You’re an early adopter and know that it’s your responsibility to lead your company to the next stage of cloud migration – the database. Gartner reports that more than 80% of early adopters are already using AWS for DBaaS. You have hundreds of databases in your organization, and you cannot move all of them at once, but you have to start somewhere.
According to a recent report from Deutsche Bank Securities, AWS Database as a Service (DBaaS) subscriptions have cut data center and staff costs by 50%, while delivering flexibility, ease of maintenance, faster time to market of new products, and an improvement in business agility and scalability.
Database provisioning occurs in minutes instead of weeks or months. You can also extend your data center for IT projects requiring capacity “bursts” without having to maintain onsite storage that goes unused most of the time. But what about the all-important issue of security?
Just like any on-premises database or virtual private cloud-based database, you need to ensure it is protected. Yes, AWS does provide security, as does every other cloud provider. Between your efforts and Amazon’s, you’ve already implemented various protective layers such as network firewall, WAF, DDoS, IPS, and IDS.
Remember, though, these are perimeter protections, not actual database protection – so your sensitive data within the databases remains vulnerable to insider or outsider attacks. And don’t forget you have to follow very strict regulatory requirements that require checks and balances on all activities involving sensitive data.
Database protection requires a well-known set of activities:
- User authentication (migration of Active Directory)
- Access control (IP, ports, protocol, db users…)
- Masking sensitive data
- Intrusion protection (zero minutes)
- Separation of duties
- SSL encrypted connection to a DB instance
- Amazon RDS security groups
- Admin/root user privileges
However, this is the most critical area where security often breaks down when you move to the cloud – you can’t use traditional security defenses because DBaaS doesn’t provide OS control. Thus, you cannot install any agent-based protection.
The only true way to achieve database security for RDS/DBaaS is by using a database reverse proxy technology. It eliminates the security worries in the OS layer because it sits in between the application users (high privilege users and casual users) and the cloud database, filtering each query and stored procedure response. It overwrites given credentials and monitors each and every action, from basic login events up to an admin command. It also authenticates users, provides SQL injection protection, and masks sensitive data.
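The proxy position described above can be illustrated with a short added example; it is not HexaTier's code or any product's implementation. It assumes an in-memory SQLite database as a stand-in for the cloud database, and the role names, per-role statement policy and masked column names are hypothetical.

```python
import sqlite3

# Assumed policy (not from the article): statement verbs each role may run,
# and the columns whose values are masked for every role except admin.
ALLOWED = {"admin": {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP"},
           "app": {"SELECT", "INSERT", "UPDATE"},
           "analyst": {"SELECT"}}
MASKED_COLUMNS = {"ssn", "card_number"}

def mask(value):
    """Keep the last four characters, replace the rest with '*'."""
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]

class QueryProxy:
    """Sits between callers and the database; every statement passes through."""

    def __init__(self, conn):
        self.conn = conn
        self.audit = []  # (role, verb, decision) recorded for every request

    def execute(self, role, sql, params=()):
        # One request is one auditable statement: reject stacked statements.
        # A ';' inside a string literal also trips this, so callers bind params.
        if ";" in sql.rstrip().rstrip(";"):
            self.audit.append((role, "MULTI", "blocked"))
            raise PermissionError("multiple statements in one request")
        verb = sql.lstrip().split(None, 1)[0].upper()
        if verb not in ALLOWED.get(role, set()):
            self.audit.append((role, verb, "blocked"))
            raise PermissionError(f"{role} may not run {verb}")
        self.audit.append((role, verb, "allowed"))
        cur = self.conn.execute(sql, params)
        if cur.description is None:  # statement returned no rows
            self.conn.commit()
            return []
        cols = [d[0].lower() for d in cur.description]
        hide = set() if role == "admin" else MASKED_COLUMNS
        return [tuple(mask(v) if c in hide else v for c, v in zip(cols, row))
                for row in cur.fetchall()]

def demo():
    conn = sqlite3.connect(":memory:")  # stand-in for the cloud database
    proxy = QueryProxy(conn)
    proxy.execute("admin", "CREATE TABLE customers (name TEXT, ssn TEXT)")
    proxy.execute("app", "INSERT INTO customers VALUES (?, ?)",
                  ("Ann", "123-45-6789"))  # constructed sample row
    return proxy
```

Masking keyed on the result column name does not survive a column alias, so a production proxy has to resolve columns from the parsed query rather than from the result metadata.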
Of course, your friendly, neighborhood cloud database security solution – HexaTier – provides the reverse proxy tech in minutes.
Get more information here: AWS RDS Database Security Guide or