The Complete Guide to Securing Amazon RDS Databases | HexaTier
© All rights reserved to HexaTier

Table of Contents
Background
Introducing HexaTier
AWS Shared Security Responsibility Model
Amazon RDS Security
  The Network Level
  The User Level
  The Database Level
The Database Firewall
  Network Isolation
  Monitoring
  Auditing
  Database Activity Monitoring
Sensitive Data Discovery
Data Encryption
  In-Transit Encryption
  At-Rest Encryption
Dynamic Data Masking
Database Authentication
  Access Management
SQL Injection Attacks
Database Compliance Reports
  Role Management
  Tracking at the RDS API Level
  Tracking Changes at the Database Level

Background
As more companies use Amazon Web Services (AWS), it is the organization's responsibility to make sure that its sensitive data is kept as secure as possible. According to the AWS shared security responsibility model, "While AWS manages the security of the cloud, security in the cloud is the responsibility of the customer." This dictates which security controls are AWS' responsibility and which are the customer's. Large public data breaches are usually the result of inadequate security measures at the customer level.

Organizations must understand the shared responsibility portion of working with AWS and what it requires. An organization's data is only as secure as the organization makes it. Even if the public cloud being used is secure, data may be exposed or at risk from other internal or external attacks. Organizations need to plan and secure their data to prevent security problems. This includes considering a third-party security solution to flush out the problem areas.

In this paper, we discuss in detail the security controls that AWS offers as part of its shared security responsibility model on Amazon RDS. In addition, we explain how HexaTier's unified database security and compliance solution provides the perfect match for ensuring that security in the cloud is covered, helping you protect the database and meet more stringent compliance requirements.
Introducing HexaTier
HexaTier provides a unified database security and compliance solution for databases running on Amazon Web Services (AWS) RDS and EC2. With a software-based approach, HexaTier offers a scalable and agile solution that is easy to install, operate and maintain, providing stronger security on and off the cloud in a single solution with four key features: database security, discovery of sensitive data, database activity monitoring and dynamic data masking.

Screenshot 1: HexaTier's unified database security and compliance solution, compatible with protecting AWS EC2 and RDS databases.

AWS Shared Security Responsibility Model
AWS secures the underlying infrastructure, while the customer is responsible for securing the operating systems (OS), platforms and data. It is up to the customer to secure their passwords and administrative access assignments. For AWS managed services like Amazon's Relational Database Service (Amazon RDS), the shared security model falls under what AWS calls container services. In this model, AWS is responsible for handling basic security tasks such as the guest OS, the AWS infrastructure and the AWS foundation services, security patching, firewall configuration and disaster recovery.

Figure 1: AWS Shared Security Responsibility Model

Amazon RDS Security
Data integrity, privacy, and security are of utmost importance to every large organization. So how do you prevent others from accessing data in an unauthorized manner? With managed services like Amazon RDS, you need to protect your AWS account credentials with Amazon Identity and Access Management (IAM) so that you can implement segregation of duties. Organizations should also use multi-factor authentication (MFA), require SSL/TLS for communication with AWS resources, and set up API/user activity logging with AWS CloudTrail.
Amazon RDS has implemented multiple features that can improve the reliability and availability of production databases, such as database security groups, permissions, SSL connections, automated backups, database snapshots, and multi-AZ deployments. What's more, users can configure RDS inside VPC private subnets for increased security and data isolation. For starters, when you create a database instance within Amazon RDS you need to ensure that you can control access to it.

Screenshot 2: Amazon's RDS dashboard: the launch of database instance configuration and security and network details.

AWS provides a number of security levels, from the network and user level to the database itself.

The Network Level
Amazon RDS is supported by AWS security groups to prevent any unauthorized connections, based on IP address ranges or EC2 security groups, within the same and different AWS accounts. The Amazon RDS account owner can configure which requests from specific IP addresses or security groups are allowed access to the database. This feature is explained in detail under the Database Firewall's Network Isolation section, yet it still leaves a lot to be desired in various situations, such as:
1. Someone gaining access to a computer within an allowed IP range
2. Someone accidentally deleting data

The User Level
AWS provides the IAM service, which enables you to securely control Amazon RDS operations and resources (i.e. security groups, databases, and configuration parameters) based on user-defined policies. IAM allows you to configure different policies, templates, users, and groups for access management, and to enable multi-factor authentication (MFA), which is supported by RDS. This adds a layer of security for authorization.

The Database Level
In databases, access to different kinds of operations and tables should be managed by database master users.
These users have associated usernames inside the database, which are only allowed access to the tables and database objects necessary to perform their respective duties. Creating an RDS instance by default creates an Amazon RDS database along with one master user and password. However, you can use database-specific tools to create the additional users and objects required for your application.

The database administrator can also enforce SSL-only connections from inside the database. Connection and data encryption are discussed in detail in the Data Encryption section.

The Database Firewall
Database firewalls are installed on the servers that host the database in order to monitor and audit activities and prevent unauthorized activities at the OS and database levels. The firewall is preconfigured with common attack signatures for preventing attacks, or for alerting the database administrator/owner of an attack. It also acts as an isolating agent, as it blocks the database off from unwanted or unauthorized incoming connections.

Amazon RDS is a managed database service, meaning there is no physical access to the machines or the database. Therefore, it is recommended to install a third-party firewall solution on a separate virtual machine for monitoring and blocking all SQL attacks targeting the RDS instance.

HexaTier's Database Security feature includes the implementation of a database firewall, SQL injection prevention, segregation of duties, and database access control tools. In effect, it helps mitigate attacks against the database by utilizing reverse proxy technology, ensuring that there is no unauthorized communication with the database server. Furthermore, it offers enhanced SQL injection detection and prevention features and provides database access control for selected administrative levels, delivering a complete solution for monitoring and controlling the flow of information.

Using HexaTier's Database Firewall ("Protected Database"), administrators can define granular permissions based on any combination of database user or Active Directory users/groups, IP address, client application and time of day. The database firewall prevents information theft and enables compliance with regulations such as PCI, SOX, HIPAA and others. The policy can be enforced on an instance, database, table, or even a specific query or stored procedure. Direct access to the database system is prevented by HexaTier, stopping any attack which attempts to exploit vulnerabilities in the operating system and third-party applications. Problematic or suspicious requests are prevented from reaching the database.

Screenshot 3: HexaTier's Protected Database Server feature uses a patented reverse proxy architecture for setting up databases and proxies.

Network Isolation
For additional network access control, the Amazon RDS console has a security group link on the left-hand side. This helps to manage two different access types to the database:

CIDR/IP Access: The database is accessible from an IP address or IP address range given in the security group. However, this doesn't work well with cloud infrastructures for the following reasons:
1. Dynamic IP address allocation to servers in the cloud.
2. A shared physical host, which gives access to other unwanted applications on the host.

EC2 Security Group: This option makes your database accessible to the EC2 instances that are part of the security group. This partially solves the limitation mentioned above, but there is still the problem of integrating with other cloud infrastructures or service providers, like Heroku.
Moreover, you can also use Amazon Virtual Private Cloud (VPC) for additional network access control. A VPC can be created to isolate an infrastructure that consists of databases from direct access to the internet, and acts as an organization-level firewall. Create the RDS instance in a private subnet along with a virtual private gateway to extend your organization's network to the cloud. The VPC security group and network ACL should also be used to control inbound and outbound traffic.

Monitoring
Amazon CloudWatch provides monitoring functionality for operational and performance metrics for all AWS services. It is useful in cases like DDoS attacks, or other cases when there is a sudden surge in your database usage. You can also enable notifications for RDS events that belong to the following source types:
  Database Instances
  Database Snapshots
  Database Security Groups
  Database Parameter Groups

Many event categories are available in the source types mentioned above. As a user, you can subscribe to different source categories to receive notifications of relevant events. These functionalities are also available through the command line interface (CLI), so users can create custom scripts for taking automated actions on notifications. It is recommended that users also set up CloudWatch alarms to get notifications for any performance changes in the database.

Auditing
Amazon CloudTrail enables auditing functionality for all AWS services by giving users their API call history and related events for their AWS accounts. The image below gives a comprehensive understanding of how the CloudTrail service works inside AWS.
CloudTrail provides the following functionalities, which are required to comply with most regulations and laws:

Controlled Access to Log Files: Users can leverage the IAM service and S3 bucket policies to manage and control access to log files.

Alerts for Log File Creation and Misconfiguration: Users can leverage the SNS service for real-time notifications regarding the creation of new logs or misconfiguration of logging, which may result in improper logging.

Manage Changes to AWS Resources and Log Files: CloudTrail produces log data on system change events to enable monitoring of events and an effective post-mortem of any operational issue.

Log File Storage: Log files can be stored for any period of time in compliance with the user's IT policy. Additional cost savings can be achieved by moving logs to cold storage archives, like Amazon Glacier.

Generate Customized Reports for Log Data: CloudTrail generates logs with over 25 different fields for further analysis.

Users can also use the database logs that are available via the RDS APIs or the RDS console. These logs can be used for diagnosing, troubleshooting, and fixing database configuration and performance issues.

Database Activity Monitoring
Database Activity Monitoring consists of auditing, analyzing and monitoring database access and activities to prevent unauthorized access or loss of data integrity. Database activity monitoring is independent of the actual database and doesn't rely on the database for auditing or logs. Installing database activity monitoring software on Amazon RDS instances is not possible because users don't have access to the underlying EC2 instances. To perform this activity, you may need third-party applications, such as HexaTier.
With HexaTier's reverse proxy technology each and every query is inspected and audited; every administrative access and every access down to the column level is recorded according to the policy. It also alerts on unauthorized activities. A complete audit of all sensitive tables, including a "before and after" view of all changes made to a table or column and an indication of who made them, is provided by the Advanced Activity Monitoring option. This helps companies comply with key industry and government regulations, such as SOX, HIPAA, PCI DSS, and others. HexaTier's activity monitoring policy is granular, allowing activity monitoring rules to be set at the column level. Activity monitoring is also sometimes referred to as auditing.

Screenshot 4: HexaTier's dashboard shows granular monitoring rules down to the column level.

Sensitive Data Discovery
It is important that sensitive data is managed properly. Companies and organizations should know where their sensitive data is and control how it is stored. The AWS cloud infrastructure is designed to meet these requirements, as it is compliant with regulations such as PCI-DSS, HIPAA, SOC 1, 2, 3, etc. On the AWS customer's side, however, a proactive approach is required. Primarily, it is recommended that organizations regularly run software scans on their databases to automatically identify sensitive fields, enabling one-click activation of auditing and data-masking features for those fields. Once sensitive data is identified, you must decide whether to leave it in its secured location, move it, or delete it. It is also important to continuously and automatically run discovery tools to maintain control of the sensitive regulated data fields (i.e. SSN, credit card numbers, e-mails, passwords) based on regulations. HexaTier's discovery of sensitive data feature is the perfect fit for this situation.

The technology randomly scans a thousand rows from a database and analyzes the schema structure as well as the raw data retrieved (the data retrieved is not stored anywhere). The key purpose of this scan is to quickly determine which locations are considered "sensitive". In addition, IT and security teams can generate all the auditing and masking rules manually. Scanning can be performed in accordance with regulatory requirements and analyzed for compliance with SOX, HIPAA, PCI DSS, etc. Furthermore, customized sensitive-data definitions can be added by writing regular expressions. Scheduled scans of the content can be run according to date (once a day, once a week or once a month) or upon any schema change; any database changes that are detected will automatically trigger a scan.

Screenshot 5: HexaTier's discovery of sensitive data feature, set up in compliance with database regulatory requirements.

Data Encryption
Data encryption is of utmost importance in the cloud. To maintain the privacy and security of user data exposed to malicious attacks, you should encrypt all data, whether in transit or at rest.

In-Transit Encryption
To access AWS, users should always use secure HTTP (HTTPS) connections. All AWS services, including RDS, support HTTPS connections. Users can also disable unsecured connections to their databases from inside the database. This functionality is supported in the following databases:

MySQL: Users can only restrict connections to SSL from the MySQL console.
SQL Server: SQL Server supports SSL connections in all AWS regions.
PostgreSQL: PostgreSQL also supports SSL connections in all regions.
Oracle: Oracle RDS uses Oracle native network encryption.
Users add the native network encryption option to the relevant database option group to enable this feature.

SSL is used to encrypt data while in transit; however, it is not used for database authentication. SSL connections do have an added cost for encrypting and decrypting data, which increases latency for all operations.

At-Rest Encryption
A Transparent Data Encryption (TDE) facility is available on Amazon RDS for the following database engines:

Oracle: The Oracle Advanced Security option can be leveraged for the TDE and Native Network Encryption features. With TDE, data is encrypted before it is written to the database and decrypted just before it is returned.

SQL Server: SQL Server supports TDE for encrypting data at rest. This feature is available at no extra cost apart from what you pay for MS SQL Server on Amazon RDS. The encryption module creates the data encryption keys used to encrypt the database. The encryption keys are themselves encrypted by a periodically rotated 256-bit AES master key. This master key is unique to RDS and is stored separately under AWS' control.

Apart from Transparent Data Encryption, the only way to get encryption at rest is to encrypt data at the application level before writing it to the database. Users can selectively encrypt database fields using any standard encryption library (i.e. OpenSSL, Bouncy Castle). This kind of encryption disables range queries on the selected fields.

Dynamic Data Masking
Dynamic data masking means making data selectively available based on a user's authorization level, along with the level of confidentiality of the data being displayed. Where users are not authorized to see data, we can mask it using random characters or random data. We may also use other techniques, like obfuscation and scrambling of sensitive information, to prevent unauthorized access to data.
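A minimal response-side masker, added here as an illustration and not HexaTier's code: result rows arrive from the database unchanged and a per-column policy is applied before they reach the caller, using the masking techniques discussed in this section (masking out with substitute characters, substitution, nulling out, date variance and shuffling). The rows, column names, roles and policy are all constructed for the example.

```python
"""Response-based dynamic data masking (added example, not from the paper)."""
import random
from datetime import date, timedelta
from typing import Any, Optional


def mask_out(value: Optional[str], keep_last: int = 4, char: str = "*") -> Optional[str]:
    """Masking out: hide everything but the trailing characters (SSN, card number)."""
    if value is None:
        return None
    digits = value.replace("-", "").replace(" ", "")
    hidden = char * max(len(digits) - keep_last, 0)
    return hidden + digits[-keep_last:] if keep_last else hidden


def substitute_email(value: Optional[str]) -> Optional[str]:
    """Substitution: keep the domain (still useful for reports), replace the local part."""
    if value is None or "@" not in value:
        return value
    return "user@" + value.split("@", 1)[1]


def null_out(_value: Any) -> None:
    """Nulling out: the column is returned as NULL."""
    return None


def date_variance(value: date, rng: random.Random, days: int = 30) -> date:
    """Date variance: shift within +/- days so age bands survive but the exact date does not."""
    return value + timedelta(days=rng.randint(-days, days))


def shuffle_column(rows: list, column: str, rng: random.Random) -> None:
    """Shuffling: permute one column across the result set; values stay realistic
    but are detached from the row they belong to."""
    values = [r[column] for r in rows]
    rng.shuffle(values)
    for r, v in zip(rows, values):
        r[column] = v


def mask_response(rows: list, policy: dict, role: str,
                  unmasked_roles: frozenset = frozenset({"dba_audit"}),
                  seed: Optional[int] = None) -> list:
    """Apply the masking policy to a result set unless the caller's role may see raw data.

    The database's own rows are never mutated; the proxy works on a copy."""
    out = [dict(r) for r in rows]
    if role in unmasked_roles:
        return out
    rng = random.Random(seed)
    for column, technique in policy.items():
        if technique == "shuffle":
            shuffle_column(out, column, rng)
            continue
        for r in out:
            if column not in r:
                continue
            if technique == "mask_out":
                r[column] = mask_out(r[column])
            elif technique == "substitute":
                r[column] = substitute_email(r[column])
            elif technique == "null_out":
                r[column] = null_out(r[column])
            elif technique == "date_variance":
                r[column] = date_variance(r[column], rng)
            else:
                raise ValueError(f"unknown masking technique {technique!r}")
    return out


# Constructed sample result set, as the proxy would receive it from the database.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "email": "alice@example.com",
     "dob": date(1980, 5, 17), "salary": 70000, "password_hash": "$2b$12$placeholder1"},
    {"id": 2, "name": "B. Example", "ssn": "987-65-4321", "email": "bob@example.org",
     "dob": date(1975, 1, 3), "salary": 90000, "password_hash": "$2b$12$placeholder2"},
]

# Constructed policy: column -> technique, the kind of rule a discovery scan would seed.
POLICY = {"ssn": "mask_out", "email": "substitute", "password_hash": "null_out",
          "dob": "date_variance", "salary": "shuffle"}

if __name__ == "__main__":
    for row in mask_response(SAMPLE_ROWS, POLICY, role="developer", seed=7):
        print(row)
```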
Typically, dynamic data masking is not supported at the database level, since it is used to prevent unauthorized usage based on user/application authorization. Dynamic data masking techniques include:
  Substitution
  Shuffling
  Number and date variance
  Encryption
  Nulling out or deletion
  Masking out

With HexaTier's dynamic data masking, developers, testers, and administrators can access production and non-production databases without being exposed to sensitive data. The dynamic data masking feature is performed at runtime, dynamically and in real time, so there is no need for a second data source. This enables organizations to mask or randomize any sensitive information, such as Personally Identifiable Information (PII), accessed from application screens, reports, development and DBA tools, by dynamically masking information based on masking policies. No changes at the database or application layer are required.

Dynamic Data Masking works in two ways:
1. Request Based Masking: The query is received from the application and is rewritten with masking actions before being forwarded to the database in real time. The query the database receives includes the masking actions that the database is required to perform.
2. Response Based Masking: Using the reverse proxy, the request is sent to the database as is, and the returned data is masked in real time by HexaTier.

Figure 2: How HexaTier's Dynamic Data Masking feature works.

Screenshot 6: Dynamically masking sensitive data with HexaTier.

Database Authentication
Database authentication is the act of authenticating users that are trying to access the database. This ensures that a user can only perform the actions that he or she is authorized to perform.
We discuss two parts of authentication below.

Access Management
Database access management can be performed at the network level using a firewall, at the user level for access to the database, and as in-database access management. In-database access management is the most important part of database authentication. This feature relies on the underlying database engine and its capabilities to manage access to different database objects. This feature of Amazon RDS has been discussed in detail under The Database Level above. The AWS account owner can also create users and set policies using Amazon IAM to give users varied access, such as to modify the configuration, back up, or launch/terminate database instances.

HexaTier offers enterprises the option to move to DBaaS while maintaining their organizational policies. With the Database Authentication Proxy feature, users can configure the database instance (DBaaS or outside your AD network) with a single static and secure username and password, while HexaTier confirms the identity of any user trying to log on against the organization's AD/LDAP. When using HexaTier's patented Database Reverse Proxy technology, a transparent Database Authentication Proxy layer is created to authenticate domain users with the local AD/LDAP. It then creates a transparent connection and uses the configured username and password to connect to the external database.

Figure 3: How HexaTier's Database Reverse Proxy system authenticates domain users via the local Active Directory/LDAP, and transparently creates a connection with cloud-hosted or DBaaS platforms using a static username and password.

SQL Injection Attacks
SQL injection is the insertion of unwanted code by malicious parties into an application's SQL statement. It is used to leak or compromise data stored in SQL databases.
These kinds of attacks constitute a major portion of database attacks. Since Amazon RDS is a managed database service, SQL injection prevention falls under the responsibility of the end user. The list below outlines several steps that need to be taken in order to avoid SQL injection:

Secure Access: Use proper authentication and authorization to access RDS databases.

Application Level: Use prepared statements with databases instead of normal queries.

Access Management: Access management related audits are published to Amazon S3 using Amazon CloudTrail. Looking at Amazon IAM, one can audit the access granted to individuals.

Data Encryption (At-Rest and In-Transit): Only the intended audience should be able to read data. Users need to encrypt data at all times (i.e. at rest and in transit) to ensure that no one apart from the intended audience reads the unencrypted data.

Auditing: Auditing of all the different kinds of events is done by Amazon CloudTrail. These logs are saved securely in Amazon S3.

Back Up: An automatic backup facility is available for general use without extra charge in Amazon RDS. Backups are saved in Amazon S3 for a user-defined retention period of up to 35 days. A user-initiated backup facility, or snapshot facility, is also available, which can be leveraged to maintain a highly available cross-region system.

Disaster Recovery: In the worst-case scenario of a disaster, the data backups stored in Amazon S3 can be used for disaster recovery. Amazon S3 is a highly available system that maintains replicas on multiple devices and in multiple facilities across the Amazon S3 region.

Third Party Tools: Popular tools such as HexaTier can be used to avoid SQL injection. Amazon CloudTrail logs can be used to generate customized reports, and this task can be automated using Amazon OpsWorks.
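The "Application Level" step above, shown as an added example that is not from the paper: the string-built query beside its prepared-statement form. Python's standard-library sqlite3 stands in for the RDS engine so the example runs offline; MySQL and PostgreSQL drivers typically use a %s placeholder instead of ?, but the principle is the same, the statement is compiled first and the user-supplied value is bound afterwards, so it can never change the statement's structure. The table and rows are constructed.

```python
"""Parameterized queries versus string-built SQL (added example, not from the paper)."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema: two accounts, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("o'brien", "obrien@example.com")])
    return conn


def find_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the value is spliced into the SQL text, so any quote
    inside it is parsed as SQL syntax rather than as data."""
    sql = f"SELECT id, username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a prepared statement with a bound parameter. The engine
    compiles the statement with a placeholder and binds the value as a literal."""
    sql = "SELECT id, username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both variants on the same input and report what each returns."""
    conn = setup_db()
    try:
        unsafe = find_unsafe(conn, username)
    except sqlite3.Error as exc:          # a quote in the input broke the statement
        unsafe = f"error: {exc}"
    return {"unsafe": unsafe, "safe": find_safe(conn, username)}


if __name__ == "__main__":
    # A normal name, a legitimate name containing a quote, and a string that
    # turns the string-built WHERE clause into an always-true condition.
    for name in ("alice", "o'brien", "x' OR 'a'='a"):
        print(repr(name), "->", compare(name))
```

The safe variant returns exactly the row whose username equals the input (or nothing), whatever characters the input contains; the unsafe variant either errors on a legitimate apostrophe or returns every row.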
For additional protection, HexaTier's reverse proxy filters all traffic in and out of the database. This enables the identification and prevention of malicious attacks, so suspicious or dangerous queries never reach the database. Moreover, the SQL Injection Prevention heuristic mechanism searches for suspicious combinations of abnormal characters that appear within the query. This mechanism ranks the risk level of the query, and if the risk is higher than the predefined threshold, the specific query (not the entire connection) is automatically blocked and quarantined.

Screenshot 7: HexaTier's dashboard shows a detailed "intrusion log" with date, action, risk result, rule id, query pattern, etc.

Database Compliance Reports
Regulations like HIPAA, PCI-DSS, and other laws require parties collecting sensitive information to perform audits and generate compliance reports for data access over a period of time. Since AWS is a public cloud provider, it is very important that it enforces all mandatory checks and controls to meet the data security and compliance needs of all clients. It should not only protect secure data but also create a system to avoid any kind of unauthorized access, data leaks, and data disruption or destruction. According to AWS compliance, AWS provides assurance related to the underlying AWS infrastructure, while the AWS customer is responsible for the compliance initiatives related to anything placed on the infrastructure. The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards, and best practices.

Role Management
Every user has his or her own database username that is used to log into the system. This username is associated with a role inside the database which details its respective rights.
A user is allowed to perform any of the operations in the database that are permitted within the limitations of his or her rights. When generating a new EC2 instance in the database, a master user is created for database access and role management. This database user has all of the rights required for database administration and can create other users for access and role management.

AWS compliance programs and certifications:
  HIPAA
  SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
  SOC 2
  SOC 3
  PCI DSS Level 1
  ISO 27001
  FedRAMP(SM)
  DIACAP and FISMA
  ITAR
  FIPS 140-2
  CSA
  MPAA

Compliance Reports
Amazon RDS is compliant with PCI-DSS Level 1 and SOC, and is ISO 27001 certified. An organization can request the reports and certifications produced by AWS third-party auditors, who attest to the design and operating effectiveness of the AWS environment. In addition, organizations will need to provide a periodic report of their database administrators and their respective privileges, password rotation and policies, access, and actions taken.

Tracking at the RDS API Level
AWS provides CloudTrail as a complimentary service for tracking all kinds of user access and activities performed through the RDS APIs. These logs are saved in pre-configured S3 buckets, which again can be protected at two levels: the IAM level and the S3 bucket level. These logs come in the form of JSON with over 25 fields that provide every relevant detail about the logged activity. Users can further utilize these logs for generating customized compliance reports by writing scripts to parse or filter the logs.

Tracking Changes at the Database Level
AWS CloudTrail logs events for Amazon RDS API calls only. If an organization wants to audit actions taken on the database which are not part of the Amazon RDS API, such as users connecting to a database or changes within the database schema, the organization needs to use the monitoring capability of the database engine.
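Before turning to the engine logs, here is the kind of script the previous section refers to, added as an example that is not from the paper or HexaTier: it parses a CloudTrail log file (a JSON object whose "Records" list carries fields such as eventTime, eventSource, eventName, userIdentity, sourceIPAddress and requestParameters), keeps only RDS API calls, and turns them into a compliance report. The records are constructed to follow that shape (account id, instance names and IPs are placeholders), and the findings rules are this example's own choices, not an AWS or HexaTier rule set.

```python
"""CloudTrail RDS API activity -> compliance report (added example, not from the paper)."""
import json
from collections import Counter

ACCOUNT = "111122223333"   # placeholder account id


def _rec(time, name, user_type, user, source="rds.amazonaws.com",
         ip="203.0.113.10", **extra):
    """Build one constructed record with the fields a CloudTrail entry carries."""
    who = "root" if user_type == "Root" else "user/" + user
    identity = {"type": user_type, "arn": f"arn:aws:iam::{ACCOUNT}:{who}"}
    if user_type != "Root":
        identity["userName"] = user
    rec = {"eventVersion": "1.05", "eventTime": time, "eventSource": source,
           "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userIdentity": identity}
    rec.update(extra)
    return rec


# Constructed log file: four RDS calls plus one EC2 call that the report must ignore.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _rec("2016-03-01T10:02:11Z", "ModifyDBInstance", "IAMUser", "dba-jane",
         requestParameters={"dBInstanceIdentifier": "orders-db", "publiclyAccessible": True}),
    _rec("2016-03-01T10:05:40Z", "DeleteDBInstance", "IAMUser", "dba-jane",
         requestParameters={"dBInstanceIdentifier": "orders-db", "skipFinalSnapshot": True}),
    _rec("2016-03-01T11:17:03Z", "DescribeDBInstances", "Root", "root", ip="198.51.100.7"),
    _rec("2016-03-01T11:40:59Z", "DeleteDBInstance", "IAMUser", "ops-bob", ip="198.51.100.7",
         requestParameters={"dBInstanceIdentifier": "billing-db"},
         errorCode="AccessDenied", errorMessage="not authorized"),
    _rec("2016-03-01T12:00:00Z", "DescribeInstances", "IAMUser", "ops-bob",
         source="ec2.amazonaws.com", ip="198.51.100.7"),
]})

DESTRUCTIVE = {"DeleteDBInstance", "DeleteDBSnapshot", "DeleteDBCluster"}


def findings_for(rec: dict) -> list:
    """Return the findings this example raises for one RDS record (rules are illustrative)."""
    out = []
    params = rec.get("requestParameters") or {}
    name = rec["eventName"]
    if rec.get("userIdentity", {}).get("type") == "Root":
        out.append("root-account-usage")          # root should not be used day to day
    if rec.get("errorCode"):
        out.append("failed-call:" + rec["errorCode"])  # denied attempts are worth a look
    if name in DESTRUCTIVE:
        out.append("destructive-call")
        if params.get("skipFinalSnapshot"):
            out.append("no-final-snapshot")       # data gone with no recovery point
    if name == "ModifyDBInstance":
        if params.get("publiclyAccessible") is True:
            out.append("instance-made-public")
        if params.get("backupRetentionPeriod") == 0:
            out.append("backups-disabled")
    return out


def build_report(log_file_text: str) -> dict:
    """Parse one CloudTrail log file and summarise RDS API activity per user plus findings."""
    records = json.loads(log_file_text)["Records"]
    rds = [r for r in records if r.get("eventSource") == "rds.amazonaws.com"]
    by_user = Counter()
    findings = []
    for r in rds:
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "?")
        by_user[who] += 1
        target = (r.get("requestParameters") or {}).get("dBInstanceIdentifier")
        for f in findings_for(r):
            findings.append({"time": r["eventTime"], "user": who, "ip": r.get("sourceIPAddress"),
                             "event": r["eventName"], "target": target, "finding": f})
    return {"rds_calls": len(rds), "calls_by_user": dict(by_user), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG_FILE), indent=2))
```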
The organization can use the log file generated by each database engine to get information about changes made to the database (i.e. if the organization is using MySQL, it can use the MySQL general query log to get user connections and the statements received from clients, or use the binary log to get the statements that changed data).

To help organizations meet more stringent compliance requirements for anything placed on the infrastructure, HexaTier offers Database Activity Monitoring, as mentioned above, and also generates compliance reports that present information to database users with administrative privileges: users who have not updated their passwords for "x" days, users who have not accessed the database for "x" days, recent administrator actions, and reports of any time a user's privileges were modified. These reports provide a list of security threats plus insight into all database activity, and can also be customized.

Screenshot 8: HexaTier's dashboard showing detailed compliance reports with a list of all the database security threats and activity.

Contact us at: [email protected]

Headquarters: HexaTier Ltd., 21 BarCochva, BneiBerak, 5126018 Israel. Phone: +972-3-688-8090
U.S. Offices (West Coast): HexaTier Inc., 9891 Irvine Center Drive, Suite 200, Irvine, California, 92618 United States. Phone: +1-949-398-8242
U.S. Offices (East Coast): HexaTier Inc., 745 Atlantic Ave, Boston, MA 02111 United States. Phone: +1 617-459-4607. Toll-Free: (800) 617-0276