Data encryption with VM access – Using secure, encrypted drives at the data storage layer, backed by key management systems, is a must for maximizing security, they said. Another way to strengthen encryption in distributed cloud applications is to gain access to the virtual machine (VM) layer as well as the database engine.
That can be challenging when using public cloud database services, which often restrict access to the database engine and VM layer.
Kaminski and Kelly recommend organizations consider the level of access needed to maintain a strong security posture when evaluating database-as-a-service or managed database solutions.
“With that access, you can implement all the available Oracle encryption capabilities to maximize your protection. It’s the same with other database engines from other vendors.”
Network segmentation – Even with apps that run in containers, which isolate each microservice, networks should be segmented, Kaminski and Kelly agreed. The reason is that attackers can locate and compromise applications using port-scanning techniques. They noted that network segmentation provides an additional layer of physical or logical isolation that limits the lateral movement of attackers, even if they succeed at compromising one segment.
Microservices segmentation rules, distributed across different servers or containers, should be accompanied by least-privilege access rules, the experts added. This way, they said, no person, application or process has access to the data except those that require it.
Regular patching regimen – Patching databases and other apps against new and evolving vulnerabilities remains essential. Yet Kaminski noted that many IT teams do not patch their databases often enough to keep up with cyber threats. On a broader scale, a 2022 Ponemon Institute survey revealed that 60% of breach victims said their breach’s cause was an unpatched known vulnerability.
In the database world alone, thousands of vulnerabilities have been identified, and sometimes hundreds are uncovered for a single database engine. Attackers are also using newer versions of older attacks, capitalizing on identification and authentication failures and on software and data integrity gaps to steal data or bring entire applications down.
Automation with a golden image – “The biggest friction point we see is between development teams and DBAs,” or database administrators, said Kaminski.
“Developer requests for copies of databases or patches against common vulnerabilities take DBAs’ time away from running business-critical workloads, tuning the databases, and optimizing the data structures.”
The solution, he suggested, is to automate security wherever possible so that it’s consistently applied. One way to do that is by deploying a golden image of a database or other application that has already been hardened with the right security settings, encryption, segmentation and the latest patches.