Securing Databases in the Cloud
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
Principal, nControl, LLC
Adjunct Professor
President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)
• Presentation Overview
– Cloud Overview
– Database Overview
– Big Data Overview
– Cloud-Based DB Solutions
– Securing Cloud-Based DB Solutions
• Vulnerabilities Found in Cloud-Based Offerings
• Securing Your Relational Cloud-Based Offerings
• Securing Your Non-Relational Cloud-Based Offerings
– Privacy & Data Protection for Cloud-Based DBs
– Case Study: MySQL & SimpleDB in the Cloud
[Figures omitted. Sources: NIST; Swain Techs (Service Delivery Models); Matthew Gardiner, Computer Associates]
• Database Overview
– Database Management Systems
• Relational Database Management Systems (RDBMS)
• Object-Oriented Database Management Systems (OODBMS)
• Non-Relational, Distributed DB Mgmt Systems (NRDBMS)
– Not only – Structured Query Language (NoSQL)
– Online Transaction Processing (OLTP)
• Real-time Data Warehousing
– Online Analytical Processing (OLAP)
• Operational Data Stores (ODS)
• Enterprise Data Warehouse (EDW)
• Database Overview
– Online Analytical Processing (OLAP)
• Business Intelligence (BI)
– Data Mining
– Reporting
– OLAP
• Database Overview
– OLAP (Continued)
• Business Intelligence (BI) (Continued)
– OLAP (Continued)
» Relational OLAP (ROLAP)
» Multi-Dimensional OLAP (MOLAP)
» Hybrid OLAP (HOLAP)
OLTPODSEDW (Data Marts)BI (Data Mining)
OLTPODSEDW (Data Marts)BI (Reporting)
OLTPODSEDW (Data Marts)BI (OLAP)
Securing Databases in the Cloud
• Big Data Overview
– Aggregated Data From the Following Sources:
• Traditional
• Sensory
• Social
– Aggregators
• Predominantly: NRDBMS
– Column Family Stores: Cassandra (FB), BigTable (Google), HBase (Apache)
– Key-Value Stores: App Engine DataStore (Google), DynamoDB & SimpleDB (AWS)
– Document Databases: CouchDB, MongoDB
– Graph Databases: Neo4J
• Big Data Overview
– Serial Processing
• Hadoop
– Hadoop Distributed File System (HDFS)
– Hive – DW
– Pig – Querying Language
• Riak
– Parallel Processing
• HadoopDB
– Analytics
• Google MapReduce
• Apache MapReduce
• Splunk (for Security Information / Event Management [SIEM])
[Figures omitted. Sources: Cloudera; Wikispaces; Google; Cloudera]
• Cloud-Based Database Solutions
– PaaS
• DBaaS
– Force.com
– Intuit QuickBase
– Amazon Web Services (AWS)
» Relational Database Service (RDS) Oracle 11g / MySQL
» DynamoDB
» SimpleDB
– Google App Engine
» Datastore
– Oracle Public Cloud
» 11g
• Cloud-Based Database Solutions
– IaaS
• Build MySQL, Microsoft SQL Server, or Oracle 11g Instance
• Leverage Compute Node & Storage Node Effectively
– AWS Elastic Compute Cloud (EC2)
– AWS Elastic Block Store (EBS)
– OpenStack Compute (Nova)
– OpenStack Storage (Swift)
• Vulnerabilities Found in Cloud-Based DB Solutions
– General Cloud Service
• Middleware Vulnerabilities
» Open / Java Database Connectivity (ODBC / JDBC) Attacks
• Database Vulnerabilities
» Improper (Logical) Access Controls
» Change / Configuration Management
» Backups
» Multi-Tenancy
• Virtualization Vulnerabilities
– Insecure Hypervisor / Management Backplane
» Hyperjacking – Rogue Hypervisor
» Virtual Machine (VM) Theft – Data Loss
» VM Hopping – One VM to Another
» VM Sprawl – Unmanaged (Legacy VMs)
• Vulnerabilities Found in Cloud-Based DB Solutions
– General Cloud Service (Continued)
• Internal (Cloud Service Provider) Attack Vectors:
– Legacy Accounts
» Automate Provisioning / De-Provisioning
– Lack of Segregation / Separation of Duties
– Lightweight Directory Access Protocol (LDAP) Injection
• Application Vulnerabilities:
– SQL Injection
– Cross-Site Scripting (XSS)
– Cross-Site Request Forgery (XSRF)
• Vulnerabilities Found in Cloud-Based DB Solutions
– IaaS
• Infrastructure:
– Improper Physical Access Controls
– Change / Configuration Management
– Physical Separation of Compute & Storage Nodes
» Performance Degradation
– Backups
» VM Backup Location, Jurisdiction
» Data File Backup Location, Jurisdiction
• Operating System (OS):
– Improper (Logical) & Physical Access Controls
– Change / Configuration Management
[Figure omitted. Source: Flickr]
• Securing Relational Cloud-Based DB Solutions
– PaaS
• DBaaS
– SIEM
– Logical Segregation / Separation of Duties (DBA, Developer)
– Enforce Logical Access Controls
» Virtual Firewalls
– Encryption
» Enforce Compliance Encryption Requirements for Data
» Public Key Infrastructure (PKI): Remote & Application Access
» Key Management
– User Rights Management (URM)
» Identity & Access Management (IAM)
[Figures omitted. Sources: Chris Brenton; FireRack; Chris Brenton; Chappell & Associates]
• Securing Relational Cloud-Based DB Solutions
– PaaS
• DBaaS (Continued)
– Backups & Disaster Recovery
» Physically / Geographically Separate
» Build RTO & RPO Into SLA
» Regularly Test (Semi-Annually)
– Application & Middleware-level Security
» Web Application Firewalls (WAF) / Proxy
» XML Firewalls
» Security Development Lifecycle (SDL)
» Static Application Security Testing (SAST)
» Dynamic Application Security Testing (DAST)
[Figures omitted. Sources: Imperva; SANS; Microsoft]
• Securing Relational Cloud-Based DB Solutions
– PaaS
• DBaaS (Continued)
– AWS RDS Oracle 11g & Java Apache Tomcat EC2 Scenario:
» Setup VPC Public & Private via NAT w/ IPSec VPN
» Setup App Security Group
» Build Public App Instance on EC2 w/ Java & Apache Tomcat
» Setup DB Security Group w/ App Security Group Added
» Build Private AWS RDS Oracle 11g DB
» Leverage PL/SQL Audit Triggers for Compliance
» Leverage CloudWatch for App & DB Instances
» Leverage Prepared Statements & Error / Exception Handling
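As an added illustration (not code from the deck), the last three steps of this scenario, the audit trigger, prepared statements and error handling, modelled in Python on an in-memory SQLite database so it runs offline. SQLite and a plain SQL trigger stand in for RDS Oracle and the PL/SQL trigger; the patients table, its rows and the inputs are constructed.

```python
import logging
import sqlite3

# In the scenario, this logger's output is what CloudWatch / the SIEM would collect.
log = logging.getLogger("app.db")

# Constructed schema. SQLite stands in for RDS Oracle; the trigger stands in for a
# PL/SQL AFTER UPDATE audit trigger that records what changed, for compliance.
SCHEMA = """
CREATE TABLE patients (
    id   INTEGER PRIMARY KEY,
    mrn  TEXT NOT NULL UNIQUE,
    name TEXT NOT NULL CHECK (length(name) > 0)
);
CREATE TABLE patients_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    action     TEXT,
    patient_id INTEGER,
    old_name   TEXT,
    new_name   TEXT,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER patients_audit_upd AFTER UPDATE ON patients
BEGIN
    INSERT INTO patients_audit (action, patient_id, old_name, new_name)
    VALUES ('UPDATE', OLD.id, OLD.name, NEW.name);
END;
"""


def open_db() -> sqlite3.Connection:
    """Build the constructed sample database with two patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO patients (mrn, name) VALUES (?, ?)",
        [("MRN-1001", "Alice Example"), ("MRN-1002", "Bob Example")],
    )
    conn.commit()
    return conn


def find_by_mrn_unsafe(conn: sqlite3.Connection, mrn: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL text,
    so a tautology such as x' OR '1'='1 widens the WHERE clause to every row."""
    sql = "SELECT mrn, name FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def find_by_mrn(conn: sqlite3.Connection, mrn: str) -> list:
    """Prepared statement: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def rename_patient(conn: sqlite3.Connection, patient_id: int, new_name: str) -> dict:
    """Bound UPDATE that fires the audit trigger.

    Database errors are logged in full for the SIEM, but the caller only gets a
    generic message, so driver and schema details never reach an end user."""
    try:
        with conn:  # commits on success, rolls back on exception
            cur = conn.execute(
                "UPDATE patients SET name = ? WHERE id = ?", (new_name, patient_id)
            )
        return {"ok": True, "rows": cur.rowcount}
    except sqlite3.Error as exc:
        log.error("rename_patient failed for id=%s: %s", patient_id, exc)
        return {"ok": False, "error": "request could not be processed"}


def audit_rows(conn: sqlite3.Connection) -> list:
    """Audit trail as (action, patient_id, old_name, new_name) tuples."""
    return conn.execute(
        "SELECT action, patient_id, old_name, new_name FROM patients_audit"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(find_by_mrn_unsafe(db, "x' OR '1'='1"))  # two rows: every patient
    print(find_by_mrn(db, "x' OR '1'='1"))         # []: no such MRN
    print(rename_patient(db, 1, "Alice Renamed"), audit_rows(db))
    print(rename_patient(db, 2, ""))               # generic error; detail only in the log
```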
• Securing Relational Cloud-Based DB Solutions
– IaaS
• Server / Infrastructure
– Physical Access Controls
– Hypervisor / Management Backplane
» Grouping – Segmenting VMs
» Generalization – Leveraging a Template
» Aspect-Oriented Management – Tiering
» Automated Provisioning
» Air Gapping – Siloed Virtual Networks (VLANs)
• Securing Relational Cloud-Based DB Solutions
– IaaS
• OS
– OS Firewalls (Windows)
– Patching / Configuration Management (Chef / Puppet)
– PKI Encryption Key Management
– Logical Access Controls
– Anti-Virus (AV)
– Authentication, Authorization & Accounting (AAA)
» IAM
– Vulnerability Assessment Scanning
» Amazon Elastic Compute Cloud (EC2) Instance: CloudInspect
[Figure omitted. Source: CORE]
• Securing Relational Cloud-Based DB Solutions
– IaaS
• Database
– Backups
– URM
– Segregation / Separation of Duties
– Vulnerability Scanning
» McAfee Database Security Scanner (DSS) for MS SQL Azure
– Database Activity Monitoring (DAM)
» Database Firewall
– IAM
[Figure omitted: AWS deployment diagram (Internet, AWS Cloud, EC2 Availability Zone, EC2 instances, S3 Storage, EBS volumes, EBS Snapshots). Source: Amazon]
[Figures omitted. Sources: McAfee; Application Security; Oracle]
• Securing Relational Cloud-Based DB Solutions
– IaaS
• Database
– LAMP Stack & phpMyAdmin Scenario:
» Setup VPC Public & Private via NAT
» Setup App Security Group
» Build Public App Instance on EC2 w/ LAP & phpMyAdmin
» Setup DB Security Group w/ App Security Group Added
» Build Private MySQL DB Instance on EC2 w/ Encrypted EBS
» Leverage CloudWatch for App & DB Instances
• Securing Relational Cloud-Based DB Solutions
– IaaS
• Storage
– PKI Encryption Key Management
– Logical Access Controls
» RBAC Groups (OpenStack Swift)
– Authentication, Authorization & Accounting (AAA)
» IAM
– Monitoring
– Information Governance
» Lifecycle
• Securing Relational Cloud-Based DB Solutions
– IaaS
• Database
– IAM
» Federated Identity
- Security Assertion Markup Language (SAML)
- Open Authorization (OAuth)
- Representational State Transfer (REST)
- AWS IAM
- Windows Azure Access Control Service (ACS)
- Web Services – Trust Language (WS-Trust)
- Active Directory Federation Services (ADFS)
- Microsoft Federation Gateway (MFG)
[Figures omitted. Sources: OASIS; Intuit; OASIS; Apache; OASIS; Microsoft; Chappell & Associates; Microsoft]
Securing Databases in the Cloud
• Securing Relational Cloud-Based DB Solutions
– IaaS
• Application & Middleware
– WAF / Proxy
– XML Firewall
– SDL
– SAST
– DAST
• Securing NRDBMS Cloud-Based DB Solutions
– General
• Focus on Application / Middleware-Level Security
– SQL Injections Are Still Possible
– Leverage Application IAM for NRDBMS URM
– Leverage Application & System Logging for AAA
• Segregation of Duties
– Read / Write Namespaces
– Read-Only Namespaces
– Specific
• Document
– Consistency Assurance
• Key / Value
– Ensure Referential Integrity
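An added example (not from the deck) of the first point above, that injection is still possible without SQL: a document-store style filter, of the kind an application in front of MongoDB or CouchDB builds from request JSON, picks up query operators when values are passed through untyped. The matcher, the collection and the requests are constructed stand-ins, so no database is needed.

```python
import json

# Constructed sample collection; the api_key values are placeholders.
USERS = [
    {"username": "alice", "api_key": "key-alice", "role": "admin"},
    {"username": "bob", "api_key": "key-bob", "role": "user"},
]


def _matches(doc: dict, flt: dict) -> bool:
    """Tiny stand-in for a document-store filter: exact match on scalars,
    plus the $ne and $gt operators when the filter value is a dict."""
    for field, cond in flt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    if value == arg:
                        return False
                elif op == "$gt":
                    if value is None or not value > arg:
                        return False
                else:
                    raise ValueError("unsupported operator " + op)
        elif value != cond:
            return False
    return True


def find(collection: list, flt: dict) -> list:
    """Return every document of the collection that satisfies the filter."""
    return [doc for doc in collection if _matches(doc, flt)]


def contains_operator(obj) -> bool:
    """True if any key anywhere in a decoded request body starts with '$'."""
    if isinstance(obj, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_operator(v) for v in obj)
    return False


def lookup_unsafe(body: str) -> list:
    """Decoded JSON values go straight into the filter. A body whose api_key is
    {"$ne": ""} turns the key check into 'any non-empty key' and matches alice."""
    req = json.loads(body)
    return find(USERS, {"username": req["username"], "api_key": req["api_key"]})


def lookup_safe(body: str) -> list:
    """Two defences: reject operator keys in the body outright, and only let
    plain strings reach the filter, so a dict can never become an operator."""
    req = json.loads(body)
    if contains_operator(req):
        return []
    username, api_key = req.get("username"), req.get("api_key")
    if not isinstance(username, str) or not isinstance(api_key, str):
        return []
    return find(USERS, {"username": username, "api_key": api_key})


if __name__ == "__main__":
    probe = '{"username": "alice", "api_key": {"$ne": ""}}'
    print(lookup_unsafe(probe))  # alice's record, without the key being known
    print(lookup_safe(probe))    # []
    print(lookup_safe('{"username": "alice", "api_key": "key-alice"}'))  # alice's record
```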
• Privacy & Data Protection for Cloud-Based DBs
– Jurisdictions*
• Regional: EU DPA
• National: PIPEDA, GLBA, HIPAA / HITECH, COPPA, Safe Harbor
• Statutory: Bavarian, CA SB 1386 / 24, MA 201 CMR 17, NV SB 227
– Data Flow & Jurisdictional Adherence
• Data Sharing with Third Parties
– Pseudonymization / De-Identification
• Consent & Notices
– Contract Clauses
• Model Contracts
– Privacy Best Practices
• Generally Accepted Privacy Principles (GAPP)
* Not all inclusive.
• Case Study: MySQL & SimpleDB in the Cloud
– Background
• SMB Healthcare Service Provider (HIPAA Business Associate)
• Providing Services for Larger HIPAA Covered Entities
• Fall 2011 Project
– Drivers
• Cost Savings
• HIPAA / HITECH Compliance
• More Cost Effective & Simplistic BCP / DRP Planning
• Parse Out Non-Protected Health Information (PHI)
• Case Study: MySQL & SimpleDB in the Cloud
– Technologies
• AWS:
– EC2
– EBS
– Simple Storage Service (S3)
– SimpleDB
• Linux (Ubuntu AMI), Apache, MySQL, & PHP (LAMP) Stack
• OpenLDAP
• Splunk
– Limitations
• Skill-Sets (AWS EC2, SimpleDB)
• Risk Posture
• Vendor Management
• Case Study: MySQL & SimpleDB in the Cloud
– Risks
• Vendor Lock-In
– AWS EC2 and / or SimpleDB
• Legal Concerns
– Lack of Bargaining Power
– Service Level Agreements (SLAs)
• Data Security & Privacy Concerns
– Geographic Jurisdiction
• Business Continuity / Availability
– DataCom Circuits
• Variable Costs
– Data Transfer
• Case Study: MySQL & SimpleDB in the Cloud
– Lessons Learned
• Cloud Strategy / Roadmap Matters
• Availability Issues w/ SimpleDB
• Learning Curve
– SimpleDB
– Elastic Block Store (EBS)
• Not as Cost Effective as First Thought
– Backups & S3
– Next Steps
• Leveraging NoSQL for More Log Data
• Enhanced use of Splunk for SIEM
• Splunk to the Cloud (on AWS EC2)
• Presentation Take-Aways
– Databases in the Cloud are Here to Stay
– Secure Cloud-Based DBs Through Defense-in-Depth
» Application / Database
» Middleware
» OS
» (Virtual) Infrastructure
– Stay Abreast of New Technologies / Services
» Big Data
» Federated Identities
• Questions?
• Contact
– Email: steve@ncontrol-llc.com
– Twitter: markes1
– LI: http://www.linkedin.com/in/smarkey
– CSA-DelVal: http://www.csadelval.org/


Editor's Notes

  • #34 Veracode, Acunetix
  • #35 modsecurity ZED Proxy
  • #49 http://qugstart.com/blog/amazon-web-services/how-to-set-up-db-server-on-amazon-ec2-with-data-stored-on-ebs-drive-formatted-with-xfs/ Here’s the procedure I decided on. It involves symlinking MySQL config files and data directories onto the EBS volume. Another trick I used, because I needed to migrate about 20 GiB of data to get started, was that I initially set up an “X-tra large” instance, with 10 GiB of RAM, to handle the data import. After the data was migrated and imported to my database, I simply terminated my X-Large instance and spun up a small instance connected to the same EBS volume! All the databases were preserved nicely and I did not have to waste money paying for an X-Large instance anymore. This exemplifies the value of thinking in the “cloud” mindset – where you can spin up and down servers in a matter of seconds! Hope this article helps someone else out there!
  • #65 realm