Page 178 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
So, this is the moment where those building future-proofed cloud tools and services can step in and help
SMBs, as well as large enterprises. Keeping cloud databases secure is central to minimizing the damage
attackers can do and reducing the strain on limited resources.
What Does Cloud Database Security Look Like in a Zero-Trust World?
VPNs and perimeter security are fast becoming anachronisms in a world of distributed workers and
systems, and of cyber attackers who have long since figured out how to breach the traditional network
shield. Zero trust approaches to security are indeed the way forward—where no entity is trusted and only
those privileges needed for a person, application or microservice to complete its task are granted. To use
an office metaphor, a worker must swipe a badge to get into the building, but there are still doors that are
bolted and, within accessible rooms, desks and filing cabinets with their own locks. Just because
someone’s authorized to be in the office doesn't mean they’re authorized to look at all the files.
Cloud databases are a special animal when it comes to zero-trust security. They have complex properties
but, right now, beyond access policies, zero trust is enforced at the application level and in the movement
of data to and fro, rather than inside the database itself. It may be that row-level and field-level encryption
can be embedded in a cloud database, but that’s not a feature in general use now.
That said, here are the must-haves for security:
• Choose a cloud database with configurations that are secure by default, not open by default.
Misconfiguration is one of the biggest issues that results in data breaches. This doesn’t
necessarily mean that dials are tuned to the absolutely most locked down settings, but a well
configured baseline security is a must-have. A vendor that offers 24/7 help with configuration and
other questions from experts intimately familiar with the nitty-gritty of the chosen database isn’t a
bad idea either.
• Use network isolation with a virtual private cloud or connection (VPC) or private link. It’s a best
practice to keep a cloud database completely isolated from the public internet. Ensure there's no
possibility that an external connection can get to your database.
• If not using a VPC, restrict access by IP address not just on the firewall, but at the database and
database proxy level. Firewalls generally can’t distinguish between an approved user and an
attacker. Maintaining thousands of firewall rules adds complexity. Completely firewall the
database off by default. Explicitly add IP addresses to an allow-list to grant access, so that there are
no external connections permitted except for what you explicitly add.
• Enforce unique accounts with strong passwords. Give different application servers and different
users all their own accounts; give them all strong passwords and rotate those passwords. Reusing
accounts and passwords increases the risk of exposure.
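The allow-list and unique-account items above can be checked mechanically. The following is an added example, not code from the article or from any database vendor: a default-deny source-address check plus an audit that flags accounts used by more than one client. The addresses, account names, client names and the `max_hosts` threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allow-list (documentation address ranges), not from the article.
ALLOW_LIST = ["203.0.113.10/32", "198.51.100.0/28"]

def parse_allow_list(entries, max_hosts=256):
    """Parse CIDR entries, rejecting ranges that defeat the allow-list."""
    nets = []
    for entry in entries:
        # strict=True rejects entries with host bits set, e.g. 198.51.100.5/28
        net = ipaddress.ip_network(entry, strict=True)
        if net.num_addresses > max_hosts:  # max_hosts is an assumed threshold
            raise ValueError(f"allow-list entry too broad: {entry}")
        nets.append(net)
    return nets

def is_allowed(client_ip, nets):
    """Default deny: True only if the address falls in an explicit entry."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address is denied, not guessed at
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == n.version and addr in n for n in nets)

def audit(sessions, nets):
    """sessions: (account, client_name, source_ip) tuples.
    Returns (denied sessions, accounts used by more than one client)."""
    denied, clients = [], defaultdict(set)
    for account, client, ip in sessions:
        if not is_allowed(ip, nets):
            denied.append((account, client, ip))
        clients[account].add(client)
    shared = sorted(a for a, c in clients.items() if len(c) > 1)
    return denied, shared

# Constructed connection records for illustration.
SESSIONS = [
    ("svc_orders", "app-server-1", "203.0.113.10"),
    ("svc_orders", "app-server-2", "198.51.100.7"),   # reused account
    ("svc_reports", "app-server-3", "::ffff:203.0.113.10"),
    ("analyst_kim", "laptop-kim", "192.0.2.44"),      # not on allow-list
]

if __name__ == "__main__":
    denied, shared = audit(SESSIONS, parse_allow_list(ALLOW_LIST))
    print("denied:", denied)
    print("shared accounts:", shared)
```

Rejecting broad entries at parse time keeps a single `0.0.0.0/0` line from silently turning the allow-list back into open access.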