Five Key Steps for Database Security in the Cloud Age

As business has become more digital, data has become the most valuable asset of many organizations. But protecting that data has also become much more complicated as organizations increasingly migrate it to a mix of public and private cloud infrastructures, such as Microsoft Azure, Amazon Web Services, and Google Cloud. With most businesses today operating in a multi-cloud environment, it’s no longer possible to simply lock up precious data in the proverbial vault and guard the perimeter.

Mitigating Security Risks in Complex Cloud Environments

To protect their valuable assets amid this new reality, organizations must take a data-centric approach that focuses on protecting data no matter where it resides. Here are five key approaches to make that happen:

  1. Define standards, security, and compliance policies. Cloud database vendors rarely address more than the most obvious weaknesses in the out-of-the-box installations of their platforms. When vendors do patch vulnerabilities or ship new versions of software, an organization needs to review policies to ensure they account for new and updated configurations and settings. Organizations should ask themselves: How often are policies updated and what should trigger a policy change? How will exceptions be handled? What teams need to be involved in the review process of suggested policy changes and how will the process be communicated?
  2. Run vulnerability assessments. Since databases are often an organization’s largest repository of sensitive information, they should be evaluated not only to search for potential vulnerabilities but also to ensure they fulfill any relevant regulatory compliance requirements. To demonstrate effective controls surrounding sensitive data, organizations should run a baseline assessment and establish a practice of continuous assessment to ensure issues are remediated in a timely manner. The U.S. Department of Homeland Security’s Continuous Diagnostics and Mitigation standards for database security are a great model to follow for this process.
  3. Understand user privilege and access. As people change roles or leave an organization, user privileges are often not kept up-to-date, and, as a result, organizations lack a full understanding of who has access to sensitive data. Fortunately, many database-scanning technologies today can not only identify vulnerabilities and misconfigurations but also users, roles, and privileges. The only way to establish meaningful controls that track how users interact with the data, or to capture an audit trail for use in a breach investigation, is to know who has access to what data and why they’ve been granted that access.
  4. Use data analytics to mitigate risks. Remediating high-risk vulnerabilities and misconfigurations within your databases not only reduces your risk of compromise, but it also narrows the scope of any required compensating controls you might need, such as exploit monitoring. Using data analytics to associate risk scores with the findings from your vulnerability assessment can help identify your most exposed systems or groups so you can focus your efforts where you can make the most impact (i.e., reduce the most risk).
  5. Respond to policy violations in real time. For vulnerabilities that cannot be remediated or patched in a timely manner, real-time database activity monitoring (DAM) can be an appropriate compensating control. DAM solutions can alert operations center personnel when a security violation is identified so they can take corrective action. Many organizations also feed these alerts into a security information and event management or network management tool so that suspicious activity, once detected, can be investigated further and remediated.
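The risk scoring in step 4 and the hand-off to a compensating control in step 5 can be sketched as follows. This is an added example, not code from the article or any vendor; the severity weights, sensitivity tiers, 30-day remediation window, and all database names and findings are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Finding(NamedTuple):
    db: str
    group: str
    check: str
    severity: str
    remediated: bool
    age_days: int

# Assumed weights and data-sensitivity tiers; set these from your own policy.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
SENSITIVITY = {"orders-prod": 3, "hr-reporting": 3, "billing-archive": 2, "dev-sandbox": 1}

# Constructed sample export from a vulnerability assessment.
FINDINGS = [
    Finding("orders-prod", "payments", "default account enabled", "critical", False, 45),
    Finding("orders-prod", "payments", "audit logging disabled", "high", False, 10),
    Finding("hr-reporting", "hr", "excessive PUBLIC grants", "high", False, 60),
    Finding("hr-reporting", "hr", "missing vendor patch", "medium", True, 20),
    Finding("dev-sandbox", "engineering", "weak password policy", "medium", False, 5),
    Finding("billing-archive", "payments", "missing vendor patch", "high", False, 35),
]

def risk_by(findings, field):
    """Rank databases ('db') or groups ('group') by weighted risk of open findings."""
    totals = defaultdict(int)
    for f in findings:
        if f.remediated:
            continue  # closed findings no longer contribute risk
        weight = SEVERITY_WEIGHT[f.severity] * SENSITIVITY.get(f.db, 1)
        totals[getattr(f, field)] += weight
    # Highest score first; name breaks ties so the order is stable.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def overdue(findings, sla_days=30):
    """Open findings past the remediation window: candidates for monitoring (DAM)."""
    return [(f.db, f.check) for f in findings
            if not f.remediated and f.age_days > sla_days]

if __name__ == "__main__":
    for name, score in risk_by(FINDINGS, "db"):
        print(f"{score:4d}  {name}")
    for name, score in risk_by(FINDINGS, "group"):
        print(f"{score:4d}  group:{name}")
    for db, check in overdue(FINDINGS):
        print(f"monitor until fixed: {db} ({check})")
```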

Changing the Way We Think About Security

Data is an organization’s most precious asset but, with more of it residing in public and private clouds, we can no longer think of a database as something on-premise that we can protect with perimeter and network security measures. By establishing the right policies, scanning for vulnerabilities, controlling user privilege, and implementing risk mitigation and real-time monitoring, an organization can create a data-centric security practice that protects its valuable data no matter where it is.