In this 10-part series, we review the key components that are needed to formulate and apply a consistent, regimented cloud database security program that helps ensure data is only available through authorized access. Part 1 below introduces the requisite elements of database security in the public cloud.
Perhaps you’ve inherited an existing cloud infrastructure that doesn’t have a formal security program in place. Maybe you’ve cobbled together a security plan using a myriad of tools because you’ve just recently moved to the public cloud. Or worse yet, you’re doing everything manually on your own, from making sure encryption is turned on and IAM policies are in place to checking for public access points.
No matter the scenario, every enterprise using the public cloud will benefit from a database security program that is intentionally crafted to address cloud dynamics and that factors in processes, tools and people.
Nothing underscores this more than the 2019 data breach and subsequent $80 million civil penalty levied against American bank holding company Capital One. In 2019, more than 100 million credit card applications containing sensitive data were leaked. A little over a year later, the Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, assessed the fine against Capital One, N.A., and Capital One Bank (USA), N.A. According to the OCC news release, “The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner.”
Strong risk management and internal controls are critical to securing cloud databases. Organizations cannot wait for a breach or fine to put proper protection measures in place. It is imperative to have a system to effectively protect sensitive information from the start. However, not all approaches are created equal. This series outlines the eight components that are needed to formulate and apply a consistent, regimented cloud database security program that helps ensure data is only available through authorized access.
Key Components of Database Security in the Cloud
It can be easy to assume that Cloud Service Providers (CSPs) provide complete security, but that is not the case. Cloud service providers endorse a shared responsibility model: while CSPs work to ensure the security of the infrastructure of their operating system, the organization that stores data on the provider’s infrastructure is required to secure and protect that data.
In fact, Amazon’s Shared Responsibility Model makes it clear that AWS is “responsible for security ‘of’ the cloud” while AWS customers are “responsible for security ‘in’ the cloud.” Microsoft’s Azure Shared Responsibility Model states, “For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).” This means that protecting and defending the environment is not the same as safeguarding the data in it; the organization, not the CSP, is always accountable for data protection.
Storing data in the public cloud opens organizations up to risks unique to cloud computing. Poor visibility into databases and their backups, misconfigured APIs, and instances accidentally left open to the internet are just a few of the many cloud database security risks an organization might experience.
To minimize risk and protect public cloud databases, a comprehensive approach comprising several key elements must be in place. At a minimum, an effective cloud database security program is built around the following eight components:
- People, Policies and Plans
- Asset Discovery
- Vulnerability Assessments
- Activity Monitoring
Read part 2 of this series, where we explore how people, policies and plans are essential to successfully protecting data.