Advantages of Using a Cloud Managed Database From a Security Perspective

The database is one of the most critical components of any tech company's ecosystem. From a business continuity point of view, the company cannot do business without a running database system, so a dedicated team is usually expected to manage it.

Purnaresa Yuliartanto
Geek Culture
4 min read · Mar 19, 2021


Cybersecurity attacks targeting databases are growing rapidly. A single data-leak incident can cost millions of dollars, and destructive attacks such as data wiping or ransomware can stop business activity instantly. Security is therefore not the responsibility of the database or cybersecurity team alone but a collaboration between all stakeholders around the database, including the infrastructure and development teams.

Hacked Database News

Objective

Analyze the threats involved in managing a database system and understand how to control them by leveraging a public-cloud managed database.

In most modern digital-native businesses, the activities related to the database are the following:

  • Storing data for applications
  • Replicating the database for high-performance data access
  • Redundancy for a high-availability setup
  • Backing up data for the business continuity plan
  • Managing DB credentials for application usage
  • Managing the DB server instances
Activity Around Database

Threat Vector

Server Instance Compromised

A high-availability, high-performance setup requires many servers, and every server inherits the vulnerabilities of its OS and hardware. An attacker who gains access to a server by exploiting such a weakness can read or alter the data, establish persistence, or move on to other hosts. Alternatively, they can simply target the server administrator's credentials to gain access.

Credential Leaked

Local database users authenticate with a username and password. This single-factor authentication is a weakness in the authentication process, and rotating or re-issuing credentials is not easy with a native DB engine, because every application holding the password has to be updated at the same time. Therefore, once an attacker obtains a credential during reconnaissance, they can use it to mount a more severe attack.

Backup Center Compromised

The backup store is as important as the primary database system; by design, it holds the same data. There are two points where a weakness can be exploited: the backup storage itself, and the data-transfer path to it. Many data-exfiltration incidents actually target the backup store rather than the live database.

Threat Analysis

Based on the threats above, we can update the previous diagram.

As a qualitative analysis, the following heatmap represents the threats every team must manage.

Threat Heatmap on self-managed database

Managed Database

A managed database is a service that provides a database system without the user having to operate the infrastructure. With a traditional (self-managed) database, the user must manage the infrastructure: provision the server, maintain the OS, and harden the instance. Supporting a business use case on a self-managed setup means handling everything from simple OS patching to complex database backups.

Self-managed database system responsibility

The self-managed database setup has been around for decades and is seen as the standard. The introduction of managed databases is changing the perspective on what the right design is: by letting the user focus on the database itself, a managed database reduces the database team's burden.

Managed database system responsibility

Managed Database Provider

Amazon Web Services — RDS

RDS is the managed database service of Amazon Web Services (AWS). It offers high availability through Multi-AZ deployments within a region, and read replicas to support high-performance read access. Database access can be authenticated with AWS IAM, which allows better credential management and distribution. Its pricing is relatively cheap compared with the man-hours an in-house team would need to set up and operate all of these features, and automated backups and automatic minor-version updates further reduce the database team's operational effort.
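To make the IAM point concrete, here is an added example (not code from the article or from AWS) of how an application can replace a static database password with a short-lived RDS IAM authentication token. It assumes an RDS PostgreSQL instance with IAM authentication enabled and a database user that has been granted the rds_iam role; the hostname, port, user name and region are placeholders. RDS tokens are valid for 15 minutes, so the helper re-fetches a token shortly before that. The production provider uses boto3 (generate_db_auth_token signs locally and makes no network call, but needs AWS credentials), and both the provider and the clock are injectable so the refresh logic can be exercised offline.

```python
"""Short-lived IAM token instead of a static DB password (added example).

Assumptions (not from the article): RDS PostgreSQL with IAM authentication
enabled, a database user granted the rds_iam role, and the placeholder
endpoint values below. boto3 and psycopg2 are imported lazily, so the module
also loads offline for the token-cache logic.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

TOKEN_LIFETIME_SECONDS = 15 * 60   # RDS IAM auth tokens expire after 15 minutes
REFRESH_MARGIN_SECONDS = 60        # fetch a fresh token this long before expiry

# Placeholder connection details (assumed, not a real endpoint).
DB_HOST = "app-db.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com"
DB_PORT = 5432
DB_USER = "app_user"     # created with: CREATE USER app_user; GRANT rds_iam TO app_user;
AWS_REGION = "us-east-1"

TokenProvider = Callable[[str, int, str, str], str]


def rds_token_provider(host: str, port: int, user: str, region: str) -> str:
    """Production provider: pre-signs a connect request with the caller's AWS
    identity. No network call is made, but AWS credentials must be available."""
    import boto3  # lazy import: only needed when talking to AWS
    rds = boto3.client("rds", region_name=region)
    return rds.generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=user, Region=region
    )


@dataclass
class IamTokenCache:
    """Hands out the current token and refreshes it before it expires."""
    host: str
    port: int
    user: str
    region: str
    provider: TokenProvider = rds_token_provider
    clock: Callable[[], float] = time.time   # injectable for offline testing
    fetch_count: int = 0                     # how many tokens were requested
    _token: Optional[str] = field(default=None, repr=False)
    _issued_at: float = 0.0

    def is_stale(self) -> bool:
        """True when no token is held or it is within the refresh margin of expiry."""
        if self._token is None:
            return True
        age = self.clock() - self._issued_at
        return age >= TOKEN_LIFETIME_SECONDS - REFRESH_MARGIN_SECONDS

    def token(self) -> str:
        if self.is_stale():
            self._issued_at = self.clock()
            self._token = self.provider(self.host, self.port, self.user, self.region)
            self.fetch_count += 1
        return self._token


def connect(cache: IamTokenCache, dbname: str):
    """Open a connection using the token as the password. IAM authentication
    on RDS requires TLS, hence sslmode=require."""
    import psycopg2  # lazy import: the driver is only needed at runtime
    return psycopg2.connect(
        host=cache.host, port=cache.port, user=cache.user, dbname=dbname,
        password=cache.token(), sslmode="require",
    )


if __name__ == "__main__":
    cache = IamTokenCache(DB_HOST, DB_PORT, DB_USER, AWS_REGION)
    with connect(cache, "orders") as conn:
        with conn.cursor() as cur:
            cur.execute("SELECT current_user")
            print(cur.fetchone())
```

The token is still a bearer secret for up to 15 minutes and is bound to one user and host, so a leaked token is far less valuable than a static password, and no password needs to be distributed to or rotated in application configuration at all.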


Google Cloud Platform — Cloud SQL

Google Cloud Platform (GCP) offers its managed database as Cloud SQL. It supports high availability, automated backups, and access authenticated with GCP IAM. It also uses the pay-as-you-go model, which makes cost management easier.


Verdict

Based on the features the two public clouds offer, here are the highlights from a security perspective:

  • secure, provider-maintained servers to host the database
  • flexible access to the database, including IAM-based authentication
  • integrated backup functionality

The heatmap below shows the advantage of the managed database.

Threat Heatmap using Managed Database

By leveraging a managed database from the public cloud, we transfer the infrastructure threats (server compromise, OS patching, backup storage) to the service provider, while credential hygiene and the configuration of the service remain our responsibility. This approach lets us focus on providing a database that scales well and is also secure.
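The provider operates the servers, but the security-relevant settings of the instance (public exposure, encryption, IAM authentication, backup retention, Multi-AZ, deletion protection, automatic patching) are chosen by the customer, so they are worth checking regularly. Here is an added example (not from the article and not an AWS tool) that audits those fields of an RDS instance description. audit_instance works on the dict shape that describe_db_instances returns for each instance; the two sample descriptions and the 7-day retention threshold are constructed assumptions, and fetch_instances pulls live descriptions with boto3 when credentials are available.

```python
"""Audit the security settings of RDS instances (added example, not the
article's code and not an AWS tool).

audit_instance() inspects the dict returned for each instance by
rds.describe_db_instances(); fetch_instances() pulls real ones with boto3.
The sample descriptions and the retention threshold below are constructed
assumptions so the script runs stand-alone.
"""
from typing import Dict, List

MIN_BACKUP_RETENTION_DAYS = 7   # assumed policy value; set your own


def audit_instance(inst: Dict) -> List[str]:
    """Return a list of findings; an empty list means the instance passes."""
    findings: List[str] = []
    if inst.get("PubliclyAccessible"):
        findings.append("publicly accessible: endpoint reachable from the internet")
    if not inst.get("StorageEncrypted"):
        findings.append("storage not encrypted at rest")
    if not inst.get("IAMDatabaseAuthenticationEnabled"):
        findings.append("IAM database authentication disabled: only static passwords")
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention == 0:
        findings.append("automated backups disabled (BackupRetentionPeriod=0)")
    elif retention < MIN_BACKUP_RETENTION_DAYS:
        findings.append(f"backup retention {retention}d below {MIN_BACKUP_RETENTION_DAYS}d")
    if not inst.get("MultiAZ"):
        findings.append("single-AZ: no automatic failover")
    if not inst.get("DeletionProtection"):
        findings.append("deletion protection off")
    if not inst.get("AutoMinorVersionUpgrade"):
        findings.append("automatic minor version upgrades off: engine patches not applied")
    return findings


def audit_all(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map each instance identifier to its findings."""
    return {i["DBInstanceIdentifier"]: audit_instance(i) for i in instances}


def fetch_instances(region: str) -> List[Dict]:
    """Pull live instance descriptions (needs boto3 and AWS credentials)."""
    import boto3  # lazy import so the audit logic runs without it
    rds = boto3.client("rds", region_name=region)
    instances: List[Dict] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return instances


# Constructed samples in the describe_db_instances shape (not real instances).
SAMPLE_WEAK = {
    "DBInstanceIdentifier": "legacy-crm",
    "PubliclyAccessible": True,
    "StorageEncrypted": False,
    "IAMDatabaseAuthenticationEnabled": False,
    "BackupRetentionPeriod": 0,
    "MultiAZ": False,
    "DeletionProtection": False,
    "AutoMinorVersionUpgrade": False,
}
SAMPLE_HARDENED = {
    "DBInstanceIdentifier": "prod-orders",
    "PubliclyAccessible": False,
    "StorageEncrypted": True,
    "IAMDatabaseAuthenticationEnabled": True,
    "BackupRetentionPeriod": 14,
    "MultiAZ": True,
    "DeletionProtection": True,
    "AutoMinorVersionUpgrade": True,
}

if __name__ == "__main__":
    # Replace the samples with fetch_instances("us-east-1") for a live audit.
    for name, findings in audit_all([SAMPLE_WEAK, SAMPLE_HARDENED]).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running the same checks on every instance, on a schedule, is how the "transfer" of infrastructure threats to the provider is kept honest: an instance that is publicly accessible with a static password and no backups is self-managed risk hosted on someone else's servers.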


IT architect at the best cloud provider on the planet. Experienced in cybersecurity and tech fire-fighting.