I have concluded that nobody is using Database Activity Monitoring (DAM) in public Infrastructure or Platform as a Service. I never see it in any of the cloud migrations we assist with. Clients don’t ask about how to deploy it or if they need to close this gap. I do not hear stories, good or bad, about its usage. Not that DAM cannot be used in the cloud, but it is not.
There are certainly some reasons firms invest security time and resources elsewhere. What comes to mind are the following:
- PaaS and use of relational databases: There are a couple of trends which I think come into play. First, while user-installed and user-managed relational databases do happen, there is a definite trend towards adopting RDBMS as a Service. If customers do install their own relational platform, it's MySQL or MariaDB, for which (so far as I know) there are few monitoring options. Second, for most new software projects a relational database is a much less likely choice to back the application; more often it's a NoSQL platform like MongoDB (self-managed) or a managed service like DynamoDB. This has reduced the total relational footprint.
- CI/CD: Automated build and security test pipelines. We see a lot more application and database security testing in the development and quality assurance phases, prior to production deployment. Many potential code vulnerabilities and common SQL injection flaws are being spotted and addressed before applications are deployed. And if the database installation and its configuration are defined in software, there is not much ad hoc reconfiguration happening in production for a monitor to catch.
- Network Security: Between segmentation, firewalls/security groups, and port management you can really lock down the (virtual) network so only the application can talk to the database. Properly set up, this is difficult for anyone to end-run around. The caveat is that network controls decide who can open a connection, not what the connection does once it is established: an injection attack arrives over the application's own, permitted, path.
- Database Ownership: Some people cling to the misconception that because the database is owned and operated by the cloud provider, the provider will take care of database security. Yes, the vendor handles a lot of configuration security and patching for you, and much of the value of a DAM platform, namely configuration assessment and detection of outdated database versions, is in fact delivered elsewhere. What is being asked of your data, and by whom, is not.
- Permission misuse is harder: Most IaaS clouds offer dynamic, policy-driven IAM. You can set fine-grained controls on who may reach the database and which management operations they may perform, which blocks a lot of ad hoc and potentially malicious access. Note that IAM governs connections and management-plane operations; once a permitted identity is connected, what it can do is governed by the database's own grants, and neither layer inspects the individual queries.
Maybe none of these reasons? Maybe all of the above? I don't really know. Regardless, DAM has not moved to the cloud. The lack of interest does not explain why, but it is very clear.
I do still want some of DAM's monitoring functions for cloud migrations, specifically looking for SQL injection attacks, which are still your issue to deal with, as well as looking for credential misuse, such as detecting excessive data transfer or scraping. Cloud providers log API access to the database installation (who created, modified or deleted the instance), and there are cloud-native ways to perform configuration assessment. But on the monitoring side there are few options for watching the SQL queries themselves beyond turning on the database engine's own statement or audit logging and analyzing it yourself.
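What query-level monitoring can look like when all you have is the engine's own statement log, as an added example that is not from the original post: a small Python monitor that parses PostgreSQL-style statement log lines, blanks out string literals before matching injection signatures (so a quoted "or 1=1" inside user data does not fire), flags full-table reads, and raises a per-user query-rate alert as a scraping cue. The log format it assumes (log_statement = 'all' with log_line_prefix '%t [%u@%d] '), the account names and every sample statement are constructed for the example.

```python
"""Minimal SQL activity monitor over database statement logs.

Added example, not code from the original post. It assumes PostgreSQL-style
statement logging (log_statement = 'all') with log_line_prefix '%t [%u@%d] ';
the sample log below is constructed for illustration, not real traffic. The
rules are deliberately simple signatures of the kind a DAM product ships; a
real deployment would tune them per application.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One statement per line: "<timestamp> [<user>@<db>] LOG:  statement: <sql>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<user>[^@\]]+)@(?P<db>[^\]]+)\] "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

# Injection signatures, matched on the statement with string literals blanked
# out so that "OR 1=1" inside a quoted value does not fire.
INJECTION_RULES = [
    ("tautology", re.compile(r"\bOR\s+(\w+|'')\s*=\s*\1(?!\w)", re.I)),
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT|ALTER)\b", re.I)),
]


def strip_literals(sql):
    """Replace every single-quoted literal with '' to avoid false positives."""
    return STRING_LITERAL.sub("''", sql)


def is_full_table_read(sql):
    """A SELECT with neither WHERE nor LIMIT reads the whole table: a scraping cue."""
    s = strip_literals(sql).lstrip().upper()
    return s.startswith("SELECT") and not re.search(r"\b(WHERE|LIMIT)\b", s)


def analyze(log_text, rate_limit=20, window_s=60):
    """Return (user, finding, detail) tuples for injection and misuse cues."""
    findings = []
    recent = defaultdict(deque)          # per-user timestamps inside the window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # not a statement line, or unparsable
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S UTC")
        user, sql = m["user"], m["sql"]
        stripped = strip_literals(sql)
        for name, rule in INJECTION_RULES:
            if rule.search(stripped):
                findings.append((user, name, sql))
        if is_full_table_read(sql):
            findings.append((user, "full-table-read", sql))
        # Credential misuse / scraping: too many statements from one user inside
        # a sliding window. Fires once, when the threshold is first reached.
        q = recent[user]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) == rate_limit:
            findings.append((user, "query-rate", f"{len(q)} statements in {window_s}s"))
    return findings


# Constructed sample: one ordinary application statement, a tautology with a
# trailing comment, a UNION-based read of another table, a benign statement
# whose quoted value merely contains "or 1=1 --", a full-table read by a
# reporting account, and a 25-statement burst from a scraping account.
SAMPLE_LOG = "\n".join([
    "2024-05-01 10:00:01 UTC [app_user@orders] LOG:  statement: SELECT id, total FROM orders WHERE customer_id = 42",
    "2024-05-01 10:00:02 UTC [app_user@orders] LOG:  statement: SELECT id, total FROM orders WHERE customer_id = 42 OR 1=1 --",
    "2024-05-01 10:00:03 UTC [app_user@orders] LOG:  statement: SELECT name FROM products WHERE id = 1 UNION SELECT password FROM users",
    "2024-05-01 10:00:04 UTC [app_user@orders] LOG:  statement: SELECT id FROM orders WHERE note = 'or 1=1 --'",
    "2024-05-01 10:00:05 UTC [report_user@orders] LOG:  statement: SELECT * FROM customers",
] + [
    f"2024-05-01 10:01:{i:02d} UTC [scraper_user@orders] LOG:  statement: SELECT email FROM customers WHERE id = {i}"
    for i in range(25)
])

if __name__ == "__main__":
    for user, finding, detail in analyze(SAMPLE_LOG):
        print(f"{finding:18} {user:13} {detail}")
```

On a managed service the same lines are what the engine writes to its own log files, which the provider lets you download or export; the point is that SQL-level visibility comes from the engine's logging, not from the provider's API audit trail, and once you have the lines the analysis is yours to run.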
2 Replies to “DAM Not Moving to the Cloud”
Adrian,
Wondering how you came up with such a conclusion. Allow me to add my 2c. Perhaps you are reaching this conclusion because you see that old legacy vendors do not have a proper DAM solution for public cloud.
The good news, and you might find this surprising, is that many companies (customers) do use DAM or active database security in the cloud. This is part of their compliance requirements; they have to when moving a database workload to the cloud.
Whether they are customers of managed services like Amazon RDS, Azure SQL or DynamoDB, or of self-managed services like Cassandra, MongoDB or MySQL.
Here is a post on AWS database blog that might address your concern.
https://aws.amazon.com/blogs/database/monitor-amazon-aurora-database-activities-using-datasunrise-database-security/
Regards, Arthur
I wonder what other security technologies are in the same bucket: “Not that [tech X] cannot be used in the cloud, but it is not.”
We are facing the same question regarding what we call NTA; some clients told us the same about EDR (surprising), and perhaps other tech too.