
Securing SQL Server on Amazon Web Services

Background

Are you considering deploying your Microsoft SQL Server database on Amazon Web Services (AWS) cloud infrastructure? If so, you will need to focus on the following measures to secure your SQL Server. Discover how you can protect your AWS-hosted database from potential security threats.

AWS solutions for hosting your Microsoft SQL Server database on AWS

AWS offers two different hosting solutions for Microsoft SQL Server databases: EC2 and RDS.

  • EC2 is a fully scalable compute and storage solution in the cloud. The customer gets complete administrative control over the server instance, operating system, database software, and the administrative and tuning tasks typically associated with running a database server.
  • RDS is a managed cloud-hosted database solution. Amazon handles all infrastructure management and database administration and customers do not have access to the underlying operating system or database software.

There may also be significant differences in the cost, functionality, performance, and availability of the two options. To decide which solution suits you best, check out Amazon’s Running Databases on AWS page for more information.

Once you have decided which solution fits your needs, use the following checklist to secure your cloud-hosted database from hackers and insider threats. It will also help you stay compliant with data-security-related regulations and standards, such as PCI, HIPAA, SOX, and others.

Security measures for hosting your SQL Server on AWS

  • Network Security on Amazon’s VPC
  • Database Access Control
  • High Availability (HA)
  • Monitoring your Database Activity
  • Securing your Operating System (EC2 Only)
  • Security at the SQL Server Level

Network Security on Amazon’s VPC (Virtual Private Cloud)

  • Define the Security Groups – Security groups act as a virtual firewall for your instance to control inbound and outbound traffic at the instance level (not the subnet level). More info.
  • Define VPC Access Control Lists (ACLs) – The ACL acts as a firewall for controlling traffic in and out of a subnet. More info.
  • Implement public/private subnets (tiered network) – This lets an application be publicly accessible while its back-end servers are not, e.g., a multi-tier website with web servers in a public subnet and database servers in a private subnet. More info.
  • Implement Elastic IP Addresses (EIP) – An elastic IP address is a static, public IP address that can be associated with any instance or network interface for your VPC, allowing you to move all the attributes of the network interface from one instance to another in a single step. More info.
  • Implement custom route tables – A route table contains a set of rules that are used to determine where network traffic is directed. More info.
  • Implement a Virtual Private Network (VPN) – AWS allows implementation of a virtual private gateway, enabling communication with your own network over an IPsec VPN tunnel. More info.

Database Access Control

  • Require Multi-Factor Authentication (MFA) – MFA is a method of authenticating a user using multiple sources of identifiable information, typically something the user knows (e.g., a password) plus something the user has (e.g., a particular hardware device) and sometimes something the user is (e.g., a biometric factor, such as a fingerprint). More info.
  • Implement Identity and Access Management (IAM) – IAM allows users, services and applications full or limited access to your Amazon VPC resources without sharing your security credentials. More info.
  • Implement One-Time Passwords (OTPs) – An OTP is an automatically-generated number or string of characters that authenticates the user for a single transaction or session. More info.
  • Enforce Separation of Duties in databases – This allows you to assign appropriate privileges so that users (or applications) with access to the database can perform their intended roles and nothing more. For example, a DBA should be able to perform only administrative tasks without having access to sensitive information. Properly defined and enforced separation of duties provides safeguards against a variety of security breaches and potential data leaks in organizations.

High Availability (HA)

  • Design for High Availability – Designing High Availability for the database layer is the most critical priority in any fault-tolerant architecture. To avoid a single point of failure in AWS databases, it is recommended to launch multiple database servers in master-slave replication or cluster mode. This is also known as multi-availability zones (multi-AZ). More info. (EC2) | More info. (RDS)

Monitoring your Database Activity

  • Monitor Application Health – Application health monitoring continuously measures the responsiveness of your production website or application, and generates alerts triggered when thresholds are exceeded. More info.
  • Monitor Network Traffic – Deploy a service that collects and tracks relevant server/database network metrics and log files, and generates alarms on suspicious or problematic circumstances. More info.
  • Monitor Database Performance metrics – Keep an eye on resource utilization metrics to prevent downtime and to plan scale-up steps. More info. (RDS)
  • Monitor Infrastructure Changes and API Service – Deploy a service that records all AWS API calls for your account and delivers log files to you. Analyze the data for security analysis, resource change tracking, and compliance auditing. More info.

Secure your Operating System

  • Harden the Server – Like any other server you manage, you need to implement hardening best practices on your EC2 servers. This means that you should, among other things, install/run only necessary software/services, make sure that all security-related patches are applied, use long and complex account passwords, set up RDP to require secure transport and certificate-based authentication, change default ports when possible and test for unnecessary open ports.
  • Install and Maintain Antivirus Software – It is important to have up-to-date antivirus software on the server. Many commercial options are available. Many security professionals consider the free Microsoft Security Essentials good enough. More info.
  • Install a Host-based Firewall – Because the firewall options are more limited on EC2 than for on-premises servers, it is worth considering augmenting network-based security with a host-based firewall. This is a software firewall running on the server, providing protection at the application level rather than at the network level. Aside from native OS firewalls for Windows virtual machines, you can also consider firewall controls managed by security-as-a-service providers. More info.
  • Monitor OS Changes – Deploy a flexible and reliable way to store, retrieve and review operating system log files, and keep on top of any suspicious changes made to the OS. More info.

Securing your SQL Server 

  • Implement Separation of Duties – To improve both data security and compliance, it is important to minimize access privileges of users and administrators to sensitive data that they do not require to do their jobs. This is an important way to reduce opportunities for data breaches, fraud, and other data-related threats. Map the minimum data access requirements for each role, and then use the tools provided by SQL Server to support restrictive role-based data access policies.
  • Implement In-transit Data Encryption – Encrypting data while traveling between computers on a network is necessary to prevent data theft via “eavesdropping” of network traffic by unauthorized users. This kind of encryption is usually implemented using SSL or client-side encryption. More info: SQL Server Configuration Manager | RDS SQL Server SSL Support
  • Implement At-rest Data Encryption – Encrypting data at rest (i.e., the actual data tables stored on hard disks) prevents someone with access to the physical media from stealing sensitive data and can help in regulatory compliance. Amazon RDS for Microsoft SQL Server offers this capability using Transparent Data Encryption (TDE).
  • Protect Against SQL Injection Attacks – SQL injection attacks are the most prevalent database breach method in use today. It is important to protect databases from SQL injection attacks by inspecting and analyzing all traffic in and out of the database and blocking suspicious or dangerous queries from ever reaching the database.
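
For the in-transit encryption item above, one client-side check is to audit the connection strings applications use to reach SQL Server. This is an added example, not part of the original article: it flags strings that leave `Encrypt` off or unset, or that set `TrustServerCertificate` so the server certificate is not validated. The host names, credentials and finding labels are constructed.

```python
ENCRYPT_ON = {"yes", "true", "mandatory", "strict"}

def parse_conn_str(conn_str):
    """Split 'key=value;' pairs; ODBC-style {braces} may quote a value holding ';'.
    Simplification: the '}}' escape inside braces is not handled."""
    pairs, i, n = {}, 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip(" ;").lower()
        i = eq + 1
        if i < n and conn_str[i] == "{":
            end = conn_str.find("}", i)
            end = n if end == -1 else end
            value, i = conn_str[i + 1:end], end + 1
        else:
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value, i = conn_str[i:end], end
        pairs[key] = value.strip()
        i += 1  # step over the ';' separator
    return pairs

def audit_tls(conn_str):
    """Return findings for settings that weaken in-transit encryption."""
    kv = parse_conn_str(conn_str)
    findings = []
    encrypt = kv.get("encrypt")
    if encrypt is None:
        # Assumption: unset counts as a finding, since it depends on the driver default.
        findings.append("encrypt-unset")
    elif encrypt.lower() not in ENCRYPT_ON:
        findings.append("encrypt-off")
    if kv.get("trustservercertificate", "no").lower() in {"yes", "true"}:
        findings.append("server-cert-not-validated")
    return findings

# Constructed connection strings; hosts and credentials are placeholders.
SAMPLES = {
    "hardened": "Driver={ODBC Driver 18 for SQL Server};Server=db.example.internal,1433;Encrypt=yes;TrustServerCertificate=no;",
    "legacy": "Driver={ODBC Driver 17 for SQL Server};Server=db.example.internal;UID=app;PWD={p;w=d}",
    "trust-all": "Server=db.example.internal;Encrypt=True;TrustServerCertificate=True",
    "plaintext": "Server=db.example.internal;Encrypt=no",
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, audit_tls(conn) or "ok")
```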

By David Maman, CTO of HexaTier and Lahav Savir, CEO emind Architect & CEO