Explainer Series: RDaaS Security and Managing Compliance Through Database Audit and Monitoring Controls

As organizations move to cloud database platforms they shouldn’t forget that data security and compliance requirements remain an obligation. This article explains how you can apply database audit and monitoring controls using Imperva SecureSphere V13.2 when migrating to database as a service cloud offering.

Introduction to RDaaS

A Relational Database as a Service (RDaaS) provides the equipment, software, and infrastructure needed for businesses to run their database in a vendor’s cloud, rather than putting something together in-house. Examples of RDaaS include AWS Relations Database Services (RDS) and Microsoft Azure SQL.

Benefits of RDaaS adoption

The advantages of RDaaS adoption can be fairly substantial. Here are just a few of the benefits:

  • Allows you to preserve capital rather than using it for equipment or software licenses and convert IT costs to an operating expense
  • Requires no additional IT staff to maintain the database system
  • Resiliency and dependability are guaranteed by the cloud provider

Who is responsible for cloud-based DB security?

From a high-altitude viewpoint, cloud security is based on a model of “shared responsibility” in which the concern for security maps to the degree of control any given actor has over the architecture stack.  Using Amazon’s policy as an example, Amazon states that AWS has “responsibility for the security of the cloud,” while customers have “responsibility for security in the cloud.”

What does that mean for you?  It means cloud vendors provide the tools and services to secure the infrastructure (such as networking and compute machines), while you are responsible for things like application or database security. For example, cloud vendors help to restrict access to the compute instances on which a database is deployed (by using security groups/firewalls and other methods); but they don’t restrict who among your users has access to what data.

The onus is on you to establish security measures that allow only authorized users to access your cloud-database— just as with a database in your own “on-premises” data center – and you control what data they can access. Securing your data and ensuring compliance in on-premises data centers is typically done by database activity monitoring against the database and fortunately, similar measures can be deployed in the public cloud as well.

How Imperva SecureSphere ensures compliance and security in the cloud

The benefit that a solution such as Imperva SecureSphere Database Activity Monitoring (DAM) provides is integrating the oversight of an RDaaS into a standardized methodology across all enterprise databases.  With SecureSphere, here are some things you can do to ensure the security of your data in the cloud:

Monitor cloud database services

Migrate data to the cloud without losing visibility and control. SecureSphere is a proven, highly scalable system that covers dozens of on-premises relational database types, mainframe databases, and big data platforms.  It has been extended to support Amazon RDS and Azure SQL RDaaS databases too. SecureSphere enables you to always know who is accessing your data and what they are doing with it.

Unify monitoring policy

Implement a common security and compliance policy for consistent oversight and security across all on-premises and cloud databases. SecureSphere uses the policy to continuously assess threats and observe database user activity – and detects when the policy is violated – alerting you of critical events such as risky user behavior or unauthorized database access.

Automate compliance auditing processes

Demonstrate proof of compliance and simplify audits by consolidating audit log collection and reporting across all monitored assets. SecureSphere makes all the log data available to a central management console to streamline audit discovery and produce detailed reports for regulations such as SOX, PCI DSS and more.

Asses vulnerabilities and detect exposed databases

SecureSphere Discovery and Assessment streamlines vulnerability assessment at the data layer. It provides a comprehensive list of over 1500 tests and assessment policies for scanning platform, software, and configuration vulnerabilities. Assessment policies are available for Amazon RDS Oracle and Postgress RDaaS as well as  Microsoft Azure SQL.  More will soon be available.  The vulnerability assessment process, which can be fully customized, uses industry best practices such as DISA STIG and CIS benchmarks.

Support Hybrid Clouds

While many organizations now pursue a “cloud first” policy of locating new applications in the cloud, few are in a position to move all existing databases out of the data center, so they usually must maintain a hybrid database estate – which SecureSphere gracefully supports.
For some customers, it may be worth deploying SecureSphere on the RDaaS vendor’s infrastructure when monitoring large databases, to optimize for cost and performance.  SecureSphere is available vendor appropriate virtual instances for both AWS and Azure, deployable individually or in HA configurations.

There is a critical need for visibility across an organization’s entire application and data infrastructure, no matter where it is located. Imperva SecureSphere provides a platform to incorporate oversight of RDaaS instances into a broad enterprise compliance and security lifecycle process.
Learn more about how Imperva solutions can help you ensure the safety of your database and enterprise-wide data.

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.