January 10, 2012 at 10:06 pm
Comments posted to this topic are about the item Cloud Safety
January 11, 2012 at 2:43 am
How do you make sure your company does not lose critical data to usa? Companies in usa are required to hand over data that the usa gov requests.
How can you be sure data is not sold to others?
How can you be sure of the price and performance?
Does not the agreements from the companies providing these services reserve themselves for chaining the agreements?
What right to data security and availability do you get? If the cloud service goes down for some reason, which has happened and will happen again.
January 11, 2012 at 8:47 am
Many countries have laws requiring disclosure of items to the government. The government can do the same thing to your company. Granted, you can delay if you have the data, but they can still often seize it with law enforcement. Lots of countries, not all, have reciprocal agreements between governments for this. I don't worry about this, since most of the businesses that are legitimate have little to fear here.
You can't be sure your data isn't sold to others, though in many cloud environments, you are still controlling the security in your VM. Someone could potentially copy the VM and crack passwords, but I'm not sure this is easier in the cloud. They can easily pay one of your admins to do the same thing at your company. I'm not sure this is a huge potential problem. Tons of companies use hosting services, and this hasn't been a bit issue there, and those companies have physical access to your systems and could copy things.
Does not the agreements from the companies providing these services reserve themselves for chaining the agreements?
Not sure that you mean. The sentence doesn't make sense.
In terms of security and reliability, it's a gamble, but is it worse than your company? Arguably they have more experience providing services on a scale and do a better job because an outage affects lots of customers, and could put them out of business. I've worked in dozens of companies where the admins/developers/DBAs there caused outages because they weren't competent.
Contract for services, have penalty clauses, and work with the limitations. The cloud isn't for every company, nor for every database. You can keep complaining, or you can look for valid reasons why it will, or will not, work and use those as appropriate. It's not a blanket "bad idea". That's the complaint I heard about hosting services years ago, and about SaaS companies (like Salesforce). They're just not valid complaints for every situation.
January 11, 2012 at 8:48 am
"Security is a process, not a product."
It is a developing mindset.
January 11, 2012 at 11:51 am
"how can you make sure your cloud provider can protect your data?"
Very simple, ask your Cloud Provider about 20 or so very pointed questions, and make sure you are satisfied with those answers. If not, move on quickly. 😀 Here they are:
1.Does the provider take responsibility for the security and integrity of your systems and data or does it consider them your responsibility? If so, what security aspects does the provider take responsibility for?
2.Does the provider encrypt data in transit and at rest?
3.What measures does the provider take to destroy data after it is released by customers?
4.What security certifications does the provider possess: SAS 70 Type I or II. PCI-DSS? What proof can the provider offer of those certifications? Can you examine the SAS 70 report? How often are its security practices audited and by whom?
5.What physical security measures, processes, and monitoring capabilities does the provider have in place to prevent unauthorized access to its data centers and infrastructure?
6.How does the provider screen its employees and contractors? Do those screening procedures differ at different international locations? How?
7.Who at the provider’s premises can see your data? What internal controls does the provider have in place to prevent unauthorized viewing, copying, or emailing of customer information?
8.What is the provider’s backup and disaster recovery strategy? How often are incremental backups made? How many copies of your data does the provider store and where are they stored? How far back do the copies go? How often and how do they test their backup and recovery infrastructure?
9.If the provider stores data in non-U.S. locations can you specify where you want your data stored? How can it ensure your data will not be stored in other locations?
10.What notice will the provider offer when it changes its data center locations or security practices?
11.If the provider uses multitenant server model, what measures does it take to isolate individual tenant systems and data from each other?
12.What visibility will the provider offer your organization into security processes and events affecting your data?
13.Does the provider have an incident response plan? Can you see it? Does it measure up to your own? Does the provider include your organization in the incident response process?
14.How do the provider’s identification and authentication systems integrate with your own?
15.How can the provider ensure compliance with regulations your company must comply with?
16.Does the provider offer periodic reports confirming compliance with your security requirements and SLA’s? Will it provide reports of attempted or successful breaches of its systems, impacts, and actions taken?
17.What is the remediation process if the provider cannot live up to its security obligations? Token compensation may not be enough, as a serious breach can damage some organizations severely or even put them out of business.
18.What will happen to your applications and data if the provider goes out of business? How can the provider ensure they won’t become the property of creditors?
19.How does the provider ensure that legal actions taken against other tenants will not affect access to your data?
20.If you decide to switch providers or take your systems and data in house, what will it take to migrate your systems and data?
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
January 11, 2012 at 1:46 pm
TravisDBA (1/11/2012)
"how can you make sure your cloud provider can protect your data?"Very simple, ask your Cloud Provider about 20 or so very pointed questions, and make sure you are satisfied with those answers. If not, move on quickly. 😀 Here they are:
1.Does the provider take responsibility for the security and integrity of your systems and data or does it consider them your responsibility? If so, what security aspects does the provider take responsibility for?
2.Does the provider encrypt data in transit and at rest?
3.What measures does the provider take to destroy data after it is released by customers?
4.What security certifications does the provider possess: SAS 70 Type I or II. PCI-DSS? What proof can the provider offer of those certifications? Can you examine the SAS 70 report? How often are its security practices audited and by whom?
5.What physical security measures, processes, and monitoring capabilities does the provider have in place to prevent unauthorized access to its data centers and infrastructure?
6.How does the provider screen its employees and contractors? Do those screening procedures differ at different international locations? How?
7.Who at the provider’s premises can see your data? What internal controls does the provider have in place to prevent unauthorized viewing, copying, or emailing of customer information?
8.What is the provider’s backup and disaster recovery strategy? How often are incremental backups made? How many copies of your data does the provider store and where are they stored? How far back do the copies go? How often and how do they test their backup and recovery infrastructure?
9.If the provider stores data in non-U.S. locations can you specify where you want your data stored? How can it ensure your data will not be stored in other locations?
10.What notice will the provider offer when it changes its data center locations or security practices?
11.If the provider uses multitenant server model, what measures does it take to isolate individual tenant systems and data from each other?
12.What visibility will the provider offer your organization into security processes and events affecting your data?
13.Does the provider have an incident response plan? Can you see it? Does it measure up to your own? Does the provider include your organization in the incident response process?
14.How do the provider’s identification and authentication systems integrate with your own?
15.How can the provider ensure compliance with regulations your company must comply with?
16.Does the provider offer periodic reports confirming compliance with your security requirements and SLA’s? Will it provide reports of attempted or successful breaches of its systems, impacts, and actions taken?
17.What is the remediation process if the provider cannot live up to its security obligations? Token compensation may not be enough, as a serious breach can damage some organizations severely or even put them out of business.
18.What will happen to your applications and data if the provider goes out of business? How can the provider ensure they won’t become the property of creditors?
19.How does the provider ensure that legal actions taken against other tenants will not affect access to your data?
20.If you decide to switch providers or take your systems and data in house, what will it take to migrate your systems and data?
No cloud provider can answer question number 20. How can say Microsoft know what would it take to migrate to Amazon, or worse to a new, not yet established startup, two years from today?
Cloud provider should not attempt to answer question number 18 because in case of filing for Chapter 7 that decision is entirely up to the court.
Answering question number 11 would probably violate any serious provider's policies. If I got an honest answer, I would probably consider the provider naive and therefore unsafe.
Other questions seems to be pretty good.
January 11, 2012 at 1:51 pm
I agree on #20, that is a question that the folks on "your" side need to assess if that is indeed the case, and although I agree with the provider not being able to give a "definitive" answer on #18, they should still be able to give some logical input to that question. You can be pretty sure that they have been asked that question before and should know how to handle it generally enough to at least give you an idea anyway. 😀
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
January 11, 2012 at 2:19 pm
That's a good list, and whether they can actually answer all of them is debatable, but the way they answer will say something. If they look at #20 and go "sure, we can do anything", you know they haven't really thought it through. Or if they say "we won't do that", you have an idea of how flexible they'd be.
A few of these apply to any partner, so I'm not sure they're fair questions, but they would be good to ask, just to gauge how they're handled.
January 11, 2012 at 4:08 pm
It's fair to scrutinize the security mechanisms and processes offered by cloud providers. However, you have to ask yourself: Can I do it as well or better? I dare say the real answer in most cases is: probably not. Using [perceived lack of] security as an excuse to not go with a cloud provider is getting weaker and weaker as more proven businesses run in the cloud. And anyone who brings up the AWS outage from last year as a reason needs to get a reality check and move on with their life.
It's kind of like flying vs. driving:
When you fly you have absolutely no control over your own fate. You've put your life completely in the hands of a 3rd party. As it turns out, flying is THE safest way to travel. Why? Because aircraft have multiple redundant systems and are mostly well maintained, pilots are well-trained (and well-paid) and the operational conditions of an aircraft are tightly controlled and monitored. Unfortunately, disasters do happen and planes crash (and people really do win the Mega Millions). That said, airlines learn from their mistakes.
Compare that with driving. Your fate is somewhat in your own hand...but not entirely. However, practically any idiot can get a license. In the US, state governments happily hand over loaded weapons to inexperienced 16 year-old drivers every day. There are plenty of good drivers around but sadly they share the same roads with the really bad drivers. Maintenance is shoddy or non-existent. Training really isn't required. Bad drivers don't learn from their mistakes, they just keep driving badly. As a result, driving is THE worst form of travel.
I see cloud providers as airlines in this scenario (yes, yes....there ARE some good ones...in Asia :-)) and the rest of us as drivers (some good, many not). Make your list as TravisDBA suggests, check it twice, make a decision and then just get on with it.
Besides, in a few years I don't think there will be much of a viable alternative anyway; if you want cost-effective and rock-solid, you will run in the cloud.
James Stover, McDBA
January 11, 2012 at 6:26 pm
James Stover (1/11/2012)
Can I do it as well or better?
Well put, although I don't know if we are training all cloud providers better than the average sysadmin. I'd hope so, but I worry that some of these companies are playing fast and loose, and using the same people that we might hire, so they aren't doing it better.
January 12, 2012 at 12:22 am
Steve Jones - SSC Editor (1/11/2012)
Not sure that you mean. The sentence doesn't make sense.
The agreement you must sign to use the cloud from a cloud provider is reserving itself for potential changes in the agreements. Or at least so I've read on some news sites. If this is the case, it makes the agreement worthless.
In terms of security and reliability, it's a gamble, but is it worse than your company? Arguably they have more experience providing services on a scale and do a better job because an outage affects lots of customers, and could put them out of business. I've worked in dozens of companies where the admins/developers/DBAs there caused outages because they weren't competent.
Competence will always be an issue, you still need dba's for your cloud services. I do not really see what you gain in DBA competence by using a cloud service. It's my experience that several companies that sells their services to others, like tieto and logica for instance, does not hold much competence at all.
Contract for services, have penalty clauses, and work with the limitations. The cloud isn't for every company, nor for every database. You can keep complaining, or you can look for valid reasons why it will, or will not, work and use those as appropriate. It's not a blanket "bad idea". That's the complaint I heard about hosting services years ago, and about SaaS companies (like Salesforce). They're just not valid complaints for every situation.
Complaining? I'd say there is a difference between complaining and criticizing mayor flaws with a product. A product that can not be viewed as close to finished.
This is often the case with companies today, push it out to the market, reserve against issues in the agreement and sell sell sell. No regards to quality.
Still, you have no idea what you are purchasing in terms of processing power at all.
Then there is another issue, but perhaps only limited to a few countries like mine, Sweden. Some types of data you must be able to answer for where it is stored, the location, and it may not be stored where ever or in what ever fashion someone wishes to store it.
January 12, 2012 at 8:23 am
The agreement you must sign to use the cloud from a cloud provider is reserving itself for potential changes in the agreements. Or at least so I've read on some news sites. If this is the case, it makes the agreement worthless.
Perhaps it's a language barrier, but "reserving itself for" isn't a phrase that makes sense.
Many contracts to contain language that says the contract may be modified. Lots of software has this, but it always requires a notification of the customer, who may then cancel the contract. It's standard, and exists for co-location hosting, and other services. Nothing new here. The agreement isn't worthless, it's subject to change.
I am sure there are companies selling services that don't have good staff. That's not a blanket indictment on the entire idea of cloud services. Go back and read James' post in this thread. There is a good reason for service companies to have better qualified people. Doesn't mean they will, but you perform due diligence checks.
I, too, worry about this. It's easy to hire the same level of staff as the average company and sell a service. I would be looking for a higher quality of staff before I used a particular company for anything important. But keep in mind that many companies don't have DBAs, or don't even have quality staff. There is a nice challenge in managing lots of cloud instances and you might get better quality people applying. Not will, or won't, but might.
You can criticize the idea or the product, but it seems you're basing criticism on outdated ideas.
You have an idea of processing power, what you're limited on is performance. Not every app needs a guarantee of performance all the time. You are trusting the cloud company to balance the load across servers. It's worked very well for web servers, which are often "cloud" based and virtualized, and work well for thousands of companies.
If you are mandated to have control of data, the cloud probably doesn't work FOR THAT APP. However there are usually multiple apps in a company, and not all of them require the data to be secured in a certain way. Usually there are multiple levels of data security that you have to maintain.
Choosing the cloud doesn't mean abandoning your internal servers. It means that for some applications, it makes sense. For others it doesn't.
January 12, 2012 at 12:06 pm
I'm not sure if this question should also be on the list: What is the pay range for the DBAs and admins (in relation to the regoin the service is located)?
Since the human being is still one of the weakest links in the security context, cloud DBAs / admins with a low pay range seems to be an interesting "target".
I might even ask about a specific scenario: How would they detect that a sysadmin took a unauthorized backup or copied a backup to a destination it should not go to? To my knowledge it is close to impossible to prevent so all that can be done is to detect it. Or am I wrong here?
January 12, 2012 at 12:37 pm
Steve Jones - SSC Editor (1/12/2012)
The agreement you must sign to use the cloud from a cloud provider is reserving itself for potential changes in the agreements. Or at least so I've read on some news sites. If this is the case, it makes the agreement worthless.
Perhaps it's a language barrier, but "reserving itself for" isn't a phrase that makes sense.
Many contracts to contain language that says the contract may be modified. Lots of software has this, but it always requires a notification of the customer, who may then cancel the contract. It's standard, and exists for co-location hosting, and other services. Nothing new here. The agreement isn't worthless, it's subject to change.
I am sure there are companies selling services that don't have good staff. That's not a blanket indictment on the entire idea of cloud services. Go back and read James' post in this thread. There is a good reason for service companies to have better qualified people. Doesn't mean they will, but you perform due diligence checks.
I, too, worry about this. It's easy to hire the same level of staff as the average company and sell a service. I would be looking for a higher quality of staff before I used a particular company for anything important. But keep in mind that many companies don't have DBAs, or don't even have quality staff. There is a nice challenge in managing lots of cloud instances and you might get better quality people applying. Not will, or won't, but might.
You can criticize the idea or the product, but it seems you're basing criticism on outdated ideas.
You have an idea of processing power, what you're limited on is performance. Not every app needs a guarantee of performance all the time. You are trusting the cloud company to balance the load across servers. It's worked very well for web servers, which are often "cloud" based and virtualized, and work well for thousands of companies.
If you are mandated to have control of data, the cloud probably doesn't work FOR THAT APP. However there are usually multiple apps in a company, and not all of them require the data to be secured in a certain way. Usually there are multiple levels of data security that you have to maintain.
Choosing the cloud doesn't mean abandoning your internal servers. It means that for some applications, it makes sense. For others it doesn't.
The the agreement is subject to change is cause for great worry since leaving a cloud is no simple matter.
Security is still an issue, the Swedish military will not even send request for offer to companies using cloud services.
Load balance in microsoft azure you have to add different types of roles if you want to have increased processing power. What each role actually gives you, you will have to test and try out. Thus, the price model really is a joke to me.
I do however actually view cloud services as a big part of the future, it's nearly the same as the alternatives that has existed since the beginning of visualization. However, the cloud services look to be in the beta stage still to me.
January 12, 2012 at 2:00 pm
IceDread (1/12/2012)
The the agreement is subject to change is cause for great worry since leaving a cloud is no simple matter.
Is it? Leaving SQL Azure is a backup from the cloud and a restore on your local instance. Can't speak for the app side, but that's all in how you architect it.
Security is still an issue, the Swedish military will not even send request for offer to companies using cloud services.
That's only an issue for people seeking that business. The US government uses cloud services, Amazon has government cloud services available.
It's an issue, but point that out rather than saying security is an issue in general. It's not a general issue, not more than it is in your company.
Thus, the price model really is a joke to me.
Me, too. I am hoping something will change.
Viewing 15 posts - 1 through 15 (of 20 total)
You must be logged in to reply to this topic. Login to reply