Why we can’t have nice things

If you spend your professional life worrying about security, it can get a little disconcerting when you see that some enterprises have a tough time managing even base levels of security. What’s worse is that the challenge just got more complicated. As Satya Nadella recently said, COVID-19 has truncated the two years of digital transformation into two months, and that holds true for security considerations too.

With the sudden shift brought on by COVID-19, teams have embraced the economic benefits of the cloud to solve many issues. But every rose has its thorn, and along with the great benefits of cloud migration, companies have also adopted the new security concerns that come with it, and many are wholly unprepared.

A recent analysis of 2 million scans of 300,000 public cloud assets running on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) revealed more than 80% of organizations have at least one neglected, internet-facing workload that is either running on an unsupported operating system or has remained unpatched for more than 180 days. The report also found that 60% of organizations have at least one neglected internet-facing workload that it is no longer provided with security updates. Any of these issues in an organization should merit immediate patching; however this rarely happens.

There are many reasons, especially in the current climate, why these security lapses remain unresolved within enterprises. Many organizations in the time of COVID-19 are dealing with budget cuts, and for many, teams are being consolidated and reorganized. While these cuts are understandable, given an average cost of $4.77 million per data breach, DBAs, developers, and security teams need to rise above and be more careful with their new tools.

Your cloud database services vendor is not your mother

Recently, I attended a virtual conference session on database security considerations when migrating workloads to the cloud.” An attendee asked the question, “What can I do to ensure a cloud vendor can secure my company’s sensitive data?” And, rightfully, the speaker replied, “It’s not the cloud vendor’s responsibility to ensure your security controls are being extended to cloud environments; it’s yours.”

As is the case with any service provider, the company will do its best to ensure there are no flaws in their overall systems to allow a breach, but your organization’s data within the cloud instance is your responsibility. Think of it like a storage unit. The unit provider provides you with the storage locker itself and will ensure the locker is up to standards, sometimes even providing some basic perimeter security. But you are responsible for buying your own lock and ensuring the security of your unit. If you decide not to lock it, don’t be surprised if people access your locker and steal your property. It’s a common and dangerous misconception that the cloud vendor has visibility and oversight over how your sensitive data is being protected. It’s not the cloud vendor’s responsibility to provide it. They provided you with the service, but security is on you.

Your security teams don’t know what they don’t know

Oftentimes, even when a company acknowledges its security responsibility, the unfortunate reality is that internal miscommunication is almost as big a problem as misunderstanding the service provider’s responsibility towards your data. The developers and DBAs that migrated and configured the system are responsible for the service-level of the database or application itself, not the security of the data within. They believe the security teams are entirely responsible for data security, virtually absolving themselves of many responsibilities in that area. Meanwhile, many times the security teams were never even informed of the new service the developer used, yet are somehow expected to secure it. All the while, this cloud-based environment may well be exposing sensitive data and be susceptible to breaches.

Be your organization’s security conscience

If you are waiting for your cloud vendor to be a true collaborative partner on security issues, or for your developers to suddenly develop strong security wherewithal, you have a long wait ahead of you. Cloud environments can be a huge boon for companies looking to reduce budgets, however with timetables for cloud migrations being shortened and new systems being added more rapidly, the process is not always handled responsibly. Databases present a target-rich environment and are being unnecessarily exposed to enterprising hackers. Companies need to rein in the process to ensure proper security.

It’s true that maintaining security is a challenge, but it’s not impossible. Clear communication between security teams and the DBA and application owners and clear understanding of the delegation of responsibilities are a major first step and will prevent security best practices from falling by the wayside. Now is the time to take a security inventory, because ultimately it does not matter how strong your perimeter security is or how much money you save migrating to the cloud if you’re exposing your valuable data.

Ron Bennatan is the founder and CTO of jSonar and is an expert on data security, having worked in the industry for over 25 years at companies such as J.P. Morgan, Merrill Lynch, Intel, IBM, and AT&T Bell Labs. He was co-founder and CTO at Guardium, which was acquired by IBM where he later served as a Distinguished Engineer and the CTO for Data Security and Governance. He has a Ph.D. in Computer Science and has authored 11 technical books.