SecurityWeek

Cloud Security

Zen and the Art of Cloud Database Security (Part 2)

The benefits of the cloud are clear – better application flexibility and control at a lower cost. But you can’t think about moving to the cloud without addressing the inherent security concerns. In part one of this series we discussed how to understand the scope of your database landscape to more effectively move your databases to the cloud. In part two we will tackle how to build and implement an effective security strategy based on that clearly defined landscape.

Build your Security Strategy

Once the mapping phase is done, you have a clearer picture of the required security policies and how to achieve them. The next step is to plan the security controls while addressing key challenges.

The shared responsibility challenge

You first need to understand who is responsible for what. In IaaS, the borders are clear, but in PaaS they are more blurred. As a rule of thumb, your provider is responsible for protecting the infrastructure components, but all instance and application security is up to you. If using a managed database environment, your provider is responsible for the availability of the database, but not for protection against confidentiality and integrity threats – that is up to you. Here is a summary of areas the organization is still responsible for:

a) Protecting the data as it moves to the cloud – Data-in-motion encryption, such as TLS (SSL) or a VPN, should be used to protect the data as it moves in and out of the cloud.

b) Hardening instances – With IaaS, the customer is responsible for securing the operating system. This includes hardening processes, patches, security software installation and following the database vendor’s security guidelines.

c) Protect management console access – Best practices such as MFA, role-based access to dashboard functions and a data recovery plan to an external location are mandatory for addressing this attack vector.

d) Account for application security – Make sure to include cloud-specific threats in your threat modeling.

e) Prepare plans for availability, backups, Disaster Recovery (DR) and Business Continuity (BC) – Most IaaS vendors will provide you with the tools for creating an adequate backup and DR strategy within the boundaries of the provider. However, the customer is responsible for deploying and operating those tools so that the plans are actually met.
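Item (a) above is the one control in this list that can be checked mechanically from configuration alone. The following is an added example, not code from the original article: it classifies the `sslmode` setting of a PostgreSQL-style (libpq) connection string and reports why the weaker settings leave data in motion exposed, including the common mistake of stopping at `sslmode=require`, which encrypts the session but never verifies who is on the other end. The host names, file paths and connection strings are constructed sample values, not part of the article.

```python
"""Assess the transport security of a PostgreSQL-style connection string.

Constructed example: classifies the libpq `sslmode` setting and reports why
weaker settings leave data in motion exposed. The connection strings in
main() are made-up sample values.
"""
from urllib.parse import parse_qs, urlparse

# libpq sslmode values ordered from weakest to strongest.
SSLMODE_RANK = {
    "disable": 0,      # never encrypt
    "allow": 1,        # try cleartext first, encrypt only if the server insists
    "prefer": 2,       # try encryption first, silently fall back to cleartext (libpq default)
    "require": 3,      # always encrypt, but do not verify the server certificate
    "verify-ca": 4,    # verify the certificate chains to a trusted CA
    "verify-full": 5,  # also verify the certificate matches the host name
}


def parse_dsn(dsn):
    """Return connection parameters from either a URI or a key=value DSN."""
    if "://" in dsn:
        url = urlparse(dsn)
        params = {key: values[-1] for key, values in parse_qs(url.query).items()}
        params["host"] = url.hostname or ""
        return params
    params = {}
    for token in dsn.split():
        key, _, value = token.partition("=")
        params[key.strip()] = value.strip().strip("'")
    return params


def assess_transport(dsn):
    """Return a dict saying whether the connection is encrypted and server-authenticated."""
    params = parse_dsn(dsn)
    mode = params.get("sslmode", "prefer")  # libpq applies "prefer" when sslmode is absent
    rank = SSLMODE_RANK.get(mode)
    findings = []
    if rank is None:
        findings.append(f"unknown sslmode '{mode}'; treat as unencrypted until confirmed")
        rank = 0
    if rank <= 2:
        findings.append(f"sslmode={mode} allows a cleartext connection, so data may leave unencrypted")
    elif rank == 3:
        findings.append("sslmode=require encrypts but does not authenticate the server; "
                        "use verify-full so a certificate is required and checked against the host name")
    elif rank == 4:
        findings.append("sslmode=verify-ca checks the CA but not the host name; use verify-full")
    if rank >= 4 and not params.get("sslrootcert"):
        findings.append("no sslrootcert set; libpq will look for ~/.postgresql/root.crt and fail if it is absent")
    return {
        "sslmode": mode,
        "encrypted": rank >= 3,
        "server_authenticated": rank == 5,
        "findings": findings,
    }


def main():
    # Constructed sample connection strings, weakest to strongest.
    samples = {
        "weak": "host=db.example.internal dbname=orders user=app",
        "encrypted only": "host=db.example.internal dbname=orders user=app sslmode=require",
        "hardened": "postgresql://app@db.example.internal/orders"
                    "?sslmode=verify-full&sslrootcert=/etc/ssl/certs/internal-ca.pem",
    }
    for label, dsn in samples.items():
        result = assess_transport(dsn)
        print(f"{label}: encrypted={result['encrypted']} "
              f"server_authenticated={result['server_authenticated']}")
        for finding in result["findings"]:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

The same idea applies to other drivers (MySQL's `ssl-mode`, for instance, has an equivalent VERIFY_IDENTITY level); the point is that "encrypted" and "talking to the right server" are separate properties, and only the strictest mode gives you both.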

Compliance challenges

Compliance in the cloud can be challenging for a variety of reasons. For example, the cloud adds complexity because the scope of regulatory compliance now includes infrastructure under the responsibility of a third party; different jurisdictions have different laws and regulations, all of which may have to be met; and cloud technology sometimes limits visibility into internal systems and mechanisms.

In order to reduce compliance efforts, it is very important to select a provider that holds compliance certification for the environments you will be using. Once the provider infrastructure is compliant in terms of its own responsibilities, it is up to the customer to ensure that their application environment can also achieve compliance certification. In general, when talking about compliance in relation to databases, the following controls should be considered:

a) Understanding where the data is: Regulated data should be mapped to exact locations.

b) Separation of duties: It is necessary to implement separation mechanisms (1) between production and test environment data, (2) between non-regulated and regulated applications, and (3) between the different roles involved with handling the data.

c) Access controls should be in place: All access to sensitive data should be governed, monitored and approved.

d) Identity Management: A cornerstone for building effective access control is implementing an adequate identity management solution.

e) Encryption and encryption alternatives: The higher up the application stack, the more challenging encryption gets. Sometimes, encryption alternatives such as tokenization or data masking are more effective and efficient.

f) Detecting, preventing and mitigating attacks: You may be required to demonstrate the means to detect and prevent attacks on the database (e.g., SQL injection attacks). This requires the development of adequate controls and audit infrastructure.

g) Operational security: Procedures should be developed to govern asset management, change management, production access, periodic vulnerability scanning, adequate remediation procedures, user access audit, management operation, and event response procedures.
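Items (c) and (f) above ask for governed, monitored access and for demonstrable means of detecting and preventing attacks such as SQL injection. The following is an added example, not code from the original article, showing the vulnerable lookup beside its hardened form, with the hardened form enforcing a role check, recording an audit entry for every access to the regulated column, and a small detection pass over that audit trail. The in-memory SQLite table, the customer rows, the role names and the `audit` list are constructed stand-ins for a real database, identity provider and audit infrastructure.

```python
"""Vulnerable versus hardened lookup of regulated data, with an audit trail.

Constructed example using an in-memory SQLite table; the customer rows,
role names and the `audit` list are made-up stand-ins for a real database,
identity provider and audit infrastructure.
"""
import sqlite3
from datetime import datetime, timezone

# Roles permitted to read the regulated column (assumed separation-of-duties policy).
ALLOWED_ROLES = {"support-tier2", "fraud-analyst"}


def build_db():
    """Create a throwaway table holding a regulated field (a national ID)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT UNIQUE, national_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, national_id) VALUES (?, ?)",
        [("alice@example.com", "ID-0001"), ("bob@example.com", "ID-0002")],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable form: untrusted input is spliced into the SQL text."""
    sql = f"SELECT email, national_id FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email, actor, role, audit):
    """Hardened form: parameterized query, role check and an audit record per access."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "role": role,
        "lookup": email,
        "allowed": role in ALLOWED_ROLES,
        "rows": 0,
    }
    audit.append(entry)  # denied attempts are recorded too
    if not entry["allowed"]:
        raise PermissionError(f"role {role!r} may not read customer national_id")
    # The driver sends the value separately from the statement text, so the
    # input can never change the structure of the query.
    rows = conn.execute(
        "SELECT email, national_id FROM customers WHERE email = ?", (email,)
    ).fetchall()
    entry["rows"] = len(rows)
    return rows


def flag_anomalies(audit):
    """Detection pass over the audit trail: denied attempts, and lookups by a
    unique key that returned more than one row (a sign the WHERE clause was
    subverted, which the parameterized form makes impossible)."""
    return [e for e in audit if not e["allowed"] or e["rows"] > 1]


def main():
    conn = build_db()
    audit = []
    injected = "x' OR '1'='1"  # constructed malicious input
    print("unsafe:", lookup_unsafe(conn, injected))  # every row comes back
    print("safe:  ", lookup_safe(conn, injected, "u1", "support-tier2", audit))  # nothing matches
    try:
        lookup_safe(conn, "alice@example.com", "u2", "marketing", audit)
    except PermissionError as exc:
        print("denied:", exc)
    print("flagged:", flag_anomalies(audit))


if __name__ == "__main__":
    main()
```

In a real deployment the audit list would be an append-only log shipped off the database host, and the role would come from the identity management layer (item d) rather than a function argument; the structure of the check stays the same.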
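Item (e) above mentions tokenization and data masking as alternatives to encrypting higher up the stack. The following is an added example, not code from the original article, showing what those two alternatives look like in practice: a token vault that replaces a card number with a random token (so the application database never holds the value), a role-gated and audited detokenize path, and masking functions for display. `TokenVault`, the role name `payments-service` and the sample card numbers and addresses are constructed for this example; a production vault would be a separately secured service, not an in-memory dictionary.

```python
"""Tokenization and data masking as encryption alternatives for regulated fields.

Constructed example: TokenVault is an in-memory stand-in for a separately
secured token store; the card numbers, e-mail addresses and role names are
made-up sample values.
"""
import secrets

# Roles allowed to turn a token back into the original value (assumed policy).
DETOKENIZE_ROLES = {"payments-service"}


class TokenVault:
    """Maps sensitive values to random tokens that carry no information about the value.

    Application databases store only the token; the vault is the single place
    where the mapping exists, so it must be guarded and audited separately.
    """

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}
        self.audit = []

    def tokenize(self, value):
        """Return the token for `value`, reusing an existing token so equal values
        stay joinable across tables without exposing the value itself."""
        token = self._token_by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(12)  # random, not derived from the value
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token, role):
        """Return the original value only for roles that need it; every call is recorded."""
        allowed = role in DETOKENIZE_ROLES
        self.audit.append({"token": token, "role": role, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._value_by_token[token]


def mask_number(value, keep_last=4, mask_char="*"):
    """Mask all but the last `keep_last` characters, preserving length for display."""
    if len(value) <= keep_last:
        return mask_char * len(value)
    return mask_char * (len(value) - keep_last) + value[-keep_last:]


def mask_email(address, mask_char="*"):
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = address.partition("@")
    if not sep or not local:
        return mask_char * len(address)
    return local[0] + mask_char * (len(local) - 1) + "@" + domain


def store_record(vault, card_number, email):
    """Build the record an application database would hold: a token instead of
    the card number plus masked copies for display, never the card number itself."""
    return {
        "card_token": vault.tokenize(card_number),
        "card_display": mask_number(card_number),
        "email": email,
        "email_display": mask_email(email),
    }


def main():
    vault = TokenVault()
    record = store_record(vault, "4111111111111111", "alice@example.com")  # constructed values
    print("stored:", record)
    print("payments sees:", vault.detokenize(record["card_token"], "payments-service"))
    try:
        vault.detokenize(record["card_token"], "support")
    except PermissionError as exc:
        print("denied:", exc)
    print("vault audit:", vault.audit)


if __name__ == "__main__":
    main()
```

Reusing one token per value keeps analytics and fraud joins working without the plaintext, at the cost that equal values are recognisable as equal; if that linkability is itself a concern, issue a fresh token per record instead.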

Despite the numerous security challenges facing organizations looking to migrate databases to the cloud, they can be overcome by understanding the specific scope of needs associated with the databases being moved and aligning those needs with the required security policies and controls. Through simple planning and forethought, organizations can ensure their databases not only meet compliance requirements, but will remain secure – allowing them to take full advantage of the cost savings and scalability benefits provided by the cloud.
