blog
How to Keep a Hybrid Cloud Environment Secure
Having a Hybrid Cloud Environment is a common topology for a Disaster Recovery Plan (DRP), or even to have redundancy on your systems, but there are some security considerations to take into account before implementing this kind of environment that could be a limitation in some cases.
In this blog, we will see what a Hybrid Cloud Environment is and how to keep it as secure as possible.
What is Hybrid Cloud?
It is a topology that uses a mix of private, and public cloud, and even on-premises services. It sounds similar to a Multi-Cloud environment, but the main difference is that this concept refers to the combinations of public and private specifically, which could include on-prem too.
Securing Communications
For security reasons, the communication between the Cloud Providers, the Cloud Provider and On-Prem, or between Private and Public Cloud must be encrypted, and you must restrict the traffic only from known sources to reduce the risk of unauthorized access to your network.
The usage of VPN, SSH, or Firewall Rules, or even a combination of them, is a must for this point.
Controlling Database Access
You should always restrict both physical and remote access.
-
Physical access (On-prem): Restrict unauthorized physical access to the database server.
-
Remote access: Limit the remote access to only the necessary people, and from the less amount of source possibles. Using a VPN to access it is definitely useful here, but there are also other options like SSH Tunneling.
Managing Database User Accounts
Depending on the technology, there are many ways to improve security for your user accounts.
-
Remove inactive users.
-
Grant only the necessary privileges.
-
Restrict the source for each user connection.
-
Define a secure password policy (or, depending on the technology, enable a plugin for this if there is one available).
Secure Installations and Configurations
There are some changes to do to secure your database installation.
-
Install only the necessary packages and services on the server.
-
Change the default admin user password and restrict the usage from only the localhost.
-
Change the default port and specify the interface to listen in.
-
Enable password security policy plugin.
-
Configure SSL certificates to encrypt data-in-transit.
-
Encrypt data-at-rest.
-
Configure the local firewall to allow access to the database port only from the local network, or from the corresponding source.
Implement a WAF (Web Application Firewall)
SQL Injections or DoS attacks (Denial of Service) are the most common attacks to a database, and the most secure way to avoid them is by using a WAF to catch this kind of SQL queries or a SQL Proxy to analyze the traffic.
Keep Your OS and Database Up-to-Date
There are several fixes and improvements that the database vendor or the operating system release in order to fix or avoid vulnerabilities. It is important to keep your system as up-to-date as possible by applying patches and security upgrades.
Check CVE (Common Vulnerabilities and Exposures) Frequently
Every day, new vulnerabilities are detected for your database server. You should check it frequently to know if you need to apply a patch or change something in your configuration. One way to know it is by reviewing the CVE website, where you can find a list of vulnerabilities with a description, and you can look for your database version and vendor, to confirm if there is something critical to fix ASAP.
Conclusion
Your Hybrid Cloud Environment will be safer by checking the points mentioned above, but unfortunately, there is always a risk of being hacked as there is not a 100% secured system.
The key here is to minimize this risk, and for that, you should run periodically security scan tools like Nessus, looking for vulnerabilities, and to have a good monitoring system like ClusterControl, that not only allow you to have your system monitored, but also auto recover your systems in case of failure, or even quickly set up replication in a Hybrid Cloud environment, between different Cloud Providers, or even between a Cloud Provider and an On-prem environment and manage the setup in an easy and friendly way.