Cloud databases no panacea for data security

Industry analysts remain confident enterprise data will be pushed into cloud-hosted databases

The emergence of a new SQL injection attack has done nothing to dampen the enthusiasm of industry analysts, who remain confident enterprise data will be pushed into cloud-hosted databases on an ever-increasing basis.

Noting many companies' "strong focus" on consolidating existing databases and plans to virtualise them using database-as-a-service (DaaS) techniques, IDC software analyst Vanessa Thompson says the ball towards data processing in the cloud is already rolling: the IDC Asia Pacific Software Survey 2011, released today, predicted revenues from the model would grow at 11 per cent annually through 2015.

DaaS involves the hosting of key enterprise data sets in cloud-hosted database environments, where they can be more easily backed up and managed by utilising the data centre infrastructure of the hosting provider or cloud operator. It's a fast-growing model that's proving particularly attractive to enterprises with massive data sets they don't want to manage alone – but Thompson says the model is no silver bullet when it comes to security problems.

"This move is really dependent on the risk appetite of the organisation," she told CSO Australia.

"If you are going to process data using SQL Server, for example, it's important to be aware of the vulnerabilities of that platform; transitioning your service to a different delivery model doesn't necessarily mean you're not at risk."

That's cold comfort for potential DaaS adopters, who may warm to the benefits of the cloud-delivered database model but be put off by the need to manage exposure to tenacious exploits that refuse to die.

Several days ago, for example, SANS security researcher Mark Hofman noted the emergence of a new SQL injection attack that was targeting Microsoft SQL Server deployments and spreading rapidly via the infected site.

With fresh exploits emerging on a continuous basis, new delivery models are giving many would-be adopters pause for thought. Indeed, a new Australian Computer Society (ACS) Victorian member survey (PDF) found that 54 per cent named ICT security concerns as the most significant forces driving change in the Australian ICT industry over the next 10 to 20 years. The increased volume of consumer-related data was another one, named as a key issue by 24 per cent.

Security and offshoring were of equal concern to respondents, named by 43 per cent each, while cloud computing was pegged as a critical uncertainty by 34 per cent. In a separate question, respondents were asked what they would say if they could go back in time to 1990 and warn ICT industry figures to prepare for coming trends; encouraging the preparation of "flexible corporate approaches" to cater for new technologies was most popular, named by over 21 per cent. And over 35 per cent said they would be best prepared for the new paradigm with scenarios for the likely impact and available options.

As with any technology, many businesses making the jump to DaaS models will start with discrete new projects in which they can shift data into a cloud-hosted model – then work their way up to migrating extant data to the cloud as their security policies and risk assessments allow, and master data management (MDM) initiatives are expanded to account for the new location of corporate data.

"Ultimately, there's the same level of risk [with DaaS]," says Thompson.

"Those that are doing it now are either already comfortable with the model, or willing to move [non-core] workloads such as for rendering large amounts of graphic information, or processing large amounts of open market data. I don't really see security as an inhibitor, but the same rules do still apply."


Stories by David Braue
