Page 178 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

So, this is the moment where those building future-proofed cloud tools and services can step in and help
            SMBs, as well as large enterprises. Keeping cloud databases secure is central to minimizing the damage
            attackers can do and reducing the strain on limited resources.



            What Does Cloud Database Security Look Like in a Zero-Trust World?

            VPNs and perimeter security are fast becoming anachronisms in a world of distributed workers and
            systems, and of cyber attackers who have long since figured out how to breach the traditional network
            shield. Zero trust approaches to security are indeed the way forward—where no entity is trusted and only
            those privileges needed for a person, application or microservice to complete its task are granted. To use
            an office metaphor, a worker must swipe a badge to get into the building, but there are still doors that are
            bolted and, within accessible rooms, desks and filing cabinets with their own locks. Just because
            someone’s authorized to be in the office doesn't mean they’re authorized to look at all the files.

            Cloud databases are a special animal when it comes to zero-trust security. They have complex properties
            but, right now, beyond access policies, zero trust is enforced at the application level and in the movement
            of data to and fro, rather than inside the database itself. It may be that row-level and field-level encryption
            can be embedded in a cloud database, but that’s not a feature in general use now.

            That said, here are the must-haves for security:



               •  Choose a cloud database with configurations that are secure by default, not open by default.
                   Misconfiguration is one of the biggest issues that results in data breaches. This doesn’t
                   necessarily mean that dials are tuned to the absolutely most locked down settings, but a well
                   configured baseline security is a must-have. A vendor that offers 24/7 help with configuration and
                   other questions from experts intimately familiar with the nitty-gritty of the chosen database isn’t a
                   bad idea either.

               •  Use network isolation with a virtual private cloud or connection (VPC) or private link. It’s a best
                   practice to keep a cloud database completely isolated from the public internet. Ensure there's no
                   possibility that an external connection can get to your database.

               •  If not using a VPC, restrict access by IP address not just on the firewall, but at the database and
                   database proxy level. Firewalls generally can’t distinguish between an approved user and an
                   attacker. Maintaining thousands of firewall rules adds complexity. Completely firewall the
                   database off by default. Explicitly add IP addresses to an allow-list to grant access, so that
                   no external connections are permitted except those you explicitly add.

               •  Enforce unique accounts with strong passwords. Give different application servers and different
                   users all their own accounts; give them all strong passwords and rotate those passwords. Reusing
                   accounts and passwords increases the risk of exposure.
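
The allow-list bullet above, sketched as an added example (not code from the article or from any database vendor): a default-deny source-address check of the kind a database proxy could apply, plus an audit that flags entries broad enough to undo the isolation. The addresses are constructed documentation ranges and the prefix thresholds are assumed policy values.

```python
import ipaddress

# Constructed sample allow-list for a database proxy (documentation ranges, not real hosts).
ALLOW_LIST = ["203.0.113.10/32", "198.51.100.0/28", "2001:db8:10::/64"]

# Assumed policy thresholds: entries wider than these are treated as misconfiguration.
MAX_V4_PREFIX = 24
MAX_V6_PREFIX = 48


def parse_allow_list(entries):
    """Parse CIDR strings strictly; a malformed entry raises instead of being skipped."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def is_allowed(client_ip, networks):
    """Default deny: only an explicit allow-list match grants access."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable source address is denied, never allowed
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def audit_allow_list(entries):
    """Return (entry, reason) findings for entries that defeat default deny."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append((entry, f"invalid CIDR: {exc}"))
            continue
        limit = MAX_V4_PREFIX if net.version == 4 else MAX_V6_PREFIX
        if net.prefixlen == 0:
            findings.append((entry, "matches every address (open to the internet)"))
        elif net.prefixlen < limit:
            findings.append((entry, f"broader than /{limit}"))
    return findings
```

Running the audit whenever the allow-list changes catches the open-by-default entry (0.0.0.0/0 or ::/0) before it reaches the database.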







