Taking a Data-Centric Security Approach to Accommodate Cloud Misconfigurations

Today, cloud misconfigurations are the No. 1 reason for cloud data leaks and breaches. Adversaries can use botnets to exclusively search for misconfigured public cloud databases to exploit. In fact, a cloud misconfiguration is what recently exposed the Microsoft Azure Cosmos DB databases. Termed ChaosDB, the vulnerability affected thousands of Microsoft Azure customers across large including Fortune 500 and Global 2000 businesses – and it could have been lurking in the background for months, or years. This is all too common – a study shows that 90% of companies are vulnerable to breaches due to cloud misconfigurations.

As we continue to digitize business processes, organizations are storing sensitive data across locations -- on-prem, off-prem, in various private and public clouds, structured SQL database, unstructured data lakes, and more. There are no longer set perimeters, making traditional perimeter-based security tools a thing of the past. Instead, organizations must shift their security mindset to adopt a data-centric security approach to protect data no matter where it resides.

A strong database security program that follows a data-centric mindset, requires not just security but also personnel, IT infrastructure, business operations, application integrity, risk and compliance, database administration and more to be on board. Organizations also need a solid plan to ensure the processes and technologies are in place to be able to monitor, assess, and remediate critical database security risks across their complex cloud environments.

To make this happen, follow these best practices.

1. Take inventory of all databases. First, take inventory of your current databases across your IT environment so you can identify, classify, and prioritize systems that require attention. An accurate inventory of databases is a critical step in establishing a holistic and effective database security program. You need to know where your data resides in order to protect it. Then, you can identify areas that need remediation and establish a baseline of known database configurations and user privileges.

2. Define standards, security, and compliance policies. Organizations need defined policies and standards to measure compliance and progress. Policies should be customized to support the different environments and database accounts. Remember, managing policy is a continuous process. With every new patch or software version, organizations need to review policies to ensure they account for new and updated configurations and settings.

Organizations should also ensure they fulfill any relevant regulatory compliance requirements to be able to remediate potential vulnerabilities and misconfigurations in a timely manner. Some standards and requirements might include: FISMA, DISA-STIG, CIS, GDPR, PDPA, APRA CPS 234 and more. The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) standards for database security also provides a great for continuous assessment for organizations to follow.

3. Establish user access controls. The only way to establish meaningful controls that track how users interact with data, or to capture an audit trail for use in a breach investigation, is to know who has access to what data and why/how they’ve been granted that access. As people change roles or leave an organization, user privileges are often not kept up-to-date, and organizations lack a full understanding of who all has access to sensitive data.

Users should only have access to the data and tools critical to fulfill their job. For example, individuals with elevated privileges, broad access and extensive database knowledge often include DBAs, developers, quality assurance staff, contractors and consultants. Alternatively, IT operations, network operations, security and audit personnel may not have the same user rights as authorized users do, but they may be capable of performing privileged activity to systems or security protocols needed for their job.

By establishing clear access controls and user activity policies, administrators and security personnel have sufficient, actionable data to make informed decisions and are not distracted by excessive alerts, false-positives and false-negatives.

4. Implement risk mitigation and compensating controls. Remediating high-risk vulnerabilities and misconfigurations within your databases not only reduces your risk of compromise, but it also narrows the scope of any required compensating controls you might need – such as exploit monitoring. Using data analytics to associate risk scores with the findings from your vulnerability assessment can help identify your most exposed systems or groups so you can focus your efforts where you stand to make the most impact.

5. Utilize DAM for real time detection, alert, and response. For vulnerabilities that cannot be remediated or patched in a timely manner, real-time a policy-based database activity monitoring (DAM) solution utilizes vulnerability, configuration, and user data to produce accurate, efficient monitoring policies.

DAM solutions can alert operations center personnel when a security violation is identified so they can take corrective action. Many organizations also feed these alerts into a security information and event management (SIEM) or network management tool if suspicious or malicious activity is detected, for further investigation and remediation. This can make database security management easier with a set of actionable security and compliance alerts.

Securing Your Most Valuable Asset: Data

Data is an organization’s most precious asset, but with more of it residing in public and private clouds, we can no longer think of a database as something that can be protected with traditional perimeter-based network security. By establishing the right policies, scanning for vulnerabilities, controlling user privilege, implementing risk mitigation and real-time monitoring, organization can create a data-centric security practice that protects sensitive data in any location.  

Technology alone will not reduce your risk of database compromise. A complete program incorporates people, process, and technology. Determining and establishing the appropriate policies, roles, accountability, workflow, mitigation, reporting, and ongoing management will set all stakeholders on a course to achieve a strong database security program.

Mark Trinidad    

Mark Trinidad is senior manager of database security for Trustwave.