Historically, there have been loads of security-related concerns related to running key applications in the cloud, particularly essential systems. And some would-be users of Microsoft's SQL Azure cloud-based database service are still holding back, but not because of any gaps in SQL Azure security. Rather, they’re nervous about surrendering control over their database environments, according to experts in the field.
"A lot of the issues just come from the fact that people get concerned about things they can't control," said Denny Cherry, an independent consultant specializing in all things SQL Server and the author of Securing SQL Server. Cherry cites as an example the fact that Microsoft takes care of all the physical security in the data center in addition to Windows security. "It makes them leery," he explained. "There's no way they can get a report of everyone logging in to the system in the last 30 days -- Microsoft isn't going to do that."
Many SQL Azure enthusiasts and early adopters will argue that security concerns about the cloud version are no different than concerns surrounding traditional server-based SQL Server, especially with SQL Azure’s features designed to enforce security, including a server-side firewall, which lets database administrators (DBAs) manage and control connections from various sources to specific IP addresses or ranges. In addition, the cloud-based offering also supports SQL authentication while maintaining a secure connection to a database with SQL Server's own protocol encryption.
Cherry himself draws little distinction between security best practices in the new SQL Azure world and what most DBAs are used to with traditional SQL Server environments. "SQL Server in itself is a secure platform, and SQL Azure is just another SQL Server instance. There aren't really a whole lot of security issues with the platform itself.”
Usually, he said, the problems can be traced to a certain user or a developer who doesn’t know how to properly limit access rights. “We're talking the same set of issues you see with regular databases," Cherry said.
Standard security guidelines
That's not to say there aren't some remaining gaps or common miscues that undermine security in a SQL Azure environment. For example, there are limited auditing tools for SQL Azure, so some companies employ these capabilities in SQL Server environments to verify the concept of trusted users, according to Herve Roggero, one of the authors of the book Pro SQL Azure and managing partner for Blue Syntax Consulting, which provides consulting and development services around the Azure cloud platform..
"With on-premises SQL Server databases, you run auditing tools to warn you if things are taking place that aren't supposed to … and in the cloud, there are no such auditing capabilities," Roggero explained. "It's a significant problem because it impacts compliance initiatives which require you have complete auditing of data, knowing when it is being changed and who is changing it. You don't know that in SQL Azure."
Another concern around SQL Azure security is how to easily get your data back if you decide the cloud isn't the right path for your environment. "What if you decide this isn't the solution for you and you want to change providers?" said K. Brian Kelley, database administrator and architect for AgFirst Farm Credit Bank. "Right now there are a lot of solutions that aren't seamless, and that's obviously a concern."
Cherry said that if DBAs simply follow their standard security best practices, they should keep most of these lingering security concerns at bay. For instance, SQL Azure's firewall by default is only accessible to Microsoft's internal Azure servers. Cherry said users have to be careful to "poke only as few holes as possible in the firewall" to ensure optimal security.
They should also apply strong password protection and minimize the permissions required for applications to run. In addition, DBAs should enforce guidelines on minimum security rights, granting users the minimum rights they need to perform their jobs.
"Applying standard security practices when available is really important," Roggero said. "Strong passwords for database accounts are key, as is use of database schema for help in securing specific tables. These are all things that were available before and add layers of security."
Beth Stackpole is a freelance writer who has been covering the intersection of technology and business for 25-plus years for a variety of trade and business publications and websites.
This was first published in December 2011