Cloud database security: Why it's a good idea to be paranoid

IT managers should ask cloud providers some pointed questions about the security of data stored in cloud databases, says expert Mark Whitehorn.

Is cloud database security still an issue that IT managers should be concerned about?

In my opinion, yes. Security is a major issue in non-cloud databases -- you only have to look at recent security breaches to see that. Putting data in the cloud means moving it off-site and that has to add a further level of risk.

"But... but... those nice cloud people say that security is their number-one concern. They say that they employ specialists whose sole job is to prevent security breaches. These are experts. They know much more than my people, surely?"

I agree that it is perfectly possible to have a cloud database for which the security is managed by experts who do know more than your people. But there are other factors to consider.

One is whether your particular cloud provider really employs the best people. That's an important consideration because for them this is simply a business and it is common for businesses to try to balance costs against income in order to maximize profit.

I'm not suggesting that all -- or indeed any -- cloud providers are cutting corners. I am suggesting that you must ask very searching questions about the people they employ, the qualifications they require and, most importantly, what exactly they do if they cannot, in any given month, find people who match those exacting standards. Do they cancel their existing contracts and hand the data back to you, or do they hire the best people available at the time and hope that nothing goes wrong? If you manage data in-house, you have exactly the same problems with hiring people, but at least you're aware when hiring that standards have to be dropped.

Second, no matter who is involved, a cloud-based database involves more people -- yours and theirs -- and people are often the biggest security risk of all. So there is an argument to be made that the more people who have access to the data, the greater the chance of a security breach.

Third, cloud is a wonderful term -- it implies that data just disappears "up there" to a nebulous storage facility in the sky. But the truth is that it has to reside somewhere on some physical piece of hardware, complete with a power supply, backup system and all those other boring IT details.

So, good questions to ask your cloud provider are:

  • Where is my data being stored and where is it being managed?
  • What are the data protection laws in that country or those countries?
  • Do you guarantee that it will stay exactly there? If not, where might it be stored?
  • What, if any, outside agencies can gain access to my data?
  • Can you even answer the last question, or are you already bound in some way to give an inaccurate reply?

Finally, your data has to get to the cloud and back again. So there are more questions:

  • What are the data protection laws in the countries through which my data passes?
  • Will it always use the same transit paths?
  • Is it encrypted? If so, how is it encrypted?
  • Which agencies, if any, have access to the encryption key?

I know these are embarrassing questions to ask because they sound as if you don't trust those nice cloud people with your cloud database security. And I really don't have any reason to distrust cloud people any more than I distrust anyone else in business -- but I have no reason to distrust them any less either.

I'm fully aware that I sound paranoid here, but security is about being paranoid. And my paranoia does not extend to cloud-based systems in general; it really doesn't. They can be excellent when you need to store and manipulate data that isn't security-sensitive. But most business data is valuable to the legitimate owner and may have value for other people. Let's be careful out there.

This was last published in May 2014

1 comment

Simply moving away from the cloud won’t stop data being accessed by hackers or governments. Security-conscious firms need to know what and where their sensitive assets exist in order to best protect them. The cornerstone of protecting these assets is with restrictive access controls such as network segmentation, blocking off sensitive areas of the network from less sensitive areas of the network to contain a lateral movement of a cyber attacker once within the network.

With increasing application development, constant changes are happening on the network and more and more data assets are being brought into the network. Security policies must continue to be enforced across on-premise, hybrid and cloud-based networks or will risk network exposure. Options such as automating the change request process will increase accuracy of the network change and ensure security is continuously embedded into the process.