In this 10 part series, we review the key components that are needed to formulate and apply a consistent, regimented cloud database security program that helps ensure data is only available through authorized access. Part 5 unpacked vulnerability assessments including the step-by-step process and critical areas to check. Part 6 below discusses remediation, including how to proactively reduce risk.
According to the National Cyber Security Centre, the UK's independent authority on cyber security, “Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.”
News story after news story puts misconfigurations at the center of why data was exposed and customers sued companies or companies were fined. Misconfigurations are the major risk factor for public cloud databases, and vulnerability assessments help bring them to the surface so they can be fixed. Promptly and effectively adjusting the controls currently in place is key to shrinking your attack surface and staying ahead of data breaches.
Accordingly, after identifying potential vulnerabilities, putting a remediation process in place is a must. Requisite steps to take include the following.
Remediation Process
- Determining steps to fix each item
- Taking corrective action
- Testing the fix to ensure it doesn’t have negative ripple effects
- Examining the fix for compliance
- Recording the outcome and logging exceptions
- Comparing results to prior scans to verify that vulnerabilities have been addressed
- Reporting on results and exceptions to management
The steps to fix each item will depend on the vulnerability but could include:
- Modifying configurations
- Deactivating the vulnerable process or functionality
- Removing at-risk components
Proactively Reduce Risk
Users should proactively reduce their exposure to vulnerabilities rather than waiting for the vulnerabilities to be identified during an assessment (or by auditors). Reducing the number of privileged users, roles, and accounts, requiring two-way authentication, and isolating sensitive assets are a few examples of tactics that can be taken. Data masking and redaction are other ways in which sensitive data can be protected.
Purging and truncating data could also be considered one of the best ways to secure it, because data cannot be compromised if it does not exist. Keeping data only for as long as it is needed also speaks to compliance with regulatory requirements. For example, the GDPR stipulates that an organization can't store data for longer than it is needed and that the data should be deleted after its predefined purpose has been served. This can pose a challenge in the cloud, as the original data can be stored in one location and backups in another, making it difficult to know whether these data deletion steps have been properly followed. Users should create a strict data retention policy that includes setting expiration dates for data and adequately destroying it on the designated date. Cross-reference the inventory and log activity to ensure the data has been eradicated.
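As an added example (not code from the original post), the following Python script performs the inventory-versus-log cross-check described above: it lists every asset past its expiration date that still has a copy, primary or backup, with no matching deletion record, so a backup that was missed when the primary copy was purged shows up explicitly. The asset names, locations, dates and log entries are constructed sample data.

```python
from datetime import date

# Constructed sample inventory: each asset lists every location holding a copy
# (primary store plus backups) and the expiration date set by the retention policy.
INVENTORY = [
    {"asset": "customer_pii_2019", "expires": date(2023, 1, 31),
     "locations": ["rds-prod-eu-west-1", "s3-backup-us-east-1"]},
    {"asset": "support_tickets_2020", "expires": date(2024, 6, 30),
     "locations": ["rds-prod-eu-west-1", "s3-backup-us-east-1"]},
    {"asset": "analytics_2024", "expires": date(2026, 12, 31),
     "locations": ["rds-prod-eu-west-1"]},
]

# Constructed deletion log: one record per (asset, location) copy actually destroyed.
# Note the backup copy of customer_pii_2019 was never logged as deleted.
DELETION_LOG = [
    {"asset": "customer_pii_2019", "location": "rds-prod-eu-west-1", "deleted": date(2023, 2, 1)},
    {"asset": "support_tickets_2020", "location": "rds-prod-eu-west-1", "deleted": date(2024, 7, 2)},
    {"asset": "support_tickets_2020", "location": "s3-backup-us-east-1", "deleted": date(2024, 7, 2)},
]


def retention_exceptions(inventory, deletion_log, today):
    """Return expired assets that still have at least one copy with no deletion record.

    Each exception names the asset, its expiration date, how many days overdue it is,
    and the locations (primary or backup) that still lack a deletion entry.
    """
    deleted = {(e["asset"], e["location"]) for e in deletion_log}
    exceptions = []
    for item in inventory:
        if item["expires"] >= today:
            continue  # still inside its retention period
        remaining = [loc for loc in item["locations"]
                     if (item["asset"], loc) not in deleted]
        if remaining:
            exceptions.append({
                "asset": item["asset"],
                "expired": item["expires"].isoformat(),
                "days_overdue": (today - item["expires"]).days,
                "remaining": remaining,
            })
    return exceptions


def unknown_deletions(inventory, deletion_log):
    """Return log entries for copies the inventory does not know about (inventory drift)."""
    known = {(i["asset"], loc) for i in inventory for loc in i["locations"]}
    return [e for e in deletion_log if (e["asset"], e["location"]) not in known]


if __name__ == "__main__":
    for exc in retention_exceptions(INVENTORY, DELETION_LOG, date(2025, 1, 1)):
        print(f"{exc['asset']}: expired {exc['expired']} ({exc['days_overdue']} days ago), "
              f"copies still present in {', '.join(exc['remaining'])}")
```

Feed the report into the exceptions log from the remediation process above; an empty result is the evidence that the retention policy was carried through to every copy.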
Pro tip: Downsize your attack surface by setting up separate accounts with distinct credentials on individual networks; in doing so, you isolate each environment (e.g., development, staging and production) and create multiple hurdles an attacker would have to cross before compromising an entire system. Moreover, you hedge against a misconfiguration in one account affecting another account. A bonus of establishing separate accounts is that you’re able to attribute cost by environment.
Again, automate the remediation process whenever possible; automation makes it faster and more efficient.
Read part 7 of this series where we delve into public cloud database activity monitoring.