My organization is looking to deploy databases in Amazon Web Services. From a security standpoint, what is the safest AWS database option? Are there scenarios when a particular database would be more beneficial security-wise to an enterprise?
Amazon offers a number of database options. The best option should be determined by your enterprise's data and application requirements, and not just based on security. There are, however, several things to consider from a security perspective.
All AWS database offerings run on the Amazon infrastructure and have the same types of physical security; there is no advantage of one type of database over the others from a physical security perspective.
However, a key decision when choosing a cloud database is whether to use a database as a service or to administer your own database on Amazon virtual machines. Amazon offers Oracle, MySQL and SQL Server as part of its Relational Database Service (RDS). With RDS, customers can create databases using well-established relational database management systems (RDBMSes). End users have full control over the data model and user-level access to the database. Amazon, however, is responsible for patching database software and managing database administration tasks. In addition to RDS, Amazon recently announced a highly scalable version of MySQL called Aurora. Redshift is another database service for deploying data warehouses in the cloud; it is based on PostgreSQL and optimized for business intelligence and analytic workloads.
One advantage of using a database service such as Redshift is that its database is configured for security by Amazon. Redshift, for example, runs on servers that do not have open SSH ports. There is no need for database administrators to harden the OS or RDBMS when using a database service. If the configuration of database services meets your security requirements as well as your data management needs, then it should be considered as an option.
Regardless of whether you use a database service or run your own database, you will be responsible for key security controls, such as authorizing users, classifying data and establishing disaster recovery plans. You will also need to monitor security-related events for any database. If data leaks are a particular concern, consider using a cloud access security broker to employ additional security measures.
Also, be sure to plan for securing exports and backups. Sensitive data downloaded from the cloud should be encrypted when in motion as well as when stored on storage systems hosted on premises or other platforms, such as mobile devices.
Ask the Expert:
Want to ask Dan Sullivan a question about cloud security? Submit your questions now via email. (All questions are anonymous.)