Great Power Brings Great Responsibility: How to Keep Cloud Databases Secure in an Uncertain World
By Bryan Alsdorf, Director of IT and Head of Information Security, MariaDB Corporation
To paraphrase a mantra popularized by Spider-Man: With great power comes great responsibility. It may sound corny. But, with the rise of massive data informing so many aspects of our lives directly and indirectly, this well-known wisdom is especially true when it comes to building databases capable of managing that exponential data growth.
Consider that global data creation is projected to reach more than 180 zettabytes through 2025, according to Statista research. PC Magazine notes that one zettabyte is “enough storage for 30 billion 4K movies, 60 billion video games, or 7.5 trillion MP3 songs.” Amid this juggernaut surge, it’s cloud databases, in particular, that are the scalable powerhouses helping businesses organize, understand and use their own ever-expanding data to create value. The great responsibility comes in keeping all the data protected.
SaaS Vulnerabilities Mean More Data Breaches
The dramatically improved scalability and redundancy of cloud databases are a developmental benchmark in the history of technology, and those traits are transforming how businesses can interact with data. But a misconfiguration—all too easy to trigger—can expose data to the internet, bots and bad actors. Data breaches stemming from different kinds of infrastructure and application vulnerabilities are common. What’s reported in the news is the tip of the iceberg in the cyber attack landscape. Insider threats and attacks exploiting poor east-west security (i.e., inside a network) are relentless.
Earlier this year, Block (formerly known as Square) acknowledged that Cash App was breached by a former employee, leaking personally identifiable information and possibly impacting as many as eight million customers. Mailchimp’s breach of hundreds of accounts resulted from unauthorized access of a customer support and account administration tool. Lapsus$ Group’s breach of Okta in March—a company whose value lies in its B2B SAML authentication product—also happened via a third-party customer support tool. Lapsus$ hit Azure DevOps software too in March, but Microsoft was able to contain the breach before data was exfiltrated. Nevertheless, developer and cloud security experts are on high alert, especially with the pervasiveness of Log4j vulnerabilities, the reach of which may be unprecedented.
Cyber criminals, like Lapsus$, are generally motivated by profit, so they attempt ransomware, DDoS and other kinds of attacks and use extortion to make money. While these profiteering exploits are already ubiquitous, the current geopolitical struggle among superpowers and their client-states across the globe means that attacks which deliberately sow chaos and terror, as a goal in and of itself, outside of profit, will likely rise in prominence too. The U.S. government warnings for businesses to be ready have been clear.
Readiness Is Tougher for SMBs
In the next few years, many cloud security providers will do extremely well financially from all the investment that will go into them. The better vetted providers’ services are, the more likely those providers will grow and generate significant cash flow. Enterprises are pulling out their proverbial checkbooks, hoping to fortify multiple layers of security now to avoid paying more down the road.
How companies can distinguish between a security provider that’s offering excellent, multi-faceted data protection and one whose solutions might not be fully baked is a good question—and presents a sort of Catch-22. Companies must employ at least a few highly competent professionals who already have knowledge of what constitutes good security in order to evaluate tools. This can be a challenge for a lot of organizations, but especially for smaller ones. Small and medium-sized businesses (SMBs) can struggle to maintain in-house experts to secure their systems, choose the right security vendors, mitigate attacks and implement recovery. SMBs also might have an expert who knows what to do, but who doesn’t have the resources to do it. Some SMBs are simply operating on slim margins, without deep pockets to pay ransoms. They face even more uncertainty right now if they exist in an industry or segment of the supply chain that’s targeted for geopolitical reasons. Having distributed, remote workforces as the new normal furthers the challenges.
So, this is the moment where those building future-proofed cloud tools and services can step in and help SMBs, as well as large enterprises. Keeping cloud databases secure is central to minimizing the damage attackers can do and reducing the strain on limited resources.
What’s Cloud Database Security Look Like in a Zero-Trust World?
VPNs and perimeter security are fast becoming anachronisms in a world of distributed workers and systems, and of cyber attackers who have long since figured out how to breach the traditional network shield. Zero trust approaches to security are indeed the way forward—where no entity is trusted and only those privileges needed for a person, application or microservice to complete its task are granted. To use an office metaphor, a worker must swipe a badge to get into the building, but there are still doors that are bolted and, within accessible rooms, desks and filing cabinets with their own locks. Just because someone’s authorized to be in the office, doesn’t mean they’re authorized to look at all the files.
Cloud databases are a special animal when it comes to zero-trust security. They have complex properties but, right now, beyond access policies, zero trust is enforced at the application level and in the movement of data to and fro, rather than inside the database itself. It may be that row-level and field-level encryption can be embedded in a cloud database, but that’s not a feature in general use now.
That said, here are the must-haves for security:
- Choose a cloud database with configurations that are secure by default, not open by default. Misconfiguration is one of the biggest issues that results in data breaches. This doesn’t necessarily mean that dials are tuned to the absolutely most locked down settings, but a well configured baseline security is a must-have. A vendor that offers 24/7 help with configuration and other questions from experts intimately familiar with the nitty-gritty of the chosen database isn’t a bad idea either.
- Use network isolation with a virtual private cloud or connection (VPC) or private link. It’s a best practice to keep a cloud database completely isolated from the public internet. Ensure there’s no possibility that an external connection can get to your database.
- If not using a VPC, restrict access by IP address not just on the firewall, but at the database and database proxy level. Firewalls generally can’t distinguish between an approved user and an attacker. Maintaining thousands of firewall rules adds complexity. Completely firewall the database off by default. Explicitly add IP addresses to an allow-list to grant access, so that there’s no external connections permitted except for what you explicitly add.
- Enforce unique accounts with strong passwords. Give different application servers and different users all their own accounts; give them all strong passwords and rotate those passwords. Reusing accounts and passwords increases the risk of exposure.
- Use multi-factor authentication and enhanced, granular access control that seeks constant validation of entities seeking data. Limit accounts to the data they need to access. That is, enforce least privilege access to sensitive data and implement alerts on suspicious activities and policy violations. As humans, sometimes we want to be flexible with teams, but even with implicit trust, people make honest mistakes. Resist the urge to be lax with least privilege access rules. Keep good separation of roles and functions. Also control DBA access to the database activity stream.
- Monitor database activity rigorously. Monitoring the real-time data stream of database activity for unusual or non-compliant behaviors helps protect against insider risks. Use policy-based monitoring and enforcement. Ensure detection of database misconfiguration that exposes vulnerabilities.
- Implement key data protection measures including encryption of data in transit and backups at rest, and automate the patching of vulnerabilities.
- Make sure offsite logs and backups are immutable. Logs and backups should be protected from everyone, including your administrative account. If attackers compromise DBA credentials, they will not be able to go in and delete backups. Backups must be set in stone.
- In a system leveraging cloud microservices architecture, for “east-west” communications inside a network, use microsegmentation, which isolates workloads in order to neutralize malicious lateral movement. With this approach, certain kinds of service mesh proxy filters can produce metadata to stop writes into a database, so that a packet will never reach the database, thus containing data breaches.
- Have a clear, detailed plan ready to deal with major events like cloud outages, ransomware attacks and data breaches. Talk to your cloud vendor about this and coordinate plans. The major cloud providers all go down on a regular basis. It’s just limited to different data centers, so often unnoticed. A plan should explain exactly how the team is expected to respond to a disaster and who does what. It should specify who to contact at your cloud vendor to help with an investigation of a data breach. The vendor should have a plan to work with customers who experience data breaches. Backups that attackers can’t touch should be ready, with the plan specifying how to roll out a restored backup.
Businesses across verticals and at all resource levels are increasingly relying on data to function and to deliver new value. These security measures for cloud databases are the last line of defense in keeping data protected. Security decision-makers at companies small and large should talk with vendors directly and make sure that their first focus is on security that’s built to complement performance, rather than compete with it. Study reviews and articles on trusted sites. Go to webinars, talk to trusted colleagues and reach out to industry peers in reputable organizations. And feel free to reach out to me! Risking a data breach because it seems like your hands are tied is no longer an option for businesses in a world of exponential data growth, evolving technology and deep uncertainty.
About the Author
Bryan Alsdorf, Director of IT and Head of Information Security, oversees all IT and security operations at MariaDB. Bryan has more than 25 years of IT industry experience including 14 years at MariaDB and 5 years at MySQL. Bryan can be reached online at https://www.linkedin.com/in/bryanalsdorf/ and at our company website https://mariadb.com/.
FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.