We've been asked to explore the risk profile of migrating proprietary databases (no PII) to the AWS cloud. What additional security controls should be considered versus a traditional database migration, and are there additional AWS security mechanisms that can/should be applied?
When migrating proprietary databases to any cloud environment, enterprises should certainly maintain standard database security practices related to authentication, authorization, server hardening and separation of duties with regards to database administrators.
If you are managing your own database server on EC2 rather than using a database service, harden it as you would on premises: run only the services the database needs, remove compilers and other build tools, close unused network ports, keep the number of accounts with login access to a minimum, and restrict remote connections to trusted servers (on AWS, security groups give you a second, host-independent place to enforce that restriction). Then run a vulnerability scanner against the result to catch anything you missed. Note: AWS publishes a penetration testing policy; at the time of writing it asked customers to notify Amazon before running vulnerability scans or penetration tests, since from the outside that traffic looks like an actual attack. Check the current policy before you scan.
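As an added example (not code from the original article), the POSIX shell script below turns three of the hardening checks above into repeatable audits: accounts that can log in interactively, listening sockets reachable from off the host that are not on an allow-list, and build tools left on the machine. Each function reads a file so it can be run against live output (`ss -tln`, `/etc/passwd`) or saved copies; the `--live` switch, the `ALLOW_PORTS` variable and the sample inputs used in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: offline checks for the database host hardening steps above.
# Functions take their input as files so the same logic works on live output
# (e.g. `ss -tln > listeners.txt`) or on copies pulled from many hosts.

# Accounts that can log in interactively: a real shell and a UID of 0 or
# >= 1000 (the conventional range for human users). Daemon accounts with
# nologin/false as a shell are ignored. $1 = passwd-format file.
interactive_users() {
    awk -F: '($7 !~ /(nologin|false)$/) && ($3 == 0 || $3 >= 1000) { print $1 }' "$1"
}

# Listening TCP sockets bound to a non-loopback address whose port is not on
# the allow-list. $1 = file with `ss -tln` output, $2 = allowed ports,
# space separated (e.g. "22 1521" for SSH and an Oracle listener).
unexpected_listeners() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                         # Local Address:Port column
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            if (host ~ /^(127\.|\[?::1\]?$)/) next   # loopback only: fine
            if (!(port in ok)) print addr
        }' "$1"
}

# Build tools a hardened database host should not carry. $1 is a PATH-style
# list of directories to search (pass "$PATH" on a live host).
compilers_present() {
    for dir in $(printf '%s' "$1" | tr ':' ' '); do
        for tool in gcc cc g++ make; do
            [ -x "$dir/$tool" ] && echo "$dir/$tool"
        done
    done
    return 0
}

# Live run on a host (assumed invocation): sh harden-check.sh --live
if [ "${1-}" = "--live" ]; then
    echo "== accounts with interactive login =="
    interactive_users /etc/passwd
    echo "== non-loopback listeners not on allow-list (ALLOW_PORTS) =="
    ss -tln > "/tmp/listeners.$$" && unexpected_listeners "/tmp/listeners.$$" "${ALLOW_PORTS:-22}"
    rm -f "/tmp/listeners.$$"
    echo "== compilers on PATH =="
    compilers_present "$PATH"
fi
```

Anything the script prints is a finding to justify or remove; an empty report for the second and third checks is the goal state, and the first should list only the administrators you expect.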
If you are migrating to Amazon Relational Database Service (RDS), Amazon patches the operating system and the database engine for you; you choose the maintenance window in which those patches are applied, and you remain responsible for everything above that layer: the security groups that restrict which hosts can reach the database port, encryption of storage and snapshots, and the accounts inside the database itself. You will therefore still need to set up authentication and authorization, at two levels. AWS Identity and Access Management (IAM) governs the AWS API, that is, who may create, modify, snapshot or delete instances, while logins to the database engine are defined inside the engine just as they were on premises. Decide whether to use IAM users and roles directly or to federate your existing Active Directory; see the AWS blog for tips on federating IAM and Active Directory.
Enterprises should also consider using Amazon CloudWatch to monitor activity on database servers; RDS instances publish metrics such as NetworkReceiveThroughput and NetworkTransmitThroughput without any agent. A sudden rise in network traffic can be a sign of unauthorized access or a bulk download, or simply a new use case in which end users run new, large reports. The metric alone cannot tell the two apart, so pair it with the database's own audit or query logs (and with AWS CloudTrail for changes made through the AWS API) to confirm which it is. In either case, monitoring services give your enterprise a heads up on migration security issues that might need attention when moving a proprietary database to the cloud.
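To make the "unusual traffic spike" idea concrete, here is an added example (not from the original article) that flags outliers in a series of RDS network throughput datapoints. The median of the series is used as the baseline rather than the mean, so one large spike does not drag the baseline up and hide itself. The datapoints are constructed sample data in the format the AWS CLI produces with the `--query`/`--output text` flags shown in the comments; the instance name, the factor of 3, the alarm threshold and the SNS topic ARN are assumptions.

```shell
#!/bin/sh
# Added example: spot spikes in an RDS network metric exported from CloudWatch.
# Input lines are "ISO-timestamp value" (bytes/second per period), e.g. from:
#   aws cloudwatch get-metric-statistics --namespace AWS/RDS \
#     --metric-name NetworkReceiveThroughput --statistics Average --period 300 \
#     --dimensions Name=DBInstanceIdentifier,Value=<instance> \
#     --start-time <iso> --end-time <iso> \
#     --query 'Datapoints[].[Timestamp,Average]' --output text

# Print every datapoint whose value exceeds FACTOR times the median of the
# series. $1 = data file, $2 = factor (default 3). Output is sorted by time.
spikes() {
    sort -k2,2n "$1" | awk -v factor="${2:-3}" '
        { ts[NR] = $1; v[NR] = $2 }
        END {
            if (NR == 0) exit
            # input arrives sorted ascending by value, so the median is the
            # middle element (or the mean of the two middle elements)
            if (NR % 2) median = v[(NR + 1) / 2]
            else        median = (v[NR / 2] + v[NR / 2 + 1]) / 2
            for (i = 1; i <= NR; i++)
                if (median > 0 && v[i] > factor * median) print ts[i], v[i]
        }' | sort
}

# Constructed sample: 5-minute averages for one instance, with a single spike
# at 00:25 that is roughly twelve times the normal level.
sample_data() {
    cat <<'EOF'
2015-11-02T00:00:00Z 48210
2015-11-02T00:05:00Z 50133
2015-11-02T00:10:00Z 47980
2015-11-02T00:15:00Z 51400
2015-11-02T00:20:00Z 49875
2015-11-02T00:25:00Z 610340
2015-11-02T00:30:00Z 48660
2015-11-02T00:35:00Z 50022
EOF
}

# Production equivalent: have CloudWatch evaluate the threshold continuously
# (the threshold is derived from a baseline like the one above; the SNS topic
# ARN is a placeholder, as is <instance>):
#   aws cloudwatch put-metric-alarm --alarm-name rds-network-spike \
#     --namespace AWS/RDS --metric-name NetworkReceiveThroughput \
#     --statistic Average --period 300 --evaluation-periods 2 \
#     --threshold 150000 --comparison-operator GreaterThanThreshold \
#     --dimensions Name=DBInstanceIdentifier,Value=<instance> \
#     --alarm-actions arn:aws:sns:us-east-1:123456789012:security-alerts

# Demo on the constructed sample (assumed invocation): sh spikes.sh --demo
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp); sample_data > "$f"; spikes "$f" 3; rm -f "$f"
fi
```

On the sample, the only line reported is the 00:25 datapoint; what the script cannot tell you is whether that was an exfiltration or a new report, which is exactly why the metric needs to be correlated with the database's own logs before anyone is paged.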