As you move databases to cloud database platforms, data security and compliance requirements move along with them. This article explains how you can apply database audit and monitoring controls when migrating your database to cloud services, including the following:
Relational Database as a Service (RDaaS) provides the equipment, software, and infrastructure needed for businesses to run their databases on the provider's platform, rather than assembling the stack in-house. Examples of RDaaS include Amazon Relational Database Service (RDS) and Microsoft Azure SQL Database.
The advantages of RDaaS adoption can be fairly substantial. Here are just a few of the benefits:
From a high-altitude viewpoint, cloud security is based on a model of “shared responsibility” in which the concern for security maps to the degree of control any given actor has over the architecture stack.
Amazon states that AWS has “responsibility for security of the cloud,” while customers have “responsibility for security in the cloud.” What does that mean for you?
Cloud vendors provide the tools and services to secure the infrastructure (such as networking and compute machines), while you are responsible for things like network traffic protection and application security. For example, cloud vendors help to restrict access to the compute instances on which the web server is deployed (by using security groups/firewalls and other methods); they also deny web traffic from accessing restricted ports by setting only the needed HTTP or HTTPS listeners in the public endpoints (usually the load balancer).
But public cloud vendors do not provide the necessary tools to fully protect against application attacks such as the OWASP Top 10 risks, automated attacks or database vulnerabilities. The responsibility falls to you to establish security measures that allow only authorized web traffic to enter your cloud-based data center, just as with a physical data center. In a physical data center this is typically done with database activity monitoring placed in front of the database, and fortunately similar measures can be deployed in the public cloud as well.
The benefit that a solution such as SecureSphere Database Activity Monitoring (DAM) provides is integrating the oversight of Amazon RDS into a broad view across all enterprise databases. With SecureSphere, here are some things you can do to ensure the security of your data in the cloud:
Use the same scalable architecture proven to cost-effectively monitor thousands of on-premises databases for your databases in AWS. For AWS, non-intrusive virtual appliances, deployed individually or in HA pairs, monitor network traffic and incorporate Amazon RDS audit data into a holistic enterprise-wide compliance dashboard.
Deploy a common security and compliance policy for consistent security across on-premises and cloud databases. Secure and audit databases in the cloud and on-premises via one lens. Protect data in AWS with alerts and then block unauthorized activity.
Demonstrate compliance with data protection and privacy regulations for databases in AWS. Provide unified audit reports across data in the cloud and on-premises. Get detailed reports for regulations such as SOX, PCI DSS and more.
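As an added illustration (not Imperva's or SecureSphere's own code) of what incorporating Amazon RDS audit data and alerting on unauthorized activity amounts to in practice, the following Python evaluates a small monitoring policy over constructed audit lines in the MariaDB Audit Plugin layout that RDS for MySQL/MariaDB can emit; the trusted network range, the sensitive-table list and the accounts cleared to read those tables are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the MariaDB Audit Plugin CSV layout that Amazon RDS
# (MySQL/MariaDB engines) can emit: timestamp,serverhost,username,host,
# connectionid,queryid,operation,database,object,retcode. Values are invented.
SAMPLE_AUDIT_LOG = """\
20240301 10:00:01,rds-prod-1,app_user,10.0.1.15,101,0,CONNECT,orders,,0
20240301 10:00:02,rds-prod-1,app_user,10.0.1.15,101,7,QUERY,orders,'SELECT id, total FROM orders WHERE id=7',0
20240301 10:00:05,rds-prod-1,admin,203.0.113.9,102,0,CONNECT,,,1045
20240301 10:00:09,rds-prod-1,report_user,10.0.2.40,103,9,QUERY,orders,'SELECT card_number FROM payments',0
20240301 10:00:12,rds-prod-1,admin,10.0.1.15,104,11,QUERY,orders,'DROP TABLE audit_trail',0
"""

FIELDS = "ts server user host conn qid op db obj retcode".split()
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed VPC address range
SENSITIVE_TABLES = {"payments"}                       # assumed data classification
SENSITIVE_READERS = {"app_user"}                      # accounts cleared to read them
DDL = re.compile(r"^\s*(DROP|ALTER|TRUNCATE)\b", re.IGNORECASE)
TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+(\w+)", re.IGNORECASE)

def parse_line(line: str) -> dict:
    # The SQL text in the object field may contain commas, so split the tail on its last comma.
    fields = line.rstrip("\n").split(",", 8)
    obj, _, retcode = fields[8].rpartition(",")
    return dict(zip(FIELDS, fields[:8] + [obj.strip("'"), int(retcode)]))

def evaluate(ev: dict) -> list[str]:
    """Names of the monitoring rules this audit event violates."""
    hits = []
    if ev["op"] == "CONNECT" and ev["retcode"] != 0:
        hits.append("failed-login")
    if not any(ipaddress.ip_address(ev["host"]) in net for net in TRUSTED_NETS):
        hits.append("untrusted-source")
    if ev["op"] == "QUERY":
        if DDL.match(ev["obj"]):
            hits.append("ddl-statement")
        tables = {t.lower() for t in TABLE_REF.findall(ev["obj"])}
        if tables & SENSITIVE_TABLES and ev["user"] not in SENSITIVE_READERS:
            hits.append("sensitive-read")
    return hits

def audit(log: str) -> list[tuple[str, str, list[str]]]:
    """(user, host, violated rules) for every audit line that trips a rule."""
    alerts = []
    for line in filter(None, log.splitlines()):
        ev = parse_line(line)
        if hits := evaluate(ev):
            alerts.append((ev["user"], ev["host"], hits))
    return alerts
```

In a real deployment the same rules would run over the audit stream the RDS instance exports and feed the alerts into the central compliance view rather than a Python list.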
SecureSphere Discovery and Assessment streamlines vulnerability assessment at the data layer. It provides a comprehensive list of over 1500 tests and assessment policies for scanning platform, software, and configuration vulnerabilities. Database assessments leverage the Common Vulnerability Scoring System (CVSS) and the latest research from the Imperva Defense Center to assess database servers and assign a vulnerability severity level. Assessment scans can be run on-demand or at scheduled intervals, giving security teams the flexibility to scan when it least impacts IT operations. Assessment policies are available for a broad range of databases including Oracle, Microsoft SQL, IBM DB2 and more. The vulnerability assessment process, which can be fully customized, uses industry best practices such as DISA STIG and CIS benchmarks.
For complete visibility and control of user access to sensitive data, SecureSphere Discovery and Assessment can be extended to include database activity monitoring. Organizations can then implement security policies to block or alert on attempts to exploit a vulnerability, providing virtual patch protection while software patches are developed by software vendors.
The need for quick panoramic visibility to the entire delivered application and data infrastructure, no matter where it is located, is paramount. Quick and coordinated control and mitigation are essential to bring the balance of defense back into the defender’s court.
Learn more about how Imperva solutions can help you ensure the safety of your database and enterprise-wide data.