NEW: Vulnerability and Assessment Scanning for Your AWS Cloud Databases | Imperva

NEW: Vulnerability and Assessment Scanning for Your AWS Cloud Databases

Scuba is a free and easy-to-use tool that uncovers hidden security risks. Scuba is frequently updated with content from Imperva’s Defense Center researchers.
With Scuba you can:

  • Scan enterprise databases for vulnerabilities and misconfigurations
  • Identify risks to your databases
  • Get recommendations on how to mitigate identified issues

Available for Windows, Mac, and Linux, Scuba offers over 2,300 assessment tests for Oracle, Microsoft SQL, SAP Sybase, IBM DB2 and MySQL.

  Available now – scanning of Amazon Web Services (AWS) databases

The challenges of applying security standards to cloud databases

As cloud adoption grows, networks become more complex and organizations face higher database security risks. Most organizations run a hybrid architecture, with databases both on local networks and in the cloud.
Scuba can scan a cloud database either with direct access to the database or without it, using an SSH tunnel (see below).

Challenge #1 – Access to cloud databases

A CISO or security admin needs access to the cloud accounts that contain databases, and organizations often use more than one cloud vendor. At the same time, databases should not be exposed to the internet, or even to the company network, which makes scanning a cloud database for vulnerabilities a problem. The cloud option added to Scuba helps you overcome this, whether your databases are hosted on AWS EC2 or AWS RDS.

Challenge #2 – Managed cloud databases are a different beast

In many cases, cloud databases are managed by the cloud vendor. For example, AWS offers RDS (Relational Database Service), a managed service for databases. A managed service makes it easier to install and maintain a database, but security assessment of such databases can be harder, because the vendor locks them down: for example, it may not be possible to access a system schema that would show whether the database is vulnerable.
Adjustments have now been made to Scuba's security content so that it can scan RDS databases.

Scuba release for cloud databases – version 3.0.2.13

How to scan RDS (Amazon Relational Database Service) instances

For RDS instances, Scuba supports the following database engines:

  • Oracle
  • Microsoft SQL
  • MySQL

The Scuba user guide has been updated with the database permissions required for RDS scanning. Before you scan an RDS instance, create a dedicated user for the scan with exactly the permissions listed in the guide.
TIP: If your scan reports findings mapped to CVEs, the database engine is missing a security patch. We recommend enabling automatic minor version upgrade on the instance, as shown below. Note that RDS applies the upgrade during the instance's maintenance window, not immediately, and that it covers minor engine versions only: a finding that requires a major engine version upgrade has to be handled as a planned upgrade.

Figure 1: How to enable automatic minor version upgrade of an RDS instance

Scanning a cloud database without an SSH Tunnel (direct access)

A cloud database can be reached in the following ways without an SSH tunnel:

  • Public address – the database is reachable from the internet by anyone who can connect to it (not recommended), as in Figure 2
  • Network peering (a VPN into the VPC, or VPC peering) – a PC on the company network can reach the database
  • Run Scuba on a cloud instance – connect remotely to an instance that can reach the database, for example with Windows Remote Desktop Connection, as in Figure 3 (see the AWS documentation for details)

Figure 2: Scuba access to an RDS instance with public IP address (not recommended)


Figure 3: Scuba access to an RDS instance using Windows Remote Desktop
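The two settings discussed in this section and in the TIP above (a publicly accessible endpoint, and automatic minor version upgrade left off) are both visible in the output of `aws rds describe-db-instances`. The following script is an added example, not Scuba's or Imperva's code: it audits that output for the two weak settings and builds the matching `aws rds modify-db-instance` commands. The instance identifiers, endpoints and engine versions in the embedded sample are constructed.

```python
"""Audit RDS instances for a public endpoint (Figure 2, not recommended) and for
automatic minor version upgrade being disabled (the TIP above).  Added example,
not Scuba's own code; it reads the JSON that `aws rds describe-db-instances`
returns.  The sample below is constructed data."""
import json
from typing import Dict, List

# Constructed sample in the shape of `aws rds describe-db-instances` output
# (only the fields this audit reads are included).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {   # public endpoint and no automatic patching: two findings
            "DBInstanceIdentifier": "prod-mysql",
            "Engine": "mysql",
            "EngineVersion": "5.7.22",
            "PubliclyAccessible": True,
            "AutoMinorVersionUpgrade": False,
            "Endpoint": {"Address": "prod-mysql.abcdefgh1234.us-east-1.rds.amazonaws.com",
                         "Port": 3306},
        },
        {   # private and auto-patched: nothing to report
            "DBInstanceIdentifier": "internal-oracle",
            "Engine": "oracle-ee",
            "EngineVersion": "12.1.0.2.v12",
            "PubliclyAccessible": False,
            "AutoMinorVersionUpgrade": True,
            "Endpoint": {"Address": "internal-oracle.abcdefgh1234.us-east-1.rds.amazonaws.com",
                         "Port": 1521},
        },
        {   # private but not auto-patched: one finding
            "DBInstanceIdentifier": "reporting-mssql",
            "Engine": "sqlserver-se",
            "EngineVersion": "14.00.3049.1.v1",
            "PubliclyAccessible": False,
            "AutoMinorVersionUpgrade": False,
            "Endpoint": {"Address": "reporting-mssql.abcdefgh1234.us-east-1.rds.amazonaws.com",
                         "Port": 1433},
        },
    ]
})

PUBLIC = "publicly accessible endpoint (not recommended)"
NO_AUTO_UPGRADE = "automatic minor version upgrade disabled"


def audit_rds(describe_json: str) -> Dict[str, List[str]]:
    """Return {instance_id: [finding, ...]} for every instance with a weak setting.

    Instances with neither issue are omitted, so an empty dict means a clean pass."""
    findings: Dict[str, List[str]] = {}
    for db in json.loads(describe_json)["DBInstances"]:
        issues = []
        if db.get("PubliclyAccessible", False):
            issues.append(PUBLIC)
        if not db.get("AutoMinorVersionUpgrade", False):
            issues.append(NO_AUTO_UPGRADE)
        if issues:
            findings[db["DBInstanceIdentifier"]] = issues
    return findings


def remediation_commands(describe_json: str) -> List[str]:
    """Build one `aws rds modify-db-instance` call per flagged instance.

    --auto-minor-version-upgrade only turns the setting on; RDS applies the
    engine upgrade itself during the maintenance window.  --no-publicly-accessible
    changes who can reach the endpoint, so confirm existing clients first."""
    commands = []
    for instance_id, issues in audit_rds(describe_json).items():
        cmd = ["aws", "rds", "modify-db-instance",
               "--db-instance-identifier", instance_id]
        if PUBLIC in issues:
            cmd.append("--no-publicly-accessible")
        if NO_AUTO_UPGRADE in issues:
            cmd.append("--auto-minor-version-upgrade")
        cmd.append("--apply-immediately")
        commands.append(" ".join(cmd))
    return commands


if __name__ == "__main__":
    for instance_id, issues in audit_rds(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{instance_id}: {'; '.join(issues)}")
    print()
    print("\n".join(remediation_commands(SAMPLE_DESCRIBE_OUTPUT)))
```

Feed it real output with `aws rds describe-db-instances --output json` and review the generated commands before running them; the audit is read-only, the remediation is not.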


Scanning a cloud database using an SSH Tunnel

If the client running Scuba cannot reach the database directly, use the “Cloud (SSH Tunnel)” option added to Scuba (Figure 5).
The scan then goes through a bastion server (also called a jump server), a hardened host that is specifically designed to withstand attack. You can use an existing bastion server or create a dedicated one for the scan. Scuba opens an SSH (Secure Shell) tunnel through the bastion server to the scanned database (Figure 4).

Figure 4: Scuba access to an RDS instance using a Bastion server

You can run a scan with a single click by entering:

  • The Bastion details, including SSH credentials
  • The database credentials

As follows:

Figure 5: New cloud scanning configuration in Scuba


For more info on how to use SSH tunnel or create your own Bastion server please refer to the Scuba user guide.
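For readers who want to see what the tunnel option does under the hood, or who need the same path for another scanner, the following script is an added example and not Scuba's own "Cloud (SSH Tunnel)" implementation. It builds a forwarding-only SSH command through the bastion to the RDS endpoint, starts it, and waits until the forwarded local port accepts connections before the scan is pointed at 127.0.0.1. The bastion name, SSH user, key path and RDS endpoint are assumptions, and key-based authentication to the bastion is assumed.

```python
"""Open the SSH tunnel described above from a script: a local port forward
through a bastion to the RDS endpoint, then a readiness check before a scanner
is pointed at 127.0.0.1.  Added example, not Scuba's own implementation.  Host
names, user, key path and ports below are assumptions; key-based SSH auth to
the bastion is assumed."""
import os
import socket
import subprocess
import time
from typing import List


def build_tunnel_command(bastion_host: str, bastion_user: str, key_path: str,
                         rds_endpoint: str, rds_port: int, local_port: int,
                         bastion_port: int = 22) -> List[str]:
    """Return the ssh argv for a forwarding-only tunnel with the options a scan needs."""
    return [
        "ssh",
        "-i", key_path,
        "-p", str(bastion_port),
        "-N",                                # forward only, no remote shell
        "-o", "BatchMode=yes",               # never prompt; fail instead
        "-o", "StrictHostKeyChecking=yes",   # unknown bastion key = abort, so the DB
                                             #   credentials never cross an impostor
        "-o", "ExitOnForwardFailure=yes",    # exit non-zero if the local port cannot bind
        "-o", "ServerAliveInterval=30",      # keep a long scan's tunnel alive
        # Bind to loopback only: a forward bound to 0.0.0.0 would re-expose the
        # database to whatever network the scanning host sits on.
        "-L", f"127.0.0.1:{local_port}:{rds_endpoint}:{rds_port}",
        f"{bastion_user}@{bastion_host}",
    ]


def wait_for_port(host: str, port: int, timeout: float) -> bool:
    """Poll until a TCP connect to host:port succeeds; False if timeout elapses."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def open_tunnel(cmd: List[str], local_port: int, timeout: float = 15.0) -> subprocess.Popen:
    """Start ssh and return the process once the forwarded port accepts connections.

    Raises RuntimeError with ssh's stderr if ssh exits early (bad key, host key
    mismatch, local port busy) or if the port never comes up."""
    proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc.poll() is not None:
            err = proc.stderr.read().decode(errors="replace").strip()
            raise RuntimeError(f"ssh exited with {proc.returncode}: {err}")
        if wait_for_port("127.0.0.1", local_port, timeout=0.5):
            return proc
    proc.terminate()
    proc.wait()
    raise RuntimeError("tunnel did not come up before timeout")


if __name__ == "__main__":
    # All names below are placeholders for illustration (assumptions, not real hosts).
    cmd = build_tunnel_command(
        bastion_host="bastion.example.com", bastion_user="ec2-user",
        key_path=os.path.expanduser("~/.ssh/scan-bastion.pem"),
        rds_endpoint="prod-mysql.abcdefgh1234.us-east-1.rds.amazonaws.com",
        rds_port=3306, local_port=13306)
    print(" ".join(cmd))
    tunnel = open_tunnel(cmd, local_port=13306)
    try:
        # Point Scuba (or any client) at 127.0.0.1:13306 with the dedicated scan user.
        print("tunnel up; run the scan against 127.0.0.1:13306")
    finally:
        tunnel.terminate()
        tunnel.wait()
```

The bastion's host key must already be in `known_hosts` for `StrictHostKeyChecking=yes` to succeed; that is deliberate, since the database credentials travel inside this tunnel and a first-connection prompt is exactly where a spoofed bastion would be accepted.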

Summary

Cloud adoption makes it harder to apply security standards to databases, and cloud databases are often a lower priority for security teams. They should not be ignored: they are as vulnerable as any other database. Scuba can now scan your cloud databases to help you identify and mitigate your risks.
For more information, please contact us at support-scuba@imperva.com.