July 21, 2022

Last Updated on January 18, 2024

Will the last on-premises workload please turn off the lights? Like everything else, databases are moving to the cloud in droves and throngs.

How does maintaining databases in cloud environments impact their security? What new risks does it create and how severe are they? In what ways does moving databases to the cloud help strengthen security? What needs to be done differently to keep cloud databases secure?

Database expert Robert Buda, President at Buda Consulting, discussed cloud database security on a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the show as usual.

Focus on controlling access

Bob points out that some risks to data held in databases decrease in the cloud, while others increase.

“The infrastructure risk, things like not securing backups properly, diminishes when you get into the cloud,” Bob explains. “But that’s kind of compensated for by [increasing] database sprawl, so there are shifting risks there. … The business or user-related risks are the same; doesn’t matter.”

The bottom line for database security, in the context of overall security, is to strictly control and minimize which accounts can pull data out of a database in the first place. That includes the accounts used by extract-transform-load (ETL) scripts and other tools and systems, not just interactive users.

“But controlling the access that those products or processes have, we gain a greater level of security,” notes Bob. “That doesn’t change whether you’re in the cloud or on-premises.”

Concerns with emerging technology

Bob also expresses concern about the cloud overall as well as some of the new ways of manipulating data in the cloud. There is increased risk from not knowing where your sensitive data is located.

Further, with today’s schema-less NoSQL databases, the structure of the stored data can change much more frequently. Does a database still contain sensitive data, or not? With unstructured data, the proven shortcuts, such as looking at schema, table and/or column names to judge whether data is sensitive, are now less helpful.

So, not only might you not know where your database is, but also you might not know what types of data are in it right now.

“That’s where our risk, I think, increases a bit—maybe quite a bit,” Bob offers.

Shared responsibility for security

One security factor that is universal in the cloud is the concept of shared responsibility for security. The cloud service provider (CSP) is responsible for some controls and the client for others. Which is which depends on the service being consumed.

“I think there’s a risk that when we have more services in the cloud, the impression that the host is managing all that for us and us not having to care increases,” advises Bob. “And I think that’s risky because, for example, things like having [database] logging configured… that’s not generally configured by default. Auditing is not generally turned on by default. So, if we take the approach that, ‘I’m moving to the cloud; I don’t have to worry about a lot of security stuff,’ I think that can actually make us more vulnerable.”

In other words, if you’re not clear on what security you’re responsible for, ask your CSP and get ready to plug some gaps.

What’s next?

Ready to listen to the whole episode with database expert Bob Buda? Click here.

Ready for “attack surface management 101”? Here’s the quick intro: What is Attack Surface Management and Why Should We (as an Org with Vulnerabilities) Care?
