The popularity of cloud continues to grow. Even during the COVID-19 pandemic there has been an increase in public cloud sales, with numbers expected to grow by 13.2%, while IT infrastructure sales are expected to drop by up to 16.4%. The vast majority of enterprises now run a mix of on-premises and cloud-based environments, known as Hybrid IT, but 83% of enterprise workloads are expected to be in the cloud by 2020.
This shift from on-premises infrastructure to cloud-based environments requires organizations to reevaluate the database security tools they use. 84% of organizations say traditional security solutions don't work in cloud environments, and 92% believe they have a cloud security readiness gap. Why might your database security tool have trouble in the cloud? Let's examine some of the differences between traditional on-prem databases and public cloud databases; they illustrate why a data center security tool won't be ready for the public cloud.
Static vs Dynamic Ephemeral Resources
In a data center, databases are static: they are deployed in-house, within the organization's own IT infrastructure. This means the organization has an IT security team responsible for maintaining the security of the hardware, software, and all related processes. The organization retains all of its data and is fully in control of what happens to it, for better or worse.
In a public cloud environment, databases are dynamic. Organizations can start, stop, or modify databases on demand, using as many resources as they want at any given time, which shifts more responsibility for securing the data on those resources to DevOps teams. The ephemeral nature of cloud means IP addresses, physical locations, and the times at which databases run are constantly changing. A traditional data center security tool is intended to scan static resources that run for a long period of time with an IP address that doesn't change. You will need a tool that automatically handles changes in a dynamic environment, where location and IP address can change at a moment's notice.
Thinking Beyond Firewalls: Introducing Zero Trust Security
In a data center, your databases sit behind layers of security such as a firewall or VPN, monitored by your IT security team. This in-house team is responsible for patching, provisioning, and performing penetration tests on the physical resources, ensuring all traffic going in and out of the network is safe.
In a cloud environment, resources are accessed anytime, anywhere, from any device. Organizations have to assume they can no longer trust any activity inside or outside the network, and must focus on securing the data itself through encryption. Identity and Access Management (IAM) provides role-based security controls for managing digital identities and their access to databases, applications, and systems. Your security tool needs to monitor and manage these user access controls, as they will be the target of users with malicious intent. Identifying which users have elevated privileges and enforcing the principle of least privilege will help tighten database security, so your security tool needs to be able to assess IAM controls, user permissions, and whether elevated privileges have been assigned.
Database Types and Cloud Services
In the traditional data center, databases were typically large, monolithic relational database management systems, with the leading products being Oracle, Sybase, IBM DB2, and Microsoft SQL Server. A database was a physical device manually installed, provisioned, and tested within the IT security team's controlled environment. Securing every layer of the infrastructure, database, and network requires deep knowledge of the specific databases' hardware and software.
Public cloud enables high availability of a wide variety of cloud-specific database services such as AWS RDS, ElastiCache, DynamoDB, and Aurora.
[Figure: Relational Database Engines / Non-Relational Database Engines]
87% of organizations are implementing a hybrid cloud strategy, using private as well as public clouds. 93% have embraced a multi-cloud strategy, meaning multiple cloud providers such as AWS, GCP, and Azure are in use. Your database security tool will need to accommodate the various cloud providers, their database services, and the database engines, and to ensure that database backups have been encrypted.
DevOps vs IT Security Teams Approach to Security
In the data center, in-house IT security teams are responsible for complete end-to-end security, meaning every layer of security must be reviewed and verified before a new resource can be brought onto the network. The IT security team is responsible for using tools to monitor security and assure compliance with any applicable frameworks. This process requires significant investment of resources and time to bring a new resource online.
In the public cloud, DevOps teams are now responsible for starting and stopping resources at any time, and they often have little to no security experience. DevOps naturally depends on sharing highly sensitive intellectual property and confidential information such as API keys, SSH keys, and privileged account status, but because of its relative immaturity, the security of that data is often an afterthought. Traditional data center tools often don't connect with each other, so complete visibility into what's happening in other parts of the network is lost. This creates a larger attack surface for attackers to exploit. Security tools need to be integrated into the DevOps teams' workflow and should respond automatically to changes in the environment. This means your database security tool will need to be built specifically for cloud databases, speaking the same cloud language your DevOps team is familiar with, in order for your resources to remain secure.
Maintain Your Security Footprint
99% of cloud security failures will be the customer's fault. Not surprisingly, IDC predicted that security-led development will be a primary focus for 90% of organizations by 2020. To maintain your security footprint in the cloud you must inventory your databases, assess their security, remediate problems, and monitor user activity on an ongoing basis. Reviewing your current security tools will be essential to accomplishing these goals.
New cloud technologies need software solutions that can handle new architectures: monitoring Amazon DynamoDB APIs, adapting to monitoring clusters such as Amazon Redshift, and accommodating the changes that come with Amazon RDS and new database types. Tools like SecureCloudDB are designed from the ground up to handle database security in the public cloud.
Interested in learning more about cloud database security? Check out our free whitepaper, Database Security: Moving to the Public Cloud.