Click here to monitor SSC

Tony Davis is an Editor with Red Gate Software, based in Cambridge (UK), specializing in databases, and especially SQL Server. He edits articles and writes editorials for both the Simple-talk.com and SQLServerCentral.com websites and newsletters, with a combined audience of over 1.5 million subscribers. You can sample his short-form writing at either his Simple-Talk.com blog or his SQLServerCentral.com author page. As the editor behind most of the SQL Server books published by Red Gate, he spends much of his time helping others express what they know about SQL Server. He is also the lead author of the book, SQL Server Transaction Log Management. In his spare time, he enjoys running, football, contemporary fiction and real ale.

Cloud Insecurity

Published 22 November 2013 2:56 pm

Often, one sees the views of those raising reasoned doubts about cloud security dismissed as fogeyish and cloud-phobic. Of course, it’s a persuasive argument that cloud security is actually a non-issue, since under-investment means that the on-premise infrastructure of many organizations is a less secure environment for their applications than the cloud. The ClimateGate evidence, for example, would have been more difficult to get had it been stored in the cloud. However, as recent large-scale security breaches at giants such as Adobe and LinkedIn prove, cloud security can and will be breached, and probably more frequently as hackers turn their attention to the increasing use of cloud storage for personal and financial information.

So is a concern about cloud security an irrational fear? In short, we have no way of knowing. In the case of almost all the data breaches of the past year, the custodians of the data weren’t aware of the extent of their security weaknesses until their vulnerabilities were exposed by hackers. In some cases, they didn’t even know of the breach until the hackers boasted about it. What if they don’t boast?

Successful intrusions may be infrequent – getting thirty million IDs and passwords is a difficult task, even from leaky on-premise infrastructures – but the consequences are devastating. Finding out the extent of a data breach is hard. The seminal book on the topic of SQL Server forensics remains Kevvie Fowler’s SQL Server Forensic Analysis, which explains in gory detail the tools, processes, data and logs required to identify and collect the various data fragments (artifacts) that will allow reconstruction the activity of the intruder.

If part of all of your infrastructure, platform or software is hosted in the cloud, the situation is even more interesting. How do you plan your response to a security breach? How could you find out what cloud data has been stolen? How do you detect and repair any damage inflicted?

This article alone raises a raft of questions to which you need to know the answers, including:

  • What mechanisms the cloud firm has for logging?
  • If it’s a multitenant cloud, how will they separate your logs from those of other tenants?
  • Will the provider preserve data and hard drives for forensic analysis?

Unless you have solid and satisfactory answers to all these questions, the obvious solution is to ‘scope’ your data very carefully, isolating the proportion that requires regulatory compliance and leaving it on-premise; in other words, a hybrid solution. That would, of course, require you to understand and categorize your data but you do that already, I’m sure?

5 Responses to “Cloud Insecurity”

  1. Keith Rowley says:

    This article does not even touch the legal problems of storing data in the cloud. Having spent the last several months off and on trying to get Amazon to sign a Business Associate Agreement so we can stored backups from our electronic medical records system on S3 in a way that is HIPAA compliant I can tell you this can be a real challenge.

    The crazy thing is we pre-encrypt the backups locally so Amazon will only ever have access to an encrypted copy of the data, but we still have to have them sign a BAA that acts like they have access to the full data because the law was obviously written by someone with no understanding of encryption technology.

    We would be buried in paperwork from our lawyers if we wanted to actually host ANY of our systems in the cloud, even ones that don’t have protected health information on them.

    Private networks may or may not be more secure, but they are absolutely easier to explain to a lawyer.

  2. Phil Factor says:

    The Verizon 2013 Data Breach Investigations Report found that, of the 47,000 reported security incidents, involving 174 million compromised records, and 621 data breaches in 27 countries in 2012, 66% weren’t detected for several months and 10% of all breaches were discovered by customers, sometimes coming across their details on hacker sites, before the business itself became aware of them.
    Cloud data-breaches were reported to have increased for three years running.
    See: Verizon 2012 Data Breach Investigations Report

  3. Robert Young says:

    This is another instance of responsibility shirking. Just as ABC Corp. sends its manufacturing sector to countries which permit levels of human exploitation not allowed (well, legally anyway) in their “home” countries, and can thus disclaim any responsibility for the conditions of not-their workers, so they do with data by making it not-their data. In hopes of saving a few bucks, and having contract language insulating them from the inevitable mess. Just today, reports here on the West Side of The Pond detail how NSA slurped data from the backbone carriers, and how said carriers were able to insulate themselves by pointing at “law”. The innterTubes are designed to take “the least delayed path”, which means that US data may well pass through Europe, Eastern Bloc, or Asia. The same is true for EU countries’ data finding itself on the US backbone.

    The issue comes down having what some consider the evil Global Government. While even as late the 19th century, half way around the world was out-of-sight, out-of-mind; now the geophysical fungibility of capital makes it yet easier for those at the top to exploit those not so happily situated.

  4. Ken3 says:

    It really gets to me that the cloud providers keep pushing out marketing blurb saying ‘IT pros are getting over their fear of the cloud and are actively embracing it’. It is not fear, it is just that we are waiting until a year has elapsed since the last major cloud security breach. After all, we can’t just abandon our duty as custodians of the company’s data, however good the marketing blurb of the cloud providers happens to be

  5. paschott says:

    The idea of a hybrid solution has some merit. I remember meeting someone at the PASS conference who used Azure to host some SSIS process that would basically crunch a bunch of data. They spun up the machine when it was needed, imported the data, processed it, exported it, and turned off the machine. That saved them a bunch of money over buying hardware to do something similar.

    I don’t know if any of that data was PII or not, but it was definitely a limited use scenario and a pretty clever way to get more computing power temporarily.

    For my current company, we’d have a bit of trouble going external just because of the risk of data being exposed. It’s easy enough for poorly written code to expose data. I don’t think we’d also want to risk it being hosted on someone else’s servers that could be exposed through something we didn’t write.

    That being said, I do see uses for data and services in the cloud. Now is the time to learn, test, and grow because I do see cloud-based services becoming more important.

Leave a Reply