
Cloud Safety

By Steve Jones,

One of the big concerns with databases and cloud computing is security. I recently ran across an article that asked the question, "How can you make sure your cloud provider can protect your data?" There aren't any guarantees, but there is some information in the article about the certifications that your provider might have earned and be able to prove. There are FIPS 200/SP 800-53, ISO 27001/27002, and SSAE 16, SOC 2 & 3 standards listed. Whether these are applicable to you, or provide the security you need, is something you will have to decide. Be careful, and do your homework, as some of the certifications mean that the certifying company can give you an opinion on security, which is their own and may be different from the one another company would give.

The article did make some good points about evaluating security for your company. You should understand what these certifications mean, and in some cases, make sure the provider has multiple designations. For example, both ISO 27001 and ISO 27002 are needed together to ensure a reasonable level of security. The provider should also be able to provide you with copies of their audits, and contract with you to ensure ongoing audits and vulnerability tests. These are reasonable requests, and they are measures you should have in place for any of your facilities.

Are SQL Azure and Windows Azure secure? Windows Azure does have the ISO 27001:2005 certification, but I haven't seen ISO 27002 listed. I also don't think this covers SQL Azure, but it's not clear. There is a note that Microsoft has completed the ISO 27001 and the SAS 70 Type I and II certifications, but I haven't seen PCI listed for Microsoft. It is listed for Amazon Web Services, one of the other large SQL Server cloud hosting providers.

Security is a process, not a product. It is something you need to create, adapt, alter, and monitor on a regular basis. Some cloud providers are diligent about applying and documenting their security controls and audit results; some are not. If you need secure services, it's important that you get your requirements in writing from your cloud provider, or find a new vendor. No matter what work your cloud provider does to secure their facilities and network, however, it's even more important that you develop your application securely. Restrict rights, avoid SQL injection holes, and implement the best practices for secure development of applications as you write your code. It's usually easier to attack your application than the hosting provider.

Steve Jones


 