Page 179 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

• Use multi-factor authentication and enhanced, granular access control that continuously validates entities requesting data. Limit accounts to the data they need to access. That is, enforce least privilege access to sensitive data and implement alerts on suspicious activities and policy violations. As humans, sometimes we want to be flexible with teams, but even with implicit trust, people make honest mistakes. Resist the urge to be lax with least privilege access rules. Keep good separation of roles and functions. Also control DBA access to the database activity stream.

• Monitor database activity rigorously. Monitoring the real-time data stream of database activity for unusual or non-compliant behaviors helps protect against insider risks. Use policy-based monitoring and enforcement. Ensure detection of database misconfiguration that exposes vulnerabilities.

• Implement key data protection measures including encryption of data in transit and backups at rest, and automate the patching of vulnerabilities.

• Make sure offsite logs and backups are immutable. Logs and backups should be protected from everyone, including your administrative account. That way, if attackers compromise DBA credentials, they will not be able to go in and delete backups. Backups must be set in stone.

• In a system leveraging cloud microservices architecture, for “east-west” communications inside a network, use microsegmentation, which isolates workloads in order to neutralize malicious lateral movement. With this approach, certain kinds of service mesh proxy filters can produce metadata to stop writes into a database, so that a packet will never reach the database, thus containing data breaches.

• Have a clear, detailed plan ready to deal with major events like cloud outages, ransomware attacks and data breaches. Talk to your cloud vendor about this and coordinate plans. The major cloud providers all go down on a regular basis. The outages are just limited to different data centers, so they often go unnoticed. A plan should explain exactly how the team is expected to respond to a disaster and who does what. It should specify who to contact at your cloud vendor to help with an investigation of a data breach. The vendor should have a plan to work with customers who experience data breaches. Backups that attackers can't touch should be ready, with the plan specifying how to roll out a restored backup.
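
The least-privilege and activity-monitoring recommendations above can be combined into one policy check over the database activity stream. The sketch below is an added example, not code from the article or from any vendor; the roles, tables, thresholds and records are all constructed for illustration.

```python
from collections import Counter

# Constructed policy for this example: the (action, table) pairs each role needs.
POLICY = {
    "billing_app": {("SELECT", "invoices"), ("INSERT", "invoices")},
    "analyst": {("SELECT", "orders")},
    "dba": {("ALTER", "orders"), ("ALTER", "invoices")},  # schema work, no row access
}
PROTECTED = {"activity_stream", "backup_catalog"}  # off limits to every role, DBAs included
ROW_LIMIT = 10_000  # assumed ceiling on rows returned by one SELECT
BLOCK_AFTER = 2     # assumed violation count at which a user is blocked

def violations(event):
    """Return the name of every policy rule this activity record breaks."""
    hits = []
    allowed = POLICY.get(event["role"])
    if event["table"] in PROTECTED:
        hits.append("protected-object")
    elif allowed is None:
        hits.append("unknown-role")
    elif (event["action"], event["table"]) not in allowed:
        hits.append("least-privilege")
    if event["action"] == "SELECT" and event["rows"] > ROW_LIMIT:
        hits.append("bulk-read")
    return hits

def monitor(stream):
    """Evaluate records in order and return (user, rule, decision) tuples."""
    seen, out = Counter(), []
    for event in stream:
        for rule in violations(event):
            seen[event["user"]] += 1
            # Enforcement: protected objects and repeat violators are blocked.
            blocked = rule == "protected-object" or seen[event["user"]] >= BLOCK_AFTER
            out.append((event["user"], rule, "block" if blocked else "alert"))
    return out

# Constructed activity records (not real log data).
FIELDS = ("user", "role", "action", "table", "rows")
SAMPLE = [dict(zip(FIELDS, r)) for r in [
    ("svc-billing", "billing_app", "SELECT", "invoices", 12),
    ("maria", "analyst", "SELECT", "orders", 250_000),
    ("maria", "analyst", "SELECT", "invoices", 5),
    ("dba-tom", "dba", "DELETE", "backup_catalog", 40),
    ("dba-tom", "dba", "SELECT", "activity_stream", 900),
    ("tmp-script", "contractor", "SELECT", "orders", 3),
]]

if __name__ == "__main__":
    print(*monitor(SAMPLE), sep="\n")
```

The DBA account is blocked on both attempts against the backup catalog and the activity stream, while the analyst's first violation raises an alert and the second escalates to a block.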



Businesses across verticals and at all resource levels are increasingly relying on data to function and to deliver new value. These security measures for cloud databases are the last line of defense in keeping data protected. Security decision-makers at companies small and large should talk with vendors directly and make sure that their first focus is on security that’s built to complement performance, rather than compete with it. Study reviews and articles on trusted sites. Go to webinars, talk to trusted colleagues and reach out to industry peers in reputable organizations. And feel free to reach out to me! Risking a data breach because it seems like your hands are tied is no longer an option for businesses in a world of exponential data growth, evolving technology and deep uncertainty.








