How to Secure Modern Apps and Databases for Hybrid Multicloud Operations

Experts share best practices for taking a holistic, development-through-lifecycle approach to secure apps and protect data while still supporting rapid software delivery.

By Gene Knauer, January 26, 2024

Modern applications deployed in hybrid multicloud environments handle vast amounts of data exposed to myriad security vulnerabilities. Securing apps and data after the development process isn’t enough, according to experts from Nutanix. Instead, they advise making security integral to development and the application’s full lifecycle. Using best practices and new tools can help.

They argue that security for new or refactored distributed apps, and for the database technologies and services associated with them, should be folded into development from the start and follow the same meticulous security standards long used for legacy app development.

“Scan the public Internet and you can find over 700,000 Microsoft SQL servers right now that are accessible from anywhere in the world and vulnerable to bad actors,” warned George Kaminski, a senior manager at Nutanix.

“Whether your databases are on-premises or in the public cloud, there is an array of protections that should be top of mind.”


The total annual number of data breaches in the U.S. reached an all-time high before the fourth quarter of 2023, according to the Identity Theft Resource Center. By the end of September, the ITRC recorded over 2,100 data breaches and leaks impacting 233.9 million people. Its October 2023 report stated that Zero-Day attacks increased by 1,620% compared to the full year of 2022.

“More than ever, it’s critical to follow best practices and leverage the right tools for protecting databases,” Kaminski said.

Circumventing New Pitfalls

The use of containers and microservices has greatly accelerated time to market for app developers. Portability, modularity, scalability and automation are among the traits of these tools that let developers and operations teams work together, enabling a DevOps culture.

Database deployment, for example, which once might have taken days or weeks, can now be done almost instantly. And that's where important security measures can be overlooked or rushed.

“Many of the early cloud-native applications were stateless (think web search, for example) and data and databases were an afterthought,” said Jeff Kelly, head of marketing for Nutanix Database Service.


“But today, the vast majority of cloud-native or modern applications require a database to manage and protect the data associated with the app. So developers should be using security best practices from the very beginning, given the range of Web application security risks.”

4 Musts for Robust Protection

There are four functions essential to protecting modern applications, according to Kaminski and Kelly.

Data encryption with VM access – Using encrypted drives at the data storage layer, backed by a key management system, is essential, they said. Another way to strengthen encryption in distributed cloud applications is to gain access to the virtual machine (VM) layer as well as the database engine.

That can be challenging when using public cloud database services, which often restrict access to the database engine and VM layer.

Kaminski and Kelly recommend organizations consider the level of access needed to maintain a strong security posture when evaluating database-as-a-service or managed database solutions.

“With that access, you can implement all the available Oracle encryption capabilities to maximize your protection. It’s the same with other database engines from other vendors.”

Network segmentation – Even with apps that run in containers, which isolate each microservice, networks should be segmented, Kaminski and Kelly agreed. The reason is that applications can be discovered through port scanning and then compromised. They noted that network segmentation provides an additional layer of physical or logical isolation that limits the lateral movement of attackers even if they compromise one segment.

Microservices segmentation rules, distributed across different servers or containers, should be accompanied by least-privilege access rules, the experts added. This way, they said, no person, application or process has access to the data except those that require it.

Regular patching regimen – Patching databases and other apps against new and evolving vulnerabilities remains essential. Yet Kaminski noted that many IT teams do not patch their databases often enough to keep up with cyber threats. On a broader scale, a 2022 Ponemon Institute survey revealed that 60% of breach victims said their breach’s cause was an unpatched known vulnerability. 

In the database world alone, thousands of vulnerabilities have been identified, and sometimes hundreds are uncovered for a single database engine. Hackers are also using newer versions of older attacks, capitalizing on identification and authentication failures and on software and data integrity gaps to steal data or bring entire applications down.

Automation with a golden image – “The biggest friction point we see is between development teams and DBAs,” or database administrators, said Kaminski. 

“Developer requests for copies of databases or patches against common vulnerabilities take DBAs’ time away from running business-critical workloads, tuning the databases, and optimizing the data structures.”

The solution, he suggested, is to automate security wherever possible so that it’s consistently applied. One way to do that is by deploying a golden image of a database or other application that has already been hardened with the right security settings, encryption, segmentation and the latest patches.


A golden image is a template for a VM, server or hard drive created with the exact specifications needed, saved and then used as a pattern for future copies. Golden images can save time, ensure consistency and reduce errors and their associated risk by eliminating the need for repetitive configuration changes and performance tweaks.

“If you have to rely on a DBA to harden a database manually, it’s going to slow down the DevOps process,” Kaminski said. “Things might be missed or misconfigured. It’s much better to deploy a golden image that has already been secured using up-to-date standards and includes an automated rollout. You can have confidence that it’s the right version with all the latest protections and that it doesn’t hold up the development cycle.”

To simplify deploying security automation, as-a-service platforms are available for conducting the task across multiple engines, located both on-premises and in the cloud. Admins can perform provisioning, registration, cloning and restoral using one platform and manage applications and databases throughout their lifecycle.
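The three measures above (segmentation with least-privilege access, a regular patching regimen, and a golden image that is hardened before it is cloned) can be enforced as a single promotion gate: a candidate image is checked against a written baseline before it becomes the template everyone clones. The following is an added example, not Nutanix code or part of the original article. It reads a PostgreSQL `postgresql.conf` and `pg_hba.conf` (real PostgreSQL files and settings: `ssl`, `password_encryption`, `listen_addresses`, `log_connections`, and the `hostssl`/`host` connection types) and reports deviations from a baseline. The baseline thresholds, the version numbers, the subnet `10.20.1.0/24`, the role `app_rw`, and both sample files are constructed for illustration.

```python
"""Baseline gate for a hardened PostgreSQL golden-image candidate.

Added example; not Nutanix or PostgreSQL project code. The baseline values
and the two sample configuration files are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what the candidate image's postgresql.conf might hold.
SAMPLE_POSTGRESQL_CONF = """\
# constructed sample postgresql.conf
listen_addresses = '10.20.0.5'        # bind only to the database segment
port = 5432
ssl = on
password_encryption = scram-sha-256
log_connections = on
"""

# Constructed sample pg_hba.conf: rule 3 is the kind of leftover that a
# manually hardened image tends to keep by mistake.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER     ADDRESS        METHOD   (constructed sample)
local     all       postgres                peer
hostssl   appdb     app_rw   10.20.1.0/24   scram-sha-256
host      all       all      0.0.0.0/0      md5
"""

# Authentication methods the baseline refuses: no password check, or
# password hashing that is no longer considered adequate.
WEAK_AUTH_METHODS = {"trust", "password", "md5"}


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: Optional[str]   # None for 'local' (Unix socket) rules
    method: str


def parse_conf(text: str) -> dict:
    """Parse 'key = value' lines; comments and quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def parse_hba(text: str) -> list:
    """Parse pg_hba rows; 'local' rows have no ADDRESS column."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "local" and len(parts) >= 4:
            rules.append(HbaRule(parts[0], parts[1], parts[2], None, parts[3]))
        elif parts[0] != "local" and len(parts) >= 5:
            rules.append(HbaRule(parts[0], parts[1], parts[2], parts[3], parts[4]))
    return rules


def is_world_open(address: str) -> bool:
    """True for 'all' or a /0 network; hostnames are not judged here."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def check_baseline(conf_text: str, hba_text: str,
                   server_version: str, min_version: str) -> list:
    """Return a list of baseline violations; an empty list means 'promote'."""
    findings = []
    conf = parse_conf(conf_text)
    if conf.get("ssl") != "on":
        findings.append("postgresql.conf: ssl is not on; connections may be plaintext")
    if conf.get("password_encryption") != "scram-sha-256":
        findings.append("postgresql.conf: password_encryption is not scram-sha-256")
    if conf.get("listen_addresses", "localhost") in ("*", "0.0.0.0", "::"):
        findings.append("postgresql.conf: listen_addresses binds every interface")
    if conf.get("log_connections") != "on":
        findings.append("postgresql.conf: log_connections is off; no connection audit trail")
    for n, rule in enumerate(parse_hba(hba_text), start=1):
        if rule.conn_type == "host":
            findings.append(f"pg_hba rule {n}: type 'host' admits non-TLS clients; use hostssl")
        if rule.address is not None and is_world_open(rule.address):
            findings.append(f"pg_hba rule {n}: address {rule.address} is open to the world")
        if rule.method in WEAK_AUTH_METHODS:
            findings.append(f"pg_hba rule {n}: weak auth method '{rule.method}'")
    # Patch baseline: the image must carry at least the minimum minor release.
    if version_tuple(server_version) < version_tuple(min_version):
        findings.append(f"version {server_version} is below patch baseline {min_version}")
    return findings


if __name__ == "__main__":
    # Constructed versions: candidate runs 15.4, baseline requires 15.5.
    for finding in check_baseline(SAMPLE_POSTGRESQL_CONF, SAMPLE_PG_HBA, "15.4", "15.5"):
        print("FAIL:", finding)
```

Run against the constructed sample, the gate reports four findings, all on the leftover `host all all 0.0.0.0/0 md5` rule and the lagging minor version; with that rule removed and the version current it returns an empty list, which is the condition under which the image is promoted to the golden template. Keeping the baseline as code means every clone inherits the same segmentation and encryption settings without a DBA re-checking them by hand.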

Elevate Awareness

Practical solutions incorporating best practices for enhancing application and data security are readily available. Given the growing number of cybersecurity threats and their potentially dire consequences for businesses, every DevOps team must understand the challenges of securing applications and databases in multicloud environments and the effective solutions and tactics to safeguard them.


Security best practices should be baked into the DevOps process from the beginning of software development, according to experts. The use of automation to speed up testing and the deployment of hardened golden images free IT security operations (SecOps) teams and DBAs from repetitive, manual tasks that are error-prone and introduce risk. Patching regularly helps ensure protection against the latest vulnerabilities.

Together, all these measures help developers, SecOps teams, and DBAs sleep better, knowing that their applications are well protected.

Editor’s note: Learn how Nutanix Database Services can efficiently and securely manage hundreds to thousands of databases.

Gene Knauer is a contributing writer who specializes in B2B marketing for technology companies.

© 2024 Nutanix, Inc. All rights reserved.