In on-premises data centers, organizations are responsible for everything from making sure no one steals the server or hard drive to making sure the operating system and routers are set up properly and data protection security measures are in place.
In the cloud, security is a shared responsibility between the Cloud Provider and the cloud user. Amazon protects the hardware and infrastructure of the cloud, providing robust security around the bottom layers of an organization’s application stack. Although moving to the public cloud transfers much of an organization’s operational burden to the Cloud Provider, organizations are still expected to protect the applications and customer data they have in the cloud.
Yet, despite best efforts, many are missing the mark. It seems a day doesn’t go by without another data set being breached.
When moving to the cloud or reassessing the security posture of existing cloud databases, organizations need to ensure they are addressing the following security basics. The concepts are nothing new compared to what was done in the data center; they just need to be applied a bit differently in the cloud environment.
Never allow public access
“Zero trust security...requires strict identity verification for every person and device trying to access resources...regardless of whether they are sitting within or outside of the network perimeter.”
Almost no world exists in which databases should have public access. Access should be granted through a bastion host or web application server, because those are designed to withstand internet attacks. Databases are not designed to withstand public hacking attacks — their focus is to serve data extremely quickly and efficiently. They’re not as robust as web servers and bastion hosts in protecting against internet-level attacks, so it’s poor practice for databases to be publicly accessible — even if a strong password is in use. Also, because the cloud doesn’t have a perimeter like on-prem, it’s important to follow the zero trust model — verify who or what is requesting access.
Use strong authentication
While usernames and passwords exist in the databases themselves and are fairly robust, it's even better to rely on strong authentication methods that cannot be brute forced, such as IAM and secret keys.
Encrypt data
Encryption is easy to do, helps assure compliance, and ensures sensitive information remains protected in case there is a breach. Plus, it generally doesn’t add significant overhead to processing.
Secure and encrypt backups
Backups are another attack vector. An organization may lock down their database, but then back it up and leave the backup exposed. An exposed or unencrypted backup can be just as dangerous as a hacked database.
Ensure logging is turned on
Audit trails are not always turned on in database-as-a-service offerings, but they should be. Organizations need to know what people are doing in their databases even when those individuals are supposed to have access; many attacks come from insider threats — from people who do have authorization. Logging provides valuable information when an incident does occur and supports alerting when someone is attacking the database. When logging is enabled, all access can be monitored.
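The five basics above (no public access, strong authentication, encryption, protected backups, logging) all surface as attributes in the Amazon RDS API, so they can be checked mechanically. The following Python is an added example, not code from this post or from SecureCloudDB: it evaluates one instance record shaped like an entry from the RDS describe_db_instances response and one record shaped like the describe_db_snapshot_attributes response. Both records are constructed samples; the required log-export set per engine is an assumed policy choice, and in practice the dictionaries would come from boto3's rds client.

```python
"""Posture checks over Amazon RDS metadata (added example).

The records below are constructed samples in the shape of the
describe_db_instances and describe_db_snapshot_attributes API responses,
not live data.
"""

# Constructed sample shaped like describe_db_instances()["DBInstances"][i].
SAMPLE_INSTANCE = {
    "DBInstanceIdentifier": "orders-prod",
    "Engine": "postgres",
    "PubliclyAccessible": True,
    "IAMDatabaseAuthenticationEnabled": False,
    "StorageEncrypted": False,
    "BackupRetentionPeriod": 0,
    "EnabledCloudwatchLogsExports": [],
}

# Constructed sample shaped like
# describe_db_snapshot_attributes()["DBSnapshotAttributesResult"].
SAMPLE_SNAPSHOT_ATTRS = {
    "DBSnapshotIdentifier": "orders-prod-2024-01-01",
    "DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["all"]},
    ],
}

# Assumed policy: which CloudWatch log exports must be on, per engine.
REQUIRED_LOG_EXPORTS = {
    "postgres": {"postgresql"},
    "mysql": {"audit", "error", "general"},
}


def audit_instance(db: dict) -> list[str]:
    """Return one finding per failed basic for an RDS instance record.

    An empty list means the record passed every check.
    """
    findings = []
    name = db.get("DBInstanceIdentifier", "<unknown>")

    # Never allow public access: the instance gets a public endpoint.
    if db.get("PubliclyAccessible"):
        findings.append(f"{name}: PubliclyAccessible is true; front it with a bastion or app tier")
    # Use strong authentication: IAM auth off means password-only logins.
    if not db.get("IAMDatabaseAuthenticationEnabled"):
        findings.append(f"{name}: IAM database authentication is disabled")
    # Encrypt data: storage encryption can only be chosen at creation time.
    if not db.get("StorageEncrypted"):
        findings.append(f"{name}: storage is not encrypted at rest")
    # Secure backups: retention 0 disables automated backups entirely.
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append(f"{name}: automated backups are disabled (retention 0 days)")
    # Ensure logging is on: compare exports against the engine's required set.
    missing = REQUIRED_LOG_EXPORTS.get(db.get("Engine", ""), set()) - set(
        db.get("EnabledCloudwatchLogsExports", [])
    )
    if missing:
        findings.append(f"{name}: log exports not enabled: {', '.join(sorted(missing))}")
    return findings


def audit_snapshot(attrs: dict) -> list[str]:
    """Flag a manual snapshot whose 'restore' attribute includes 'all'.

    That value lets any AWS account copy or restore the snapshot, which
    exposes the backup no matter how tightly the source instance is locked down.
    """
    findings = []
    name = attrs.get("DBSnapshotIdentifier", "<unknown>")
    for attr in attrs.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            findings.append(f"{name}: snapshot is publicly restorable")
    return findings


if __name__ == "__main__":
    for line in audit_instance(SAMPLE_INSTANCE) + audit_snapshot(SAMPLE_SNAPSHOT_ATTRS):
        print(line)
```

Run against a real account, the same functions would be called once per entry returned by the paginated describe_db_instances call and once per manual snapshot, which is exactly the kind of asset-by-asset sweep the later "security drift" section argues has to be repeated, not done once.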
Practice least privilege access
If someone doesn't need database administrator privilege, they shouldn’t have it. Check user access regularly and make updates.
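"Check user access regularly" is a review that can be scripted. The Python below is an added example, not the post's own tooling: it takes rows shaped like a query against a PostgreSQL-style role catalog (name, superuser flag, create-role flag, can-login flag, last login) and reports administrator flags held outside an approved list as well as login-capable accounts that have gone unused. The rows, the approved-administrator set and the 90-day staleness window are all constructed placeholders.

```python
"""Review database roles for privileges they should not hold (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed reference point so the sample is deterministic.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample rows:
# (role name, superuser?, can create roles?, can log in?, last login or None)
SAMPLE_ROLES = [
    ("dba_alice",  True,  True,  True, NOW - timedelta(days=2)),
    ("app_orders", False, False, True, NOW - timedelta(hours=1)),
    ("bob_tmp",    True,  False, True, NOW - timedelta(days=200)),
    ("report_ro",  False, False, True, None),
    ("contractor", False, True,  True, NOW - timedelta(days=120)),
]

APPROVED_ADMINS = {"dba_alice"}   # placeholder: roles allowed to hold admin flags
STALE_AFTER = timedelta(days=90)  # placeholder: unused-account threshold


def review_roles(rows, approved_admins=APPROVED_ADMINS, now=NOW, stale_after=STALE_AFTER):
    """Return (role, reason) findings for least-privilege violations.

    Two checks: admin-level flags on roles outside the approved set, and
    login-capable roles with no login inside the staleness window (a role
    that has never logged in counts as stale).
    """
    findings = []
    for name, is_super, can_create_role, can_login, last_login in rows:
        held = [flag for flag, on in (("superuser", is_super), ("createrole", can_create_role)) if on]
        if held and name not in approved_admins:
            findings.append((name, "holds " + "/".join(held) + " without approval"))
        if can_login and (last_login is None or now - last_login > stale_after):
            findings.append((name, "no login within the last %d days" % stale_after.days))
    return findings


if __name__ == "__main__":
    for role, reason in review_roles(SAMPLE_ROLES):
        print(f"{role}: {reason}")
```

The output is a to-do list rather than an automatic revocation: dropping a privilege is a change that should go through the same review as granting one.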
Don’t copy data into test or development environments
Many organizations proactively secure their production database but are more lax about their test and development environments. It is not uncommon for a copy of a production database to live in a test environment. The downside is that the copy may be attacked or hacked, exposing valuable data.
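Where a non-production copy cannot be avoided, the usual mitigation is to pseudonymize sensitive columns before the extract leaves production, so the test copy holds nothing worth stealing. The Python below is an added example, not part of this post: it applies a per-column policy to rows shaped like a customer table export, replacing identifying values with a keyed HMAC token (so joins and duplicate detection still work) and blanking free-text fields. The rows and the column policy are constructed; the key is a placeholder that would come from a secrets store.

```python
"""Pseudonymize a production extract before loading it elsewhere (added example)."""
import hashlib
import hmac

# Constructed sample rows shaped like a customers table export.
SAMPLE_ROWS = [
    {"id": 1, "email": "ana@example.com", "phone": "+1-555-0100", "notes": "prefers email", "plan": "gold"},
    {"id": 2, "email": "ben@example.com", "phone": "+1-555-0101", "notes": "called about invoice", "plan": "free"},
    {"id": 3, "email": "ana@example.com", "phone": "+1-555-0102", "notes": "", "plan": "gold"},
]

# Constructed column policy:
#   keep  - non-sensitive, copied as-is
#   token - identifying, replaced by a keyed token (same input -> same token)
#   drop  - free text that may contain anything, blanked
# Columns missing from the policy are dropped rather than leaked by default.
POLICY = {"id": "keep", "email": "token", "phone": "token", "notes": "drop", "plan": "keep"}


def tokenize(value: str, key: bytes) -> str:
    # Keyed hash rather than a plain hash: without the key, a test-environment
    # user cannot recover values by hashing guessed inputs.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows, policy, key):
    """Apply the column policy to every row and return the masked copy."""
    masked_rows = []
    for row in rows:
        masked = {}
        for column, value in row.items():
            action = policy.get(column, "drop")
            if action == "keep":
                masked[column] = value
            elif action == "token":
                masked[column] = tokenize(str(value), key)
            else:
                masked[column] = None
        masked_rows.append(masked)
    return masked_rows


if __name__ == "__main__":
    for row in pseudonymize(SAMPLE_ROWS, POLICY, b"placeholder-key-from-secrets-store"):
        print(row)
```

The key must stay in production: if it travels with the copy, the tokens are only as private as the copy itself.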
Be aware: know when a change is made
Monitor security drift. Databases (and their backups) may be secure today, but will they be a week, a month, a quarter from now? SecureCloudDB can help. We automate asset discovery, configuration checks, and Database Activity Monitoring for public cloud databases making it easy for organizations to understand when changes occur. Integrations with AWS provide additional value as does support for traditional databases on EC2 instances and on-prem migrations to the cloud. See for yourself via a free trial.
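Drift detection in its simplest form is a diff of the security-relevant attributes between two captures of the same instance, with each change classified by whether the new value still meets policy. The Python below is an added example illustrating that idea, not SecureCloudDB's product code: both captures are constructed records shaped like describe_db_instances entries, the acceptable-value predicates are an assumed policy, and the security group ids are placeholders.

```python
"""Classify security drift between two captures of an RDS instance (added example)."""

# Constructed: what the instance looked like at the baseline capture.
BASELINE = {
    "DBInstanceIdentifier": "orders-prod",
    "PubliclyAccessible": False,
    "StorageEncrypted": True,
    "IAMDatabaseAuthenticationEnabled": True,
    "BackupRetentionPeriod": 7,
    "EnabledCloudwatchLogsExports": ["postgresql"],
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123placeholder"}],
}

# Constructed: the same instance captured later.
CURRENT = {
    "DBInstanceIdentifier": "orders-prod",
    "PubliclyAccessible": True,
    "StorageEncrypted": True,
    "IAMDatabaseAuthenticationEnabled": True,
    "BackupRetentionPeriod": 14,
    "EnabledCloudwatchLogsExports": [],
    "VpcSecurityGroups": [
        {"VpcSecurityGroupId": "sg-0123placeholder"},
        {"VpcSecurityGroupId": "sg-9999placeholder"},
    ],
}

# Assumed policy: attribute -> predicate that says whether a value is acceptable.
ACCEPTABLE = {
    "PubliclyAccessible": lambda v: v is False,
    "StorageEncrypted": lambda v: v is True,
    "IAMDatabaseAuthenticationEnabled": lambda v: v is True,
    "BackupRetentionPeriod": lambda v: v is not None and v >= 7,
    "EnabledCloudwatchLogsExports": lambda v: "postgresql" in (v or []),
}
# Security group membership has no simple predicate; any change needs review.
WATCHED = set(ACCEPTABLE) | {"VpcSecurityGroups"}


def normalize(key, value):
    """Make list-valued attributes order-insensitive before comparing."""
    if value is None:
        return None
    if key == "VpcSecurityGroups":
        return sorted(g["VpcSecurityGroupId"] for g in value)
    if isinstance(value, list):
        return sorted(value)
    return value


def detect_drift(baseline, current, watched=WATCHED):
    """Return (attribute, old, new, severity) for every watched attribute that changed.

    severity is 'regression' when the new value fails policy, 'info' when it
    changed but still passes, and 'review' when no predicate exists.
    """
    changes = []
    for key in sorted(watched):
        old, new = normalize(key, baseline.get(key)), normalize(key, current.get(key))
        if old == new:
            continue
        check = ACCEPTABLE.get(key)
        if check is None:
            severity = "review"
        elif not check(current.get(key)):
            severity = "regression"
        else:
            severity = "info"
        changes.append((key, old, new, severity))
    return changes


if __name__ == "__main__":
    for key, old, new, severity in detect_drift(BASELINE, CURRENT):
        print(f"[{severity}] {key}: {old} -> {new}")
```

A scheduled run that stores each capture and alerts on any 'regression' row turns a one-off assessment into the ongoing check the paragraph above asks for; the 'review' rows are where a person has to decide whether the change was intended.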
Amazon RDS is a common cloud migration — many organizations just lift and shift relational databases out of the data center into the cloud. This brief video looks at how to create a database using the Amazon console for RDS that includes some of the security measures presented above. While AWS makes it easy to set up, you'll still need to regularly check for security drift.