Connect with us

Hi, what are you looking for?


Cloud Security

Zen and the Art of Cloud Database Security (Part 1)

More and more organizations are moving applications and data to IaaS/PaaS environments in order to enjoy the benefits of cloud computing while still preserving application flexibility and control.

More and more organizations are moving applications and data to IaaS/PaaS environments in order to enjoy the benefits of cloud computing while still preserving application flexibility and control.

However, many enterprise IT departments have serious concerns about moving their more sensitive servers and data to the cloud. They have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day:

• The Cloud Security Alliance states that data breaches are the top cloud computing security threat.

Cloud Security: Protecting databases• The IBM Security Services 2014 Cyber Security Intelligence Index reports 1.5 million monitored cyber-attacks in the US alone in 2013, a figure that is accelerating due to the growing use of cloud infrastructure, among other factors.

• The Ponemon Institute’s recent study, “Data Breach: The Cloud Multiplier Effect,” clearly indicates that IT and security professionals believe that migrating to cloud services dramatically increases the likelihood and economic impact of data breaches by several magnitudes, due to a lack of confidence in the security of data in the cloud.

These reports are reinforced by a consistent stream of news stories about hacked company data.

While migrating application components to the cloud is challenging, migrating database servers can prove to be far more difficult, especially in terms of security. Application and Web servers usually require protection from integrity and availability threats, areas for which sufficient mitigating controls are available in cloud technologies. But databases usually require protection against confidentiality threats as well, not to mention adherence to data-related laws and regulations.

This two-part article outlines the most important aspects to consider when migrating a database to the cloud. Part-one of will focus on understanding the scope of your database landscape, and I will address how to effectively build your security strategy in part-two.

Advertisement. Scroll to continue reading.

Understand the Scope

• What data are you moving?

Cloud computing adds a number of risks and attack vectors for your risk management plan to consider. Different types of data encompass different challenges. If you are moving Personally Identifiable Information (PII) or other regulated data, you will need to ensure that the migration does not affect your regulatory compliance.

Tools that provide eDiscovery options can help to identify sensitive database content, to understand the regulatory aspects and to assist in classification of the data according to risks.

• Who is accessing the database?

In order to fully understand the security aspects of a database, you need to examine who is accessing the database and for what purposes. Remember to think beyond regular user access. For example, administrative tasks should be mapped out to ensure that granular access controls will be maintained after moving to the cloud.

If the application uses external data sources, you may require new controls, such as data-in-motion encryption and data integrity validation, in order to retain data confidentiality and integrity as this data moves from those sources into the database.

Tools such as database activity monitoring (DAM) can be a huge help in mapping database access from different sources (users, administrators, third-party contractors, applications, etc.). Once the database access is mapped, you will have a better understanding of your cloud database security requirements.

• To where are you moving the data?

Understanding the environment into which you are transitioning plays a great role in securing your data. Not all IaaS/PaaS providers offer the same security capabilities. Migrating your data into a database managed by a cloud provider poses different challenges than installing your own database infrastructure. When weighing your cloud provider options, make sure that you fully understand the security aspects involved. For example:

• What physical and network security infrastructure is in place?

• Who has administration access to the database?

• Can you allow/disallow granular access to different data and database resources?

Keep in mind that different geographic locations could mean different regulations, laws and standards; factors that could affect your hosting provider choice.

Please check back for part-two of this series, when we will discuss building out your security strategy to map back to your required security policies and specific database landscape.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...