
Cloud Safety

By Steve Jones,

One of the big concerns with databases and cloud computing is security. I recently ran across an article that asked the question, "how can you make sure your cloud provider can protect your data?". There aren't any guarantees, but the article does describe the certifications that your provider might have earned and be able to prove. The standards listed are FIPS 200/SP 800-53, ISO 27001/27002, SSAE 16, and SOC 2 and 3. Whether these apply to you, or provide the security you need, is something you will have to decide. Be careful and do your homework: some of these certifications only mean that the certifying company has given its own opinion on security, which may differ from the opinion another company would give.

The article did make some good points about evaluating security for your company. You should understand what these certifications mean and, in some cases, make sure the provider has multiple designations. For example, ISO 27001 and ISO 27002 are needed together to ensure a reasonable level of security. The provider should also be able to give you copies of their audits, and contract with you to ensure ongoing audits and vulnerability tests. These are reasonable requests, and they are measures you should have in place for any of your own facilities as well.

Are SQL Azure and Windows Azure secure? Windows Azure does have the ISO 27001:2005 certification, but I haven't seen ISO 27002 listed. I also don't think this covers SQL Azure, but it's not clear. There is a note that Microsoft has completed the ISO 27001 and the SAS 70 Type I and II certifications, but I haven't seen PCI listed for Microsoft. It is listed for Amazon Web Services, one of the other large SQL Server cloud hosting providers.

Security is a process, not a product. It is something you need to create, adapt, alter, and monitor on a regular basis. Some cloud providers are diligent about applying and documenting their security controls and audit results, some are not. If you need secure services, it's important that you get your requirements in writing from your cloud provider, or find a new vendor. No matter what work your cloud provider does to secure their facilities and network, however, it's even more important that you develop your application securely. Restrict rights, avoid SQL Injection holes, and implement the best practices for secure development of applications as you write your code. It's usually easier to attack your application than the hosting provider.
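As an added illustration of those last two points (this is not code from the editorial), here is the same SQL Server lookup written with string concatenation and then with a typed parameter, followed by the least-privilege grant for the application login. The table, procedure and role names are constructed for the example.

```sql
-- Constructed sample table (an assumption for illustration).
CREATE TABLE dbo.Customers (
    CustomerID int IDENTITY PRIMARY KEY,
    Email      nvarchar(256) NOT NULL,
    Region     nvarchar(50)  NOT NULL
);
GO

-- BEFORE: the caller's text is spliced into the statement. Whatever the
-- caller sends becomes part of the SQL rather than being compared as data,
-- so the WHERE clause can be rewritten by the input.
CREATE PROCEDURE dbo.FindCustomers_Unsafe @Region nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Email FROM dbo.Customers WHERE Region = '''
        + @Region + N'''';
    EXEC (@sql);
END;
GO

-- AFTER: the statement text is fixed and the value travels as a parameter
-- through sp_executesql. The input is only ever a string compared to Region.
CREATE PROCEDURE dbo.FindCustomers @Region nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Email FROM dbo.Customers WHERE Region = @Region';
    EXEC sys.sp_executesql @sql, N'@Region nvarchar(50)', @Region = @Region;
END;
GO

-- Restrict rights: the application's role gets EXECUTE on the procedure only.
-- No permission is granted on dbo.Customers itself; ownership chaining
-- (both objects owned by dbo) lets the procedure read the table, so a flaw
-- elsewhere in the application cannot be turned into direct table access.
CREATE ROLE app_reader;
GRANT EXECUTE ON OBJECT::dbo.FindCustomers TO app_reader;
GO
```

Run the script in SSMS or sqlcmd (the GO lines are batch separators), then add the application's database user to app_reader rather than to db_datareader or db_owner.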

Steve Jones

The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there. Overall RSS Feed, or now on iTunes!

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

You can also follow Steve Jones on Twitter:
