22 November 2013

Cloud Insecurity

Often, one sees the views of those raising reasoned doubts about cloud security dismissed as fogeyish and cloud-phobic. Of course, it’s a persuasive argument that cloud security is actually a non-issue, since under-investment means that the on-premise infrastructure of many organizations is a less secure environment for their applications than the cloud. The ClimateGate evidence, for example, would have been more difficult to get had it been stored in the cloud. However, as recent large-scale security breaches at giants such as Adobe and LinkedIn prove, cloud security can and will be breached, and probably more frequently as hackers turn their attention to the increasing use of cloud storage for personal and financial information.

So is a concern about cloud security an irrational fear? In short, we have no way of knowing. In the case of almost all the data breaches of the past year, the custodians of the data weren’t aware of the extent of their security weaknesses until their vulnerabilities were exposed by hackers. In some cases, they didn’t even know of the breach until the hackers boasted about it. What if they don’t boast?

Successful intrusions may be infrequent – getting thirty million IDs and passwords is a difficult task, even from leaky on-premise infrastructures – but the consequences are devastating. Finding out the extent of a data breach is hard. The seminal book on the topic of SQL Server forensics remains Kevvie Fowler’s SQL Server Forensic Analysis, which explains in gory detail the tools, processes, data and logs required to identify and collect the various data fragments (artifacts) that will allow reconstruction of the intruder’s activity.

If part or all of your infrastructure, platform or software is hosted in the cloud, the situation is even more interesting. How do you plan your response to a security breach? How could you find out what cloud data has been stolen? How do you detect and repair any damage inflicted?

This article alone raises a raft of questions to which you need to know the answers, including:

  • What mechanisms does the cloud firm have for logging?
  • If it’s a multitenant cloud, how will they separate your logs from those of other tenants?
  • Will the provider preserve data and hard drives for forensic analysis?

Unless you have solid and satisfactory answers to all these questions, the obvious solution is to ‘scope’ your data very carefully, isolating the proportion that requires regulatory compliance and leaving it on-premise; in other words, a hybrid solution. That would, of course, require you to understand and categorize your data but you do that already, I’m sure?

Tony Davis

Tony Davis is an Editor with Red Gate Software, based in Cambridge (UK), specializing in databases, and especially SQL Server. He edits articles and writes editorials for both the Simple-talk.com and SQLServerCentral.com websites and newsletters, with a combined audience of over 1.5 million subscribers. You can sample his short-form writing at either his Simple-Talk.com blog or his SQLServerCentral.com author page.

As the editor behind most of the SQL Server books published by Red Gate, he spends much of his time helping others express what they know about SQL Server. He is also the lead author of the book, SQL Server Transaction Log Management.

In his spare time, he enjoys running, football, contemporary fiction and real ale.