How New Security and Encryption Layers Strengthen Cloud Databases

essidsolutions

Protecting database management systems in the cloud is becoming steadily more difficult. Even large systems with sophisticated defenses, run by Big Tech companies, have been compromised.

Attackers have breached cloud-based data stores through human error and faulty configuration, but an enterprise's overall approach to security can put a system at risk just as easily.

“For most of the security solutions I’ve seen in the cloud, it appears that companies have turned on native public cloud security, done some iterations and called it a day,” says David Linthicum, a cloud strategy expert for a large consultancy. Effective security must be rigorous, continuous and employ current security solutions rather than defaults alone.

Attackers have several predictable routes into a cloud database system. One is the directory that stores user identity data. Many such directories are poorly protected, and an Identity and Access Management (IAM) system adds a layer of control in front of them.

IAM regulates user access across all of an enterprise's cloud database systems. Among other things, it can track an individual's activity across multiple databases. It also ends a user's session with one database as that user moves on to another, so that an attacker cannot enter through a connection that was left open.

Automated Security Testing

Automated security testing, which continually tests applications for flaws and vulnerabilities, is another approach to database security. Passive or nonexistent testing of new applications weakens security for the entire system. Active testing helps companies identify vulnerabilities at the code and data levels before new applications are deployed against the database.

Fortunately, the defensive options are becoming more innovative as well. One is field-level encryption. In the client-side form offered by the software company MongoDB, the application encrypts sensitive fields before the data is sent to the cloud database and decrypts them only after reading them back; the database itself stores, indexes and returns ciphertext and never holds the keys.

In principle, this means that even if the database is compromised, its contents are unusable without the keys.

It is designed so that the more aggressive attacks now common, such as brute-force password guessing against the database, yield only ciphertext even when they succeed in gaining access.

“We’ve built in some defenses for things like intentional manipulation or corruption of the data, like with pre-message or padding oracle attacks,” says Kenneth White, the product security lead at MongoDB. “We’ve used modern algorithms that are resistant to such manipulation attempts.”

Limitations for Encryption

Encryption, however, is impractical for some data stored in the cloud because the database can no longer run certain queries over fields it cannot read. Range comparisons, sorting and aggregation over an encrypted field are not possible, and equality matching works only if the field is encrypted deterministically, which in turn reveals to the server which records share a value.

It is also impractical for datasets with a lot of free text, because specific words cannot be searched for inside ciphertext.
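The following script, added here as an illustration and not code from MongoDB or from the original article, shows both the field-level encryption described above and the query limitations just listed. A client encrypts two fields of each record before handing it to a stand-in for the cloud database; the database matches only on the bytes it is given. A deterministically encrypted field (the constructed `ssn`) still answers equality queries, a randomly encrypted one (`notes`) answers none, a substring search finds nothing, and a tampered ciphertext is rejected on decryption. The field names, schema and sample records are constructed for the example. AES-GCM would be the production choice; an HMAC-SHA256 counter-mode stream cipher with an HMAC tag stands in so the script runs on the standard library alone.

```python
"""Client-side field-level encryption: the database stores only ciphertext."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 16


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent subkey from the master key for one purpose."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a block cipher keystream (AES-GCM in practice)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


class FieldCipher:
    """Holds the data key on the client side (in practice fetched from a KMS, never stored in the database)."""

    def __init__(self, master_key: bytes):
        self.enc_key = _subkey(master_key, b"enc")
        self.mac_key = _subkey(master_key, b"mac")
        self.siv_key = _subkey(master_key, b"siv")

    def encrypt(self, field: str, value: str, deterministic: bool = False) -> str:
        pt = value.encode()
        if deterministic:
            # Nonce derived from the plaintext: equal values give equal ciphertexts, so the
            # server can answer equality queries, at the cost of revealing which rows match.
            nonce = hmac.new(self.siv_key, field.encode() + b"\0" + pt, hashlib.sha256).digest()[:NONCE_LEN]
        else:
            nonce = secrets.token_bytes(NONCE_LEN)  # fresh per encryption: no equality leak, no queries
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self.enc_key, nonce, len(pt))))
        # The tag also covers the field name, so a ciphertext cannot be moved between fields unnoticed.
        tag = hmac.new(self.mac_key, field.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return (nonce + ct + tag).hex()

    def decrypt(self, field: str, blob_hex: str) -> str:
        blob = bytes.fromhex(blob_hex)
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expect = hmac.new(self.mac_key, field.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            raise ValueError(f"field {field!r}: ciphertext failed authentication")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct)))).decode()


# Constructed encryption schema for the example: which fields to protect, and how.
SCHEMA = {"ssn": "deterministic", "notes": "randomized"}


def encrypt_document(cipher: FieldCipher, doc: dict) -> dict:
    out = dict(doc)
    for field, mode in SCHEMA.items():
        if field in out:
            out[field] = cipher.encrypt(field, out[field], deterministic=(mode == "deterministic"))
    return out


def decrypt_document(cipher: FieldCipher, doc: dict) -> dict:
    out = dict(doc)
    for field in SCHEMA:
        if field in out:
            out[field] = cipher.decrypt(field, out[field])
    return out


class RemoteCollection:
    """Stands in for the cloud database: stores what it is given and matches on it literally."""

    def __init__(self):
        self.docs = []

    def insert(self, doc: dict) -> None:
        self.docs.append(doc)

    def find_eq(self, field: str, value: str) -> list:
        return [d for d in self.docs if d.get(field) == value]

    def find_contains(self, field: str, needle: str) -> list:
        return [d for d in self.docs if needle in d.get(field, "")]


def demo() -> dict:
    """Run the scenario end to end and report what the server could and could not see or do."""
    cipher = FieldCipher(secrets.token_bytes(32))
    server = RemoteCollection()
    records = [  # constructed sample data
        {"name": "alice", "ssn": "123-45-6789", "notes": "high risk"},
        {"name": "bob", "ssn": "987-65-4321", "notes": "high risk"},
    ]
    for rec in records:
        server.insert(encrypt_document(cipher, rec))
    stored = server.docs
    # Equality on the deterministic field: the client encrypts the search value, the server compares bytes.
    ssn_hits = server.find_eq("ssn", cipher.encrypt("ssn", "123-45-6789", deterministic=True))
    # The same query on the randomized field finds nothing: every encryption differs.
    notes_hits = server.find_eq("notes", cipher.encrypt("notes", "high risk"))
    # A modified ciphertext (last byte of the tag flipped) is rejected by the client.
    tampered = dict(stored[0])
    tampered["ssn"] = tampered["ssn"][:-2] + ("00" if tampered["ssn"][-2:] != "00" else "11")
    try:
        decrypt_document(cipher, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "plaintext_on_server": any("123-45-6789" in str(d) or "high risk" in str(d) for d in stored),
        "ssn_hit_names": [decrypt_document(cipher, d)["name"] for d in ssn_hits],
        "notes_hits": len(notes_hits),
        "substring_hits": len(server.find_contains("notes", "risk")),
        "randomized_equal_values_look_equal": stored[0]["notes"] == stored[1]["notes"],
        "round_trip_ok": [decrypt_document(cipher, d) for d in stored] == records,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the limitations above describe is visible in the two modes: the deterministic `ssn` field stays queryable but shows the server which rows share a value, while the randomized `notes` field hides even that and so can only be decrypted, never searched, on the server side. The key never leaves `FieldCipher`, so an attacker who obtains the stored documents, whether by guessing a database password or by copying a backup, holds nothing but the hex blobs.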

Of course, the most basic protection that should be in place is requiring authentication on the database system itself. This first line of defense is surprisingly often missing, according to Chris Vickery, a security researcher who looks for exposed databases at the cybersecurity company UpGuard.

“There’s so many different platforms out there these days,” Vickery says. “From one to the other, you’re going to have varying levels of default security.”