Cloud Safety
Posted Tuesday, January 10, 2012 10:06 PM
SSC-Dedicated
Group: Administrators
Last Login: Today @ 7:12 AM
Points: 33,266, Visits: 15,432
Comments posted to this topic are about the item Cloud Safety
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1233713
Posted Wednesday, January 11, 2012 2:43 AM
SSC Veteran
Group: General Forum Members
Last Login: Tuesday, June 3, 2014 8:16 AM
Points: 295, Visits: 1,011
How do you make sure your company does not lose critical data to the USA? Companies in the USA are required to hand over data that the US government requests.

How can you be sure data is not sold to others?

How can you be sure of the price and performance?

Does not the agreements from the companies providing these services reserve themselves for chaining the agreements?

What right to data security and availability do you get? If the cloud service goes down for some reason, which has happened and will happen again.
Post #1233813
Posted Wednesday, January 11, 2012 8:47 AM
SSC-Dedicated
Group: Administrators
Last Login: Today @ 7:12 AM
Points: 33,266, Visits: 15,432
Many countries have laws requiring disclosure of items to the government. The government can do the same thing to your company. Granted, you can delay if you have the data, but they can still often seize it with law enforcement. Lots of countries, not all, have reciprocal agreements between governments for this. I don't worry about this, since most of the businesses that are legitimate have little to fear here.

You can't be sure your data isn't sold to others, though in many cloud environments, you are still controlling the security in your VM. Someone could potentially copy the VM and crack passwords, but I'm not sure this is easier in the cloud. They can easily pay one of your admins to do the same thing at your company. I'm not sure this is a huge potential problem. Tons of companies use hosting services, and this hasn't been a big issue there, and those companies have physical access to your systems and could copy things.

Does not the agreements from the companies providing these services reserve themselves for chaining the agreements?
Not sure what you mean. The sentence doesn't make sense.

In terms of security and reliability, it's a gamble, but is it worse than your company? Arguably they have more experience providing services on a scale and do a better job because an outage affects lots of customers, and could put them out of business. I've worked in dozens of companies where the admins/developers/DBAs there caused outages because they weren't competent.

Contract for services, have penalty clauses, and work with the limitations. The cloud isn't for every company, nor for every database. You can keep complaining, or you can look for valid reasons why it will, or will not, work and use those as appropriate. It's not a blanket "bad idea". That's the complaint I heard about hosting services years ago, and about SaaS companies (like Salesforce). They're just not valid complaints for every situation.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1234051
Posted Wednesday, January 11, 2012 8:48 AM
SSCarpal Tunnel
Group: General Forum Members
Last Login: Yesterday @ 11:54 AM
Points: 4,427, Visits: 3,423
"Security is a process, not a product."

It is a developing mindset.
Post #1234056
Posted Wednesday, January 11, 2012 11:51 AM
Ten Centuries
Group: General Forum Members
Last Login: Thursday, March 6, 2014 1:05 PM
Points: 1,334, Visits: 3,068
"how can you make sure your cloud provider can protect your data?"
Very simple, ask your Cloud Provider about 20 or so very pointed questions, and make sure you are satisfied with those answers. If not, move on quickly. Here they are:

1. Does the provider take responsibility for the security and integrity of your systems and data or does it consider them your responsibility? If so, what security aspects does the provider take responsibility for?
2. Does the provider encrypt data in transit and at rest?
3. What measures does the provider take to destroy data after it is released by customers?
4. What security certifications does the provider possess: SAS 70 Type I or II? PCI-DSS? What proof can the provider offer of those certifications? Can you examine the SAS 70 report? How often are its security practices audited and by whom?
5. What physical security measures, processes, and monitoring capabilities does the provider have in place to prevent unauthorized access to its data centers and infrastructure?
6. How does the provider screen its employees and contractors? Do those screening procedures differ at different international locations? How?
7. Who at the provider's premises can see your data? What internal controls does the provider have in place to prevent unauthorized viewing, copying, or emailing of customer information?
8. What is the provider's backup and disaster recovery strategy? How often are incremental backups made? How many copies of your data does the provider store and where are they stored? How far back do the copies go? How often and how do they test their backup and recovery infrastructure?
9. If the provider stores data in non-U.S. locations, can you specify where you want your data stored? How can it ensure your data will not be stored in other locations?
10. What notice will the provider offer when it changes its data center locations or security practices?
11. If the provider uses a multitenant server model, what measures does it take to isolate individual tenant systems and data from each other?
12. What visibility will the provider offer your organization into security processes and events affecting your data?
13. Does the provider have an incident response plan? Can you see it? Does it measure up to your own? Does the provider include your organization in the incident response process?
14. How do the provider's identification and authentication systems integrate with your own?
15. How can the provider ensure compliance with regulations your company must comply with?
16. Does the provider offer periodic reports confirming compliance with your security requirements and SLAs? Will it provide reports of attempted or successful breaches of its systems, impacts, and actions taken?
17. What is the remediation process if the provider cannot live up to its security obligations? Token compensation may not be enough, as a serious breach can damage some organizations severely or even put them out of business.
18. What will happen to your applications and data if the provider goes out of business? How can the provider ensure they won't become the property of creditors?
19. How does the provider ensure that legal actions taken against other tenants will not affect access to your data?
20. If you decide to switch providers or take your systems and data in house, what will it take to migrate your systems and data?


"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
Post #1234252
Posted Wednesday, January 11, 2012 1:46 PM
SSCarpal Tunnel
Group: General Forum Members
Last Login: Yesterday @ 11:54 AM
Points: 4,427, Visits: 3,423
TravisDBA (1/11/2012)
"how can you make sure your cloud provider can protect your data?"
Very simple, ask your Cloud Provider about 20 or so very pointed questions, and make sure you are satisfied with those answers. If not, move on quickly. Here they are:

1. Does the provider take responsibility for the security and integrity of your systems and data or does it consider them your responsibility? If so, what security aspects does the provider take responsibility for?
2. Does the provider encrypt data in transit and at rest?
3. What measures does the provider take to destroy data after it is released by customers?
4. What security certifications does the provider possess: SAS 70 Type I or II? PCI-DSS? What proof can the provider offer of those certifications? Can you examine the SAS 70 report? How often are its security practices audited and by whom?
5. What physical security measures, processes, and monitoring capabilities does the provider have in place to prevent unauthorized access to its data centers and infrastructure?
6. How does the provider screen its employees and contractors? Do those screening procedures differ at different international locations? How?
7. Who at the provider's premises can see your data? What internal controls does the provider have in place to prevent unauthorized viewing, copying, or emailing of customer information?
8. What is the provider's backup and disaster recovery strategy? How often are incremental backups made? How many copies of your data does the provider store and where are they stored? How far back do the copies go? How often and how do they test their backup and recovery infrastructure?
9. If the provider stores data in non-U.S. locations, can you specify where you want your data stored? How can it ensure your data will not be stored in other locations?
10. What notice will the provider offer when it changes its data center locations or security practices?
11. If the provider uses a multitenant server model, what measures does it take to isolate individual tenant systems and data from each other?
12. What visibility will the provider offer your organization into security processes and events affecting your data?
13. Does the provider have an incident response plan? Can you see it? Does it measure up to your own? Does the provider include your organization in the incident response process?
14. How do the provider's identification and authentication systems integrate with your own?
15. How can the provider ensure compliance with regulations your company must comply with?
16. Does the provider offer periodic reports confirming compliance with your security requirements and SLAs? Will it provide reports of attempted or successful breaches of its systems, impacts, and actions taken?
17. What is the remediation process if the provider cannot live up to its security obligations? Token compensation may not be enough, as a serious breach can damage some organizations severely or even put them out of business.
18. What will happen to your applications and data if the provider goes out of business? How can the provider ensure they won't become the property of creditors?
19. How does the provider ensure that legal actions taken against other tenants will not affect access to your data?
20. If you decide to switch providers or take your systems and data in house, what will it take to migrate your systems and data?

No cloud provider can answer question number 20. How can, say, Microsoft know what it would take to migrate to Amazon, or worse, to a new, not yet established startup, two years from today?

Cloud provider should not attempt to answer question number 18 because in case of filing for Chapter 7 that decision is entirely up to the court.

Answering question number 11 would probably violate any serious provider's policies. If I got an honest answer, I would probably consider the provider naive and therefore unsafe.

The other questions seem to be pretty good.
Post #1234348
Posted Wednesday, January 11, 2012 1:51 PM
Ten Centuries
Group: General Forum Members
Last Login: Thursday, March 6, 2014 1:05 PM
Points: 1,334, Visits: 3,068
I agree on #20; that is a question that the folks on "your" side need to assess, if that is indeed the case. And although I agree with the provider not being able to give a "definitive" answer on #18, they should still be able to give some logical input to that question. You can be pretty sure that they have been asked that question before and should know how to handle it generally enough to at least give you an idea anyway.

"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
Post #1234353
Posted Wednesday, January 11, 2012 2:19 PM
SSC-Dedicated
Group: Administrators
Last Login: Today @ 7:12 AM
Points: 33,266, Visits: 15,432
That's a good list, and whether they can actually answer all of them is debatable, but the way they answer will say something. If they look at #20 and go "sure, we can do anything", you know they haven't really thought it through. Or if they say "we won't do that", you have an idea of how flexible they'd be.

A few of these apply to any partner, so I'm not sure they're fair questions, but they would be good to ask, just to gauge how they're handled.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1234382
Posted Wednesday, January 11, 2012 4:08 PM
SSC Veteran
Group: General Forum Members
Last Login: Sunday, September 8, 2013 5:39 PM
Points: 263, Visits: 862
It's fair to scrutinize the security mechanisms and processes offered by cloud providers. However, you have to ask yourself: Can I do it as well or better? I dare say the real answer in most cases is: probably not. Using [perceived lack of] security as an excuse to not go with a cloud provider is getting weaker and weaker as more proven businesses run in the cloud. And anyone who brings up the AWS outage from last year as a reason needs to get a reality check and move on with their life.

It's kind of like flying vs. driving:

When you fly you have absolutely no control over your own fate. You've put your life completely in the hands of a 3rd party. As it turns out, flying is THE safest way to travel. Why? Because aircraft have multiple redundant systems and are mostly well maintained, pilots are well-trained (and well-paid) and the operational conditions of an aircraft are tightly controlled and monitored. Unfortunately, disasters do happen and planes crash (and people really do win the Mega Millions). That said, airlines learn from their mistakes.

Compare that with driving. Your fate is somewhat in your own hands...but not entirely. However, practically any idiot can get a license. In the US, state governments happily hand over loaded weapons to inexperienced 16-year-old drivers every day. There are plenty of good drivers around but sadly they share the same roads with the really bad drivers. Maintenance is shoddy or non-existent. Training really isn't required. Bad drivers don't learn from their mistakes, they just keep driving badly. As a result, driving is THE worst form of travel.

I see cloud providers as airlines in this scenario (yes, yes....there ARE some good ones...in Asia) and the rest of us as drivers (some good, many not). Make your list as TravisDBA suggests, check it twice, make a decision and then just get on with it.

Besides, in a few years I don't think there will be much of a viable alternative anyway; if you want cost-effective and rock-solid, you will run in the cloud.
James Stover, McDBA
Post #1234446
Posted Wednesday, January 11, 2012 6:26 PM
SSC-Dedicated
Group: Administrators
Last Login: Today @ 7:12 AM
Points: 33,266, Visits: 15,432
James Stover (1/11/2012)
Can I do it as well or better?


Well put, although I don't know if we are training all cloud providers better than the average sysadmin. I'd hope so, but I worry that some of these companies are playing fast and loose, and using the same people that we might hire, so they aren't doing it better.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1234501