In this 10 part series, we review the key components that are needed to formulate and apply a consistent, regimented cloud database security program that helps ensure data is only available through authorized access. Part 1 introduced the 8 requisite elements of database security in the public cloud. Part 2 below explores how people, policies and plans are essential to successfully protecting data.
Create a people perimeter through security training. So many of the data breaches we hear about are attributable to human error. Mistakes range from inadvertently falling victim to phishing attacks to unintentionally misconfigured databases to a development instance that was accidentally left unsecured. Security training is oftentimes an afterthought, but with the right curriculum and regularly scheduled sessions, you can strengthen your first line of defense - the employees who are responsible for helping create a safe environment. Effective security training and education can help reduce data leaks.
Every employee should receive security training when they onboard to the company or move to a new position, and at least once per year after that. The more frequent the trainings or reminders, the more top of mind security stays (e.g. semi-annual cybersecurity trainings and more frequent password update requirements). Recognize that security training is not a one-size-fits-all approach. It’ll be most effective if it’s tailored to the specific requirements of a position or job function (such as this Devops Security course). Testing employees is a common way to confirm their level of security understanding and whether adjustments need to be made.
Pro tip: Tracking cloud database security issues or incidents can be used to help evaluate the effectiveness of training and drive the curriculum or training requirements going forward.
Thought should also be given to how the organization portrays and stands behind security training. Oftentimes it is perceived as an annoyance, something that’s required but not deemed very important. Messaging around why it’s critical, backed up with incident data specific to your organization, could mean the difference between someone whizzing through the training with little thought versus taking it seriously.
Security policies lay the groundwork for your cloud database security program by establishing what will be scanned and assessed. A good rule of thumb is to start by creating and documenting:
- Compliance and security rules
It’s imperative that organizations collect and understand the policies against which the security posture of their databases is held and judged.
Security rules measure compliance, define audits and are the backbone of assessments; applying a base level of industry standard rules, such as the Center for Internet Security (CIS) Benchmarks, is a good start. Custom rules add layers of defense and provide additional latitude for addressing your organization’s distinct security needs. At a minimum, every policy should include a comprehensive description, the rationale behind the rule, remediation instructions and the source.
The ease with which policies can be managed and customized will affect the amount of time and effort it takes to manage the security of your cloud databases. Consider modifying and segmenting policies by function and severity as well as regulatory and compliance requirements. Consider your vulnerability assessment when establishing the baseline security measures your databases will be tested against.
Creating updated policies for new threats and adding additional policies to your arsenal is key to staying ahead of database threats. One of the benefits of using a third party tool to track and implement security policies is that rule updates can be automatically added and new rules can be automatically applied. The best vendors will allow organizations granular control in accepting the updates as well as modifying the rules.
- Vulnerability assessment policy
Vulnerability assessments identify, quantify, and prioritize the vulnerabilities in a public cloud database environment. They help prevent attackers from exploiting security gaps by pinpointing risks and providing remediation steps. At a minimum, map out a frequent and robust assessment policy. (More on vulnerability assessments later).
- Cloud app deployment and use policy
With cloud computing, departments self-provision and deploy resources. Users can relocate sensitive data into locations that were never designed to store it. In the blink of an eye, the data an organization is responsible for can be spread across different geographies and into a myriad of insecure locations. It’s advisable that organizations establish a cloud app deployment and use policy that integrates with employee training and the organization’s overall security plan.
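To make the policy elements above concrete (rules carrying a description, rationale, remediation and source; segmentation by function and severity; custom rules layered on a CIS-style baseline; and a prioritized assessment output), here is an added example in Python. It is not code from the original post or from any vendor; the rule ids, configuration keys, approved-region list and scoring weights are all illustrative assumptions, and the database configuration snapshot is constructed inline.

```python
"""Added example: a minimal policy-as-code rule set evaluated against a
constructed cloud database configuration snapshot.
All rule ids, config keys and the region allow-list are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    rule_id: str
    function: str                           # segment: network, logging, ...
    severity: int                           # 1 = low ... 4 = critical
    description: str                        # the four fields the post requires
    rationale: str
    remediation: str
    source: str
    check: Callable[[Dict[str, Any]], bool]  # True when the config is compliant


SEVERITY_NAMES = {1: "low", 2: "medium", 3: "high", 4: "critical"}

# Baseline rules, modelled on the shape of CIS-style benchmark checks (hypothetical ids).
BASELINE_RULES: List[Rule] = [
    Rule("DB-NET-001", "network", 4,
         "Database instance must not be publicly accessible",
         "A public endpoint is exposed to internet-wide scanning and credential guessing",
         "Set publicly_accessible to false and place the instance in a private subnet",
         "Baseline (CIS-style)",
         lambda c: not c.get("publicly_accessible", False)),
    Rule("DB-ENC-001", "encryption", 3,
         "Storage must be encrypted at rest",
         "Unencrypted snapshots and volumes leak data if copied or mis-shared",
         "Enable storage encryption with a managed key", "Baseline (CIS-style)",
         lambda c: c.get("storage_encrypted", False)),
    Rule("DB-LOG-001", "logging", 2,
         "Audit logging must be enabled",
         "Without audit logs, incident response cannot reconstruct access",
         "Enable audit logging and ship logs to a central store", "Baseline (CIS-style)",
         lambda c: c.get("audit_logging", False)),
    Rule("DB-AUTH-001", "authentication", 3,
         "Minimum password length must be at least 14",
         "Short passwords fall quickly to offline and online guessing",
         "Raise the password policy minimum length to 14 or more", "Baseline (CIS-style)",
         lambda c: c.get("password_min_length", 0) >= 14),
    Rule("DB-BKP-001", "backup", 2,
         "Automated backup retention must be at least 7 days",
         "Short retention limits recovery options after corruption or ransomware",
         "Set backup_retention_days to 7 or more", "Baseline (CIS-style)",
         lambda c: c.get("backup_retention_days", 0) >= 7),
]

# A custom rule layered on top of the baseline, tying the deployment/use policy
# (data geography) into the same assessment. The region list is an assumption.
APPROVED_REGIONS: Set[str] = {"us-east-1", "eu-west-1"}
CUSTOM_RULES: List[Rule] = [
    Rule("DB-GEO-001", "data_residency", 3,
         "Instance must run in an approved region",
         "Data spread into unapproved geographies breaks residency commitments",
         "Migrate the instance to an approved region", "Organization policy",
         lambda c: c.get("region") in APPROVED_REGIONS),
]

ALL_RULES: List[Rule] = BASELINE_RULES + CUSTOM_RULES

# Constructed snapshot of one database instance, as an inventory tool might export it.
SAMPLE_CONFIG: Dict[str, Any] = {
    "publicly_accessible": True,
    "storage_encrypted": True,
    "audit_logging": False,
    "password_min_length": 8,
    "backup_retention_days": 7,
    "region": "us-east-1",
}


def assess(config: Dict[str, Any], rules: List[Rule] = ALL_RULES,
           functions: Optional[Set[str]] = None, min_severity: int = 1) -> List[Dict[str, Any]]:
    """Evaluate the selected rules; return failing findings, most severe first."""
    findings = []
    for r in rules:
        if functions and r.function not in functions:      # segment by function
            continue
        if r.severity < min_severity:                      # segment by severity
            continue
        if not r.check(config):
            findings.append({"rule_id": r.rule_id, "function": r.function,
                             "severity": r.severity,
                             "severity_name": SEVERITY_NAMES[r.severity],
                             "description": r.description,
                             "remediation": r.remediation, "source": r.source})
    findings.sort(key=lambda f: (-f["severity"], f["rule_id"]))
    return findings


def risk_score(findings: List[Dict[str, Any]], rules: List[Rule] = ALL_RULES) -> float:
    """Severity-weighted share of failed rules, 0.0 (clean) to 1.0 (everything failed)."""
    total = sum(r.severity for r in rules)
    failed = sum(f["severity"] for f in findings)
    return round(failed / total, 2) if total else 0.0


if __name__ == "__main__":
    for f in assess(SAMPLE_CONFIG):
        print(f"[{f['severity_name']}] {f['rule_id']} ({f['function']}): {f['remediation']}")
    print("risk score:", risk_score(assess(SAMPLE_CONFIG)))
```

The rule objects are the documentation: every finding carries its description, rationale, remediation and source, so an assessment report and the policy register stay in sync. Filtering by `functions` or `min_severity` is how a team reviews only, say, network findings or only high and critical items, and adding a rule to `CUSTOM_RULES` is the "custom layer" the post describes.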
Even the best laid plans may go awry. In the event that something breaks down along the way and a breach does indeed occur, it is prudent to have an incident response plan at the ready. Not only is it good practice to prepare for failure, it’s a core requirement of GDPR and other standards.
First and foremost, recognize that your incident response plan for the cloud will have to differ from your traditional on-prem data center plan. Considering incident response requirements while DevOps and cloud architecture teams build cloud environments may facilitate automated and coordinated responses. Additionally, user roles, controls, applications in use and what response teams will need access to will need to be considered. Users should also consider the benefits of employing greater automation, since the cloud, unlike a data center, facilitates its use.
Distinguish between what your Cloud Service Provider is responsible for versus what you’re responsible for. Understanding the alerting and support your CSPs provide in the event of a breach will help eliminate any coverage gaps.
A well mapped incident response plan designates response teams to ensure action can be taken quickly and with purpose. Don’t think in silos when crafting the response plan; look across the entire enterprise to determine who can best contribute. Because cloud environments are not bound to a single location, consider geographies in addition to responsibilities. Plan for any hurdles that may disrupt a coordinated response effort. If roles have been determined and employees understand what they are required to contribute, everyone can act faster and more effectively.
Directives should include the tools, technologies, and communications needed to ensure business continuity. A pre-established checklist is useful in laying out and prioritizing the requisite actions. Amazon’s recently released AWS Security Incident Response Guide is a helpful resource that covers the fundamentals of managing security incidents related to your cloud environment.
A thorough, coordinated incident response plan can prevent costly delays, foster customer confidence, support business continuity and minimize impact. Re-evaluate the plan annually at a minimum and whenever new technology is implemented or significant organizational changes are made.
Read part 3 of this series where we discuss public cloud database configuration best practices.