Today's Challenge: Database Security in the Cloud

Posted on by Christopher Burgess

There is more to loud data security than just data security in the cloud.

The core product offerings for cloud data storage services (or Cloud Sync and Share as they my be called) include storage, sync, share, view, collaborate, Web and mobile support, and APIs, said Rich Mogull of Securosis.   "Without a solid security baseline it really doesn't matter what else the service officers," Mogull wrote.

While cloud storage and security have gone well beyond the database, the security implementation still matters.

What Are We To Do?

Organizations should make sure cloud service providers address the following six areas before entrusting the provider with their data. This is more than simply syncing  a database to the cloud.

Application security: Is the provider investing in Web application security, controls, and processes? Can the provider prove it has ongoing tests? If you would be entrusting your data to their environment, it is not unreasonable to ask how they plan to protect your data.

Business continuity: Where is your data stored? Is your data replicated and available in the event of a catastrophic loss of a data center, network outage, or any other calamity? Mother Nature strikes when it suits her and doesn’t care about your schedule. If the primary data center is down or destroyed, what does the provider plan to do? Does the service provider have failover to other data centers?

Data center security: Don’t just take the providers’ word for it. Get a copy of the reports, such as the SSAE-16 attestation and SOC 2 third party assessments. Understand the physical and logical security protocols the provider will use to protect your data.

Encryption: Your provider may treat database security and encryption as two different things. The service provider may offer to encrypt your data at rest on their servers—always say yes. You should encrypt your customer's personally identifying information and payment card data. On top of all that, verify the provider protects all inter-device connectivity, to and from the service provider and your client devices, with secure socket links (SSL).

Internal controls: Who is watching those with access? ZDNet reports a recent AT&T breach occurred when a trusted individual accessed and stole client data. Just assume anyone who has access to your company data is potentially a threat.

Transparency: Is the service provider willing to engage and demonstrate their security acumen? If your service provider doesn’t provide information or visibility into how it handles security, then that is a problem.

Protecting the Database and Its Availability

While the six areas listed above talk about what roles the cloud service provider has to play, remember that organizations also have a very important role to play. Netflix  balances both availability and security. Its "chaos monkey" introduces chaos into the production service, and tests the company’ sresilience and security. For example, Netflix anticipated portions of its infrastructure would fail when Amazon took portions of its Amazon Web Service offering offline for "security updating of the AWS nodes." Because the company knew what the provider was going to do and acted pre-emptively, Netflix experienced zero downtime. Other organizations weren’t that lucky or well-prepared.

Christopher Burgess

, Prevendra Inc.

cloud security data security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community