In this 10 part series, we review the key components that are needed to formulate and apply a consistent, regimented cloud database security program that helps ensure data is only available through authorized access. Part 6 discussed remediation, including how to proactively reduce risk. Part 7 below delves into public cloud database activity monitoring.
Oftentimes, an organization is notified they’ve been the target of a data breach - they don’t always find it themselves. Whether it’s by way of vigilantes or good knights combing the internet and the dark web to uncover breaches, notify the organizations, and protect the people, there is usually a time lag between when a leak takes place, when it is discovered and when it is disclosed.
This is why Database Activity Monitoring (DAM) is a critical component of any security program. Unlike log analysis or audits, which provide perspectives in the past tense, DAM is real-time activity monitoring that empowers organizations to stop malicious activity before real damage is done. It helps narrow the time between when an incident occurs and when action is taken in response. In fact, monitoring is often a stipulation in regulatory standards and DAM helps organizations achieve compliance.
Pro tip: DAM helps rapidly identify and mitigate the damage of data breaches and hacks by tracking user activity logs.
Database visibility is key to being able to detect anomalies in activity. Beware of tools designed for on-premises data centers; while ingesting audit logs, proxying network traffic, and even reading memory logs to find SQL statements work for data centers, they are inadequate in the public cloud environment. Databases systems such as Amazon Aurora and Amazon Redshift require new methods to access logs files. DAM in the public cloud must shift and adjust as nodes in a cluster shift and adjust. Systems like Amazon DynamoDB require monitoring the AWS APIs. DAM needs to be capable of handling Amazon RDS Multi-AZ deployments. Attempting to monitor network traffic in a public cloud is very messy and simply won’t scale properly.
Employ a cloud-native tool that synthesizes activity from across all databases and services to comprehensively answer the who, what, where, when and how of an action. The tool should be integrated with your inventory tracking to ensure that new databases are properly monitored. Consider how activity is tracked and where the results are stored. Make it a priority to use a tool that securely stores activity in servers outside of the database. Once enabled, DAM should run continuously.
Read part 8 of this series where we address the other side of monitoring—alerting.