No one can deny the ascendency of the cloud in personal and business computing in recent years. With more applications being shifted to the cloud, more cloud databases are deployed. In fact, cloud databases represent a leading trend in database technology. There are many clear reasons why cloud databases are so popular.
Compared with traditional databases, they’re more scalable, easily accessed, and don’t require the hardware maintenance necessary with on-premises data centers.
But because the owner of the data is separate from the people who administer it in the cloud, cloud databases represent a significant security risk. Moreover, the industries adopting cloud databases most are ones where data protection is often most critical: government, public utilities, healthcare, and telecommunications. Many data experts in these industries see cloud services as the easiest way to meet strict regulatory requirements, yet risk to the data doesn’t go away just because regulations are met.
How the Cloud Has Changed Security Requirements
When the cloud becomes part of an organization’s computing and storage environment, traditional security requirements like data integrity, access control, identity authentication, and data confidentiality don’t go away. New security concerns are also introduced, such as credibility, along with the types of attacks that target cloud data, such as denial-of-service attacks and side-channel attacks.
People Can Be the Biggest Security Risk
With cloud databases, there’s the simple fact that more people are involved with your data: your people, and the cloud provider’s people. It stands to reason that the more people who have access to your data, the greater the risk of a data security problem. Businesses aren’t unaware of security risks posed by cloud databases. A Capgemini study of Microsoft Azure adoption cited “Fear of security breaches” as the top impediment preventing cloud adoption, expressed by 41% of respondents. What can you do to keep data held in cloud databases secure?
What to Find Out Before Entrusting Your Data to a Cloud Database Provider
Don’t just go with a cloud provider after reading their marketing collateral. Ask questions. Mark Whitehorn of the University of Dundee suggests asking:
• Where will the data be stored, and will it be managed from that same location?
• Will the data ever be moved?
• If data will be stored in another country, what are that country’s data protection laws?
• Will our data pass through other countries when we interact with it?
• Will data always take the same path from cloud database to us?
• Is the data encrypted, and if so, how?
• Who has access to encryption keys?
Be sure you can trust whoever has access to encryption keys.
Steps You Must Take to Protect Data Stored in the Cloud
A Skyhigh white paper titled “15 Point Checklist for Cloud Data Protection” lists several steps you must take to ensure data stored in cloud databases is protected. One thing nobody wants to do, but everyone should do, is actually read the Terms and Conditions before agreeing to them. The paper cites an executive who uploaded a confidential presentation to cloud-based presentation service Prezi and only later realized she had granted Prezi a broad, irrevocable usage license for the content of the presentation. That’s a legal risk your company should be well aware it’s taking, and that means digging through the T&C of any cloud service you use.
You also have to realize that, when your organization allows access to one cloud storage service, your firewall could end up unblocking the entire category of cloud storage, which could include higher-risk cloud services. Should one or more employees start using those risky cloud services, they could unintentionally put the company at legal risk or at risk of noncompliance.
Skyhigh also suggests creating usage benchmarks as soon as you start using a cloud data storage service. Once you learn what typical usage patterns are, it will be easier to detect anomalous usage patterns that could tip you off to a potential breach. Third-party apps are another risk to be aware of. A 2013 Evernote attack compromised tens of millions of accounts, some of which contained sensitive company documents. And should a third-party app corrupt documents stored in the cloud, not having redundant backups could ruin valuable data permanently.
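The usage-benchmark step described above can be sketched as follows. This is an added example, not code from the Skyhigh paper or any cloud provider; the user names, dates, download volumes, and the choice of a median/MAD (modified z-score) test are assumptions made for illustration.

```python
from statistics import median

# Constructed sample data: megabytes each user downloaded per day during the
# benchmark period (user names and volumes are illustrative).
BASELINE_DAYS = {
    "alice": [120, 135, 110, 128, 140, 125, 131],
    "bob": [20, 25, 22, 18, 24, 21, 23],
}

# Constructed observations to check: (day, user, megabytes downloaded).
OBSERVED = [
    ("2024-05-08", "alice", 133),
    ("2024-05-08", "bob", 940),    # bulk download far above bob's norm
    ("2024-05-08", "carol", 15),   # account that was never benchmarked
    ("2024-05-09", "bob", 26),
]

MIN_MAD_MB = 1.0  # floor so a perfectly flat baseline cannot divide by zero
THRESHOLD = 3.5   # commonly used cutoff for the modified z-score


def build_baseline(daily_mb):
    """Return {user: (median, MAD)} computed over the benchmark period."""
    baseline = {}
    for user, values in daily_mb.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[user] = (med, max(mad, MIN_MAD_MB))
    return baseline


def find_anomalies(observed, baseline, threshold=THRESHOLD):
    """Flag observations that deviate from the user's own benchmark."""
    alerts = []
    for day, user, mb in observed:
        if user not in baseline:
            # Activity with no benchmark cannot be judged normal; surface it.
            alerts.append((day, user, mb, "no baseline"))
            continue
        med, mad = baseline[user]
        score = 0.6745 * (mb - med) / mad  # modified z-score
        if abs(score) > threshold:
            alerts.append((day, user, mb, f"score {score:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(OBSERVED, build_baseline(BASELINE_DAYS)):
        print(alert)
```

Median and MAD are used instead of mean and standard deviation so that a single unusual day inside the benchmark period does not inflate what counts as normal.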