The Cloud Illusion: Why Your Database Security Might Be at Risk
Data is the fuel that drives today’s business, and it must be protected. When business-critical data is stored in a data center, security professionals have more control over data access and can create a digital moat to secure data. However, with more data storage moving to the cloud, there is a greater risk of exposure since cloud-hosted databases are open to internet attacks, and you lose control of the data environment. New strategies must be applied to ensure data in the cloud remains secure.
Cloud-hosted databases and data storage require remote data access, which means access needs to be secured. The data itself must be secured, whether it’s data at rest or data in motion as it is transferred to support business applications. There are third-party data security services, but with cloud-native databases and data storage, you want a cloud-native data security solution that can scale, integrate with other cloud technologies and support automation. AWS, Azure, GCP, Oracle and other cloud platforms offer secure relational database services, but they provide little or no transparency into data transactions and limited control over data security. For example, users don’t have access to the infrastructure or transaction logs required for audits, and they have limited control over security configurations and updates.
What’s needed is a new generation of cloud-native data security tools that offer greater visibility and total control.
The Growing Risk to Cloud Data
More sensitive data is migrating to the cloud as more organizations pursue digital transformation. According to research from the Cloud Security Alliance (CSA), 89% of organizations are hosting sensitive data in the cloud. Only 38% rank their cloud provider’s security controls as highly effective, and 51% say they are somewhat effective. Those same organizations are less confident in their abilities to protect sensitive data in the cloud, with 31% saying they feel slightly confident and 44% moderately confident.
At the same time, there has been a surge in cyberattacks. There were 2,365 cyberattacks in 2023, affecting 343 million victims. This is a 72% increase in data breaches over 2021, the previous all-time high for breaches. IBM estimates that the average cost per data breach is $4.45 million.
Migrating data to the cloud creates an added need for data security. That may be why the cloud database security market is expected to reach $22 billion by 2029, growing at a CAGR of 19.2%.
Best Practice for Securing Cloud Data
You apply the same best practices when securing any database, including encrypting data at rest and data in transit, maintaining strict access controls, limiting and monitoring data access, data masking, maintaining secure backups, etc. When you consider migration to hosted database environments, there are additional considerations, such as where to host the data and whether it is in a private or public cloud infrastructure.
You also must secure access to the data. Most data breaches result from compromised data access, whether because of phishing attacks, malware, stolen credentials, or social engineering, so educating database users is crucial. But what about secondary users? For example, developers need data access to test new functions and new applications.
Many data breaches occur from secondary and tertiary users with data access, such as application developers or QA testers. Hackers often target developer environments, assuming data won’t be as secure. Security compliance often ensures that secure data must be sanitized and masked before it is used in a production environment.
Then there’s data protection. If your system is hacked and data is stolen or subject to ransomware, can you recover it? Backups and backup compliance are essential to data security.
These security principles are well understood, but they aren’t always easy to implement, especially in enterprise environments with thousands of databases. The challenge is to standardize and scale security best practices.
Enforcing Database Security Protocols
As cloud databases proliferate and scale, standardizing security and automating security processes becomes more complex. The best approach is Database-as-a-Service (DBaaS).
A DBaaS platform is made up of a control plane and a data plane. The dedicated control plane uses a microservice architecture with APIs and microservices to invoke database tasks for the data stored in the data plane. You can universally standardize and apply security best practices through the control plane. You can implement data snapshots, backups and even long-term immutable backups in an air-gapped vault if necessary to protect the data. Data masking is also handled through the control plane.
The control plane serves as an orchestration engine for security policies for all enterprise databases.
The control plane needs secure access to the data plane. Communication is highly secure, and communication is only outbound so that no inbound malware can be introduced. Data plane connections can also be made private over a secure network for highly regulated industries.
When working with DBaaS security, the control plane should give the customer total control over database management without touching the data. User access and new features and functions are added to the control plane as needed. If there is a data breach, database services can be shut down at the control plane without affecting information stored in the data plane. The system enables authorized SQL and JDBC connections to the data but blocks SSH access to the server itself. Access to the server is controlled, audited and limited.
Customizing Data Control
Most cloud database services require hosting the control plane and data plane infrastructure for customers. As a result, customers must settle for “black box” database management, relying on the service provider to manage the control plane. There is no transparency to determine who is accessing the data server, and no ability to add custom applications or third-party services.
For example, auditing and compliance can be challenging without transparency into the control plane. Third-party auditing agents are available, but to use them, the cloud database service provider must support external applications. Similarly, some database services don’t support security features such as masking or securing backups in a vault. As a result, customers assume responsibility for upper-level data management, which requires additional personnel, software and controls, resulting in multiple database silos.
A better approach is to have a transparent, customizable, extensible data management system to handle all security in one place. An extensible architecture where you can add functionality and have a single pane of glass makes it easy to manage data masking, data backup, security, auditing and governance. It also makes it easier to automate security functions.
Native cloud DBaaS represents the next phase in the evolution of database management. However, to keep the data secure, you must isolate the data plane from the control plane. You must also have an extensible control system that offers visibility into database operations and centralizes data management. With the right cloud database architecture, you gain versatility as well as optimal security.
