Perimeter
5/10/2011
04:36 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Secure Access To Relational Data

How to secure relational data in cloud data centers

Use of data in the cloud does not differ all that much from traditional in-house database systems, but there are a couple important differences in how you secure data in a cloud environment. Databases still provide the essential infrastructure to house, manage, and secure data. We still need to authenticate and authorize users as a first line of defense to gate access. And we want to encrypt communication sessions to avoid eavesdropping.

But in cloud environments, elasticity, easy replication, and manage-from-anywhere interfaces mean we have the added responsibility to validate the application before allowing the instance to access a database and provide service. We need to approve new images or recovered snapshot to ensure we have control of the environment. We still need monitor activity, and use obfuscation and rights management tools to provide fine-grained access controls avoid data leakage. The good news is there are lots of options at our disposal. Implementation can be trivial to complex depending upon the threats you want to address.

So keep in mind the goal here is to validate data use, filling in with security features that are absent from the database or application.

* Credentials & Authorization: For users, all cloud services provide access control services or support systems. SaaS and IaaS providers include support as part of your basic service. For PaaS you have both support from the vendor as well whatever additional credentialing systems you choose to deploy; external validation, database internal access controls or a hybrid model. Use of external LDAP services remains the most popular choice. Authenticating the database images on startup is where things get more difficult.

Most customers require unattended database startup because you can't count on an administrator being present whenever you want to spin up a new database instance. Embedding credentials into the database images of IaaS/PaaS is the common method to address this problem. While this is really handy to allow databases images to start up and run on demand by grabbing a credential file, it's extremely difficult to do safely as the credentials can be stolen by anyone who can access the image files. I suggest using encryption and key management to validate the instances/hosts as discussed below.

* Key Management:Some encryption providers are using key management to help validate instances. For example, data volumes are encrypted, and before an application can access that data volume, you authenticate the instance before providing keys that allow access to data archives. In this way you can guard against rogue instances being used to steal database contents or fool users into submitting sensitive data to the unauthorized instance. Not every key management server has this capability, and by default 'unattended mode' of key managers that support transparent database encryption do not protect you. Verify that the service can both validate the credentials as well as the instances allowed. Use of application layer encryption - to encrypt data prior to storing it in the database, is another strategy; that way the application decides proper use cases.

* Encryption: You will want to encrypt the data volume, or use transparent encryption, to protect data archives. This option only exists in PaaS environments as it's up to the service provider for IaaS/SaaS.

* Monitoring: Database Activity Monitoring remains an important part of validating database usage for cloud deployments. You will need to verify that your IaaS/SaaS vendor will allow you to install agents to collect activity. Depending upon the vendors deployment architecture, they can't conceal other customers information in a multi-tenant environment, and therefore cannot provide activity data to you. Still others virtualize the application itself, making it impossible to install a protocol stack agent. Verify with your provider what they allow and see if that matches your DAM deployment options. For PaaS environments you can deploy virtual appliances or software, with the agent feeding events into the server. Selected PaaS providers allow configuration of network 'nodes', so you can route database requests betwee

* Labeling & Masking: These obfuscation technologies help conceal sensitive information. Labeling is a method of tagging rows that are to be read by members of select groups, offering fine grained restriction to data access. In cases where it's not possible to fully trust the user, masking returns a facsimile of the original data in the query results. The result set has the same look and format, but it's random or scrambled - to conceal the actual data.

Object-level controls -- for schemas, tables, columns --- function the same.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.

Quick reference: Part 1 Intro, Part 2 Cloud Database Models, Part 3 Data Security Lifecycle, Part 4 Create and Part 5 Store. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-0658
Published: 2015-03-27
The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network, aka Bug ID CSCur14589.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.