More organizations are moving applications and databases to IaaS/PaaS environments to enjoy the benefits of cloud computing while preserving application flexibility and control.
However, many IT departments have serious concerns about moving sensitive servers and data to the cloud.
Featured Download: Social media access at work. Do your employees know the rules?
They have good reason for concern: industry experts, such as Cloud Security Alliance and IBM Security Services, agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape.
Reports from these experts are reinforced by a stream of news stories about hacked data from companies including eBay, Target, LinkedIn, Subway, Sony, JPMorgan, AT&T, and more.
Before migrating a database to the cloud, it is critical to understand the scope of this action:
– What data are you moving?
Understand the content and context of the data as it moves to the cloud. Migrating PII and other regulated data may affect regulatory compliance. Tools that provide eDiscovery options can help to identify sensitive database content, understand the regulatory aspects, and assist in classification of the data.
– Who is accessing the database?
Examine who is accessing the database and for what purposes, thinking beyond regular user access. For example, map out administrative tasks to ensure granular access controls are maintained after moving to the cloud.
– Where is the data moving?
Understand the different security capabilities from IaaS/PaaS providers. When weighing cloud provider options, know the security aspects involved, including the physical and network security infrastructures, who has administration access to the database, and to what granular extent you can specify access rights.
Once you have a clear picture of the required security policies and how to achieve them, plan the security controls. One of the biggest challenges is understanding who is responsible for what – between you and your service provider. In IaaS, the borders are clear, but in PaaS they are blurred. As a rule of thumb, your provider is responsible for protecting the infrastructure components, but all instance and application security is up to you. If you are using a managed database environment, your provider will be responsible for the availability of the database. They will not be responsible for protection against confidentiality and integrity threats – that is up to you.
Areas that you must address – or make sure that your cloud provider is addressing – include:
– Data-in-motion encryption – Use SSL or a VPN to protect the data as it moves in and out of the cloud. Also, encrypt the traffic between application servers and database servers.
– Hardening instances – Secure the operating system, including hardening best practices, OS patches and security software installation. Make sure to follow your database vendor’s security guidelines.
– Protect management console access –Use best practices such as multi-factor authentication and role-based access to dashboard functions to protect IaaS management consoles.
– Account for application security – Review all components of the Security Development Lifecycle (SDLC) and include cloud-specific threats in your threat modeling.
– Prepare plans for availability, backups, Disaster Recover (DR) and Business Continuity – Most IaaS vendors provide tools for creating an adequate backup and DR strategy within the boundaries of the provider. However, you are responsible for deploying the tools.
By David Maman, Co-founder and CTO, GreenSQL
About GreenSQL
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.