Advantages of Using a Cloud Managed Database From a Security Perspective
The database is one of the most critical components in any tech company's ecosystem. From a business continuity point of view, the company can't do business without a running database system. It's expected to have a dedicated team to manage the database.
Cybersecurity attacks related to the database are growing exponentially. A single data leak incident can cost a million dollars. Even worse, attacks such as data destruction or ransom can stop business activity instantly. Cybersecurity is not just the Database or Cybersecurity team's responsibility but a collaboration of all stakeholders related to the database, including the Infrastructure and Developer teams.
Objective
Analyze the threats involved in managing a database system and understand how to control them by leveraging a public cloud managed database.
In most modern digital-native businesses, the activities related to the database are the following:
- Storing data for application
- Replication of database for high-performance data access
- Redundancy for high-availability setup
- Backup data for a business continuity plan
- Managing DB credential for application usage
- Managing the DB Server instance
Threat Vector
Server Instance Compromised
Many servers are needed to support the high-availability and high-performance setup. A server, as a technology component, inherits threats by nature from OS and hardware vulnerabilities. When attackers can access the server by exploiting such a weakness, they can do many things. Or they can simply target the server administrator to gain access to the server.
Credential Leaked
Local user access in the database is authenticated using a username and password. This single-factor authentication creates a weakness in the authentication process. Renewing or recreating credentials is not easy in the native DB engine. Therefore, when attackers obtain a credential through successful reconnaissance, they can use it to mount a more severe attack.
Backup Center Compromised
The backup center is as important as the primary database system. By design, they should hold the same data. There are two points where a weakness can be exploited: one is the backup storage, and the other is the data transfer access. Most incidents related to data exfiltration actually target the database backup center.
Threat Analysis
Based on the threats above, we can update the previous diagram.
As a qualitative analysis, the following heatmap represents the threats every team must manage.
Managed Database
A managed database is a solution that provides a database system where the user does not have to operate the infrastructure. In a traditional (self-managed) database, the user must manage the infrastructure, provide the server, maintain the OS, and harden the instance. Supporting business use cases with a self-managed database setup requires us to handle everything from simple OS patching to complex database backup.
The self-managed database setup has been around for decades and is seen as the standard setup. But the introduction of the managed database is changing the perspective of what the right design is. By allowing the user to focus on the database, the managed database reduces the database team's burden.
Managed Database Provider
Amazon Web Service — RDS
RDS is a managed database by Amazon Web Services (AWS). It offers high availability by using Multi-Availability Zone deployment in each region. We can also set up replication to support high-performance read access, and access the database using AWS IAM for better credential management and distribution. The most important thing is the pricing, which is relatively cheap compared to the man-hours required to set up and operate all of these features with an in-house team. The database team's operational effort is reduced by the auto backup and auto-update features of AWS RDS.
Check here for more info.
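The RDS features named above (Multi-AZ, IAM access, auto backup, auto-update) are only controls if they are actually switched on. The following added example, which is not part of the original article or AWS's own code, audits an instance description for them; the field names are those of the `aws rds describe-db-instances` response, while the instance names and values are constructed.

```python
import json

# Constructed sample, shaped like `aws rds describe-db-instances` output.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "MultiAZ": true,
   "IAMDatabaseAuthenticationEnabled": true,
   "BackupRetentionPeriod": 7, "AutoMinorVersionUpgrade": true},
  {"DBInstanceIdentifier": "orders-legacy", "MultiAZ": false,
   "IAMDatabaseAuthenticationEnabled": false,
   "BackupRetentionPeriod": 0, "AutoMinorVersionUpgrade": false}
]}
""")

# (API field, passing condition, area from the article, finding text)
CHECKS = [
    ("MultiAZ", lambda v: v is True,
     "High availability", "Multi-AZ deployment is disabled"),
    ("IAMDatabaseAuthenticationEnabled", lambda v: v is True,
     "Credential Leaked", "IAM database authentication is disabled"),
    # A retention period of 0 means automated backups are turned off.
    ("BackupRetentionPeriod", lambda v: type(v) is int and v > 0,
     "Backup", "automated backups are disabled"),
    ("AutoMinorVersionUpgrade", lambda v: v is True,
     "Server Instance Compromised", "automatic minor version upgrade is disabled"),
]


def audit(description):
    """Return {instance identifier: [findings]} for every instance described."""
    report = {}
    for inst in description.get("DBInstances", []):
        name = inst.get("DBInstanceIdentifier", "<unnamed>")
        findings = []
        for field, passes, area, message in CHECKS:
            # A missing field counts as a finding instead of passing silently.
            if field not in inst or not passes(inst[field]):
                findings.append(f"{area}: {message}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

To run it against a real account, feed `audit()` the parsed JSON from `aws rds describe-db-instances` instead of `SAMPLE`.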
Google Cloud Platform — Cloud SQL
Google Cloud Platform (GCP) offers its managed database under the name Cloud SQL. It supports high availability, auto backup, and access using GCP IAM. It also uses the pay-as-you-go model, which makes managing costs easier.
Check here for more info.
Verdict
Based on the features that the two public clouds offer, here are the highlights from a security perspective.
- secure servers to host the database
- flexible access to the database
- integrated backup functionality
We can see the advantage of the managed database from this heatmap.
By leveraging a managed database from the public cloud, we can transfer the threat to the service provider. This approach allows us to focus on providing a database that scales well and is also secure.