Top 10 DBaaS security concerns

Survey shows the worries users have about their databases in the cloud.

DBaaS security

Placing a database in the cloud significantly changes its security threat landscape. While many of the traditional on-premises risks remain—data leakage risk from privileged users with access to the data, the presence of unidentified sensitive data and SQL injection attacks are some examples—the cloud introduces its own additional risks.

There are also ways to leverage the cloud by outsourcing some of the risk mitigation to the cloud provider. HexaTier recently surveyed 574 IT professionals and here are their concerns.

Safety of data storage

Some of the worries they cited were:

• Where is the data stored?
• Who has access to the data?
• What actions can those with access perform on the data?
• What access is logged and reported?
• A neighbor tenant has indirect access to data (e.g., by shared, non-sanitized memory)
• A neighbor tenant can infiltrate the database

DBaaS provider can access your data

A side effect of hosting data in the cloud is that you cannot control who has physical or logical access to the servers on which your data is stored and processed. More specifically, certain employees of the cloud provider will have access to the servers, and therefore, your data. This introduces a possible avenue of data theft over which you have no control at all.

In DBaaS environments, where the provider provisions the software, you are forced to trust the provider and its security practices to a much greater degree.

Physical location of the production data and the backup data

When data is stored in the cloud, the location of the data becomes a big question. Cloud providers maintain physical data centers in multiple locations for reasons of performance and redundancy. This can introduce problems relating to regulatory compliance and internal company policies.

First, DBaaS providers back up their clients’ data for their own business-continuity/disaster-recovery (BCDR) needs. Second, they offer automatic backups that allow customers to restore data from their own backups. Third, they offer data replication services that mirror their clients’ data, sometimes to other regions, for load-balancing and performance purposes.

External users can access the DBaaS

When an organization’s database is in the cloud, it becomes possible for people outside the organization to gain access. All it would take is to crack the database password or exploit some other weakness in the security configuration. DBaaS deployments can be protected by network firewalls that function similarly to on-premises firewalls. They can be configured to allow access only from certain networks or IP addresses. All major cloud providers provide basic firewalls that, with a few simple rules, can ensure that access to the database will only be granted from the organization’s own network.
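A check of such firewall rules, as an added example that is not part of the original article: it flags any inbound database rule whose source is not contained in the organization's own networks. The rule format, field names and addresses are constructed for illustration and do not match any particular provider's API.

```python
import ipaddress

# Constructed sample data (documentation address ranges, hypothetical rule shape).
ORG_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),    # office egress range
    ipaddress.ip_network("198.51.100.16/28"),  # VPN concentrators
]

RULES = [
    {"name": "office", "source": "203.0.113.0/24", "port": 5432},
    {"name": "vpn", "source": "198.51.100.20/32", "port": 5432},
    {"name": "temp-debug", "source": "0.0.0.0/0", "port": 5432},
    {"name": "vendor", "source": "192.0.2.0/24", "port": 5432},
]


def audit_rules(rules, org_networks):
    """Return (rule name, reason) for each rule that admits sources
    outside the organization's networks."""
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        if src.prefixlen == 0:
            # 0.0.0.0/0 or ::/0: the database port is reachable from anywhere.
            findings.append((rule["name"], "open to any address"))
            continue
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        inside = any(
            src.version == net.version and src.subnet_of(net)
            for net in org_networks
        )
        if not inside:
            findings.append((rule["name"], "source outside organization networks"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(RULES, ORG_NETWORKS):
        print(f"{name}: {reason}")
```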

DBaaS regulatory compliance

DBaaS regulatory compliance refers to the actions taken by organizations to comply with the laws and regulations that apply to databases hosted in the cloud. Commonly applicable regulations include PCI-DSS, SOX, Basel II and HIPAA. It is possible that solutions with the equivalent functionality, stability and performance are not even available yet for cloud environments. Any organization that has to comply with regulations in a DBaaS environment has to use third-party tools to achieve compliance.

DDoS and performance attacks on the database

A performance attack can be caused by flooding the database with artificial requests (DDoS) or by targeted attacks that impact a sensitive asset in the database. In actuality, cloud-hosted databases are more resistant to performance attacks because of their inherent agility. The flexibility and scalability of DBaaS environments—and thus their resilience in the face of a performance attack—will always be greater than any standard on-premises database.

Hidden sensitive data

The challenge of discovering sensitive data falls into two categories: finding it in structured data and in unstructured data (databases are structured data). Third-party vendors offer technology that is capable of scanning all of an enterprise’s databases and automatically discovering sensitive data. These tools can identify specific data fields based on particular security concerns and/or specific regulations. Finding sensitive and regulated data within enterprise databases is one of the key challenges to implementing data security and regulatory compliance. While the major DBaaS providers do not offer tools for the automatic discovery of sensitive and regulated data, third-party tools are available.
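How such a scan works on structured data, as an added example that is not taken from the article or from any vendor's product: it walks every table and column, flags columns by name and by sampled values that pass the Luhn check used for payment card numbers. It uses an in-memory SQLite database with constructed rows; the name hints and reason labels are assumptions.

```python
import re
import sqlite3

NAME_HINTS = re.compile(r"(ssn|card|passw|birth|diagnos)", re.I)  # assumed hints
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(conn, sample_rows=100):
    """Return {(table, column): reasons} for columns that look sensitive."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            reasons = set()
            if NAME_HINTS.search(col):
                reasons.add("column-name")
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" LIMIT ?', (sample_rows,))
            for (value,) in rows:
                text = re.sub(r"[ -]", "", str(value))
                if CARD_RE.match(text) and luhn_ok(text):
                    reasons.add("card-number")  # PCI-DSS relevant
            if reasons:
                findings[(table, col)] = reasons
    return findings


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT);
        CREATE TABLE orders (id INTEGER, notes TEXT, total REAL);
        INSERT INTO customers VALUES (1, 'Ann Example', '000-00-0000');
        INSERT INTO orders VALUES (1, '4111 1111 1111 1111', 19.99);
        INSERT INTO orders VALUES (2, 'gift wrap', 5.00);
    """)  # constructed rows; 4111... is the standard test card number
    return discover(conn)
```

The card number sitting in a free-text `notes` column is the "hidden" case: nothing in the schema suggests it, so only value sampling finds it.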

SQL injection attacks

In an SQL injection attack, malicious SQL statements intended for execution by a database are inserted into an entry field on a website. One possible result is that the server will expose data from the database that it should never return. These types of attacks exploit a security vulnerability in a Web application’s software and sometimes also in a closed source application.

The first line of defense against SQL injection attacks is one that must be implemented by developers at the code level. The major cloud providers do not currently offer off-the-shelf solutions to this threat; instead, it is expected that third-party solutions be used.

Data theft by authorized users

DBAs, software developers, quality assurance personnel and others (whether employees or external partners) frequently require extensive access to databases in order to perform their roles. This essentially means that the organization cannot block their access, even to sensitive databases, without preventing them from doing their jobs. On the other hand, it is dangerous and unnecessary for these types of roles to have total and unfettered access to all of a company’s sensitive data.

Neighbor tenants can access your data

Cloud-hosted applications and databases typically utilize resources that are shared by multiple customers, or tenants. Two of these shared resources—memory and disk—present the danger that one tenant may be able to access sensitive data belonging to a different tenant. There is no way to fully avoid these tenant-based threats. These risks are part of the price you pay for enjoying the benefits of sharing resources with other tenants.