Protecting Your Cloud-Based Relational Databases

As more enterprises move more sensitive data to the cloud, how you secure  and protect your public cloud services and resources is critical. While Amazon does a stellar job of securing the underlying server hardware and software as their part of the Shared Security Model, securing what you put “in the cloud,” or the services you set up on the infrastructure they provide, is your responsibility.

What is RDS?

Amazon Relational Database Service (Amazon RDS) enables you to easily set up, operate, and scale a relational database in the cloud. It automates administrative tasks, often time-consuming, such as hardware provisioning, database setup, patching and backups and providing cost-efficient and resizable capacity.

In a nutshell, Amazon RDS can free you up, or your team, to focus on delivering the availability, performance, and security expected of your applications, rather than on database administration.

Amazon RDS enables you to quickly provision and run any relational database you want in the cloud, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server, and makes it easy for you to migrate or replicate your existing databases to Amazon RDS with the AWS Database Migration Service.

What are the Risks to a Misconfigured RDS?

One of the common uses of RDS is doing a lift-and-shift from a private datacenter – with all of its traditional security controls such as network and application firewalls – to AWS, with its comprehensive but hard to configure security controls. While you may accomplish this quickly, you may overlook security issues because you’re dealing with a new environment where security controls are implemented differently.

When it comes to database security, you need to worry about all 3 major infosec concepts: confidentiality, integrity, and availability. You don’t want hackers stealing critical data such as credit card numbers, personally identifiable information, healthcare records, and the like, so you need to make sure that information is kept confidential. But stealing data isn’t the only concern, hackers may also modify the data to suit their nefarious purposes, to essentially trick the application into benefiting them in some way. So you must also ensure that the data’s integrity is maintained, i.e., that it cannot be modified without detection.

Lastly, if the information isn’t available, your application is effectively down, costing you customers and money. That’s why you need to make sure your databases are available all the time.

If you lose a mission-critical database, you may never be able to fully recover, so proper configuration is essential.

What are the Risks to a Misconfigured Amazon RDS?

• If your databases are accessible from the Internet, then they’re open to being probed and potentially attacked. For example, using default ports makes it easy for attackers to know when they’ve found a database and identify what service you’re using based on the port its running on. The reason the port may be left at default is as simple as someone forgetting to change it to a non-standard port, which is the suggested best practice.
• Leaving your data unencrypted while at rest, or in transit, leaves it open to be stolen if attackers are able to access the communications or storage facilities.
• If your database is destroyed or deleted, you lose all that data or have to take the time to restore it.
• If potentially malicious activities against a RDS instance are not being logged, you will not have necessary visibility and you won’t be able to defend against it.

How Does Halo Cloud Secure Help?

Halo checks, monitors and alerts you so you can ensure your RDS is:

• Encrypted so your data is protected
• Not publicly accessible, due to open port(s)
• Not using default ports that can be easily probed and attacked
• Configured properly for automatic database backups
• Logging events against your RDS instance and notifying you if somebody is trying to connect to it maliciously.

Learn more about how Halo Cloud Secure can help you reduce your AWS attack surface. You can also request a customized demo.