
Customer data is powerful. It lends an immense depth of understanding across your marketing, sales, and customer experience teams. It helps paint a solid image of your customers’ behavior both online and offline. It’s widely understood that data-driven businesses are more successful; they are, in fact, 23 times more likely to acquire new clients.

But all this data needs to be stored somewhere. If data is the lifeblood of modern business, then databases make up its beating heart. Unfortunately, consumer data is attractive not just to you: cyber criminals operate a healthy data black market, with email addresses, verified accounts, and SSNs all fetching their own prices.

Managing and taking care of this data entails more than simply keeping it up-to-date. By choosing to collect that data, you also need to guarantee that you protect your customers from data breaches. Cloud database security is more important now than it ever has been, and many businesses are systemically taking that data for granted.

Common Database Security Issues

Before delving into the shocking numbers of mismanaged databases, let’s first address some of the most common database security issues.

SQL injection is a technique that allows attackers to inject code into a database query and have the database execute it. It represents one of the most common web hacking techniques. SQL injection usually occurs around user input fields. For example, if you have a form or login field on your site which asks the user for a username, an attacker can instead provide an executable SQL statement. Unless protected, this will run on your database.

Mismanaged user privilege is another major issue. Remember how stolen credentials have entire dark web marketplaces dedicated to them? A database that doesn’t keep a tight grip on its privilege distribution becomes a ticking time bomb. It is only a matter of time before a severe data breach occurs. For example, if ordinary users are automatically granted superuser authority, all it takes is for one account to be taken over by an attacker. From there, an attacker with a puppet account can execute code – potentially accessing the entirety of the database.

The third and final issue is habitual procrastination. After a vulnerability is published, it is imperative that the vulnerable piece of architecture is patched or otherwise protected. These two issues combined – privilege over-issuing and slow patching – amplified the massive Equifax data breach of 2017.

Within Equifax’s servers, a piece of third-party software from Apache – Apache Struts – was a key component in handling credit disputes from customers. This framework was found to be vulnerable early in the year. A patch was soon issued, but Equifax dragged its feet at updating its servers. By mid-May, a hacking group had used this initial Struts vulnerability to gain access to an internal server on Equifax’s corporate network. The information that these hackers pulled from this server included the access credentials of Equifax employees. With these, the attackers had almost full access to the credit monitoring databases.

In total, 147.9 million customer records were stolen.

Making this even worse is the fact that a third of databases have either no auditing or auditing that is totally misconfigured. This means that you have no idea about the internal goings-on of your database. Auditing is a critical feature, helping you record and track database events. Without this, recovering from an attack and conducting forensics become nigh-impossible. And if you’ve no idea how an attack occurred, you’re left with all the lawsuits of a data breach – and no idea how to prevent it from happening again.

An Epidemic of Slow and Exposed Databases

Utilizing open-source code, researchers regularly scan for vulnerable company databases. One of these research groups, Group-IB, has marked a year-on-year increase in the number of vulnerable servers across the globe. Clocking in at a staggering 93,685 assets, the US suffers from the highest concentration of exposed servers. The runner-up, China, had a relatively small 54,764.

Group-IB also reinforced how long it takes for server owners to fix up misconfigurations. On average, it takes 170 days. Equifax’s attackers took 28 to utilize that vulnerability.

The method that Group-IB uses is not a trade secret; the same open-source code could easily be used by malicious parties to scan for – and target – vulnerable databases.

Database Best Practices

Within a cloud server environment, it becomes incredibly easy to simply pass all responsibility – along with your data itself – on to your cloud provider. However, almost all of these cloud providers operate under a shared responsibility model. This can vary between specific partners, but a rule of thumb is that cloud providers manage the security of the cloud architecture itself. On the other hand, you need to keep the contents – and access capacity – at a safe and reasonable level.

There are a few cloud server security practices worth considering. The first and most important is to avoid free hosting providers. It’s an unfortunate fact that free databases often skimp on the in-built security features, placing far more of a burden on you to manually configure your own extra layers of protection.

Paid databases are no guarantee of protection, either. Account privilege and permissions are still a major hurdle for most database owners, and the onus lies entirely on you. One time- and cost-effective solution to this threat is to manage user account privileges through groups. By establishing a hierarchy of user groups – from minimum privilege to full-fledged superuser – even if one user account becomes compromised, the impact on the database as a whole may still remain non-critical.
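
The group hierarchy described above, and the over-issued superuser case from the earlier section, as an added example that is not part of the original article: a Python sketch that resolves each account's effective privileges through its groups and reports what a takeover of that one account would reach. All group, user and table names are constructed.

```python
# Constructed sample data: group hierarchy, privileges per group, and users.
GROUP_PARENTS = {            # each group inherits everything its parent has
    "readonly": None,
    "support": "readonly",
    "billing": "readonly",
    "dba": None,
}
GROUP_PRIVS = {
    "readonly": {("orders", "SELECT")},
    "support": {("customers", "SELECT")},
    "billing": {("payments", "SELECT"), ("payments", "UPDATE")},
    "dba": {("*", "ALL")},   # superuser: every table, every action
}
USER_GROUPS = {
    "web_app": ["readonly"],
    "helpdesk": ["support"],
    "finance": ["billing"],
    "admin_jo": ["dba"],
    "legacy_user": ["readonly", "dba"],  # ordinary account left in the dba group
}

def effective_privileges(user):
    """Everything a user can do: their own groups plus inherited ancestors."""
    privs, seen = set(), set()
    for group in USER_GROUPS.get(user, []):
        # Walk up the parent chain; stop at the root or an already-visited group.
        while group is not None and group not in seen:
            seen.add(group)
            privs |= GROUP_PRIVS.get(group, set())
            group = GROUP_PARENTS.get(group)
    return privs

def blast_radius(user):
    """Tables an attacker reaches if this single account is taken over."""
    return sorted({table for table, _ in effective_privileges(user)})

def over_privileged(approved_superusers):
    """Accounts holding superuser rights that are not on the approved list."""
    return sorted(
        user for user in USER_GROUPS
        if ("*", "ALL") in effective_privileges(user)
        and user not in approved_superusers
    )

if __name__ == "__main__":
    for name in USER_GROUPS:
        print(f"{name:12} -> {blast_radius(name)}")
    print("review:", over_privileged({"admin_jo"}))
```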

The best form of security is one that deploys automatically and scales with your growth. Third-party solutions can both monitor and defend your database, whether that’s retaining an up-to-date data inventory, notifying you if anything appears amiss, or classifying sensitive data in real time.

This way, your database can scale as you grow without your security situation becoming an increasingly tenuous and complex mess. A solution that stays equally nimble throughout scaling and compliance processes leaves you free to pursue the things that matter, freeing you from the chains of manually keeping one eye on your database.