objects were accessed or changed, how they were changed, and when and by whom.
Auditing is especially crucial when you need to pinpoint an unauthorized access from an authorized user. But it’s also helpful for compliance with regulations and corporate governance policy.
Of course, a weakness of database auditing is that it tracks what’s already happened. Ideally, your cloud-based database security solutions will include intrusion detection capabilities such as Pivot Point Security’s Oscar to identify suspicious activity before it results in any data loss or theft.
Another concern around database auditing is performance degradation. Auditing needs to be structured appropriately so that useful details aren’t lost in a sea of data whose acquisition bogs down performance and/or storage.
Auditing by a trusted third party
In addition to auditing databases with software, a trusted third party should conduct an audit to find vulnerabilities in your databases and environment, including a cloud environment. Third-party auditors use specialized tools like AppDetectivePro to identify and address security concerns like the following (and many others):
- Whether the database software is patched and configured in the most secure manner.
- Whether default passwords have been changed.
- Whether the users that have access to the data are the ones who actually should have access, according to the business security policy.
- Whether all machines in an environment (development, QA and production) have the same configuration and the same level of protection against vulnerabilities
Contact Buda Consulting to learn more about how to secure your data whether it is housed in house or in the cloud.