DbaaS in The Cloud
Moving applications to the Cloud has many advantages. It provides flexible access to resources on-demand and allows hybrid deployments that spread IT services across on-premise, the Public Cloud, and Private Cloud data centres.
Most applications use a database to store the data that they need to operate, whether that is user data or other data such as that gathered by sensors and other IoT devices. Databases in the Cloud are often provisioned on shared DbaaS (Database as a Service) instances that are managed by a Cloud services provider.
An issue with using DbaaS for databases is that it passes responsibility for security over to the Cloud Service provider. However, data integrity and liability for any data breaches remain with the organisation collecting and storing the data. In the era of GDPR, we all know how vital it is to protect user data.
So how can businesses reap the benefits of flexible DbaaS provision in the Cloud, while at the same time ensuring that the data they are storing is secured? Trustwave DbProtect is the answer to this conundrum. DbProtect provides a comprehensive seven-step database protection model that delivers an enterprise database security strategy that covers all your databases, including those in the Cloud. Check out the DbProtect page for details. Contact Renaissance if you want to learn more or read on for a high-level summary of what DbProtect delivers.
Security Risks with DbaaS
The benefits that come with using Cloud resources are now well known so we won’t rehash them here. When applications and other services are moved to the Cloud and provisioned using a DbaaS model, the management and control of the database is the responsibility of the Cloud service provider. Most providers are conscientious and good at what they do. However, the fact that security responsibility remains with the organisation that collects and stores the data means trust is being placed in an organisation outside of their control.
The risks present when using DbaaS are primarily the same as those present with any other database deployment model, namely:
- Unsecured APIs and other interfaces to the database
- Unauthorised access by IT staff
- Incorrect configuration of security infrastructure such as firewalls
- Slow patching of newly discovered vulnerabilities
An additional risk when using DbaaS is the potential for other tenants sharing the database instance in the Cloud to gain unauthorised access to the data.
These are all well-known risks that internal IT teams would address when using on-premise database servers that they fully control. There is a need to extend security out to take in DbaaS instances as well, and DbProtect delivers this.
How DbProtect boosts security
DbProtect delivers an enterprise-grade database security solution that covers all the databases that are in use within an organisation. Irrespective of whether the database is deployed on-premise or in the Cloud on AWS, RDS, Microsoft Azure, Google Cloud, GovCloud, FedCloud, and more, its security can be assessed and protected in real time by DbProtect.
The following diagram gives a schematic overview of how DbProtect works.
The seven steps are as follows:
- Inventory - DbProtect discovers and inventories every database on the network and in the Cloud, across Production, Test, Development, and others. Databases in the latter group are likely to be unknown to IT and typically have poor security.
- Test - Test all databases against the regulatory frameworks that the business has to implement. Compile the vulnerabilities found.
- Eliminate Vulnerabilities - Eliminate the vulnerabilities identified. DbProtect Vulnerability Management provides unparalleled database vulnerability knowledge that is driven by the SpiderLabs Knowledgebase, one of the most comprehensive and up-to-date vulnerability and threat resources available.
- Enforce Least Privileges - Over time, database users accumulate more privileges than they need to do their job. This can lead to Segregation of Duties (SoD) violations that enable insiders to make fraudulent changes or steal sensitive data. DbProtect Rights Management identifies these and allows the appropriate access rights to be maintained.
- Monitor for Anomalies - DbProtect’s Database Activity Monitoring (DAM) tracks and monitors access to sensitive data and regularly tests database security procedures. It focuses on suspicious activity that may compromise data. The granularity of this checking and alerting can be fully controlled.
- Protect - Deploy policy-based Activity Monitoring to create an easily managed set of actionable security and compliance alerts.
- Respond to Incidents - DbProtect Active Response provides an additional layer of protection around sensitive data in the Cloud. It can be configured to take action when unauthorised and suspicious database activity is detected. Active Response can be customised to a granular level for specific events, performed by a particular user, accessing specific data, in specific databases. Responses to suspicious activity can be alerts, automated malware scans, logging events to a security information and event management (SIEM) system, or the locking of the account performing the activity.
The Cloud brings enormous benefits. However, databases deployed in the Cloud to take advantage of these benefits need to be secured. Incorporating Trustwave DbProtect will allow Cloud-based, and all other, databases to be monitored and protected in real time. Contact Renaissance if you want to learn more.