With the rise of database attacks carried out by malicious insiders, or by outsiders who obtain credentials through social engineering or other means, many companies are re-evaluating their investment, or lack of it, in securing production databases. Securing the data stack involves many layers, including eliminating shared credentials, increasing visibility to support incident response programs, and enforcing field-level controls in the database (e.g., data masking, row filtering, rate limiting and blocking). One critical area that organizations have struggled with is securing network access to mission-critical databases in the cloud.
Today there are many ways to secure network access to cloud databases, but all of them have shortcomings that either hurt user productivity or increase the risk of data theft. Some organizations, for example, rely on network access control lists (ACLs) to control traffic in and out of subnets, plus security groups to control traffic to and from the database instances. Both operate only on source and destination addresses and ports: they have no knowledge of which local database account a connection is using, so an address that is allowed for a read-only analyst account is equally allowed for an application's service account or a DBA account. Other companies require users to first log in to a bastion host inside a trusted network before connecting to a database, but these workflows are often complex, slow down development, and do not work for applications or external users.
As more companies embrace data democratization, the need for various teams to reach production databases for production support, troubleshooting or improving software quality creates a number of hard problems:
- How can companies restrict access to sensitive database accounts from known, authorized locations without inhibiting user productivity?
- How can organizations extend network security for cloud databases to applications and not just database users?
To address these challenges, Cyral recently announced the general availability of Network Shield, which is managed from the same control plane that centralizes access to databases. Network Shield protects database repositories from internet-facing traffic by controlling access based on both the client's IP address and the local database repository account the client presents, so a rule can say not just "this address may reach the database" but "this address may use this account on this database". The feature works the same way for all users and applications, produces self-contained logs that need no data cleansing before use, and unifies controls for database access.
Here’s a breakdown of the challenges that companies face with securing network access to cloud databases and how Cyral’s Network Shield addresses these challenges.
| Challenge | How Cyral's Network Shield addresses it |
|---|---|
| Restrict access to sensitive accounts to known IP addresses | Couples network addresses with database accounts in rule specifications |
| Limit use of service accounts within databases to trusted apps | Works seamlessly for all users and applications and can enforce usage from known application locations only |
| Using VPNs for network segmentation is cumbersome | Can be incorporated into customers' CI/CD pipeline |
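To make concrete what "coupling network addresses with database accounts" buys over an address-only control, here is a small policy evaluator written as an added example for this article. It is not Cyral's code and does not use the Network Shield rule syntax; the rule structure, repository name, account names and address ranges are all assumptions. It evaluates the same connection attempt two ways: a security-group style check that only asks whether the source address is allowed for the repository, and a coupled check that asks whether the address is allowed for the specific account being used. The case the article warns about, an authorized office address reusing an application's service account, passes the first check and fails the second.

```python
"""Coupled IP-and-account access rules for a database repository.

Added example, not Cyral's code and not the Network Shield rule syntax:
the rule format, repository name, accounts and address ranges below are
assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """Allow `account` on `repo` only when the client source address falls
    inside one of the `sources` CIDR ranges."""
    repo: str
    account: str
    sources: Tuple[str, ...]

    def matches_source(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        # An IPv6 client tested against an IPv4 range is simply "not
        # contained"; ipaddress returns False rather than raising.
        return any(addr in ip_network(cidr) for cidr in self.sources)


# Constructed sample policy (hypothetical names and ranges).
POLICY: List[Rule] = [
    # The billing service account may only be used from the app subnet.
    Rule("orders-pg", "svc_billing", ("10.20.0.0/24",)),
    # Read-only analysts may connect from office egress or the VPN pool.
    Rule("orders-pg", "analyst_ro", ("203.0.113.0/24", "10.30.1.0/24")),
    # The admin account is pinned to a single jump host.
    Rule("orders-pg", "dba_admin", ("10.30.1.5/32",)),
]


def ip_only_allowed(repo: str, client_ip: str, policy: List[Rule]) -> bool:
    """Security-group style check: the address is allowed if ANY rule for
    the repository admits it. Which account is in use is invisible here."""
    return any(r.repo == repo and r.matches_source(client_ip) for r in policy)


def coupled_allowed(repo: str, account: str, client_ip: str,
                    policy: List[Rule]) -> bool:
    """Coupled check: the address must be admitted by a rule for THIS
    account on THIS repository. Accounts without a rule are denied."""
    return any(r.repo == repo and r.account == account
               and r.matches_source(client_ip) for r in policy)


def evaluate(repo: str, account: str, client_ip: str,
             policy: List[Rule] = POLICY) -> Dict[str, object]:
    """Decide one connection attempt and return a self-describing record
    that already carries the repo/account/address context a responder
    needs. Unparseable addresses fail closed."""
    record: Dict[str, object] = {
        "repo": repo, "account": account, "client_ip": client_ip}
    try:
        ip_address(client_ip)
    except ValueError:
        record.update(allowed=False, ip_only_would_allow=False,
                      reason="unparseable client address")
        return record
    allowed = coupled_allowed(repo, account, client_ip, policy)
    record.update(
        allowed=allowed,
        ip_only_would_allow=ip_only_allowed(repo, client_ip, policy),
        reason=("matched rule for account" if allowed
                else "no rule admits this account from this address"))
    return record


if __name__ == "__main__":
    # Constructed connection attempts (hypothetical addresses).
    attempts = [
        ("orders-pg", "svc_billing", "10.20.0.7"),     # app host, app account
        ("orders-pg", "svc_billing", "203.0.113.10"),  # office IP, app account
        ("orders-pg", "analyst_ro", "203.0.113.10"),   # office IP, analyst
        ("orders-pg", "dba_admin", "10.30.1.6"),       # wrong host for admin
        ("orders-pg", "svc_billing", "not-an-ip"),     # garbage source field
    ]
    for attempt in attempts:
        print(evaluate(*attempt))
```

The `ip_only_would_allow` field in each record is the point of the exercise: for the office address using `svc_billing` it is true while `allowed` is false, which is exactly the gap between an ACL or security group and a rule that knows the account. Because each record carries repository, account, address and the reason for the decision, it can be shipped to a SIEM as-is without joining it against a separate connection log.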