SQLServerCentral is supported by Red Gate Software Ltd.
 

Financial Data in the Cloud?

By Phil Factor,

The use of the Cloud for financial data is not currently a realistic option. It is fine for simple websites, but not for any application which is subject to regulation. It may seem churlish to dismiss a technology out of hand, but there have been many occasions when a technology has been presumed to be safe and secure until events and human ingenuity have proven otherwise. Companies have little choice but to assume the worst, now that they're in the grip of an ever-tightening regulatory framework. These regulations are not just Government-initiated, such as DPA or Sarbanes-Oxley, but come from banks, international agencies and payment-card providers.

Companies that store sensitive personal information are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. They are still obliged to ensure that the data is correctly and legally held. The Cloud makes this a great deal more difficult. They must make sure that there is adequate segregation of data, encryption and resilience from disaster. They must also put in place a number of different types of 'control' over the selection, access and supervision of privileged administrators who manage the data, even if it is outsourced.

Service providers have to be checked for regulatory compliance, and scrutinized by independent audits and security certifications. Application security has to be checked every time a software change is made or a service pack is installed, so the 'cloud' provider would need to inform the customer about every such change to allow the customer to perform basic security management.

The whole issue of compliance is complicated by the fact that it is generally unclear where the data is, so it's hard to know which legal jurisdictions apply, including the local laws for data protection, privacy and retention. This may seem fussy, but companies don't just have to worry about cyber-criminals getting hold of data, but also various governments. Anti-terrorism legislation varies widely from country to country. For example, whereas the EU generally insists on strict protection of privacy, the US Patriot Act gives powers to government agencies to access company information held in the cloud within US jurisdiction, despite the 'US Safe Harbor Privacy Principles'.

Financial databases are designed like fortresses nowadays. It is difficult to predict the nature of the attack, so a number of independent systems must monitor attempts at intrusion, and audit all access. It is difficult to provide this in a multi-tenancy service where the Cloud application is decoupled from specific hardware resources, where logging is shared, and where data could be held anywhere. Even simple exception-monitoring systems aren't that straightforward.

There have been several concerted attempts to solve some of these security and monitoring issues, such as IBM, SAP and Cisco's 'Open Cloud Manifesto', and some individual initiatives are taking place.

In the meantime, Cloud service providers are insisting that they are steeped in the 'culture of security' advocated by OECD Guidelines for the Security of Information Systems and Networks. The SAS70 auditing standard has been adopted by most of the Cloud service providers, and some are getting their services certified to the US Government's Federal Information Security Management Act (FISMA) standards. There is also a move to getting ISO27001 accreditation so as to facilitate independent audit.

Nevertheless, there will have to be further compromises between the pioneers of The Cloud and the regulators, before companies feel safe in entrusting their data to such an abstract service, seemingly 'remote from sand and iron'. And I still haven't found a Cloud provider who can tell me about failed attempts to access my data.

Phil Factor (Guest Editor)
