Published byRosamund Nelson Modified over 8 years ago
Slide 1: Securing Databases in the Cloud
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
Principal, nControl, LLC
Adjunct Professor
President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
Slide 2: Presentation Overview
– Cloud Overview
– Database Overview
– Big Data Overview
– Cloud-Based DB Solutions
– Securing Cloud-Based DB Solutions
  • Vulnerabilities Found in Cloud-Based Offerings
  • Securing Your Relational Cloud-Based Offerings
  • Securing Your Non-Relational Cloud-Based Offerings
– Privacy & Data Protection for Cloud-Based DBs
– Case Study: MySQL & SimpleDB in the Cloud
Slide 3: [figure] Source: NIST
Slide 4: Service Delivery Models [figure] Source: Swain Techs
Slide 5: [figure] Source: Matthew Gardiner, Computer Associates
Slide 6: Database Overview
– Database Management Systems
  • Relational Database Management Systems (RDBMS)
  • Object-Oriented Database Management Systems (OODBMS)
  • Non-Relational, Distributed DB Mgmt Systems (NRDBMS) – Not Only Structured Query Language (NoSQL)
– Online Transaction Processing (OLTP)
  • Real-Time Data Warehousing
– Online Analytical Processing (OLAP)
  • Operational Data Stores (ODS)
  • Enterprise Data Warehouse (EDW)
Slide 7: Database Overview
– Online Analytical Processing (OLAP)
  • Business Intelligence (BI)
    » Data Mining
    » Reporting
    » OLAP
Slide 8: Database Overview
– OLAP (Continued)
  • Business Intelligence (BI) (Continued)
    » OLAP (Continued)
      - Relational OLAP (ROLAP)
      - Multi-Dimensional OLAP (MOLAP)
      - Hybrid OLAP (HOLAP)
[figure: three data flows, each OLTP → ODS → EDW (Data Marts) → BI, ending in BI (Data Mining), BI (Reporting) and BI (OLAP) respectively]
Slide 9: Big Data Overview
– Aggregated Data From the Following Sources:
  • Traditional
  • Sensory
  • Social
– Aggregators Predominantly: NRDBMS
  • Column Family Stores: Cassandra (FB), BigTable (Google), HBase (Apache)
  • Key-Value Stores: App Engine Datastore (Google), DynamoDB & SimpleDB (AWS)
  • Document Databases: CouchDB, MongoDB
  • Graph Databases: Neo4J
Slide 10: Big Data Overview
– Serial Processing
  • Hadoop
    » Hadoop Distributed File System (HDFS)
    » Hive – DW
    » Pig – Querying Language
  • Riak
– Parallel Processing
  • HadoopDB
– Analytics
  • Google MapReduce
  • Apache MapReduce
  • Splunk (for Security Information / Event Management [SIEM])
Slide 11: [figure] Source: Cloudera
Slide 12: [figure] Source: Wikispaces
Slide 13: [figure] Source: Google
Slide 14: [figure] Source: Cloudera
Slide 15: Cloud-Based Database Solutions
– PaaS
  • DBaaS
    » Force.com
    » Intuit QuickBase
    » Amazon Web Services (AWS)
      - Relational Database Service (RDS): Oracle 11g / MySQL
      - DynamoDB
      - SimpleDB
    » Google App Engine
      - Datastore
    » Oracle Public Cloud
      - 11g
Slide 16: Cloud-Based Database Solutions
– IaaS
  • Build MySQL, Microsoft SQL Server, or Oracle 11g Instance
  • Leverage Compute Node & Storage Node Effectively
    » AWS Elastic Compute Cloud (EC2)
    » AWS Elastic Block Store (EBS)
    » OpenStack Compute (Nova)
    » OpenStack Storage (Swift)
Slide 17: Vulnerabilities Found in Cloud-Based DB Solutions
– General Cloud Service
  • Middleware Vulnerabilities
    » Open / Java Database Connectivity (ODBC / JDBC) Attacks
  • Database Vulnerabilities
    » Improper (Logical) Access Controls
    » Change / Configuration Management
    » Backups
    » Multi-Tenancy
  • Virtualization Vulnerabilities
    » Insecure Hypervisor / Management Backplane
      - Hyperjacking – Rogue Hypervisor
      - Virtual Machine (VM) Theft – Data Loss
      - VM Hopping – One VM to Another
      - VM Sprawl – Unmanaged (Legacy) VMs
      - VM Escape – One VM to Another
Slide 18: Vulnerabilities Found in Cloud-Based DB Solutions
– General Cloud Service (Continued)
  • Internal (Cloud Service Provider) Attack Vectors:
    » Legacy Accounts
      - Automate Provisioning / De-Provisioning
    » Lack of Segregation / Separation of Duties
    » Lightweight Directory Access Protocol (LDAP) Injection
  • Application Vulnerabilities:
    » SQL Injection
    » Cross-Site Scripting (XSS)
    » Cross-Site Request Forgery (XSRF)
Slide 19: Vulnerabilities Found in Cloud-Based DB Solutions
– IaaS
  • Infrastructure:
    » Improper Physical Access Controls
    » Change / Configuration Management
    » Physical Separation of Compute & Storage Nodes
      - Performance Degradation
    » Backups
      - VM Backup Location, Jurisdiction
      - Data File Backup Location, Jurisdiction
  • Operating System (OS):
    » Improper (Logical) & Physical Access Controls
    » Change / Configuration Management
Slide 21: [figure] Source: Flickr
Slide 22: Securing Relational Cloud-Based DB Solutions
– PaaS
  • DBaaS
    » SIEM
    » Logical Segregation / Separation of Duties (DBA, Developer)
    » Enforce Logical Access Controls
      - Virtual Firewalls
    » Encryption
      - Enforce Compliance Encryption Requirements for Data
      - Public Key Infrastructure (PKI): Remote & Application Access
      - Key Management
    » User Rights Management (URM)
      - Identity & Access Management (IAM)
Slide 23: [figure] Source: Chris Brenton
Slide 24: [figure] Source: FireRack
Slide 25: [figure] Source: Chris Brenton
Slide 27: [figure] Source: Chappell & Associates
Slide 33: Securing Relational Cloud-Based DB Solutions
– PaaS
  • DBaaS (Continued)
    » Backups & Disaster Recovery
      - Physically / Geographically Separate
      - Build RTO & RPO Into SLA
      - Regularly Test (Semi-Annually)
    » Application & Middleware-Level Security
      - Web Application Firewalls (WAF) / Proxy
      - XML Firewalls
      - Security Development Lifecycle (SDL)
      - Static Application Security Testing (SAST)
      - Dynamic Application Security Testing (DAST)
Slide 34: [figure] Source: Imperva
Slide 35: [figure] Source: SANS
Slide 36: [figure] Source: Microsoft
Slide 39: Securing Relational Cloud-Based DB Solutions
– PaaS
  • DBaaS (Continued)
    » AWS RDS Oracle 11g & Java Apache Tomcat EC2 Scenario:
      - Set Up VPC (Public & Private Subnets via NAT) w/ IPsec VPN
      - Set Up App Security Group
      - Build Public App Instance on EC2 w/ Java & Apache Tomcat
      - Set Up DB Security Group w/ App Security Group Added
      - Build Private AWS RDS Oracle 11g DB
      - Leverage PL/SQL Audit Triggers for Compliance
      - Leverage CloudWatch for App & DB Instances
      - Leverage Prepared Statements & Error / Exception Handling
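The last three steps of the scenario above (audit triggers, prepared statements, error handling) are the ones the application code itself has to get right. The following is an added example, not code from the slides or from the speaker: it uses Python's sqlite3 as an offline stand-in for the Oracle 11g / JDBC pairing in the scenario, so the audit trigger is written in SQLite's trigger dialect rather than PL/SQL, and the table, rows and function names are constructed for the demonstration. It puts a string-built query next to its parameterized replacement, records every change through a trigger, and shows an update path that returns a generic status instead of leaking driver error text to the caller.

```python
"""Added example (not from the slides): parameterized queries, an audit
trigger and exception handling for the RDS / Tomcat scenario, shown with
Python's sqlite3 as an offline stand-in for Oracle 11g + JDBC.  The table,
rows and function names below are constructed for this demo."""
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory DB with a patient table, an audit table and an audit trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patient (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT);
        CREATE TABLE patient_audit (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            patient_id INTEGER, old_name TEXT, new_name TEXT,
            changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
        -- SQLite counterpart of the PL/SQL audit trigger on slide 39:
        -- every UPDATE of name leaves a before/after row for compliance review.
        CREATE TRIGGER patient_upd AFTER UPDATE OF name ON patient
        BEGIN
            INSERT INTO patient_audit (patient_id, old_name, new_name)
            VALUES (OLD.id, OLD.name, NEW.name);
        END;
        INSERT INTO patient (mrn, name) VALUES ('MRN-001', 'Alice Example');
        INSERT INTO patient (mrn, name) VALUES ('MRN-002', 'Bob Example');
    """)
    return conn


def find_by_mrn_vulnerable(conn: sqlite3.Connection, mrn: str) -> list:
    """String-built SQL: the caller's input becomes part of the statement,
    so a crafted value changes the WHERE clause instead of being matched."""
    sql = f"SELECT mrn, name FROM patient WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def find_by_mrn(conn: sqlite3.Connection, mrn: str) -> list:
    """Prepared statement: input travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT mrn, name FROM patient WHERE mrn = ?", (mrn,)).fetchall()


def rename_patient(conn: sqlite3.Connection, patient_id: int, new_name: str) -> dict:
    """Parameterized update inside a transaction.  Driver errors are caught
    and mapped to a generic status; the detail belongs in server-side logs
    (CloudWatch in the scenario), not in the response to the client."""
    try:
        with conn:  # commits on success, rolls back if the body raises
            cur = conn.execute(
                "UPDATE patient SET name = ? WHERE id = ?", (new_name, patient_id))
            if cur.rowcount == 0:
                raise LookupError("no such patient")
        return {"ok": True}
    except sqlite3.DatabaseError:
        return {"ok": False, "error": "database error"}
    except LookupError:
        return {"ok": False, "error": "not found"}


def audit_rows(conn: sqlite3.Connection) -> list:
    """Trail written by the trigger; nothing in the app code writes it directly."""
    return conn.execute(
        "SELECT patient_id, old_name, new_name FROM patient_audit").fetchall()
```

Running `find_by_mrn_vulnerable` and `find_by_mrn` with the same crafted input makes the difference concrete: the string-built query returns every row, the parameterized one returns none, because the bound value is compared as data. The audit table fills in through the trigger alone, so an application bug or a direct DBA session cannot skip it the way application-level logging can.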
Slide 41: Securing Relational Cloud-Based DB Solutions
– IaaS
  • Server / Infrastructure
    » Physical Access Controls
    » Hypervisor / Management Backplane
      - Grouping – Segmenting VMs
      - Generalization – Leveraging a Template
      - Aspect-Oriented Management – Tiering
      - Automation – Provisioning
      - Air Gapping – Siloed Virtual Networks (VLANs)
Slide 42: Securing Relational Cloud-Based DB Solutions
– IaaS
  • OS
    » OS Firewalls (Windows)
    » Patching / Configuration Management (Chef / Puppet)
    » PKI Encryption
      - Key Management
    » Logical Access Controls
    » Anti-Virus (AV)
    » Authentication, Authorization & Accounting (AAA)
      - IAM
    » Vulnerability Assessment Scanning
      - Amazon Elastic Compute Cloud (EC2) Instance: CloudInspect
Slide 46: [figure] Source: CORE
Slide 47: Securing Relational Cloud-Based DB Solutions
– IaaS
  • Database
    » Backups
    » URM
    » Segregation / Separation of Duties
    » Vulnerability Scanning
      - McAfee Database Security Scanner (DSS) for MS SQL Azure
    » Database Activity Monitoring (DAM)
      - Database Firewall
    » IAM
Slide 48: [figure: AWS architecture diagram with labels Internet, AWS Cloud, EC2 Availability Zone, EC2, S3 Storage, EBS, EBS Snapshot] Source: Amazon
Slide 49: [figure] Source: McAfee
Slide 50: [figure] Source: Application Security
Slide 51: [figure] Source: Oracle
Slide 52: Securing Relational Cloud-Based DB Solutions
– IaaS
  • Database
    » LAMP Stack & phpMyAdmin Scenario:
      - Set Up VPC (Public & Private Subnets) via NAT
      - Set Up App Security Group
      - Build Public App Instance on EC2 w/ LAP & phpMyAdmin
      - Set Up DB Security Group w/ App Security Group Added
      - Build Private MySQL DB Instance on EC2 w/ Encrypted EBS
      - Leverage CloudWatch for App & DB Instances
Slide 59: Securing Relational Cloud-Based DB Solutions
– IaaS
  • Storage
    » PKI Encryption
      - Key Management
    » Logical Access Controls
      - RBAC Groups (OpenStack Swift)
    » Authentication, Authorization & Accounting (AAA)
      - IAM
    » Monitoring
    » Information Governance
      - Lifecycle
Slide 62: Securing Relational Cloud-Based DB Solutions
– IaaS
  • Database
    » IAM
      - Federated Identity
        · Security Assertion Markup Language (SAML)
        · Open Authorization (OAuth)
        · Representational State Transfer (REST)
        · AWS IAM
        · Windows Azure Access Control Service (ACS)
        · Web Services – Trust Language (WS-Trust)
        · Active Directory Federation Services (ADFS)
        · Microsoft Federation Gateway (MFG)
Slide 63: [figure] Source: OASIS
Slide 64: [figure] Source: Intuit
Slide 65: [figure] (bullet text repeats slide 62)
Slide 66: [figure] Source: OASIS
Slide 67: [figure] (bullet text repeats slide 62)
Slide 68: [figure] Source: Apache
Slide 72: [figure] (bullet text repeats slide 62)
Slide 73: [figure] Source: OASIS
Slide 74: [figure] (bullet text repeats slide 62)
Slide 75: [figure] Source: Microsoft
Slide 76: [figure] Source: Chappell & Associates
Slide 77: [figure] Source: Microsoft
Slide 78: Securing Relational Cloud-Based DB Solutions
– IaaS
  • Application & Middleware
    » WAF / Proxy
    » XML Firewall
    » SDL
    » SAST
    » DAST
Slide 79: Securing NRDBMS Cloud-Based DB Solutions
– General
  • Focus on Application / Middleware-Level Security
    » SQL Injections Are Still Possible
    » Leverage Application IAM for NRDBMS URM
    » Leverage Application & System Logging for AAA
  • Segregation of Duties
    » Read / Write Namespaces
    » Read-Only Namespaces
    » Specific Document
  • Consistency Assurance
    » Key / Value – Ensure Referential Integrity
Slide 82: Privacy & Data Protection for Cloud-Based DBs
– Jurisdictions*
  • Regional: EU DPA
  • National: PIPEDA, GLBA, HIPAA / HITECH, COPPA, Safe Harbor
  • Statutory: Bavarian, CA SB 1386 / 24, MA 201 CMR 17, NV SB 227
– Data Flow & Jurisdictional Adherence
  • Data Sharing with Third Parties
    » Pseudonymization / De-Identification
  • Consent & Notices
– Contract Clauses
  • Model Contracts
– Privacy Best Practices
  • Generally Accepted Privacy Principles (GAPP)
* Not all inclusive.
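The "Pseudonymization / De-Identification" bullet under data sharing is the one control on this slide that is implemented in code rather than in a contract, and the case study that follows (a HIPAA business associate parsing non-PHI out of its data) is exactly where it applies. The block below is an added example, not code from the slides or from the speaker's project: it uses keyed pseudonyms (HMAC-SHA256) so that a third party receives stable identifiers it can join on within one sharing agreement, but cannot reverse them or recompute them without the key the data owner keeps. The record layout, field names, sample rows and key are constructed for the demonstration.

```python
"""Added example (not from the slides): keyed pseudonymization of direct
identifiers before records are shared with a third party.  HMAC-SHA256 with
a key held only by the data owner gives pseudonyms that are consistent within
one sharing agreement but cannot be reversed or recomputed by the recipient.
Field names, sample records and the key below are constructed for this demo."""
import hashlib
import hmac
import secrets

# Direct identifiers: either replaced by a pseudonym or dropped before sharing.
DIRECT_IDENTIFIERS = ("mrn", "name", "ssn")


def new_sharing_key() -> bytes:
    """One fresh key per sharing agreement, so pseudonyms from two different
    recipients cannot be linked to each other.  Kept by the data owner only."""
    return secrets.token_bytes(32)


def pseudonym(secret_key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym for one field value.  The field name is
    mixed into the message so the same string appearing in two fields yields
    two unrelated pseudonyms.  Truncated to 64 bits for readability."""
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, secret_key: bytes, keep_linkable=("mrn",)) -> dict:
    """Copy of one record that is safe to share: identifiers the recipient
    needs for joining are pseudonymized, other direct identifiers are removed,
    remaining (non-identifying) fields pass through unchanged."""
    out = {}
    for field, value in record.items():
        if field in keep_linkable:
            out[field] = pseudonym(secret_key, field, str(value))
        elif field in DIRECT_IDENTIFIERS:
            continue  # dropped outright; the recipient has no use for it
        else:
            out[field] = value
    return out


def deidentify_batch(records: list, secret_key: bytes) -> list:
    """Apply deidentify() to a whole extract under one sharing key."""
    return [deidentify(r, secret_key) for r in records]


def reidentify(pseudo: str, field: str, candidates: list, secret_key: bytes):
    """Owner-side lookup: only someone holding the key can map a pseudonym
    back, and only by recomputing it over values they already hold."""
    for value in candidates:
        if hmac.compare_digest(pseudonym(secret_key, field, value), pseudo):
            return value
    return None


# Constructed sample extract (not real patients); 'dx' stands in for the
# non-identifying clinical payload that is actually being shared.
SAMPLE_RECORDS = [
    {"mrn": "MRN-001", "name": "Alice Example", "ssn": "000-00-0001", "dx": "J45.9"},
    {"mrn": "MRN-002", "name": "Bob Example", "ssn": "000-00-0002", "dx": "E11.9"},
    {"mrn": "MRN-001", "name": "Alice Example", "ssn": "000-00-0001", "dx": "I10"},
]
```

Two properties are worth checking on any pseudonymization routine, and the functions above make both testable: the same MRN must map to the same pseudonym inside one extract (so the recipient can still group a patient's rows), and a different key must produce unrelated pseudonyms (so two recipients cannot pool their extracts to re-link). A plain unkeyed hash fails the second property, because anyone can hash a guessed MRN and compare.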
Slide 83: Case Study: MySQL & SimpleDB in the Cloud
– Background
  • SMB Healthcare Service Provider (HIPAA Business Associate) Providing Services for Larger HIPAA Covered Entities
  • Fall 2011 Project
– Drivers
  • Cost Savings
  • HIPAA / HITECH Compliance
  • More Cost-Effective & Simplistic BCP / DRP Planning
  • Parse Out Non-Protected Health Information (PHI)
Slide 84: Case Study: MySQL & SimpleDB in the Cloud
– Technologies
  • AWS:
    » EC2
    » EBS
    » Simple Storage Service (S3)
    » SimpleDB
  • Linux (Ubuntu AMI), Apache, MySQL, & PHP (LAMP) Stack
  • OpenLDAP
  • Splunk
– Limitations
  • Skill-Sets (AWS EC2, SimpleDB)
  • Risk Posture
  • Vendor Management
Slide 85: Case Study: MySQL & SimpleDB in the Cloud
– Risks
  • Vendor Lock-In
    » AWS EC2 and / or SimpleDB
  • Legal Concerns
    » Lack of Bargaining Power
    » Service Level Agreements (SLAs)
  • Data Security & Privacy Concerns
    » Geographic Jurisdiction
  • Business Continuity / Availability
    » DataCom Circuits
  • Variable Costs
    » Data Transfer
Slide 86: Case Study: MySQL & SimpleDB in the Cloud
– Lessons Learned
  • Cloud Strategy / Roadmap Matters
  • Availability Issues w/ SimpleDB
  • Learning Curve
    » SimpleDB
    » Elastic Block Store (EBS)
  • Not as Cost-Effective as First Thought
    » Backups & S3
– Next Steps
  • Leveraging NoSQL for More Log Data
  • Enhanced Use of Splunk for SIEM
  • Splunk to the Cloud (on AWS EC2)
Slide 87: Presentation Take-Aways
– Databases in the Cloud Are Here to Stay
– Secure Cloud-Based DBs Through Defense-in-Depth
  • Application / Database
  • Middleware
  • OS
  • (Virtual) Infrastructure
– Stay Abreast of New Technologies / Services
  • Big Data
  • Federated Identities
Slide 88: Questions?
Contact
– Email: steve@ncontrol-llc.com
– Twitter: markes1
– LI: http://www.linkedin.com/in/smarkey
– CSA-DelVal: http://www.csadelval.org/