4 Common Cloud Database Security Misconceptions and How to Avoid Them

Oct 8, 2020 / by SecureCloudDB

The use of cloud databases is growing exponentially among businesses. Yet, many organizations are not as familiar with the technology as they are with on-premises databases — or how to best secure the data in it. (Download this white paper—Database Security: Moving to the Public Cloud—to explore the architectural and security differences between the public cloud and on-premises databases in more depth).

Research reveals that 66% of industry influencers state data security is their biggest challenge in transitioning to the public cloud. One analysis notes that 73% of businesses admit they’re not prepared for cyberattacks while another determined 40% of data security breaches are due to employee error. A 2019 data risk study discovered that organizations still keep thousands of files unsecured and open for people within the company to access. It’s predicted that a business will fall victim to a ransomware attack every 11 seconds in 2021. 

The transition from local data centers to the cloud comes with new challenges and additional security risks that can leave organizations vulnerable, leading to huge costs associated with data breaches, not to mention reputational damage.

Graph: Global Average Total Cost of Data BreachImage Source 

In this article, we take a look at a few common risks businesses often overlook when it comes to protecting data in the cloud. We’ll also run through database security best practices and ways to mitigate risk.

 

4 Security Misconceptions to Avoid

1. Cloud Providers Offer Full Security

2. Database Audits Ensure Security

3. Cloud Permission Management Is Easy or It's Done For You

4. Cloud Users Have Crystal Clear Database Visibility

 

1. Cloud Providers Offer Full Security

It’s tempting to think you can let your cloud provider take care of everything, but cloud security also requires effort on your part. The Amazon shared responsibility model is a great example of this. 

Per Amazon, “Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.”

For instance, customers who use DynamoDB are responsible for data management and encryption, setting up and maintaining appropriate permissioning, and asset classification. AWS manages the infrastructure, operating system, and platform. 

Best practice tip: Ensure your team has a complete understanding of each cloud provider's shared responsibility model. Implement and consistently reconfirm the necessary policies and security rules that drive proper configurations and reduce human error.

How SecureCloudDB can help: As a cloud-native tool, our software includes built-in foundational security functionality that verifies cloud configurations. For example: 

  • The Security Violations Report reveals what configurations - or lack thereof - pose a risk, providing a list of accounts in violation, remediation guidance, and more. 
  • Our Encryption Status Report summarizes an organization’s encryption posture across accounts, looking at endpoints using CMK with KMS, assessing encryption status by service, and more. 
  • A Risk Assessment Report includes a 

Data Exposure Score, which grades how likely it is that your data will be exposed to someone outside of your authorized organization. Some of the most basic critical examples are public VPN access, password complexity, and password lifetimes. 

Data Protection Score, which classifies the encryption level of your data. Ensuring encryption at rest or using SSL are just two ways in which you can improve security.

SCDB Sec Violations-Encryption-Risk Score2. Database Audits Ensure Security

Audits are intended to provide insight into vulnerabilities that can be used to compromise data. They’re also used to validate compliance with security regulations. It’s not uncommon for an organization to conclude its data is safe because it’s in the middle of an audit that hasn’t yet raised red flags or because it recently passed an audit. Don’t be lured into a false sense of security. 

As an example, the U.S. Office of Personnel Management completed an audit of health insurer Premera Blue Cross a mere three weeks before Premer was hacked.. During the six months it took for the final audit report to be released, hackers obtained the protected health information (PHI) of Premera’s members. According to the HIPAA Journal, “After the report was released, it took a further 2 months before the insurer was able to identify the HIPAA breach and shut down access, although that was too late to prevent the PHI of 11 million members from being obtained by the thieves.” 

Best practice tip: Establish an auditing strategy that focuses on sensitive data and includes an audit of the audit. Additionally, to ensure your audits are as effective as possible, walk auditors through the security processes/tools your organization uses to make sure they know how to perform the work. Lastly, stay vigilant. Be sure that existing monitoring and data security checks are not hindered by the audit so that incident response is as timely as possible. 

How SecureCloudDB can help: Information from CloudTrail logs, database system tables, database transaction logs and audit logs is fused together to check configurations and monitor activity without affecting day-to-day operations. This ensures that there is nothing you won’t be aware of. 

From a Foundational Security point of view:

  • The Audit Coverage Report provides insight into the number of databases that have been audited, accounting for both standard and extended audits. 
  • Refer to the Risk Assessment Report, which includes an Auditability Risk Score that ranks the ability of an external system to determine whether or not your system is secure. For example, it would assess whether log duration is enabled so that SQL statement durations are logged. 

From an Operational Security perspective:

SCDB DAM-Audit

3. Cloud Permission Management Is Easy or It’s Done For You

Many organizations have weak access permissions because they overlook the need to set t up, don't realize its not adequately configured, or haven't prioritize its management. This is a crucial misstep that puts the database at risk. 

Best practice tip: Practice good password and identity hygiene. Check for public instances, accounts left unlocked for internal access, old accounts that should be retired. Scan for default username. Require frequent password updates. Look for elevated permissions. Know who accesses what and when. The list goes on. With so much to keep track of on an recurring basis, automate as much of the process as possible. 

How SecureCloudDB can help: Our Foundational Security tooling provides 

  • Insight into user access and privileged user identity through a User Assessment Report that analyzes users who are able to access your account. 
  • A Security Violations Report that checks configurations against permissions security rules such as: 

Ensure No Users Have Wildcard Hostnames
Ensure No Anonymous Accounts Exist
Ensure Passwords Are Set for All MySQL Accounts
Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'
Ensure 'old_passwords' Is Not Set to '1' or 'ON' 

SCDB Psswd Violations4. Cloud Users have Crystal Clear Database Visibility 

Database visibility is an essential part of security. And, organizations may believe that they're aware of every database they have and where all their databases are located. Yet, as databases and backups spin up and down in the cloud, it’s not always obvious what you have. And if you don’t know what exists, how can you protect it? 

Moreover, true visibility goes beyond a simple count; it requires tracking activity and knowing who did what, where, when and how. 

Only with complete and clear visibility will you be able to analyze data, spot anomalies, and fend off data breaches. But these features don’t come standard with cloud use. 

Best practice tip: Get a complete, unobstructed view by compiling a comprehensive inventory and employing Database Activity Monitoring. 

How SecureCloudDB can help: To get a complete picture

  • On the Foundational Security side, run an Asset Discovery to build an inventory of all databases and their backups.
  • On the Operational Security side, SecureCloudDB offers Database Activity Monitoring, distilling key components down into a dashboard and clickable report.

SCDB Inventory-1No Matter What, Protecting Data is the Ultimate Responsibility

Clarifying what your cloud provider handles, responding to security audits, proactively managing permissions, and optimizing visibility are just a few examples of how to control risk. Working with a cloud-native database security provider who offers easy implementation and provides a comprehensive security posture analysis will empower you to do this and more. 

 

Schedule a demo now to learn how you can maximize security, or start a free 14-day trial today to begin taking data protection to the next level.  

SCDB Testimonial - Dave North

 

Tags: Permissions, Shared Responsibility, Audits

Written by SecureCloudDB