Exploring the dark side of DBaaS offerings

Database as a Service (DBaaS) offerings are a good deal for many organizations, but they can come with a certain amount of risk, which is often unexpected.

Earlier this summer, a report from 451 Research said that DBaaS offerings will drive IT over the next few years, and the DBaaS industry will grow to about $1.8 billion in 2016 (it was worth just $150 million in 2012).

That's an amazing jump, but expected given the flexibility that DBaaS offers organizations when it comes to application development and deployment, database sprawl reduction initiatives, and centralized database management. But by far, the feature that organizations love the most is rapid provisioning.

The problem is that as the business moves to the cloud to take advantage of all that DBaaS has to offer, some organizations fail to adjust their risk profile and management practices. DBaaS means that organizations don't have to maintain a large collection of silos anymore, but some will leap to a DBaaS offering without looking at the potential problems.

What happens if the DBaaS provider is compromised? Will your data be OK? If not, how do you address that situation? What happens if an application is compromised, and that leads to additional data loss? While each database in a DBaaS deployment is maintained in its own container, this isn't a foolproof protection scheme. What happens if a database vulnerability enables an attacker to move from customer to customer within the DBaaS provider's network? Can you detect such an incident, or mitigate loss?

Risk aside, the explosion in the DBaaS market isn't just something that legitimate businesses are coming to enjoy; criminals are taking advantage of the agile environment too. A recent report [PDF] from datacenter security provider Imperva covers this exact topic:

"[DBaaS] offers less legitimate businesses such as criminals a platform for hosting their dubious servers. Using DBaaS is an easy way for someone to set up a Command and Control (C&C) server, store stolen data, and enjoy full anonymity while doing so. The low monthly startup cost is definitely affordable for even small time crooks..."

Imperva's report highlights how criminals have created modules for various malware packages that enable both local and remote database connections in order to retrieve, manipulate, and exfiltrate information. Moreover, some are using DBaaS as a tool to manage botnets, turning the cloud-based platform into a Command and Control resource, as well as a scaled repository for various malicious payloads.

"While we didn’t find malware that directly attacked a database, our research did find and analyze malware with a module able to connect to Microsoft MSSQL. Moreover, the research found that this malware was used to automatically connect to MSSQL cloud service for both C&C and data exfiltration purposes," Imperva notes.

"As an interesting side note, we also stumbled upon a cool sample after the writing of this report: malware that brought its own MySQL dll library to the infected machine. This fact correlates with our assessments of growing trends in data center security threats."

The report also makes the point that, given the growing criminal use of DBaaS platforms, organizations will need to assess how they manage database vulnerabilities, especially those that impact the big three: PostgreSQL, Oracle, and MSSQL.
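The report's finding that malware on an infected machine connects out to a cloud MSSQL service for C&C and exfiltration suggests a simple egress check. The following is an added example, not taken from the article or from Imperva's report: it scans constructed flow records for internal hosts reaching external database ports (1433 for MSSQL, 3306 for MySQL) outside an approved pairing; the addresses, networks and log format are assumptions.

```python
import ipaddress

# Default listener ports: 1433 = Microsoft SQL Server, 3306 = MySQL.
DB_PORTS = {1433: "MSSQL", 3306: "MySQL"}

# Assumptions for this example: internal address space, the only subnet
# expected to use a hosted database, and the sanctioned DBaaS endpoint.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_CLIENTS = ipaddress.ip_network("10.20.0.0/24")
APPROVED_DESTS = {ipaddress.ip_address("203.0.113.10")}

# Constructed flow records: timestamp, source, destination, dest port, bytes out.
SAMPLE_FLOWS = """\
2014-09-02T10:00:01Z 10.20.0.15 203.0.113.10 1433 5120
2014-09-02T10:00:07Z 10.30.4.77 198.51.100.23 1433 880
2014-09-02T10:05:07Z 10.30.4.77 198.51.100.23 1433 912
2014-09-02T10:06:40Z 10.30.4.91 10.20.0.15 3306 300
2014-09-02T10:10:07Z 10.30.4.77 198.51.100.23 1433 2400000
2014-09-02T10:11:00Z 10.30.9.12 198.51.100.99 3306 410
2014-09-02T10:12:00Z 10.30.9.12 198.51.100.99 443 9000
bad line
"""

def parse_flows(text):
    """Yield (ts, src, dst, port, bytes_out), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (parts[0], ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]), int(parts[3]), int(parts[4]))
        except ValueError:
            continue

def find_unsanctioned_db_egress(text):
    """Summarize external database connections outside the approved pairing."""
    findings = {}
    for ts, src, dst, port, nbytes in parse_flows(text):
        if port not in DB_PORTS or dst in INTERNAL_NET:
            continue  # not a database port, or east-west traffic
        if src in APPROVED_CLIENTS and dst in APPROVED_DESTS:
            continue  # sanctioned application-to-DBaaS traffic
        key = (str(src), str(dst), DB_PORTS[port])
        entry = findings.setdefault(
            key, {"first_seen": ts, "connections": 0, "bytes_out": 0})
        entry["connections"] += 1
        entry["bytes_out"] += nbytes
    return findings
```

Matching on default ports misses database traffic moved to other ports, so this check complements protocol-aware inspection at the egress point.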
