December 19, 2018 By Shay Harel 3 min read

With the current data explosion and rise of artificial intelligence (AI), machine learning and deep learning, organizations must make sense of the vast amounts of data they collect to better themselves and gain an edge over the competition. Processing and storing all this data is much easier when someone else is doing it for you, which is why many organizations now look to move their data to the cloud.

Cloud Storage Does Not Mean Cloud Security

The cloud is, in theory, that magical place where everything is easy, where you can pay someone to make all your IT problems go away; no more patching, cooling, power backup, data backup and other headaches associated with maintaining a data center. Cloud vendors will ensure that your data is stored 24/7 and, as long as you are in the right pricing tier, you’ll enjoy great performance, elasticity and a guarantee that your data will never be lost. So far, so good — but what about cloud security?

While cloud vendors are held to high standards to ensure that they will not mess with or lose your data, they are not in charge of security and access management for the applications and databases you run in the cloud, even if you consume your database as a service. Just because you’re operating in the cloud doesn’t mean you’re no longer responsible for protecting your critical data.

Not only are you in charge of protecting your data, but all the regulations of the real world also apply to the magical world of the cloud. If threat actors steal your data in the cloud, you are just as liable as you would be if they stole on-premises data — and the compliance penalties, legal fees and reputational damage associated with a breach can be crippling.

Inherent Problems With Database-as-a-Service Solutions

If you run your IT shop in the cloud as infrastructure-as-a-service (IaaS), you can simply apply the same security measures and use the same security tools and applications that you have on-premises, because you still own everything. The problems start when you choose to relieve yourself of the burden of employing database administrators and use a cloud vendor’s database-as-a-service (DBaaS) offering, such as Amazon Relational Database Service (Amazon RDS) or Microsoft Azure SQL Database. While this option transfers database management to the cloud vendor, they will not assume any responsibility for the security or compliance of those databases — a critical detail.

At this point, you might recall that you already own database protection tools and ask the cloud vendor to install them on the DBaaS. But, to your surprise, the vendor informs you that running third-party software on its database would void the warranty. Now what?

One obvious solution is to turn on native logging, which enables you to feed database logs into your existing security solutions. Sometimes, this is the “good enough” option. However, there are a few inherent problems with this approach. Any insights or security alerts will not be in real time, and intruders can copy your native logs. They are also stored in clear text, so any encryption scheme employed on your database or traffic is rendered useless.

Another issue to consider before turning on native logging is performance. When native logging is on, a database must spend more time writing data to files, and you might see a hit on performance as a result. Finally, native logging does not offer separation of duties, so the employees who can turn the capability on or off are the same people who can access your sensitive data.

How to Monitor a Cloud Database for Security and Compliance

So what should a prudent, security-minded organization do in this case? How can a company monitor a DBaaS solution for both compliance and security? The answer is to adopt a creative approach to circumvent restrictions on installing security software on cloud providers’ databases. Look for a cloud security solution that sits in front of the database and can still send traffic to your existing security tools without having to install any software on the database.

Such monitoring tools work in real time and are more secure than native logs because they do not require storing any unencrypted data and can handle encrypted traffic, which is the most prevalent way of sending data in a cloud data center. By approaching cloud database management and protection in this manner, organizations can gain greater control over the security and compliance of cloud-enabled infrastructures as they leverage the broader benefits of the cloud.

Register for the Webinar: Best Practices for Securing Data in Hybrid Multi-Cloud Environments

More from Cloud Security

AI-driven compliance: The key to cloud security

3 min read - The growth of cloud computing continues unabated, but it has also created security challenges. The acceleration of cloud adoption has created greater complexity, with limited cloud technical expertise available in the market, an explosion in connected and Internet of Things (IoT) devices and a growing need for multi-cloud environments. When organizations migrate to the cloud, there is a likelihood of data security problems given that many applications are not secure by design. When these applications migrate to cloud-native systems, mistakes in configuration…

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today