Cloud computing has the market divided into two groups. There are the proponents of cloud and then there are the opponents of cloud. The cloud proponents have always sung praises about cloud’s scalability, ease of deployment, and reduced cost of IT ownership. But the opponents have always cautioned against security issues of cloud. And with Amazon’s not-so-distant cloud outage, concerns over cloud’s dependability and security have once again reared their head.
And who can blame them? We already had debates going around cloud’s multi-tenancy and gray area traits. And then all of a sudden we have a name like Amazon going down with “black eye”. As a result, the market has grown wary of cloud. And what’s really giving CTOs restless nights is securing a database in cloud environment.
Now when we say database security, let’s understand that a database does not stand alone in an enterprise. It is part of larger IT network of an enterprise. It has an application sitting on top of it and a host that it interacts with. So when we talk about securing database, the security measures span across network, application, and host. We are already familiar with how to secure these three things. So then what makes it so difficult to secure database in a cloud environment?
Frequent Changes to Environment
The one particular trait that has made cloud so popular is its agility and flexibility. But this is also proving to be its fundamental nemesis. Servers in a cloud environment are continually provisioned and de-provisioned. Every single instance of provisioning and de-provisioning makes these servers and databases residing in them soft targets for hackers.
Secondly, clouds are highly dynamic in nature. But they are also non-transparent in character. As it is, it’s difficult to precisely locate where an application sits in a cloud environment. Add to that the non-transparency factor and you won’t be able to map data exchange. It’s difficult to monitor data access and its use. It’s even more difficult to identify any sort of data tampering or alteration.
So what we really need here is an architecture that can do three things – locate databases in cloud, centrally log database activities, and flag suspicious activities or access.
Loss of Control in Clouds
Loss of control is second nature to cloud environments, especially public clouds. The public clouds have applications of various enterprises residing in the same cloud space. This makes it all the more important that we secure our databases. But in public clouds it’s not only the hackers that we need to worry about. We have employees – current and ex of our enterprise and the cloud service provider – as potential threats. Losing control in such a setting is almost suicidal. Our best bet here is to limit the number of people with full database access privilege to the minimum, vet the people working with the database thorough, and if possible log their access activities through a central repository.
Network Latency Issues
We do have suggestions for off-host processing making rounds in the market. But today, most of the cloud computing resources are made available via WAN. The network bandwidth of such WANs makes off-host processing less viable. The very non-transparent nature of cloud environments makes it difficult to collocate a server with nearby lying databases. As a result, we end up spending additional resources and time on remotely processing every single transaction. The additional time means we may not be really able to prevent malicious attacks in a timely manner. The time lag can also affect application performance. And the additional cost does not make sense because the whole reason behind opting for a cloud environment is cost containment.
So this is again where the industry think-tank needs to do some serious thinking. However, we do have distributed monitoring solutions using sensors that flag local alerts becoming increasingly popular.
Privileged Users Conundrum
Privileged users are the most difficult to monitor in a cloud environment. But who are privileged users? These are the people have access rights to a database and system administrators. With unfettered authority, these privileged users can manipulate sensitive data and then smartly cover up their tracks. Now, in a typical cloud environment there are multiple applications residing with their own set of privileged users. In absence of effective security checks, it’s easy for any one of these users to maliciously compromise your database.
The problem gets compounded in a public cloud environment. Unlike private cloud, you cannot perform background checks on privileged users of third party applications co-habiting with you. As a result, many enterprises have resorted to stealth monitoring of third party privileged users – an act often challenged on ethical grounds.
Clouds are certainly fraught with big time security issues. Some of these are grave enough to discourage enterprises off of cloud hosting. And then we have the recent failures which have done no good to cloud’s reputation. But at the same time, the advantages offered by cloud environments are just too good to pass up for enterprises. So we need to start working our way around these security concerns for clouds are certainly here to stay!
