Contributed by Ken Rugg
There has been a lot of talk about database automation in the last six months and how, as if by magic, it will mean companies no longer have to worry about cyber-security. Sadly, the reality is somewhat different. Automating database functionality does not absolve you of your security related responsibilities.
There are five primary issues:
The on-premises world is different to Cloud: you need to evaluate the completeness of the Cloud offering you are moving to. Gartner has been critical of the completeness of the Oracle Cloud for Infrastructure-as-a-Service saying it "remains a bare-bones ‘minimum viable product." Some commentators also worry that customers assume their existing security policies and tools will work in exactly the same way in the Cloud.
CSPs limit their level of liability: They see their responsibility as managing the Cloud service not the data itself as Lloyd’s of London recently stated.
Protecting data in the Cloud: CSPs will provide a level of support to resolve issues, but if your database involves complex integrations or customisations, you will be expected to take out further support packages.
Living in a multi-Cloud world: According to a study by Microsoft and 451 Research, nearly a third of organisations work with three to four cloud vendors. The security capabilities of these platforms may not all be on the same level and customers must be able to share data between these platforms. If APIs for data transfer are not robust and secure, it will create points of weakness for hackers.
So, if these challenges remain, even with the ability to automate security in the Cloud, how should customers respond? With cyber-security threats being so dynamic planning is clearly essential as it allows your organisation to map out a framework and ground rules to model what your Cloud environment will look like. It will also be important that your strategy, processes and execution are not rigid and have the agility to adapt to the changing threats. As you consider your strategy for security in the Cloud it will be critical to consider the following:
Keep it simple: far easier said than done when shifting legacy databases to the Cloud but using the opportunity of migration to consolidate and simplify your database infrastructure will be important for your governance processes.
Think about the threat vectors: Just as you do on-premises, you must develop a good understanding of what types of threats you are protecting against and ensure that you have a multi-layered strategy to mitigate the risks of these potential attacks.
Know who is accessing your data: It is likely you are using multiple CSPs for different aspects of your Cloud strategy. This creates the potential for multiple access points, which in turn can become a source of security vulnerabilities.
Integrated security strategy: A recent report by Fortinet suggested that companies, who have an integrated approach to cyber-security and create a unified security architecture are less likely to see security breaches.
The support and expertise on offer: If you choose a vanilla implementation of a Cloud application then vendors are more willing to offer full support, but if you have a highly customised database this increases the complexity and therefore the risk for the vendor.
Consider open source: Historically there have been scare stories that open source is less secure, but that argument has run out of steam. Most experts agree open source is just as secure and insecure as closed source software. Of course, I would argue that in the era of Cloud Computing open source offers a faster and more agile way to adopt and adapt to changing security requirements.
Not only do the good communities have a "many eyes" operating model they are underpinned by a principle of collaboration. In today’s dynamic digital world the only way to protect your data is to adopt a collaborative approach where specialist security software can be quickly integrated with your core environment - the "openness" of open source means it is hardwired for such collaboration.
Ultimately, shifting legacy databases to the Cloud will help you to streamline your business, but sticking with the traditional commercial vendors and their promises of security automation will not guarantee you are more secure. If you want to be highly innovative I would strongly recommend considering an open source approach, because it will not only simplify database migration, but support a dynamic, responsive security strategy in the Cloud. It will reduce your total cost of ownership and provide the freedom to integrate the security solutions that are right for your business, which will be critical in an agile Cloud world.
This article first appeared in SC Media UK, the leading information resource for cyber-security professionals in the UK and Europe, on October 18, 2018.