Cloud database security: Key vendor controls, best practices
If your company is using a cloud database, it's critical to stay on top of security. Review the security features offered by top cloud providers, plus some best practices.
More data than ever is being placed in cloud storage. Leading cloud providers offer object, file and block storage, but databases remain the most common home for enterprise data. Because database services change frequently, and because the security features they offer change with them, it's important to review the controls in use regularly rather than assume the settings chosen at deployment still apply.
When it comes to cloud databases, organizations have two options: run their own in the cloud or use a cloud provider's managed database services.
For organizations running their own database servers in the cloud, all standard security recommendations apply: patch, limit database permissions, restrict database access, use limited privilege service accounts, and enable database-specific and OS security controls to protect data.
For those companies that do not want to run their own cloud database, there are numerous cloud database services to choose from, offered both by cloud platform providers and other database vendors that run their software on a provider's infrastructure. Many of these database as a service (DBaaS) offerings have strong security capabilities and controls built in by default. They may also include limited user security responsibilities, compliance and audit attestation features, and service-level agreements for uptime and performance that could exceed a company's own.
Let's take a look at some of the leading cloud database services and their security controls, as well as cloud database security best practices to follow, regardless of the DBaaS platform that's chosen.
DynamoDB is a managed NoSQL database service within the AWS cloud. It offers a number of security features, including the following:
- Backups. DynamoDB provides on-demand backups and point-in-time recovery (PITR) natively; older guidance used an AWS Data Pipeline template to export tables to Amazon S3. Either way, full and incremental backups only count for disaster recovery and continuity if restores are tested.
- Encryption at rest. Every DynamoDB table is encrypted at rest with 256-bit AES by default, using keys held in AWS Key Management Service (KMS); a table can use an AWS owned key, an AWS managed key or a customer managed key.
- AWS Identity and Access Management (IAM) permissions. IAM policies control who can call the DynamoDB API. Condition keys such as dynamodb:LeadingKeys and dynamodb:Attributes restrict a principal to specific items (rows) and attributes (columns), which enables fine-grained access control.
- Cryptographically signed requests. Every DynamoDB API request must carry a valid AWS Signature Version 4 signature: an HMAC-SHA-256 over the canonical request, computed with a key derived from the caller's secret access key, the date, the region and the service. A request whose signature is missing, invalid or expired is rejected before any data is touched.
- TLS-encrypted endpoints. DynamoDB is accessible via HTTPS (TLS) endpoints, including VPC endpoints that keep traffic off the public internet; the aws:SecureTransport IAM condition key can be used to deny any call that does not arrive over TLS.
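The signed-request control above is worth seeing in code. The following is an added example, not code from the article or from AWS: a minimal Signature Version 4 signer and verifier for a DynamoDB GetItem call. The access key pair is the placeholder pair used throughout AWS documentation, the table name and request body are made up, and nothing is sent over the network; the point is that the secret key is never transmitted, only a per-day, per-region, per-service derivative of it is used to sign, and that changing any signed part of the request (body, date, target) invalidates the signature.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Added example (not from the article): a minimal AWS Signature Version 4 signer
# and verifier for a DynamoDB API call. The key pair is the placeholder pair
# used in AWS documentation, not a real credential; nothing is sent anywhere.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "dynamodb"
HOST = f"dynamodb.{REGION}.amazonaws.com"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request').

    The secret key itself never appears in the request; only this per-day,
    per-region, per-service derivative is used to sign."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_dynamodb_request(body: str, amz_date: str,
                          target: str = "DynamoDB_20120810.GetItem") -> dict:
    """Return the headers for a signed POST to DynamoDB (amz_date: YYYYMMDDTHHMMSSZ)."""
    date_stamp = amz_date[:8]
    headers = {
        "content-type": "application/x-amz-json-1.0",
        "host": HOST,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    # Canonical request: method, path, query string, lower-cased sorted headers,
    # the signed-header list and the SHA-256 of the body. Changing any of these
    # changes the signature.
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(body.encode("utf-8"))])
    credential_scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, credential_scope,
         _sha256_hex(canonical_request.encode("utf-8"))])
    signing_key = derive_signing_key(SECRET_KEY, date_stamp, REGION, SERVICE)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{credential_scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_dynamodb_request(body: str, headers: dict) -> bool:
    """Service-side check: recompute the signature from what was received and
    compare in constant time. A tampered body, date or target fails."""
    expected = sign_dynamodb_request(body, headers["x-amz-date"], headers["x-amz-target"])
    return hmac.compare_digest(expected["authorization"], headers.get("authorization", ""))


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    req = '{"TableName":"Orders","Key":{"id":{"S":"42"}}}'   # constructed request body
    signed = sign_dynamodb_request(req, now)
    print(signed["authorization"])
    print("valid:", verify_dynamodb_request(req, signed))
    print("tampered:", verify_dynamodb_request(req.replace("42", "43"), signed))
```

The service also rejects requests whose x-amz-date is more than a few minutes from its own clock, which limits replay of a captured, correctly signed request; the example's verifier leaves that window check out so that it runs deterministically.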
Amazon Relational Database Service (RDS) is a more traditional service that offers a choice of relational database engines: MySQL, MariaDB, PostgreSQL, Oracle, SQL Server and Amazon Aurora. Its security features include the following:
- Security groups. An RDS instance lives in a VPC and is attached to one or more VPC security groups (the successor to the older DB security groups), which act as stateful network ingress controls. Allow only the database port, and only from the CIDR ranges or security groups of the application tier, never from 0.0.0.0/0. Security group changes take effect without restarting the instance.
- IAM permissions. These control which RDS management operations (create, modify, snapshot, delete) a principal can call; for MySQL, MariaDB and PostgreSQL, IAM database authentication can also replace passwords for database logins.
- Encryption. RDS can encrypt the storage, automated backups, snapshots and read replicas of any engine at rest with AES-256 using AWS KMS keys; this must be selected when the instance is created, because an existing unencrypted instance can only be converted by restoring an encrypted snapshot copy. SQL Server and Oracle additionally support Transparent Data Encryption (TDE) inside the engine. Column- or application-level encryption, for MySQL or any other engine, remains the client's responsibility.
- SSL/TLS connections. Every engine supports TLS between clients and the instance using certificates issued by the RDS certificate authority. Enforce it rather than merely offer it: set require_secure_transport for MySQL or rds.force_ssl for PostgreSQL and SQL Server so that plaintext connections are refused.
- Automated backups and patching. RDS takes automated backups during a configurable backup window and retains them for a set number of days, and applies OS and engine patches during a configurable maintenance window.
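Several of the RDS controls above are per-instance settings that drift over time, so they are worth checking mechanically. The script below is an added example, not code from the article or from AWS: it audits a set of RDS instances for unencrypted storage, public accessibility, a security group open to the world on the database port, and a parameter group that does not enforce TLS. The input is a constructed, trimmed stand-in for the JSON that `aws rds describe-db-instances`, `aws ec2 describe-security-groups` and `aws rds describe-db-parameters` return; the instance names, security group IDs and parameter group names are placeholders, not data from a real account.

```python
import ipaddress
import json

# Added example (not from the article or AWS): audit RDS instances against the
# controls above. The data is a constructed, trimmed stand-in for the output of
# `aws rds describe-db-instances`, `aws ec2 describe-security-groups` and
# `aws rds describe-db-parameters`; it is not from a real account.
SAMPLE_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql",
   "StorageEncrypted": true, "PubliclyAccessible": false,
   "Endpoint": {"Port": 3306},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b", "Status": "active"}],
   "DBParameterGroups": [{"DBParameterGroupName": "orders-mysql8"}]},
  {"DBInstanceIdentifier": "reports-dev", "Engine": "postgres",
   "StorageEncrypted": false, "PubliclyAccessible": true,
   "Endpoint": {"Port": 5432},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0c2d", "Status": "active"}],
   "DBParameterGroups": [{"DBParameterGroupName": "default.postgres15"}]}
]}""")

# Ingress rules keyed by security group id (the IpPermissions of each group).
SAMPLE_SG_RULES = {
    "sg-0a1b": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}],
    "sg-0c2d": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
}

# Parameter values keyed by parameter group name.
SAMPLE_PARAMETERS = {
    "orders-mysql8": {"require_secure_transport": "1"},
    "default.postgres15": {"rds.force_ssl": "0"},
}


def tls_parameter(engine: str):
    """Engine parameter that refuses plaintext connections, or None if the
    engine uses another mechanism (for example Oracle's SSL option group)."""
    if engine == "mysql":
        return "require_secure_transport"
    if engine == "postgres" or engine.startswith("sqlserver"):
        return "rds.force_ssl"
    return None


def open_to_world(rules, port: int) -> bool:
    """True if any rule lets 0.0.0.0/0 or ::/0 reach the given TCP port."""
    for rule in rules:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # -1 means all protocols and ports
            continue
        if proto == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            return True
    return False


def audit_rds(instances, sg_rules, parameters):
    """Return {instance id: [finding, ...]}; an empty list means every check passed."""
    findings = {}
    for db in instances["DBInstances"]:
        issues = []
        if not db.get("StorageEncrypted"):
            issues.append("storage-not-encrypted")   # fixable only via encrypted snapshot copy
        if db.get("PubliclyAccessible"):
            issues.append("publicly-accessible")      # instance has a public IP and DNS name
        port = db["Endpoint"]["Port"]
        for sg in db.get("VpcSecurityGroups", []):
            sg_id = sg["VpcSecurityGroupId"]
            if open_to_world(sg_rules.get(sg_id, []), port):
                issues.append(f"sg-open-to-world:{sg_id}")
        param = tls_parameter(db["Engine"])
        if param:
            group = db["DBParameterGroups"][0]["DBParameterGroupName"]
            if parameters.get(group, {}).get(param, "0").upper() not in ("1", "ON"):
                issues.append(f"tls-not-enforced:{param}")
        findings[db["DBInstanceIdentifier"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_rds(SAMPLE_INSTANCES, SAMPLE_SG_RULES, SAMPLE_PARAMETERS).items():
        print(name, "OK" if not issues else ", ".join(issues))
```

In a real account the three inputs would come from the corresponding API calls (boto3's `describe_db_instances`, `describe_security_groups` and `describe_db_parameters`); the checks themselves are unchanged. Note that a TLS parameter left at its default counts as a finding, because the default for both engines is to accept plaintext.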
Other options from AWS, Azure and Google Cloud Platform
Amazon Redshift, a petabyte-scale SQL data warehouse, offers audit logging, automatic patching, encryption at rest with a multi-tier key hierarchy (a root key protecting cluster, database and data-block keys, with the root key optionally held in AWS KMS or an on-premises HSM) and TLS-encrypted connections.
Microsoft's Azure cloud has a variety of database services as well. That includes Azure Table storage, a NoSQL key-value store that is also available through the Azure Cosmos DB Table API. Both encrypt data at rest by default (Storage Service Encryption for Table storage, service-managed encryption for Cosmos DB) and support Azure role-based access control (RBAC) for management and data access.
Microsoft also offers SQL Server as a platform service in Azure SQL Database, which has numerous data protection options. Transparent data encryption of the whole database is on by default. Column- and cell-level encryption is done in Transact-SQL with built-in functions (ENCRYPTBYKEY, ENCRYPTBYASYMKEY, ENCRYPTBYCERT and ENCRYPTBYPASSPHRASE) that encrypt data with a symmetric key, an asymmetric key, a certificate's public key or a passphrase; the passphrase form historically used 3DES. Azure SQL Database also supports Always Encrypted, in which the client driver encrypts entire columns before the data is sent, so neither the database engine nor its administrators ever see the plaintext.
Google Cloud Platform (GCP) offers several databases, too, including Cloud SQL, a managed service for PostgreSQL, MySQL and SQL Server with encryption at rest by default and TLS or Cloud SQL Auth Proxy connectivity. GCP's Cloud Spanner is a fully managed, distributed relational database offering customer-managed encryption keys, audit logging, IAM permissions and data-layer encryption. GCP Cloud Bigtable is a NoSQL database that has customer-managed encryption keys, audit logging and IAM-based access controls.
Common threats to cloud databases
Cloud databases are targets for attackers if they aren't properly secured. In May 2021, for example, security analytics software vendor Cognyte exposed 5 billion data records, ironically containing information on previous data breaches at other organizations, through a cloud database with weak authentication controls that a security researcher found exposed. That same month, 150 million records from the Iranian messaging application Raychat were leaked on the internet following a database exposure in late 2020 and early 2021.
There are numerous threats to cloud databases, with the most common types including the following:
- Data exposure. A poorly secured cloud database may be reachable from the internet, or from other cloud resources that should never be able to talk to it. Attackers routinely scan for exposed databases and exfiltrate what they find for sale, extortion or other purposes.
- Exposed APIs. Many cloud databases offer a wide variety of APIs for administration, integration and synchronization with other data stores. If these APIs are reachable from the public internet, poorly secured or left unmonitored, attackers may be able to read and manipulate database content and configurations.
- Cloud workload hijacking. Self-managed database workloads run in containers or virtual machines. An unpatched or misconfigured database engine can give an attacker code execution on the underlying container or OS, from which they can move laterally and disrupt, expose or compromise other cloud services.
- Application exploits. Cloud databases are as susceptible as on-premises ones to application-layer attacks such as SQL injection, which can lead to application compromise, privilege escalation for user and service accounts, disclosure of schema and configuration details, and more. Traditional application-centric attacks are thus a path into the wider cloud environment.
Cloud database security best practices
Regardless of which cloud database service is employed, be sure to follow these best practices:
- Change any default logins or credentials to the cloud databases. This blocks the trivial brute-force and credential-stuffing attacks that try vendor defaults first. Such attacks are simple to execute, even by unskilled adversaries.
- Employ customer-managed keys rather than provider-owned keys where possible. The major providers encrypt with AES-256 whichever key option is chosen, so the gain from customer-managed keys is not stronger cryptography but control: you own the key policy, the rotation schedule and the audit trail of every use, and you can disable or delete the key to revoke the provider's, and any attacker's, ability to read the data.
- Use cloud IAM to the utmost for privilege minimization. Cloud IAM is highly capable today: granular least-privilege policies, scoped to specific tables, operations, rows and attributes, can be written for every part of a deployment. Prioritizing strong IAM significantly reduces the attack surface of cloud databases.
- Enable full logging for all databases. Turn on both management-plane API logging (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) and engine-level audit logging, and forward the logs to a central security event management system so that suspicious or malicious access attempts are monitored and can be investigated.
- Enable encryption in transit and at rest wherever possible. Encryption at rest protects against exposure of the underlying storage, snapshots and backups; TLS in transit protects credentials and data on the wire. Neither helps against an attacker holding valid credentials, so encryption complements access control rather than replacing it.
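The DynamoDB fine-grained access control described earlier and the least-privilege IAM practice above come together in a policy like the one below. This is an added example, not code from the article or from AWS: the policy confines a Cognito-authenticated user to the rows of an Orders table whose partition key equals their own identity, to three named attributes, and to three operations, and it denies every DynamoDB call that does not arrive over TLS. The small evaluator that follows applies IAM's rules (default deny, explicit Deny wins, the ForAllValues, IfExists and Bool condition operators, and ${...} policy variables) so the policy can be exercised offline; the account ID, table name and identity values are placeholders.

```python
import fnmatch
import json

# Added example (not from the article or AWS): a least-privilege DynamoDB policy
# for a Cognito-authenticated user plus a small evaluator that applies IAM's
# rules (default deny, explicit Deny wins, ForAllValues / IfExists / Bool
# condition operators, ${...} policy variables) so the policy can be tested
# offline. Account id, table and identity values are placeholders.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
          "dynamodb:Attributes": ["UserId", "OrderId", "Total"]
        },
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
      }
    },
    {
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _expand(value: str, principal: dict) -> str:
    """Substitute ${var} policy variables from the caller's session context."""
    for name, val in principal.items():
        value = value.replace("${" + name + "}", val)
    return value


def _condition_holds(operator, key, policy_values, request, principal) -> bool:
    want = {_expand(v, principal) for v in _as_list(policy_values)}
    have = request.get(key)
    if operator == "ForAllValues:StringEquals":
        # Every request value must be in the policy set; an absent or empty key matches.
        return have is None or all(v in want for v in _as_list(have))
    if operator == "StringEqualsIfExists":
        return have is None or _as_list(have)[0] in want
    if operator == "StringEquals":
        return have is not None and _as_list(have)[0] in want
    if operator == "Bool":
        return have is not None and str(have).lower() in want
    raise ValueError(f"unsupported operator: {operator}")


def is_allowed(policy, principal, action, resource, request) -> bool:
    """Evaluate one policy for one API call. `request` carries the condition keys
    DynamoDB derives from the call: partition keys touched, attributes named,
    the Select mode, and whether the call arrived over TLS."""
    decision = "Deny"                                       # implicit deny
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if not all(_condition_holds(op, key, vals, request, principal)
                   for op, keys in conds.items() for key, vals in keys.items()):
            continue
        if st["Effect"] == "Deny":
            return False                                    # explicit deny always wins
        decision = "Allow"
    return decision == "Allow"


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    alice = {"cognito-identity.amazonaws.com:sub": "us-east-1:alice"}   # constructed identity
    own_rows = {"dynamodb:LeadingKeys": ["us-east-1:alice"],
                "dynamodb:Attributes": ["OrderId", "Total"],
                "dynamodb:Select": "SPECIFIC_ATTRIBUTES", "aws:SecureTransport": "true"}
    print("own rows:", is_allowed(POLICY, alice, "dynamodb:Query", table, own_rows))
    print("bob's rows:", is_allowed(POLICY, alice, "dynamodb:Query", table,
                                    {**own_rows, "dynamodb:LeadingKeys": ["us-east-1:bob"]}))
    print("scan:", is_allowed(POLICY, alice, "dynamodb:Scan", table, own_rows))
```

Two details matter in practice. The StringEqualsIfExists on dynamodb:Select is what stops a Query from asking for ALL_ATTRIBUTES and thereby escaping the attribute list, and ForAllValues (not ForAnyValue) is what makes a request fail if even one key or attribute lies outside the allowed set. The real policy language supports many more operators than this evaluator; it covers only those the policy uses.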