Posted under: Incite
I’ve come to the conclusion that nobody is using Database Activity Monitoring (DAM) in public Infrastructure or Platform as a Service. I never see it in any of the cloud migrations we assist with. Clients don’t ask how to deploy it or whether they need to close this gap. I do not hear stories, good or bad, about its usage. It’s not that DAM can’t be used in the cloud; it’s just not being used.
There are certainly some reasons why firms would invest their security time and resources elsewhere. What comes to mind is as follows:
PaaS and use of Relational: There are a couple of trends I think come into play. First, while user-installed and user-managed relational databases do still happen, there is a definite trend towards adopting RDBMS-as-a-Service. If customers do install their own relational platform, it’s MySQL or MariaDB, for which, as far as I know, there are few monitoring options. Second, for most new software projects, it is far less likely that a relational database will be selected to back applications; it’s a NoSQL platform like Mongo (self-managed) or something like Dynamo. This reduces the total footprint of relational databases.
CI/CD: Automated build and security test pipelines. We see a lot more application and database security testing going on in the development and quality assurance phases, prior to production deployment. Many of the potential code vulnerabilities and common SQL injection attacks are being spotted and addressed before apps are deployed. And there may not be a lot of re-configuration in production if your installation is defined in software.
Network Security: Between segmentation, firewalls/security groups and port management — you can really lock down the (virtual) network so only the application can talk to the database. Difficult for anyone to end-around if properly set up.
Database Ownership: Perhaps the misconception that, since the database is owned and operated by the cloud provider, the provider will take care of database security. Yes, the vendor handles a lot of the configuration security and patching for you, so much of the value a DAM platform provides, namely security assessment capabilities and detecting old versions of the database, is already covered.
Permissions Misuse is Harder: Most IaaS clouds offer dynamic, policy-driven IAM. You can set very fine-grained access controls over database access, so you can block many types of ad-hoc or potentially malicious queries.
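The Network Security point above (only the application tier should be able to reach the database port) is the kind of thing worth checking mechanically rather than trusting. The following is an added example, not code from the Securosis post: it audits the ingress rules of a database security group and reports anything other than a single-port rule sourced from the application tier's security group. The rule records mimic a simplified form of what a cloud provider's security-group API returns (an assumption; only the fields used here are modelled), and the group ids are placeholders.

```python
"""Audit a database security group so only the application tier can reach the DB port.

Added example, not from the Securosis post. Rule shape is a simplified stand-in
for a cloud provider's security-group API output (assumption): each ingress rule
has a port range, optional CIDR sources and optional source security-group ids.
"""
from dataclasses import dataclass, field


@dataclass
class IngressRule:
    from_port: int
    to_port: int
    cidrs: list = field(default_factory=list)       # e.g. ["10.0.0.0/16"]
    source_sgs: list = field(default_factory=list)  # e.g. ["sg-app-placeholder"]


def covers_port(rule, port):
    """True if the rule's port range includes the given port."""
    return rule.from_port <= port <= rule.to_port


def audit_db_security_group(rules, db_port, app_sg):
    """Return a list of findings; an empty list means the group is locked down.

    Findings cover: internet-wide CIDRs, any CIDR source at all (a source
    security group is preferable), non-application source groups, rules
    wider than the single DB port, and the application group being unable
    to reach the database at all (a lock-down that also breaks the app).
    """
    findings = []
    app_reachable = False
    for r in rules:
        if not covers_port(r, db_port):
            continue  # rule does not expose the DB port; irrelevant here
        for cidr in r.cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"DB port {db_port} open to the internet ({cidr})")
            else:
                findings.append(
                    f"DB port {db_port} open to CIDR {cidr}; prefer a source security group")
        for sg in r.source_sgs:
            if sg == app_sg:
                app_reachable = True
            else:
                findings.append(
                    f"DB port {db_port} reachable from non-application group {sg}")
        if r.from_port != r.to_port:
            findings.append(
                f"rule spans ports {r.from_port}-{r.to_port}; narrow it to {db_port}")
    if not app_reachable:
        findings.append(f"application group {app_sg} cannot reach DB port {db_port}")
    return findings


# Constructed sample rule sets; group ids are placeholders.
APP_SG = "sg-app-placeholder"
WEAK_RULES = [IngressRule(3306, 3306, cidrs=["0.0.0.0/0"])]              # open to the world
LOOSE_RULES = [IngressRule(0, 65535, source_sgs=[APP_SG, "sg-bastion-placeholder"])]
CORRECT_RULES = [IngressRule(3306, 3306, source_sgs=[APP_SG])]           # app tier only

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("loose", LOOSE_RULES), ("corrected", CORRECT_RULES)):
        print(name, audit_db_security_group(rules, 3306, APP_SG) or ["ok"])
```

Run the audit against the group that fronts each database as part of the pipeline that deploys it; because the rule set is "defined in software", as the CI/CD point notes, a failing audit can block the deploy rather than be discovered later.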
Maybe none of these reasons? Maybe all of the above? I don’t really know. Regardless, DAM has not moved to the cloud. The absence of interest does not provide me any real insights as to why, only that there is a lack of interest.
I do think that you still want some of DAM’s monitoring functions for your cloud migration, specifically looking for SQL injection attacks, which are still an issue and still your issue, as well as looking for credential misuse, such as someone pulling too much data or scraping. The cloud provider will handle log generation for API access to the database installation, and there are cloud-native means to do assessment. But on the monitoring side there are few other options to look at SQL queries.
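The two monitoring functions the post still wants in the cloud, spotting SQL injection and spotting a credentialed principal pulling far more data than it should, can be approximated from whatever query log the database engine does produce. The following is an added example, not code from the Securosis post or from any DAM product: it parses constructed log lines in a simplified "timestamp user rows_returned sql" format (an assumption; real general or audit logs differ by engine and need their own parser), flags statements with injection-shaped fragments, and totals rows returned per user against a threshold. The patterns are deliberately narrow heuristics, not a SQL parser.

```python
"""Flag injection-shaped statements and bulk data pulls in a database query log.

Added example, not from the Securosis post. Log format is a constructed
simplification ("timestamp user rows_returned sql"); real logs need their own parser.
"""
import re
from collections import defaultdict

# Injection-shaped fragments. Kept narrow to limit false positives on
# ordinary application SQL; a tautology must compare a token with itself.
INJECTION_PATTERNS = {
    "tautology": re.compile(r"\bOR\s+('?)(\w+)\1\s*=\s*\1\2\1", re.I),   # OR 1=1, OR 'a'='a'
    "trailing_comment": re.compile(r"(--|#|/\*).*$"),                  # comment cuts off the rest
    "union_select": re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I),
    "stacked_statement": re.compile(r";\s*(DROP|INSERT|UPDATE|DELETE)\b", re.I),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<rows>\d+)\s+(?P<sql>.+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "user": m["user"], "rows": int(m["rows"]), "sql": m["sql"]}


def injection_hits(sql):
    """Names of the injection patterns that match this statement (empty list if clean)."""
    return [name for name, pat in INJECTION_PATTERNS.items() if pat.search(sql)]


def analyze(lines, rows_threshold=10_000):
    """Return (injection_findings, scraping_findings).

    injection_findings: (timestamp, user, sql, matched_pattern_names) per suspicious statement.
    scraping_findings:  (user, total_rows) for users whose returned rows exceed the threshold.
    """
    injections = []
    rows_by_user = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real monitor would count these too
        hits = injection_hits(rec["sql"])
        if hits:
            injections.append((rec["ts"], rec["user"], rec["sql"], hits))
        rows_by_user[rec["user"]] += rec["rows"]
    scraping = [(user, total) for user, total in rows_by_user.items() if total > rows_threshold]
    return injections, scraping


# Constructed sample log: one legitimate lookup, two injection-shaped statements,
# one bulk pull by a reporting account, and one legitimate OR that must not trigger.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z app_svc 1 SELECT * FROM orders WHERE id = 42",
    "2024-05-01T10:00:02Z app_svc 1 SELECT name FROM users WHERE id = 7 OR 1=1 -- ",
    "2024-05-01T10:00:03Z app_svc 0 SELECT id FROM users WHERE id = 7 UNION SELECT email FROM users",
    "2024-05-01T10:00:04Z report_svc 250000 SELECT * FROM customers",
    "2024-05-01T10:00:05Z app_svc 3 SELECT * FROM items WHERE status = 'open' OR type = 'rush'",
]

if __name__ == "__main__":
    inj, scr = analyze(SAMPLE_LOG)
    for ts, user, sql, hits in inj:
        print(f"{ts} {user} injection-shaped ({', '.join(hits)}): {sql}")
    for user, total in scr:
        print(f"{user} returned {total} rows, over threshold")
```

The row-count threshold is the cheap form of "looking at too much data"; a per-user baseline over a trailing window would be the next step, and the parser is the part that changes per engine.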
*** This is a Security Bloggers Network syndicated blog from Securosis Blog authored by firstname.lastname@example.org (Securosis). Read the original post at: http://securosis.com/blog/dam-not-moving-to-the-cloud