Cloud Environment Database vs. On-Premise Security

The following is an excerpt from Chapter 7 of the book Mining New Gold - Managing Your Business Data by Penny, Jeffrey and Gillian Garbus.

Cloud security often instills a sense of false over-confidence. A significant number of people seem to be under the impression that if their data is stored in a third-party cloud, the information is safe and protected. They think, “I don’t have to worry about my data, it’s in the cloud.” Yet, cross the room to another group of people, and you may hear them say, “I can’t have my data in the cloud. It isn’t as safe as my own on-premises environment.”

The reality is that both opinions are partially incorrect. Cloud environments are not inherently riskier than on-site servers, nor are they more secure. Cloud environments have the same security risks as on-site storage. They both require the same protections and setup demands on the application and cloud environment side.

Statistically, cloud environments are attacked less often than on-site storage. Perhaps hackers feel the security is stronger and are less interested in attempting to penetrate it. However, cloud environments are susceptible to Denial of Service (DoS) attacks. This is where one server sends a crushing number of requests to another, basically tying up the attacked server with insignificant queries and overwhelming its ability to do the work it was intended for.

Most cloud vendors have sophisticated, well-educated, and equipped security professionals who can adapt to changing security needs. Hiring a team like this for your own environment is costly. But ensuring the proper maintenance and support needed by different tiers of the environment can provide comfort to a business owner, as cloud fees tend to be less expensive than having experts on payroll.

So how do you choose the right cloud provider?

The business owner, IT manager, or application manager should meet with the cloud provider and discuss in detail the available levels of security. Which duties can be delegated to the cloud provider? Does the provider expect you to cover some security responsibilities yourself? By establishing clear lines of which roles will be accomplished by whom, you’ll be able to find holes and patch them up.

For example, if your contract doesn’t specifically establish that the cloud provider watches for DDoS (Distributed Denial of Service) attacks and there is an attack, you would likely incur additional fees for them to be resolved.

Also, make sure data is always backed up and sent to another site by the cloud provider. Backups on premises (or often on the same server) are not good at all. This is because in the case of a natural disaster, fire, flood, or any other type of catastrophic damage to the location, you want the peace of mind that comes with knowing that your backed up data was sent off-site.

The Backup Process

These backup processes can be very pricey, as the throughput charges from the vendor can be excessive. The best option to make sure you have a copy of your own data may be out of your budget.

If your business requires that customers have access to applications or data, you should have a replicated environment in a second cloud environment. These services are usually offered. It’s up to you to take advantage of them.

When you sit down with your provider, bring the following checklist.

  • Where will the backups be stored?
  • How often is information backed up?
  • How can the backups be restored?
  • What is your strategy against a DDoS attack?
  • What’s the security process? Are there any vulnerabilities?

Once you have all this information, flesh out the details of the security process by asking the following questions:

  • Is environment access limited?
  • Is data access limited?
  • Are checks completed regularly to make sure deactivated accounts are deactivated properly?
  • Do they have proper SSL certificates?
  • Are developers hiding passwords inside their code?
  • Does the provider share passwords within the office?
  • Are passwords properly stored and utilized?
  • Are firewalls and antivirus software used on all computers?
  • Do they use proper network standards?

No two computers should share files on the network. The core data structure or database server should not allow other computers to have open access to it.

The table represents differences in vulnerability between cloud and on premises security environments.

Key Takeaways About Cloud Storage

1. Regardless of whether you choose to store data in the cloud or in an on-premises environment, you’ll need to ensure adequate security and maintenance strategies. Never assume these issues are automatically taken care of.

2. Make sure you fully understand which plans will be implemented and have them be provided to you in writing. Also, validate responsibility and document maintenance completion and security tasks every single time they occur. Use tools to validate your backups, maintenance jobs, and security access controls; and consider using a tool that allows you to know every day, hour, or minute, that your environment is protected.

3. If you do choose to go the cloud route, review the costs of proper backup procedures and the cost of the throughput for your users in the application. There may be costs that you had not expected; yet they may still be less than maintaining the hardware, software, and staff that you would need on-premise. Just always make sure to know where your data is being stored, where the backup information is located, and that you always have ways to recover it.

It is perhaps no longer an exaggeration to say the Internet is everywhere. The corollary to this statement is if your data is accessible with the Internet, usually via a web page, you can get your data from anywhere.

Make sure the database server is behind a firewall, and only the applications accessing the data have means to query the data. When you can, you should use table or column-level data encryption. Limit access to the database except through queries in the application.

Do not under any circumstances allow the data to be accessed directly without using a virtual private network (VPN).

Enforce password complexity standards. Use all the security techniques you can without limiting your performance, and use three-strike methods to keep bad folks out.
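The password complexity and three-strike advice above can be sketched as follows. This is an added example, not code from the book: the complexity policy, the 15-minute lockout window, the class name `ThreeStrikeGate`, and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

MAX_STRIKES = 3        # "three strikes", as in the text
LOCKOUT_SECONDS = 900  # assumed lockout window (15 minutes); not from the book

def is_complex(password, min_len=12):
    """Assumed policy: minimum length plus lower, upper, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= min_len and all(re.search(c, password) for c in classes)

# Constructed sample store: salted PBKDF2 hashes, never plaintext passwords.
SALT = b"constructed-salt"
STORE = {"alice": hashlib.pbkdf2_hmac("sha256", b"Correct-Horse-42!", SALT, 100_000)}

def verify(user, password):
    """Hash the candidate and compare in constant time against the store."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    stored = STORE.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)

class ThreeStrikeGate:
    """Locks an account for a fixed window after three consecutive failures."""

    def __init__(self, verify_fn, clock=time.monotonic):
        self._verify = verify_fn
        self._clock = clock          # injectable so the lockout can be tested
        self._strikes = {}           # user -> consecutive failed attempts
        self._locked_until = {}      # user -> time at which the lock expires

    def is_locked(self, user):
        return self._clock() < self._locked_until.get(user, float("-inf"))

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user):
            return "locked"          # the password is not evaluated while locked
        if self._verify(user, password):
            self._strikes.pop(user, None)   # success resets the strike count
            return "ok"
        self._strikes[user] = self._strikes.get(user, 0) + 1
        if self._strikes[user] >= MAX_STRIKES:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            self._strikes.pop(user, None)
            return "locked"
        return "denied"
```

The lock here is temporary rather than permanent, so repeated bad guesses against an account delay its owner instead of shutting them out indefinitely.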