
1 Securing Databases in the Cloud
  Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
  Principal, nControl, LLC
  Adjunct Professor
  President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

2 Presentation Overview
  – Cloud Overview
  – Database Overview
  – Big Data Overview
  – Cloud-Based DB Solutions
  – Securing Cloud-Based DB Solutions
      Vulnerabilities Found in Cloud-Based Offerings
      Securing Your Relational Cloud-Based Offerings
      Securing Your Non-Relational Cloud-Based Offerings
  – Privacy & Data Protection for Cloud-Based DBs
  – Case Study: MySQL & SimpleDB in the Cloud

3 Source: NIST

4 Service Delivery Models Source: Swain Techs

5 Source: Matthew Gardiner, Computer Associates

6 Database Overview
  – Database Management Systems
      Relational Database Management Systems (RDBMS)
      Object-Oriented Database Management Systems (OODBMS)
      Non-Relational, Distributed DB Mgmt Systems (NRDBMS) – Not only Structured Query Language (NoSQL)
  – Online Transaction Processing (OLTP)
      Real-time Data Warehousing
  – Online Analytical Processing (OLAP)
      Operational Data Stores (ODS)
      Enterprise Data Warehouse (EDW)

7 Database Overview
  – Online Analytical Processing (OLAP)
      Business Intelligence (BI)
        – Data Mining
        – Reporting
        – OLAP

8 Database Overview
  – OLAP (Continued)
      Business Intelligence (BI) (Continued)
        – OLAP (Continued)
            » Relational OLAP (ROLAP)
            » Multi-Dimensional OLAP (MOLAP)
            » Hybrid OLAP (HOLAP)
      OLTP → ODS → EDW (Data Marts) → BI (Data Mining)
      OLTP → ODS → EDW (Data Marts) → BI (Reporting)
      OLTP → ODS → EDW (Data Marts) → BI (OLAP)

9 Big Data Overview
  – Aggregated Data From the Following Sources:
      Traditional
      Sensory
      Social
  – Aggregators Predominantly: NRDBMS
      – Column Family Stores: Cassandra (FB), BigTable (Google), HBase (Apache)
      – Key-Value Stores: App Engine Datastore (Google), DynamoDB & SimpleDB (AWS)
      – Document Databases: CouchDB, MongoDB
      – Graph Databases: Neo4J

10 Big Data Overview
  – Serial Processing
      Hadoop
        – Hadoop Distributed File System (HDFS)
        – Hive – DW
        – Pig – Querying Language
      Riak
  – Parallel Processing
      HadoopDB
  – Analytics
      Google MapReduce
      Apache MapReduce
      Splunk (for Security Information / Event Management [SIEM])

11 Source: Cloudera

12 Source: Wikispaces

13 Source: Google

14 Source: Cloudera

15 Cloud-Based Database Solutions
  – PaaS
      DBaaS
        – Force.com
        – Intuit QuickBase
        – Amazon Web Services (AWS)
            » Relational Database Service (RDS): Oracle 11g / MySQL
            » DynamoDB
            » SimpleDB
        – Google App Engine
            » Datastore
        – Oracle Public Cloud
            » 11g

16 Cloud-Based Database Solutions
  – IaaS
      Build MySQL, Microsoft SQL Server, or Oracle 11g Instance
      Leverage Compute Node & Storage Node Effectively
        – AWS Elastic Compute Cloud (EC2)
        – AWS Elastic Block Store (EBS)
        – OpenStack Compute (Nova)
        – OpenStack Storage (Swift)

17 Vulnerabilities Found in Cloud-Based DB Solutions
  – General Cloud Service
      Middleware Vulnerabilities
        » Open / Java Database Connectivity (ODBC / JDBC) Attacks
      Database Vulnerabilities
        » Improper (Logical) Access Controls
        » Change / Configuration Management
        » Backups
        » Multi-Tenancy
      Virtualization Vulnerabilities
        – Insecure Hypervisor / Management Backplane
            » Hyperjacking – Rogue Hypervisor
            » Virtual Machine (VM) Theft – Data Loss
            » VM Hopping – One VM to Another
            » VM Sprawl – Unmanaged (Legacy) VMs
            » VM Escape – One VM to Another

18 Vulnerabilities Found in Cloud-Based DB Solutions
  – General Cloud Service (Continued)
      Internal (Cloud Service Provider) Attack Vectors:
        – Legacy Accounts
            » Automate Provisioning / De-Provisioning
        – Lack of Segregation / Separation of Duties
        – Lightweight Directory Access Protocol (LDAP) Injection
      Application Vulnerabilities:
        – SQL Injection
        – Cross-Site Scripting (XSS)
        – Cross-Site Request Forgery (XSRF)

19 Vulnerabilities Found in Cloud-Based DB Solutions
  – IaaS
      Infrastructure:
        – Improper Physical Access Controls
        – Change / Configuration Management
        – Physical Separation of Compute & Storage Nodes
            » Performance Degradation
        – Backups
            » VM Backup Location, Jurisdiction
            » Data File Backup Location, Jurisdiction
      Operating System (OS):
        – Improper (Logical) & Physical Access Controls
        – Change / Configuration Management


21 Source: Flickr

22 Securing Relational Cloud-Based DB Solutions
  – PaaS
      DBaaS
        – SIEM
        – Logical Segregation / Separation of Duties (DBA, Developer)
        – Enforce Logical Access Controls
            » Virtual Firewalls
        – Encryption
            » Enforce Compliance Encryption Requirements for Data
            » Public Key Infrastructure (PKI): Remote & Application Access
            » Key Management
        – User Rights Management (URM)
            » Identity & Access Management (IAM)

23 Source: Chris Brenton

24 Source: FireRack

25 Source: Chris Brenton


27 Source: Chappell & Associates


33 Securing Relational Cloud-Based DB Solutions
  – PaaS
      DBaaS (Continued)
        – Backups & Disaster Recovery
            » Physically / Geographically Separate
            » Build RTO & RPO Into SLA
            » Regularly Test (Semi-Annually)
        – Application & Middleware-level Security
            » Web Application Firewalls (WAF) / Proxy
            » XML Firewalls
            » Security Development Lifecycle (SDL)
            » Static Application Security Testing (SAST)
            » Dynamic Application Security Testing (DAST)

34 Source: Imperva

35 Source: SANS

36 Source: Microsoft


39 Securing Relational Cloud-Based DB Solutions
  – PaaS
      DBaaS (Continued)
        – AWS RDS Oracle 11g & Java Apache Tomcat EC2 Scenario:
            » Set up VPC, Public & Private, via NAT w/ IPSec VPN
            » Set up App Security Group
            » Build Public App Instance on EC2 w/ Java & Apache Tomcat
            » Set up DB Security Group w/ App Security Group Added
            » Build Private AWS RDS Oracle 11g DB
            » Leverage PL/SQL Audit Triggers for Compliance
            » Leverage CloudWatch for App & DB Instances
            » Leverage Prepared Statements & Error / Exception Handling
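To make the last two steps of this scenario concrete, here is an added example that is not from the presentation: a prepared statement beside the string-built query it replaces, an audit trigger that records every update (SQLite's trigger syntax standing in for the PL/SQL audit trigger the slide refers to, so the example runs offline against an in-memory database), and error handling that logs driver errors on the server and returns only a generic message to the caller. The schema, the two rows and the function names are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("app")

# Constructed schema; SQLite stands in for RDS Oracle so the example runs offline.
SCHEMA = """
CREATE TABLE patients (
    id   INTEGER PRIMARY KEY,
    mrn  TEXT NOT NULL UNIQUE,
    name TEXT NOT NULL
);
CREATE TABLE patients_audit (
    audit_id   INTEGER PRIMARY KEY,
    patient_id INTEGER NOT NULL,
    action     TEXT NOT NULL,
    old_name   TEXT,
    new_name   TEXT,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Audit trigger: every UPDATE is recorded inside the same transaction,
-- so application code cannot change a row without leaving a record.
CREATE TRIGGER patients_audit_update AFTER UPDATE ON patients
BEGIN
    INSERT INTO patients_audit (patient_id, action, old_name, new_name)
    VALUES (NEW.id, 'UPDATE', OLD.name, NEW.name);
END;
"""


def open_db():
    """Create the in-memory database with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO patients (mrn, name) VALUES (?, ?)",
                    [("MRN-1001", "alice"), ("MRN-1002", "bob")])
    con.commit()
    return con


def lookup_unsafe(con, mrn):
    """Vulnerable form: the caller's input becomes part of the SQL text."""
    sql = "SELECT name FROM patients WHERE mrn = '" + mrn + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, mrn):
    """Prepared statement: the value is bound, never parsed as SQL."""
    sql = "SELECT name FROM patients WHERE mrn = ?"
    return [row[0] for row in con.execute(sql, (mrn,))]


def rename_patient(con, patient_id, new_name):
    """Return (ok, message). Driver errors are logged, not returned, so
    stack traces and schema details never reach the user or the HTTP response."""
    try:
        with con:  # commit on success, roll back on exception
            cur = con.execute("UPDATE patients SET name = ? WHERE id = ?",
                              (new_name, patient_id))
        if cur.rowcount == 1:
            return True, "updated"
        return False, "no such patient"
    except sqlite3.Error as exc:
        log.error("update failed for patient %s: %s", patient_id, exc)
        return False, "request could not be processed"


def audit_rows(con):
    """The audit trail the trigger wrote, oldest first."""
    return con.execute(
        "SELECT patient_id, action, old_name, new_name FROM patients_audit "
        "ORDER BY audit_id").fetchall()
```

Calling `rename_patient(con, 2, None)` exercises the error path: the NOT NULL constraint raises inside the driver, the transaction rolls back, the detail goes to the log, and the caller gets the generic message; the audit table shows only the updates that actually committed.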


41 Securing Relational Cloud-Based DB Solutions
  – IaaS
      Server / Infrastructure
        – Physical Access Controls
        – Hypervisor / Management Backplane
            » Grouping – Segmenting VMs
            » Generalization – Leveraging a Template
            » Aspect-Oriented Management – Tiering
            » Automation – Provisioning
            » Air Gapping – Siloed Virtual Networks (VLANs)

42 Securing Relational Cloud-Based DB Solutions
  – IaaS
      OS
        – OS Firewalls (Windows)
        – Patching / Configuration Management (Chef / Puppet)
        – PKI Encryption Key Management
        – Logical Access Controls
        – Anti-Virus (AV)
        – Authentication, Authorization & Accounting (AAA)
            » IAM
        – Vulnerability Assessment Scanning
            » Amazon Elastic Compute Cloud (EC2) Instance: CloudInspect


46 Source: CORE

47 Securing Relational Cloud-Based DB Solutions
  – IaaS
      Database
        – Backups
        – URM
        – Segregation / Separation of Duties
        – Vulnerability Scanning
            » McAfee Database Security Scanner (DSS) for MS SQL Azure
        – Database Activity Monitoring (DAM)
            » Database Firewall
        – IAM

48 [Figure: Internet → AWS Cloud → EC2 Availability Zone; EC2 instances with EBS volumes; EBS Snapshot to S3 Storage] Source: Amazon

49 Source: McAfee

50 Source: Application Security

51 Source: Oracle

52 Securing Relational Cloud-Based DB Solutions
  – IaaS
      Database
        – LAMP Stack & phpMyAdmin Scenario:
            » Set up VPC, Public & Private, via NAT
            » Set up App Security Group
            » Build Public App Instance on EC2 w/ LAP & phpMyAdmin
            » Set up DB Security Group w/ App Security Group Added
            » Build Private MySQL DB Instance on EC2 w/ Encrypted EBS
            » Leverage CloudWatch for App & DB Instances
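Steps two, four and five of this scenario (and of the RDS scenario earlier in the deck) come down to two security groups: the app group is reachable from the Internet on the web ports only, and the DB group admits MySQL only from the app group. The following added example, not from the presentation, is a Python check that verifies those two properties over security-group definitions in the shape of the EC2 DescribeSecurityGroups response. The group ids, ports and rules are constructed placeholders, and the second DB rule is deliberately the misconfiguration the check should catch.

```python
import json

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
# Group ids are placeholders, not real AWS identifiers. The second DB rule is
# the misconfiguration the check is meant to catch: MySQL open to the Internet.
SAMPLE_GROUPS = json.loads("""
[
  {"GroupId": "sg-app-placeholder", "GroupName": "app-public",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}
   ]},
  {"GroupId": "sg-db-placeholder", "GroupName": "db-private",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-placeholder"}]},
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
   ]}
]
""")

ANYWHERE = {"0.0.0.0/0", "::/0"}


def describe(perm):
    """Human-readable protocol/port range for one rule."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def cidr_sources(perm):
    """IPv4 and IPv6 CIDR sources of one rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def audit_db_group(groups, db_group_id, app_group_id, db_port=3306):
    """Findings for the private DB group. An empty list means it matches the
    design: exactly tcp/db_port, sourced only from the app security group."""
    findings = []
    db = next(g for g in groups if g["GroupId"] == db_group_id)
    for perm in db["IpPermissions"]:
        where = describe(perm)
        exact_port = (perm["IpProtocol"] == "tcp"
                      and perm.get("FromPort") == db_port == perm.get("ToPort"))
        if not exact_port:
            findings.append(f"{db_group_id}: rule {where} is wider than tcp/{db_port}")
        for cidr in cidr_sources(perm):
            kind = "Internet-wide" if cidr in ANYWHERE else "CIDR"
            findings.append(f"{db_group_id}: {kind} source {cidr} on {where}; "
                            f"only {app_group_id} should reach the DB")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != app_group_id:
                findings.append(f"{db_group_id}: group source {pair.get('GroupId')} "
                                f"on {where} is not the app group")
    return findings


def audit_app_group(groups, app_group_id, public_ports=(80, 443)):
    """Findings for the public app group: Internet-wide sources are acceptable
    only on the web ports; admin ports must come from named ranges."""
    findings = []
    app = next(g for g in groups if g["GroupId"] == app_group_id)
    for perm in app["IpPermissions"]:
        where = describe(perm)
        web_only = (perm["IpProtocol"] == "tcp"
                    and perm.get("FromPort") == perm.get("ToPort")
                    and perm.get("FromPort") in public_ports)
        for cidr in cidr_sources(perm):
            if cidr in ANYWHERE and not web_only:
                findings.append(f"{app_group_id}: {where} open to {cidr}")
    return findings
```

Run against the sample, `audit_db_group` reports the one Internet-wide MySQL rule and `audit_app_group` reports nothing, since SSH is restricted to a named range. The same two functions can be pointed at the real API output once the placeholders are replaced with the account's group ids.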


59 Securing Relational Cloud-Based DB Solutions
  – IaaS
      Storage
        – PKI Encryption Key Management
        – Logical Access Controls
            » RBAC Groups (OpenStack Swift)
        – Authentication, Authorization & Accounting (AAA)
            » IAM
        – Monitoring
        – Information Governance
            » Lifecycle


62 Securing Relational Cloud-Based DB Solutions
  – IaaS
      Database
        – IAM
            » Federated Identity
                - Security Assertion Markup Language (SAML)
                - Open Authorization (OAuth)
                - Representational State Transfer (REST)
                - AWS IAM
                - Windows Azure Access Control Service (ACS)
                - Web Services – Trust Language (WS-Trust)
                - Active Directory Federation Services (ADFS)
                - Microsoft Federation Gateway (MFG)

63 Source: OASIS

64 Source: Intuit


66 Source: OASIS


68 Source: Apache


73 Source: OASIS


75 Source: Microsoft

76 Source: Chappell & Associates

77 Source: Microsoft

78 Securing Relational Cloud-Based DB Solutions
  – IaaS
      Application & Middleware
        – WAF / Proxy
        – XML Firewall
        – SDL
        – SAST
        – DAST

79 Securing NRDBMS Cloud-Based DB Solutions
  – General
      Focus on Application / Middleware-Level Security
        – SQL Injections Are Still Possible
        – Leverage Application IAM for NRDBMS URM
        – Leverage Application & System Logging for AAA
      Segregation of Duties
        – Read / Write Namespaces
        – Read-Only Namespaces
        – Specific Document
        – Consistency Assurance
            Key / Value – Ensure Referential Integrity
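The slide's point that injection is still possible against NRDBMS stores applies directly to SimpleDB, the store in the deck's case study: its Select call takes a single expression string and offers no bind parameters, so the application has to quote values itself (single quotes around values with any embedded quote doubled, backticks around domain and attribute names). The following added example, not from the presentation, shows the unquoted concatenation beside a quoting builder, plus a small literal counter a unit test can use to detect that an input altered the query text. The domain and attribute names are constructed.

```python
import re

# Names SimpleDB accepts unquoted are plain identifiers; this example is
# stricter and rejects anything else rather than trying to quote it, since
# the application never needs a user-supplied domain or attribute name.
_PLAIN_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_value(value):
    """Quote a value for a SimpleDB SelectExpression: single quotes around it,
    any embedded single quote doubled. Non-strings are converted first."""
    return "'" + str(value).replace("'", "''") + "'"


def quote_name(name):
    """Backtick-quote a domain or attribute name after validating it."""
    if not _PLAIN_NAME.match(name):
        raise ValueError(f"refusing non-identifier name: {name!r}")
    return "`" + name + "`"


def select_unsafe(domain, attr, value):
    """Vulnerable form: the value is spliced in, so a quote inside it ends the
    literal and the rest of the input is parsed as part of the expression."""
    return f"select * from {domain} where {attr} = '{value}'"


def select_safe(domain, attr, value):
    """Hardened form: names validated and quoted, value escaped."""
    return (f"select * from {quote_name(domain)} "
            f"where {quote_name(attr)} = {quote_value(value)}")


def literal_count(expression):
    """Count single-quoted literals in an expression; a doubled quote stays
    inside its literal. A lookup by one value should contain exactly one
    literal, so a higher count means an input changed the query's structure."""
    return len(re.findall(r"'(?:[^']|'')*'", expression))
```

The counter is the cheap regression check: for any input, `literal_count(select_safe(...))` stays at one, while the unsafe builder produces two literals as soon as the input contains a quote.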


82 Privacy & Data Protection for Cloud-Based DBs
  – Jurisdictions*
      Regional: EU DPA
      National: PIPEDA, GLBA, HIPAA / HITECH, COPPA, Safe Harbor
      Statutory: Bavarian, CA SB 1386 / 24, MA 201 CMR 17, NV SB 227
  – Data Flow & Jurisdictional Adherence
      Data Sharing with Third Parties
        – Pseudonymization / De-Identification
      Consent & Notices
        – Contract Clauses
            Model Contracts
  – Privacy Best Practices
      Generally Accepted Privacy Principles (GAPP)
  * Not all inclusive.
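For the pseudonymization / de-identification bullet, here is an added example that is not from the presentation: a routine that replaces direct identifiers with HMAC-SHA256 tokens under a key that stays with the data controller (so the same patient yields the same token and joins still work, but nobody without the key can reverse it), drops free-text identifiers, and coarsens quasi-identifiers before a record is shared with a third party. The field names, the ISO `YYYY-MM-DD` date format assumed for `dob`, the ZIP handling and the sample record are all constructed.

```python
import hashlib
import hmac

# Constructed field policy: direct identifiers are tokenized, contact and
# name fields are dropped, quasi-identifiers are coarsened in coarsen().
DIRECT_IDENTIFIERS = ("mrn", "ssn", "email")
DROPPED = ("name", "phone", "street")
TOKEN_HEX_LEN = 32  # keep 128 bits of the HMAC-SHA256 tag


def pseudonym(field, value, key):
    """Stable keyed token for one identifier value. The field name is mixed in
    so the same string in two different fields yields two different tokens."""
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def coarsen(record):
    """Generalize quasi-identifiers: dob (assumed YYYY-MM-DD) -> year,
    zip -> 3-digit prefix. Returns a copy."""
    out = dict(record)
    if out.get("dob"):
        out["dob"] = out["dob"][:4]
    if out.get("zip"):
        out["zip"] = out["zip"][:3]
    return out


def deidentify(record, key):
    """Return a copy fit to share: direct identifiers tokenized, name and
    contact fields dropped, quasi-identifiers coarsened. Input is untouched."""
    out = coarsen(record)
    for field in DROPPED:
        out.pop(field, None)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            out[field] = pseudonym(field, out[field], key)
    return out


def deidentify_batch(records, key):
    """Apply deidentify() to a list of records under one key."""
    return [deidentify(r, key) for r in records]


# Constructed sample record and key; a real key would come from the KMS or
# HSM the deck's key-management bullets refer to, never from source code.
SAMPLE_KEY = b"constructed-example-key-do-not-use"
SAMPLE_RECORD = {"mrn": "MRN-1001", "name": "alice", "dob": "1980-05-17",
                 "zip": "19103", "diagnosis": "constructed"}
```

Because the token depends on the key, two recipients given different keys cannot link their data sets to each other, while one recipient given a single key can still join records for the same patient across extracts.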

83 Case Study: MySQL & SimpleDB in the Cloud
  – Background
      SMB Healthcare Service Provider (HIPAA Business Associate) Providing Services for Larger HIPAA Covered Entities
      Fall 2011 Project
  – Drivers
      Cost Savings
      HIPAA / HITECH Compliance
      More Cost Effective & Simplistic BCP / DRP Planning
      Parse Out Non-Protected Health Information (PHI)

84 Case Study: MySQL & SimpleDB in the Cloud
  – Technologies
      AWS:
        – EC2
        – EBS
        – Simple Storage Service (S3)
        – SimpleDB
      Linux (Ubuntu AMI), Apache, MySQL, & PHP (LAMP) Stack
      OpenLDAP
      Splunk
  – Limitations
      Skill-Sets (AWS EC2, SimpleDB)
      Risk Posture
      Vendor Management

85 Case Study: MySQL & SimpleDB in the Cloud
  – Risks
      Vendor Lock-In – AWS EC2 and / or SimpleDB
      Legal Concerns
        – Lack of Bargaining Power
        – Service Level Agreements (SLAs)
      Data Security & Privacy Concerns
        – Geographic Jurisdiction
      Business Continuity / Availability
        – DataCom Circuits
      Variable Costs
        – Data Transfer

86 Case Study: MySQL & SimpleDB in the Cloud
  – Lessons Learned
      Cloud Strategy / Roadmap Matters
      Availability Issues w/ SimpleDB
      Learning Curve
        – SimpleDB
        – Elastic Block Store (EBS)
      Not as Cost Effective as First Thought
        – Backups & S3
  – Next Steps
      Leveraging NoSQL for More Log Data
      Enhanced Use of Splunk for SIEM
      Splunk to the Cloud (on AWS EC2)

87 Presentation Take-Aways
  – Databases in the Cloud Are Here to Stay
  – Secure Cloud-Based DBs Through Defense-in-Depth
      – Application / Database
      – Middleware
      – OS
      – (Virtual) Infrastructure
  – Stay Abreast of New Technologies / Services
      – Big Data
      – Federated Identities

88 Questions?
  Contact
    – Email: steve@ncontrol-llc.com
    – Twitter: markes1
    – LI: http://www.linkedin.com/in/smarkey
    – CSA-DelVal: http://www.csadelval.org/

