Max Mednik
  • Home
  • About
  • Interests
    • Angel investing
    • Magic
    • Scuba Diving
  • Blog
  • Contact

Readings and musings

Notes on Securing Cloud Databases

7/30/2011

A couple weeks ago, I went to a talk on Securing Databases in the Cloud. The speaker was Mike Frank from Gazzang, a company that sells software to help with the exact problem he was speaking about: the risks with open source software tools and cloud hosting. The talk felt like a slightly awkward mix between promotion and education, but there was enough education that I got some good stuff out of it.

I know the importance of security and am quite fanatical about proper security practices and about moving toward zero-trust policies wherever possible. I still managed to pick up a few new things, including a fresh look at the security implications of cloud-based hosting.

The most striking question Mike raised, and the one that gave me pause, was about virtual images. Hosting on AWS is extremely popular, and users have the perception of having a dedicated server. Before this, most of my attention when thinking about security went to security within the server (data architecture and encryption of data in the database) rather than to the security of the server image itself. Mike brought up the scenario of your AWS instance as a virtual machine image sitting somewhere in memory and on disk, with an engineer somewhere who has access to that image and can do anything with it: copy the disk, read the memory, and with them any keys that are stored on the box. How do you protect yourself in that scenario? Seen from that perspective, it became obvious that end-to-end security, with zero trust even in the (virtualized) hardware layer, is important.

During the talk, Mike spoke about encrypting data within MySQL, PostgreSQL, Drizzle, and the NoSQL databases Cassandra and MongoDB. Mike is Director of Products at Gazzang and prior to that, he was one of the senior product managers for MySQL, both under Sun Microsystems and under Oracle. He clearly knew his stuff.

Below are my notes from the talk.

1. There are huge security risks out there. A freshly spun-up AWS instance will see attack attempts within minutes.

2. Non-obvious stuff that's important to protect:
  • DB config files, log files, data directory
  • Application source code
3. Ways to protect:
  • Linux firewall
  • AES-256, SHA-256, RSA
  • OpenSSL
  • mcrypt
  • eCryptfs
  • dm-crypt
  • Cloud provider's firewall and security
  • Encrypted cloud storage
  • Encrypted file system
  • Access control restrictions
4. Key management options:
  • In database (less ideal)
  • OS kernel keyring
  • Outside database
5. Always use SSL/TLS for transport security.

6. Use the database's encryption functions for data at rest, with the keys held in an outside key store.

7. Gazzang's product is ezNcrypt. How they solve it:
  • Seamless on-disk encryption
  • Keys stored outside the DB
  • Provides a secure environment to run MySQL, Apache, PHP
  • Handles ACLs
  • Moves towards zero trust
8. There is a good article out there on issues with PCI compliance in the cloud.

9. Gazzang's product is built on top of eCryptfs.
  • They added key management and access controls on top of it.
  • All files are AES-encrypted, so stolen files (for example, if AWS itself were compromised) are worthless without the keys.
  • Performance cost of the encryption, per the speaker: about a 1% hit to transactions per second and to latency.
  • A single passphrase and salt, or an RSA key, for the system.
  • Each file is encrypted with its own key, which is in turn protected by the master key. This allows rotating the master key without re-encrypting all the data (that's smart).
  • Their product can also be used to encrypt PHP and Perl code.
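Items 4, 6 and 9 above describe one structure: a per-file (or per-row) data key, wrapped by a master key that lives outside the database, so that rotating the master key only re-wraps the small data keys and never touches the encrypted data. The Go program below is an added illustration of that structure; it is not Gazzang's code and was not shown in the talk. It uses AES-256-GCM from the Go standard library. The KeyStore map, the key IDs (mk-2011-07, mk-2011-08) and the sample row are constructed for the example, and the map stands in for a real key store such as the kernel keyring or a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what lands on disk beside the file or row; the master key never appears in it.
type Envelope struct {
	MasterKeyID string // which master key wrapped the DEK
	WrappedDEK  []byte // nonce || AES-256-GCM(masterKey, DEK, aad=MasterKeyID)
	Ciphertext  []byte // nonce || AES-256-GCM(DEK, payload)
}

// KeyStore stands in for the external key store (KMS, HSM, kernel keyring): ID -> 32-byte master key.
type KeyStore map[string][]byte

// random returns n bytes from the OS CSPRNG; a failure there is not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKey returns a fresh AES-256 key.
func NewKey() []byte { return random(32) }

// aead builds AES-256-GCM; a nil key (unknown KeyStore ID) or a wrong size is rejected by aes.NewCipher.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return g
}

// seal prepends a fresh random nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to blob or aad makes it fail.
func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// unwrap recovers the DEK; MasterKeyID is the AAD, so a relabelled envelope fails here.
func unwrap(ks KeyStore, env *Envelope) ([]byte, error) {
	return open(ks[env.MasterKeyID], env.WrappedDEK, []byte(env.MasterKeyID))
}

// Encrypt uses a fresh DEK per payload and wraps that DEK under masterID.
func Encrypt(ks KeyStore, masterID string, payload []byte) *Envelope {
	dek := NewKey()
	return &Envelope{
		MasterKeyID: masterID,
		WrappedDEK:  seal(ks[masterID], dek, []byte(masterID)),
		Ciphertext:  seal(dek, payload, nil),
	}
}

// Decrypt unwraps the DEK, then opens the payload.
func Decrypt(ks KeyStore, env *Envelope) ([]byte, error) {
	dek, err := unwrap(ks, env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// Rotate re-wraps the DEK under newMasterID; Ciphertext is untouched, so rotation never re-encrypts data.
func Rotate(ks KeyStore, env *Envelope, newMasterID string) error {
	dek, err := unwrap(ks, env)
	if err != nil {
		return err
	}
	env.WrappedDEK, env.MasterKeyID = seal(ks[newMasterID], dek, []byte(newMasterID)), newMasterID
	return nil
}

func main() {
	ks := KeyStore{"mk-2011-07": NewKey(), "mk-2011-08": NewKey()}
	env := Encrypt(ks, "mk-2011-07", []byte("user=alice;plan=gold")) // constructed sample row
	fmt.Println(Rotate(ks, env, "mk-2011-08")) // <nil>: only WrappedDEK changed
	delete(ks, "mk-2011-07")                   // retire the old master key
	pt, err := Decrypt(ks, env)
	fmt.Println(string(pt), err) // user=alice;plan=gold <nil>
}
```

Run it and the row still decrypts after the old master key has been deleted from the store, because only WrappedDEK changed; across a data directory that is one small unwrap-and-wrap per file rather than a rewrite of every file. Two caveats the example is built around: the master key ID is bound into the wrap as AAD, so an envelope whose label is changed is rejected for the label mismatch even if the two IDs happened to map to the same key material, and a truncated or tampered blob is rejected by the length check and by GCM's tag check rather than yielding garbage. None of this helps if the master key itself sits on the same image an attacker can copy, which is the point of the key store living outside the box.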
1 Comment
broadband internet link
8/22/2012 09:11:21 pm

I was always a little bit confused about cloud computing, but this blog cleared up most of my doubts. Thanks for sharing.


