Keselamatan Siber

Cloud Database Security

Introduction

The adoption of cloud computing technology in the public sector is rapidly increasing, with cloud services becoming the preferred IT solution for many organizations. Numerous countries and governments have embraced a “cloud-first” policy to modernize their IT infrastructure and improve service delivery. Cloud computing offers several advantages, including lower costs, high scalability, and access to the latest technologies without requiring significant investments in physical infrastructure (Thales Group, 2023; Palo Alto Networks, 2023; Amazon Web Services, 2023). In Malaysian context, the government has published a Cloud Services Procurement Policy for providing end-to-end online services to the citizens with more efficiency, effectiveness and transparency (Ministry of Finance, 2021). However, ensuring the security and privacy of data stored in the cloud remains a significant concern (Gartner, 2024; Forrester, 2023). It is crucial for cloud services to maintain data integrity, privacy, and protection. This paper explores two types of cloud databases, discusses security controls, and recommends best practices for continuously safeguarding data in cloud databases.

Cloud Database Types

Organizations have two primary options when adopting cloud databases: managing their databases in the cloud or using a Database as a Service (DBaaS) provided and managed by a cloud provider (Datadog, 2023; Google Cloud, 2023; Amazon Web Services, 2023). Self-Managed Cloud Databases Organizations that choose to manage their own cloud databases must implement standard security practices, including installing and configuring database instances, restricting permissions and access, and enabling specific security controls for both the database and the operating system to protect the data (Thales Group, 2023; Microsoft, 2023).

Alternatively, organizations that prefer not to handle their cloud databases can select from a range of DBaaS options. Popular DBaaS offerings include Amazon RDS, Google Cloud SQL, and Azure SQL Database (Gartner, 2024; IBM, 2023). These services come with robust security features and controls by default. They may also include additional security responsibilities for users, compliance features, audit capabilities, and Service Level Agreements (SLAs) that ensure high levels of uptime and performance, often surpassing what companies could achieve on their own (Oracle, 2023; Thales Group, 2023).

Database Security Controls in the Cloud

As more databases are implemented in the cloud, addressing security controls is essential to ensure that databases meet organizational security compliances. The following diagram indicates the key security controls considerations.

Diagram 1: Cloud Database Security Controls

1. Data Residency:

Cloud databases can be located in various geographic regions. Selecting a location that complies with local or national data privacy laws is crucial to ensuring personal or sensitive data is handled according to relevant regulations (Thales Group, 2023; Microsoft, 2023).

2. Data Minimization:

Implementing data minimization strategies ensures that only necessary data is collected and stored, complying with privacy reporting requirements and regulations (Thales Group, 2023; Forrester, 2023). By implementing data minimization in cloud databases, it will also reduce and optimize cost of the data storage.

3. Data Privacy & Protection:

Privacy data should be protected through encryption, both at rest and in transit. This includes not only encrypting the data stored within the database itself but also ensuring that the disks on which the databases are stored are encrypted. Encrypting the disk adds an additional layer of security, ensuring that even if the physical disk is compromised, the data remains inaccessible. Ensuring that the cloud database supports encryption standards and offers customer-managed keys with key rotation policies is essential for maintaining data security and compliance (Gartner, 2024; Google Cloud, 2023; Microsoft, 2023).

4. Up-to-date DB version:

Using the latest versions of database engines provides access to new features, performance improvements, and crucial security patches, reducing vulnerabilities (Gartner, 2024; Forrester, 2023).

5. Backup and Recovery:

Cloud databases should offer automated backup capabilities, allowing for scheduled backups and retention for a specified duration. Options for on-demand backups and point-in-time restores are vital for data protection and recovery (Datadog, 2023; IBM, 2023; Oracle, 2023). It is recommended to ensure that backups can be restored to on-premise environments, complying with local or national data security laws and providing a contingency for cloud-related issues.

6. APIs and Integration Securing:

Securing APIs and configuring them carefully is critical to prevent unauthorized access or exploitation. APIs are often used to manage, import, export, and synchronize data in cloud databases (Palo Alto Networks, 2023; Amazon Web Services, 2023).

8. Role-Based Access:

Implementing role-based access controls ensures that users and services have the minimum necessary permissions, adhering to the principle of least privilege (Datadog, 2023; Microsoft, 2023). Change or restrict the initial superuser access provided during cloud database provisioning. This high-privilege account should be secured immediately after setup.

9. Cloud Speed:

Cloud environments are subject to rapid updates and changes. Monitoring cloud database updates and utilizing management tools helps prevent misconfigurations or disruptions in database operations (Thales Group, 2023; Forrester, 2023). By addressing these considerations, organizations can effectively evaluate and adopt cloud databases that meet security, compliance, and operational needs (Gartner, 2024; Oracle, 2023).

Best Practices for Cloud Database Security

Irrespective of the type of cloud database used, the following best practices should be adhered to for continuous enhanced security:

1.  Change Default Passwords or Credentials:

Always change default passwords or credentials. Implement strong, complex passwords and regularly update them as part of a comprehensive security policy (Datadog, 2023; Google Cloud, 2023).

2. Use Customer-Managed Keys:

Opting for customer-managed encryption keys (CMK) provides control over the encryption process, including key strength, permissions, and lifecycle management. Regular key rotation minimizes the risk of key compromise (Palo Alto Networks, 2023; Thales Group, 2023; Microsoft, 2023).

3. Optimize Cloud Identity and Access Management (IAM):

Utilizing Cloud IAM to establish least-privilege policies ensures that users and services have only the necessary permissions. Implementing multi-factor authentication (MFA) and using IAM roles for separation of duties is recommended (Gartner, 2024; Oracle, 2023).

4. Enable Comprehensive Logging for All Databases:

Configuring cloud databases to generate and send logs to a centralized security event management system enables effective monitoring and incident response (Thales Group, 2023; IBM, 2023).

5. Enable and Manage Database Encryption:

Use built-in encryption features offered by cloud providers or the database itself to secure databases, including encrypted disks and backups (Amazon Web Services, 2023; Google Cloud, 2023).

6. Enable Encrypted Database Access:

Encrypting sensitive data both at rest and in transit protects it from unauthorized access. Ensuring that encryption protocols meet industry standards and regulatory requirements is critical (Palo Alto Networks, 2023; Microsoft, 2023).

7. Implement Network Security Measures:
  • Using network security measures such as firewalls, virtual private networks (VPNs), and network segmentation protects databases from unauthorized access and potential threats (Gartner, 2024; Oracle, 2023).
8. Conduct Regular Security Audits:

Ensure database security updates through regular security audits and vulnerability assessments ensure compliance with relevant regulations and standards (Datadog, 2023; Thales Group, 2023; Forrester, 2023).

9. Develop mitigation and Incident Response Plan:

Develop a comprehensive incident response and mitigation plan is essential for addressing and mitigating security incidents swiftly. Ensuring the team is trained and prepared to handle breaches and data loss events is vital (Palo Alto Networks, 2023; Amazon Web Services, 2023).

Summary

The increasing adoption of cloud computing in the public sector necessitates a strong focus on data security and privacy. By understanding the different types of cloud databases and implementing robust security controls, organizations can effectively safeguard their data. Adhering to best practices such as changing default passwords, using customer-managed encryption keys, and conducting regular security audits ensures that cloud databases remain secure and compliant with relevant regulations. These measures collectively contribute to the reliable and secure operation of cloud databases, ultimately supporting the overall IT infrastructure of organizations (Gartner, 2024; IBM, 2023).

Refer

  1. Amazon Web Services. (2023). AWS Security Best Practices. Retrieved from https://docs.aws.amazon.com.
  2. Datadog.  (2023).  2023   State of Cloud Security Report. Retrieved from https://www.datadoghq.com.
  3. Forrester. (2023). The Forrester Wave™: Cloud Security Gateways, Q1 2023. Retrieved from https://www.forrester.com.
  4. Gartner. (2024). 2024 Market Guide for Data Security Platforms. Retrieved from https://www.gartner.com
  5. Google Cloud. (2023). Google Cloud Security Foundations Blueprint. Retrieved from https://cloud.google.com/security.
  6. IBM.   (2023).  IBM   Cloud    Security   and          Compliance    Center. Retrieved from https://www.ibm.com/cloud/security.
  7. Microsoft. (2023). Azure Security Best Practices and Patterns*. Retrieved from https://docs.microsoft.com/en-us/azure/security.
  8. Ministry of Finance (2021). PK 2.6 Perolehan Perkhidmatan Pengkomputeran Awan (Cloud) Sektor Awam. Retrieved from https://ppp.treasury.gov.my/sub-topik/fail/221/muat-turun.
  9. Oracle.    (2023).   Oracle     Cloud               Infrastructure        Security. Retrieved           from https://www.oracle.com/cloud/security.
  10. Palo Alto Networks. (2023). The State of Cloud Data Security in 2023. Retrieved from https://www.paloaltonetworks.com
  11. Thales Group. (2023). 2023 Thales Cloud Security Study – Global Edition Report. Retrieved from https://cpl.thalesgroup.com

Leave a Reply

Your email address will not be published. Required fields are marked *