More and more organizations are moving applications and data to IaaS/PaaS environments in order to enjoy the benefits of cloud computing while still preserving application flexibility and control.
However, many enterprise IT departments have serious concerns about moving their more sensitive servers and data to the cloud. They have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day:
• The Cloud Security Alliance states that data breaches are the top cloud computing security threat.
• The IBM Security Services 2014 Cyber Security Intelligence Index reports 1.5 million monitored cyber-attacks in the US alone in 2013, a figure that is accelerating due to the growing use of cloud infrastructure, among other factors.
• The Ponemon Institute’s recent study, “Data Breach: The Cloud Multiplier Effect,” clearly indicates that IT and security professionals believe that migrating to cloud services dramatically increases the likelihood and economic impact of data breaches by several magnitudes, due to a lack of confidence in the security of data in the cloud.
These reports are reinforced by a consistent stream of news stories about hacked company data.
While migrating application components to the cloud is challenging, migrating database servers can prove to be far more difficult, especially in terms of security. Application and Web servers usually require protection from integrity and availability threats, areas for which sufficient mitigating controls are available in cloud technologies. But databases usually require protection against confidentiality threats as well, not to mention adherence to data-related laws and regulations.
This two-part article outlines the most important aspects to consider when migrating a database to the cloud. Part-one of will focus on understanding the scope of your database landscape, and I will address how to effectively build your security strategy in part-two.
Understand the Scope
• What data are you moving?
Cloud computing adds a number of risks and attack vectors for your risk management plan to consider. Different types of data encompass different challenges. If you are moving Personally Identifiable Information (PII) or other regulated data, you will need to ensure that the migration does not affect your regulatory compliance.
Tools that provide eDiscovery options can help to identify sensitive database content, to understand the regulatory aspects and to assist in classification of the data according to risks.
• Who is accessing the database?
In order to fully understand the security aspects of a database, you need to examine who is accessing the database and for what purposes. Remember to think beyond regular user access. For example, administrative tasks should be mapped out to ensure that granular access controls will be maintained after moving to the cloud.
If the application uses external data sources, you may require new controls, such as data-in-motion encryption and data integrity validation, in order to retain data confidentiality and integrity as this data moves from those sources into the database.
Tools such as database activity monitoring (DAM) can be a huge help in mapping database access from different sources (users, administrators, third-party contractors, applications, etc.). Once the database access is mapped, you will have a better understanding of your cloud database security requirements.
• To where are you moving the data?
Understanding the environment into which you are transitioning plays a great role in securing your data. Not all IaaS/PaaS providers offer the same security capabilities. Migrating your data into a database managed by a cloud provider poses different challenges than installing your own database infrastructure. When weighing your cloud provider options, make sure that you fully understand the security aspects involved. For example:
• What physical and network security infrastructure is in place?
• Who has administration access to the database?
• Can you allow/disallow granular access to different data and database resources?
Keep in mind that different geographic locations could mean different regulations, laws and standards; factors that could affect your hosting provider choice.
Please check back for part-two of this series, when we will discuss building out your security strategy to map back to your required security policies and specific database landscape.