With the current data explosion and rise of artificial intelligence (AI), machine learning and deep learning, organizations must make sense of the vast amounts of data they collect to better themselves and gain an edge over the competition. Processing and storing all this data is much easier when someone else is doing it for you, which is why many organizations now look to move their data to the cloud.

Cloud Storage Does Not Mean Cloud Security

The cloud is, in theory, that magical place where everything is easy, where you can pay someone to make all your IT problems go away; no more patching, cooling, power backup, data backup and other headaches associated with maintaining a data center. Cloud vendors will ensure that your data is stored 24/7 and, as long as you are in the right pricing tier, you’ll enjoy great performance, elasticity and a guarantee that your data will never be lost. So far, so good — but what about cloud security?

While cloud vendors are held to high standards to ensure that they will not mess with or lose your data, they are not in charge of security and access management for the applications and databases you run in the cloud, even if you consume your database as a service. Just because you’re operating in the cloud doesn’t mean you’re no longer responsible for protecting your critical data.

Not only are you in charge of protecting your data, but all the regulations of the real world also apply to the magical world of the cloud. If threat actors steal your data in the cloud, you are just as liable as you would be if they stole on-premises data — and the compliance penalties, legal fees and reputational damage associated with a breach can be crippling.

Inherent Problems With Database-as-a-Service Solutions

If you run your IT shop in the cloud as infrastructure-as-a-service (IaaS), you can simply apply the same security measures and use the same security tools and applications that you have on-premises, because you still own everything. The problems start when you choose to relieve yourself of the burden of employing database administrators and use a cloud vendor’s database-as-a-service (DBaaS) offering, such as Amazon Relational Database Service (Amazon RDS) or Microsoft Azure SQL Database. While this option transfers database management to the cloud vendor, they will not assume any responsibility for the security or compliance of those databases — a critical detail.

At this point, you might recall that you already own database protection tools and ask the cloud vendor to install them on the DBaaS. But, to your surprise, the vendor informs you that running third-party software on its database would void the warranty. Now what?

One obvious solution is to turn on native logging, which enables you to feed database logs into your existing security solutions. Sometimes, this is the “good enough” option. However, there are a few inherent problems with this approach. Any insights or security alerts will not be in real time, and intruders can copy your native logs. They are also stored in clear text, so any encryption scheme employed on your database or traffic is rendered useless.

Another issue to consider before turning on native logging is performance. When native logging is on, a database must spend more time writing data to files, and you might see a hit on performance as a result. Finally, native logging does not offer separation of duties, so the employees who can turn the capability on or off are the same people who can access your sensitive data.

How to Monitor a Cloud Database for Security and Compliance

So what should a prudent, security-minded organization do in this case? How can a company monitor a DBaaS solution for both compliance and security? The answer is to adopt a creative approach to circumvent restrictions on installing security software on cloud providers’ databases. Look for a cloud security solution that sits in front of the database and can still send traffic to your existing security tools without having to install any software on the database.

Such monitoring tools work in real time and are more secure than native logs because they do not require storing any unencrypted data and can handle encrypted traffic, which is the most prevalent way of sending data in a cloud data center. By approaching cloud database management and protection in this manner, organizations can gain greater control over the security and compliance of cloud-enabled infrastructures as they leverage the broader benefits of the cloud.

Register for the Webinar: Best Practices for Securing Data in Hybrid Multi-Cloud Environments

More from Cloud Security

How Posture Management Prevents Catastrophic Cloud Breaches

We've all heard about catastrophic cloud breaches. But for every cyberattack reported in the news, many more may never reach the public eye. Perhaps worst of all, a large number of the offending vulnerabilities might have been avoided entirely through proper cloud configuration. Many big cloud security catastrophes often result from what appear to be tiny lapses. For example, the famous 2019 Capital One breach was traced to a misconfigured application firewall. Could a proper configuration have prevented that breach?…

How to Implement Cloud Identity and Access Governance

Creating identity and access governance across cloud environments is crucial for modern organizations. In our previous post, we discussed how important human and non-human identities are for these environments and why their management and the governance of their access can be difficult. In the face of these challenges, our cloud identity and access governance (CIAG) approach offers an orchestration layer between cloud identity and access management (IAM) and enterprise IAM, as the following graphic shows. As we continue our CIAG…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Why Are Cloud Misconfigurations Still a Major Issue?

Cloud misconfigurations are by far the biggest threat to cloud security, according to the National Security Agency (NSA). The 2022 IBM Security X-Force Cloud Threat Landscape Report found that cloud vulnerabilities have grown a whopping 28% since last year, with a 200% increase in cloud accounts offered on the dark web in the same timeframe. With vulnerabilities on the rise, the catastrophic impact of cloud breaches has made it clear that proper cloud security is of the utmost importance. And…