Cloud database security: Why it's a good idea to be paranoid

IT managers should ask cloud providers some pointed questions about the security of data stored in cloud databases, says expert Mark Whitehorn.

Is cloud database security still an issue that IT managers should be concerned about?

In my opinion, yes. Security is a major issue in non-cloud databases -- you only have to look at recent security breaches to see that. Putting data in the cloud means moving it off-site and that has to add a further level of risk.

"But…but... those nice cloud people say that security is their number-one concern. They say that they employ specialists whose sole job is to prevent security breaches. These are experts. They know much more than my people, surely?"

I agree that it is perfectly possible to have a cloud database for which the security is managed by experts who do know more than your people. But there are other factors to consider.

One is whether your particular cloud provider really employs the best people. That's an important consideration because for them this is simply a business and it is common for businesses try to balance costs against income in order to maximize profit.

I'm not suggesting that all -- or indeed any -- cloud providers are cutting corners. I am suggesting that you must ask very searching questions about the people they employ, the qualifications they require and, most importantly, what exactly they do if they cannot, in any given month, find people who match those exacting standards. Do they cancel their existing contracts and hand the data back to you, or do they hire the best people available at the time and hope that nothing goes wrong? If you manage data in-house, you have exactly the same problems with hiring people, but at least you're aware when hiring that standards have to be dropped.

Second, no matter who is involved, a cloud-based database involves more people -- yours and theirs --and people are often the biggest security risk of all. So there is an argument to be made that the more people who have access to the data, the greater the chance of a security breach.

Third, cloud is a wonderful term -- it implies that data just disappears "up there" to a nebulous storage facility in the sky. But the truth is that it has to reside somewhere on some physical piece of hardware, complete with a power supply, backup system and all those other boring IT details.

So, good questions to ask your cloud provider are:

  • Where is my data being stored and where is it being managed?
  • What are the data protection laws in that country or those countries?
  • Do you guarantee that it will stay exactly there? If not, where might it be stored?
  • What, if any, outside agencies can gain access to my data?
  • Can you even answer the last question, or are you already bound in some way to give an inaccurate reply?

Finally, your data has to get to the cloud and back again. So there are more questions:

  • What are the data protection laws in the countries through which my data passes?
  • Will it always use the same transit paths?
  • Is it encrypted? If so, how is it encrypted?
  • Which agencies, if any, have access to the encryption key?

I know these are embarrassing questions to ask because they sound as if you don't trust those nice cloud people with your cloud database security. And I really don't have any reason to distrust cloud people any more than I distrust anyone else in business -- but I have no reason to distrust them any less either.

I'm fully aware that I sound paranoid here, but security is about being paranoid. And my paranoia does not extend to cloud-based systems in general; it really doesn't. They can be excellent when you need to store and manipulate data that isn't security-sensitive. But most business data is valuable to the legitimate owner and may have value for other people. Let's be careful out there.

This was last published in May 2014

Dig Deeper on Database management system (DBMS) software and technology



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

1 comment


Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: