The number of cyber attacks is constantly increasing. Companies must protect all IT systems and pay particular attention to the business-critical data in their cloud databases.
According to the current Allianz Risk Barometer, cyber-attacks were among the top risks for the economy last year, and the danger has grown further with the war in Ukraine. Cloud databases are a particularly exposed part of the IT infrastructure, so companies must extend their security concepts to cover them. Responsibility is shared: database providers guarantee that the database is available and kept up to date, and they provide security tools.
The companies using those databases are responsible for actually applying these tools. To do so, they must implement three key security measures: strong user authentication, encryption, and backups. Cloud databases come in two different forms. With infrastructure providers, the database runs on a virtual server: the provider ensures trouble-free operation of that server, while the company using it remains fully responsible for securing the database itself.
Cloud Databases: Shared Responsibility For Security
With platform services, i.e., Database as a Service (DBaaS), companies and providers share responsibility, which relieves administrators of part of the work. The operator ensures that the database system is always up to date and equipped with the necessary security updates, and provides essential security functions. The users are responsible for all other aspects of database security. They can choose between numerous security options, some of which are off by default and must be activated explicitly.
First Security Measure: Rights For Users Of Cloud Databases
When authenticating users of cloud databases, every user should only be able to reach the database through precisely defined roles and rights. For example, ordinary users should be restricted so severely that they can change neither the configuration nor the structure of the database. The corresponding user identities are assigned and managed with software solutions for Identity & Access Management (IAM).
This makes it possible, for example, to give the users of one department access only to the applications and data they need in the database system and to exclude everything else. Administrators' accounts need protection of their own: it makes sense to create additional reserve accounts that are not integrated into the single sign-on (SSO) procedure. They allow access if SSO is unavailable because of a disruption or a cyber attack.
However, logging in with username and password, the standard for applications, is not sufficient for adequate protection. Companies should therefore enable multi-factor authentication for the applications that access their cloud databases. This means that a user logs on to a database with at least two identification features, for example a password (1st factor) and a confirmation code (2nd factor), which the user receives by SMS or from an authentication app on the smartphone.
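The role model described above, written out for one concrete system as an added example (it is not from the article): SQL Server running on a virtual server, the infrastructure case mentioned earlier, in T-SQL. An ordinary application role gets read and write rights on the data but is denied every right that would let it change the structure or configuration; the application's identity comes from the directory, where MFA is enforced; and a separate reserve administrator login exists outside SSO. The database, schema, login and role names (SalesDb, sales, CORP\svc-sales-app, app_svc, app_data_rw, breakglass_admin) are assumed placeholders, and the schema sales is assumed to exist already.

```sql
-- Added example, not from the article: least-privilege roles on SQL Server (IaaS case).
-- SalesDb, sales, CORP\svc-sales-app, app_svc, app_data_rw, breakglass_admin are placeholders.
USE SalesDb;
GO

-- Role for ordinary users: may read and write rows in the sales schema,
-- but may not change the configuration or the structure of the database.
CREATE ROLE app_data_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::sales TO app_data_rw;
-- DENY takes precedence over GRANT, so a later, broader GRANT to the same role
-- cannot silently hand out structural changes to its members.
DENY ALTER, CONTROL ON SCHEMA::sales TO app_data_rw;
DENY ALTER ANY SCHEMA, CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO app_data_rw;
GO

-- The application's identity is the directory account managed by IAM/SSO.
-- No password lives in the application; MFA is enforced by the identity provider.
CREATE LOGIN [CORP\svc-sales-app] FROM WINDOWS;
CREATE USER app_svc FOR LOGIN [CORP\svc-sales-app];
ALTER ROLE app_data_rw ADD MEMBER app_svc;
GO

-- Reserve administrator: a separate, SQL-authenticated login that does not depend
-- on SSO, so administrators can still get in when the directory or SSO service is
-- down. Keep its password in a vault and raise an alert whenever it is used.
USE master;
GO
CREATE LOGIN breakglass_admin
    WITH PASSWORD = '<long random password kept in the vault>',
         CHECK_POLICY = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER breakglass_admin;
GO

-- Verification: impersonate the application user and list its effective rights.
USE SalesDb;
GO
EXECUTE AS USER = 'app_svc';
-- Effective permissions on the schema: only the data rights granted above should appear.
SELECT permission_name FROM fn_my_permissions('sales', 'SCHEMA');
-- Returns 1 if app_svc could ALTER the schema; the DENY above is there to make sure it cannot.
SELECT HAS_PERMS_BY_NAME('sales', 'SCHEMA', 'ALTER') AS can_alter_schema;
REVERT;
GO
```

Run the verification part again after every permission change: a GRANT added later for convenience is the usual way a "pure user" role quietly grows into something that can alter tables.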
Second Security Measure: Encrypt Data And Connections
Secure user authentication alone, however, is not enough to ward off all cyber-attacks and must be supplemented with encryption. Both data encryption and transport encryption should be used. When configuring encryption, it is essential to use only secure, current methods, such as AES128 for data encryption and at least TLS 1.2 for transport encryption. Data encryption is aimed at the data stored in the tables: the data is encrypted with the corresponding functions of the database system before it is written to the database. With this form of encryption, attackers who get hold of the stored data cannot read it because they only see "cryptic" characters. Encryption may not be active when the database is initially configured, since a key must first be generated. Businesses should not forget to turn it on.
Even when data encryption is active, the data must be decrypted for transport between the database system and an application. Additional transport encryption is therefore necessary. A transport protocol such as TLS builds an encrypted tunnel between the two endpoints, the database and the application, and protects the application's connection to the database system from being eavesdropped on by cybercriminals.
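The two layers of encryption just described, as an added example in T-SQL that is not from the article: first the key generation and activation of file-level encryption (Transparent Data Encryption) with AES_128, which is exactly the "key must first be generated, then turn it on" step the text warns about; then a column encrypted with the database system's own functions before the row is written, so that a reader without the key only sees ciphertext; and finally the session view that shows whether connections are actually encrypted (the minimum TLS version itself is a server or platform setting, not a T-SQL statement). SalesDb, TdeCert, ColCert, CardKey, the table customer_card and the file paths are assumed placeholders, and the sample card number is constructed test data.

```sql
-- Added example, not from the article. Names and paths are placeholders.

-- 1) Data encryption of the database files (TDE). A key has to exist before
--    encryption can be switched on, which is why a new database starts unencrypted.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password kept in the vault>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
-- Export certificate and private key at once: without them an encrypted database
-- or its backups cannot be restored on any other server.
BACKUP CERTIFICATE TdeCert TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<second strong password>');
GO
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_128              -- AES-128 as recommended above; AES_256 is also available
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Check: encryption_state 3 means encrypted, 2 means encryption still in progress.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO

-- 2) Column encryption with the database system's own functions: the value is
--    encrypted before it is written, so the stored bytes are ciphertext.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<SalesDb master key password>';
CREATE CERTIFICATE ColCert WITH SUBJECT = 'Column encryption for SalesDb';
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_128 ENCRYPTION BY CERTIFICATE ColCert;
GO
CREATE TABLE dbo.customer_card (
    customer_id     int            NOT NULL PRIMARY KEY,
    card_number_enc varbinary(256) NOT NULL          -- ciphertext, never the clear value
);
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE ColCert;
INSERT INTO dbo.customer_card (customer_id, card_number_enc)
VALUES (1, ENCRYPTBYKEY(KEY_GUID('CardKey'), N'4111 1111 1111 1111'));   -- constructed test value
-- What anyone without the key sees when reading the table: "cryptic" bytes.
SELECT customer_id, card_number_enc FROM dbo.customer_card;
-- What an authorised session with the key open sees.
SELECT customer_id, CONVERT(nvarchar(32), DECRYPTBYKEY(card_number_enc)) AS card_number
FROM dbo.customer_card;
CLOSE SYMMETRIC KEY CardKey;
GO

-- 3) Transport encryption: TLS 1.2 as the minimum is configured on the server or
--    platform. This view lists sessions whose connection is NOT encrypted, i.e.
--    clients that still need to be fixed.
SELECT session_id, client_net_address, encrypt_option
FROM sys.dm_exec_connections
WHERE encrypt_option <> 'TRUE';
```

Both certificates (and their private keys) are now part of the disaster-recovery plan: store the exported files and their passwords away from the server, because an attacker with the files and the keys has everything, and an operator with the files but no keys has nothing.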
Third Security Measure: Use And Encrypt Backups
The database is already well protected by the strict authentication and encryption described above. Nevertheless, companies should take precautions for disaster recovery and enable the backup function. Most providers then back up the database daily and retain the copies. They reside in the provider's own storage areas, so only the backup procedure can access them. For increased security, it makes sense to store database copies elsewhere as well, in the case of a hyperscaler, for example, in another region. Some providers allow external storage, and specialised cloud services can take over the backup.
There are integrated functions for encrypting the backup copies, which are often not active at first. The companies using them should switch them on; otherwise, the backups are openly readable by anyone who gains access to the files. These basic security measures ensure that companies can take advantage of one of the most important benefits of cloud databases: easy and secure access from anywhere.
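The backup step, as an added T-SQL example that is not from the article: an unencrypted backup statement beside its encrypted form, the certificate export that makes the backup restorable elsewhere, and the checks that confirm the file is encrypted, intact and restorable. SalesDb, BackupCert, SalesDb_drill, the logical file names SalesDb and SalesDb_log, and all paths are assumed placeholders.

```sql
-- Added example, not from the article. Names, logical file names and paths are placeholders.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password kept in the vault>';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'BackupCert')
    CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO
-- Keep a copy of the certificate away from the server: an encrypted backup is
-- unreadable without it (the point of encrypting it), which also makes the
-- certificate part of the disaster-recovery plan.
BACKUP CERTIFICATE BackupCert TO FILE = 'D:\keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = '<second strong password>');
GO

-- Weak setting: the backup file is openly readable by anyone who obtains it.
-- BACKUP DATABASE SalesDb TO DISK = 'D:\backups\SalesDb.bak' WITH COMPRESSION;

-- Corrected: the backup is encrypted with AES-128 under the certificate.
BACKUP DATABASE SalesDb
    TO DISK = 'D:\backups\SalesDb_enc.bak'
    WITH COMPRESSION, CHECKSUM,
         ENCRYPTION (ALGORITHM = AES_128, SERVER CERTIFICATE = BackupCert);
GO

-- Check 1: the header shows the algorithm and the encryptor thumbprint used,
--          which is how you tell an encrypted file from a plain one.
RESTORE HEADERONLY FROM DISK = 'D:\backups\SalesDb_enc.bak';
-- Check 2: the file is complete and its checksums match, without restoring it.
RESTORE VERIFYONLY FROM DISK = 'D:\backups\SalesDb_enc.bak' WITH CHECKSUM;
-- Check 3: a backup is only worth something if it restores. Rehearse regularly,
--          ideally on another server after importing BackupCert there.
RESTORE DATABASE SalesDb_drill
    FROM DISK = 'D:\backups\SalesDb_enc.bak'
    WITH MOVE 'SalesDb'     TO 'D:\data\SalesDb_drill.mdf',
         MOVE 'SalesDb_log' TO 'D:\data\SalesDb_drill.ldf';
GO
```

With a managed (DBaaS) offering the BACKUP statement itself is replaced by the provider's backup setting, but the same three questions remain for the administrator: is backup encryption switched on, where are the keys kept, and when was a restore last rehearsed.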