More data than ever before is being put into cloud-based storage repositories. Leading cloud providers offer an array of storage options, yet databases remain the most common choice in today’s enterprises. Because databases are updated so frequently, it’s important to review their security controls regularly.
When it comes to cloud databases, organizations have two options: run their own in the cloud or use a cloud provider’s managed database services.
For organizations running their own database servers in the cloud, all standard security recommendations apply: patch, limit database permissions, restrict database access, use limited privilege service accounts and enable database-specific and OS security controls to protect data.
For those companies that do not want to run their own cloud database, there are a number of cloud provider database services to choose from. Many of these services have strong security capabilities and controls built in by default. They may also include limited consumer security responsibilities, compliance and audit attestation, and service-level agreements for uptime and performance that could exceed a company’s own.
Let’s take a look at some of the leading cloud database services and their security controls, as well as cloud database security best practices to follow regardless of service chosen.
DynamoDB is a managed NoSQL service within AWS. It offers a number of security features, including the following:
- Automatic backups. These are possible using a specific template in AWS Data Pipeline — another data management service. Full and incremental backups can then be used for disaster recovery and continuity.
- Automated 256-bit AES encryption. DynamoDB is the first AWS service to automatically encrypt data.
- AWS identity and access management (IAM) permissions. Such permissions control who can use the DynamoDB services and API. These can be permissions to items (rows) and attributes (columns), which enables fine-grained access control.
- Cryptographically signed requests. Requests in the DynamoDB service must include a valid HMAC-SHA-256 signature to access stored data, otherwise the request is rejected.
- SSL-encrypted endpoints. DynamoDB is accessible via SSL-encrypted endpoints.
The AWS Relational Database Service (RDS) is a more traditional database service. It includes MySQL, Oracle, SQL Server, Amazon Aurora, MariaDB or PostgreSQL. Its security features include the following:
- DB security groups. Similar to AWS security groups, DB security groups are network ingress controls that can be enabled by authorizing IP ranges or existing security groups. They only allow access to necessary database port(s) and do not require a restart of running database instances.
- IAM permissions. These are used to control which RDS operations users can call.
- Encryption. RDS supports Transparent Data Encryption for SQL Server and Oracle. MySQL encryption requires it be enabled by cloud clients within their application.
- SSL connections. SSL can be enabled between RDS instances and applications running elsewhere in AWS.
- Automated backups and patching. AWS RDS automatically backups data and patches vulnerabilities by default.
Other options from AWS, Azure and Google Cloud Platform
AWS Redshift, a petabyte-scale SQL warehouse, offers logging, automatic patching, encryption with strong multitiered key management and encrypted network connectivity.
Azure has a variety of database services as well. Azure Tables — essentially a NoSQL data store — is now part of the Cosmos DB service in Azure. They also support automated Storage Service Encryption by default and strong role-based access.
Azure also offers SQL Server PaaS capabilities, which offers numerous data protection options. Column and cell encryption can be enabled with Transact-SQL, which supports built-in functions to encrypt data with symmetric or asymmetric keys, the public key of a certificate or a passphrase using 3DES. Azure SQL also offers “Always Encrypted” mode, in which entire columns of data can be automatically encrypted in applications before they are stored in the databases at all.
Google Cloud Platform (GCP) offers Cloud SQL — a managed SQL database service for PostgreSQL, MySQL and SQL Server — that has automated encryption and secure connectivity. GCP’s Cloud Spanner is a fully managed SQL database offering customer-managed encryption keys, logging, identity permissions and data-layer encryption. GCP Cloud Bigtable is a NoSQL database that has customer-managed encryption, logging and strong access controls.
Cloud database security best practices
Regardless of which cloud database service is employed, be sure to follow these best practices:
- Change any default logins or credentials to the cloud databases and services.
- Employ customer-managed keys versus cloud provider keys where possible.
- Use cloud identity and access management to the utmost for privilege minimization.
- Enable full logging capabilities for all databases.
- Enable encrypted database access wherever possible.