Zen and the Art of Cloud Database Security (Part 2)

The benefits of the cloud are clear: better application flexibility and control at a lower cost. But you cannot plan a move to the cloud without addressing the security concerns that come with it. In part one of this series we discussed how to map the scope of your database landscape before moving databases to the cloud. In part two we tackle how to build and implement an effective security strategy based on that clearly defined landscape.

Build your Security Strategy

Once the mapping phase is done, you have a clearer picture of which security policies each database needs and how to achieve them. The next step is to plan the security controls while addressing two key challenges: who is responsible for what, and how to stay compliant.

The shared responsibility challenge

You first need to understand who is responsible for what. In IaaS the border is clear; in PaaS it is blurred. As a rule of thumb, the provider protects the infrastructure components (physical hosts, hypervisor, network fabric), while everything inside your instances and applications is up to you. With a managed database service the provider also keeps the engine patched and available, but confidentiality and integrity of the data (who can query it, whether it is encrypted, what leaves it) remain your responsibility. Here is a summary of the areas the organization still owns:

a) Protecting data as it moves to and from the cloud – Use TLS (still widely called SSL) or a VPN for every connection that crosses a network boundary. Encryption alone is not enough: the client must also verify the server's certificate, otherwise an "encrypted" connection can still be intercepted by anyone able to sit between you and the database endpoint.

b) Hardening instances – With IaaS, the customer is responsible for securing the operating system: hardening procedures, patching, installing security software and following the database vendor's security guidelines.

c) Protecting management console access – The provider's console and API are a single point from which every instance and database can be reconfigured or deleted, so MFA, role-based access to dashboard functions and a recovery plan with backups held outside the provider account are mandatory for addressing this attack vector.


d) Accounting for application security – Make sure your threat modeling includes cloud-specific threats, not only the ones carried over from the data center.

e) Preparing plans for availability, backups, Disaster Recovery (DR) and Business Continuity (BC) – Most IaaS vendors provide the tools to build an adequate backup and DR strategy within the provider's own boundaries, but choosing, deploying and testing those tools against your requirements is the customer's job.
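Item (a) is the one most often done half-way: the connection is encrypted, but the client never checks who it is talking to. The following is an added example, not code from the article, showing how to make a PostgreSQL connection string enforce verified TLS. It uses only standard libpq URL parameters (sslmode, sslrootcert) and Python's standard library; the host name, database name and CA bundle path are constructed placeholders.

```python
# Added example (not from the article): enforce verified TLS on a
# PostgreSQL connection string.  libpq's sslmode values, weakest to
# strongest, are disable, allow, prefer (the default), require, verify-ca
# and verify-full.  Only verify-full checks both the CA chain and that the
# certificate name matches the host, so it is the only mode that stops an
# on-path attacker from impersonating the managed database endpoint.
import ssl
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DEFAULT_SSLMODE = "prefer"   # what libpq assumes when sslmode is absent


def dsn_params(dsn: str) -> Dict[str, str]:
    """Return the query parameters of a postgres:// URL as a dict."""
    return dict(parse_qsl(urlsplit(dsn).query, keep_blank_values=True))


def verifies_server_identity(dsn: str) -> bool:
    """True only if the DSN pins a CA bundle *and* checks the host name."""
    params = dsn_params(dsn)
    mode = params.get("sslmode", DEFAULT_SSLMODE)
    return mode == "verify-full" and bool(params.get("sslrootcert"))


def harden_postgres_dsn(dsn: str, ca_file: str) -> str:
    """Rewrite a libpq URL so that connecting requires a server certificate
    chained to ca_file whose name matches the host.  Other parameters
    (user, database, connect_timeout, ...) are preserved.

    ca_file is whatever bundle your provider publishes for its managed
    database endpoints; the path used below is an assumption for the demo.
    """
    parts = urlsplit(dsn)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"not a PostgreSQL URL scheme: {parts.scheme!r}")
    params = dsn_params(dsn)
    params["sslmode"] = "verify-full"
    params["sslrootcert"] = ca_file
    # safe="/" keeps the CA path readable; libpq accepts either form.
    return urlunsplit(parts._replace(query=urlencode(params, safe="/")))


def client_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Same policy for drivers that take an ssl.SSLContext instead of libpq
    parameters: CA required, host name checked, TLS 1.2 as the floor.
    ca_file=None falls back to the operating system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True               # reject a name mismatch
    ctx.verify_mode = ssl.CERT_REQUIRED     # reject an unknown CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed DSN: sslmode=require looks safe but never checks who
    # answered, so a forged endpoint with any certificate would be accepted.
    weak = ("postgres://app@db.example.internal:5432/orders"
            "?sslmode=require&connect_timeout=5")
    print("before:", verifies_server_identity(weak), weak)
    strong = harden_postgres_dsn(weak, "/etc/ssl/certs/provider-db-ca.pem")
    print("after: ", verifies_server_identity(strong), strong)
```

The point to carry over to other engines is the same: MySQL's equivalent of verify-full is ssl-mode=VERIFY_IDENTITY, and any driver that exposes an SSLContext needs check_hostname and CERT_REQUIRED set, not just "use SSL".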

Compliance challenges

Compliance in the cloud can be challenging for several reasons. The scope of regulatory compliance now includes infrastructure under the responsibility of a third party. Different jurisdictions have different laws and regulations, and several may apply at once. And cloud technology sometimes limits visibility into the internal systems and mechanisms an auditor will ask about.

To reduce the compliance effort, select a provider that holds the relevant compliance certifications for the environments you will be using. Those certifications cover only the provider's side of the shared-responsibility line; once the provider infrastructure is compliant, it is up to the customer to make the application environment compliant as well. When talking about compliance in relation to databases, the following controls should be considered:

a) Knowing where the data is: regulated data should be mapped to exact locations, down to the region, instance and table.

b) Separation of duties: enforce separation (1) between production and test environment data, (2) between non-regulated and regulated applications, and (3) between the different roles involved in handling the data, so that no single role can both change the data and approve or audit that change.

c) Access controls: all access to sensitive data should be governed, monitored and approved.

d) Identity Management: A cornerstone for building effective access control is implementing an adequate identity management solution.

e) Encryption and encryption alternatives: the higher up the application stack encryption is applied, the more challenging it gets. Volume or storage-level encryption is cheap and transparent but protects only against lost media or a misplaced snapshot; column or application-level encryption protects the data from a compromised database account, but every query that filters or sorts on an encrypted column has to be redesigned. Sometimes alternatives such as tokenization (replacing the value with a surrogate and keeping the original in a separately secured vault) or data masking are more effective and efficient, especially for shrinking the amount of data that is in scope.

f) Detecting, preventing and mitigating attacks: you may be required to demonstrate the means to detect and prevent attacks on the database (e.g., SQL injection). That requires audit logging that records which statements were executed, by whom and from where, plus detection and response controls built on top of it.

g) Operational security: procedures should be developed to govern asset management, change management, production access, periodic vulnerability scanning, remediation, user access audits, management operations and event response.
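Items (b) and (e) above both come down to putting something other than the real value into the database or the test environment. The following is an added example, not code from the article, showing the three techniques side by side: a tokenization vault that hands the application a random surrogate, irreversible display masking, and keyed pseudonymization for production-to-test copies that keeps joins working. The card numbers, e-mail address and vault key are constructed test values.

```python
# Added example (not from the article): the encryption alternatives the
# text mentions.  Tokenization swaps a sensitive value for a random
# surrogate and keeps the real value in a separately protected vault, so
# the application database holds nothing regulated; masking produces a
# value that is safe to show to a support agent; pseudonymization produces
# a stand-in for test copies that preserves equality but not the value.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class TokenVault:
    """Minimal vault: token -> real value, plus a keyed-hash index so the
    same input always yields the same token without storing a reverse
    plaintext lookup table.  A real vault lives in its own database with
    its own access controls and audit trail; the index key is a placeholder
    secret for this example."""

    def __init__(self, index_key: bytes) -> None:
        self._key = index_key
        self._by_token: Dict[str, str] = {}
        self._by_fingerprint: Dict[str, str] = {}   # HMAC(value) -> token

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for value, or mint a new random one."""
        fp = self._fingerprint(value)
        if fp in self._by_fingerprint:            # idempotent, so joins work
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)    # random: carries no data
        self._by_token[token] = value
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the few components allowed to call this ever see the value."""
        return self._by_token.get(token)


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Irreversible display masking: keep only the trailing digits.
    Separators in the input are dropped so the output has a fixed shape."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= keep_last:
        raise ValueError("value too short to mask safely")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic stand-in for test/dev copies of production data:
    equal inputs map to equal outputs, so referential integrity survives,
    but the real value cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-index-key")
    pan = "4111 1111 1111 1111"                     # constructed test PAN
    token = vault.tokenize(pan)
    print("stored in app DB:", token)
    print("shown to support:", mask_pan(pan))
    print("in test copy:    ", pseudonymize("alice@example.com", b"test-key"))
    print("vault lookup:    ", vault.detokenize(token) == pan)
```

Tokenization only reduces scope if the vault really is separate: a different database, different credentials, and a detokenize path that only the payment or reporting component can reach. If the application database user can read the vault, you have moved the data, not protected it.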
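Item (f) asks you to show that an injection attempt against the database would be noticed. The following is an added example, not code from the article, of a small detector run over database audit log lines. The log format and the sample lines are constructed for the example (date, time, database user@client IP, level, message) and are not any vendor's real format; the regex in LINE_RE is what you would adapt to your engine's log prefix or audit plugin.

```python
# Added example (not from the article): a detector that runs over database
# audit log lines and flags the statement shapes an injection leaves behind.
# The log format is constructed for this example
# ("<date> <time> <dbuser>@<client-ip> <LEVEL>: <message>").
import re
from collections import Counter
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<user>[\w.-]+)@(?P<client>[\d.]+) "
    r"(?P<level>LOG|ERROR): (?P<msg>.*)$"
)

# (name, weight, pattern): each pattern is one classic injection shape.
SIGNATURES: List[Tuple[str, int, re.Pattern]] = [
    ("tautology", 2, re.compile(r"\bor\b\s*(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I)),
    ("union-select", 2, re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("comment-truncation", 1, re.compile(r"['\)]\s*(?:--|#|/\*)")),
    ("stacked-query", 2, re.compile(
        r";\s*(?:drop|delete|update|insert|alter|create|grant|exec)\b", re.I)),
    ("time-based", 2, re.compile(r"\b(?:pg_sleep|sleep|benchmark|waitfor\s+delay)\b", re.I)),
    ("schema-enumeration", 1, re.compile(r"\binformation_schema\b", re.I)),
]
ALERT_THRESHOLD = 2   # a lone weight-1 hit (e.g. a trailing comment) is noise
ERROR_BURST = 3       # syntax errors from one client that suggest blind probing


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into fields; {} if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}


def score_statement(sql: str) -> Tuple[int, List[str]]:
    """Sum the weights of every signature that fires on a statement."""
    score, hits = 0, []
    for name, weight, pattern in SIGNATURES:
        if pattern.search(sql):
            score += weight
            hits.append(name)
    return score, hits


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per suspicious statement or error burst, in order."""
    alerts: List[Dict[str, object]] = []
    syntax_errors: Counter = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        if rec["level"] == "ERROR":
            if "syntax error" in rec["msg"].lower():
                syntax_errors[rec["client"]] += 1
                if syntax_errors[rec["client"]] == ERROR_BURST:
                    alerts.append({"client": rec["client"], "user": rec["user"],
                                   "reasons": ["error-burst"], "line": raw})
            continue
        if not rec["msg"].startswith("statement: "):
            continue
        score, hits = score_statement(rec["msg"][len("statement: "):])
        if score >= ALERT_THRESHOLD:
            alerts.append({"client": rec["client"], "user": rec["user"],
                           "reasons": hits, "line": raw})
    return alerts


# Constructed sample: one application host behaving normally, one client
# probing, and a benign query with a trailing comment that must not alert.
SAMPLE_LOG = [
    "2024-03-05 10:21:07 app@10.0.2.15 LOG: statement: SELECT id, total FROM orders WHERE customer_id = 4821",
    "2024-03-05 10:21:09 app@10.0.2.15 LOG: statement: UPDATE orders SET status = 'shipped' WHERE id = 77",
    "2024-03-05 10:21:12 app@203.0.113.9 LOG: statement: SELECT * FROM users WHERE name = '' OR '1'='1' --'",
    "2024-03-05 10:21:15 app@203.0.113.9 LOG: statement: SELECT name FROM products WHERE id = 1 UNION SELECT table_name FROM information_schema.tables",
    "2024-03-05 10:21:18 app@203.0.113.9 ERROR: syntax error at or near \"'\"",
    "2024-03-05 10:21:19 app@203.0.113.9 ERROR: syntax error at or near \")\"",
    "2024-03-05 10:21:20 app@203.0.113.9 ERROR: syntax error at end of input",
    "2024-03-05 10:21:30 reporting@10.0.3.7 LOG: statement: SELECT count(*) FROM sessions WHERE expires_at < now() -- nightly cleanup check",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["client"], alert["user"], ",".join(alert["reasons"]))
```

Signature matching on logged statements is a demonstration control, not a replacement for parameterized queries: it is noisy (the reporting query above fires a weight-1 hit on a harmless comment), it only sees what the engine logs, and it runs after the statement has executed. Its value for an audit is showing that the log exists, that the client address and database user survive into it, and that something watches it; the error-burst rule is the part that catches blind probing the statement signatures miss.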

Despite the numerous security challenges facing organizations that want to migrate databases to the cloud, they can be overcome by understanding the specific needs of the databases being moved and aligning those needs with the required security policies and controls. With planning and forethought, organizations can ensure their databases not only meet compliance requirements but remain secure, allowing them to take full advantage of the cost savings and scalability the cloud provides.
