A site I was working at last week required us all to take a security class to help keep their systems secure. The class was the usual mind-numbing stuff.

In the class, it told us how important it was to use special characters in passwords. The beautiful part of that was that to register for the class, you had to create a password, and it specified that you couldn’t use special characters.

Also in the class, it was discussing social engineering issues like telling people your password. Yet at the same site, every time they have to set up a new system for me to work with, they ask me for my username/password while they’re doing setup.

Etc. etc.

Regards,

Greg

Dr Greg Low
1300SQLSQL (1300 775 775) office | +61 419201410 mobile | +61 3 8676 4913 fax
SQL Down Under | Web: www.sqldownunder.com

From: [email protected] On Behalf Of Tom Rutter
Sent: Thursday, 26 February 2015 8:58 AM
To: ozDotNet
Subject: Re: Azure and security trust

+1 for Greg. This reminds me of a time we pranked the *head security guy* at a company I worked for and easily convinced him to give us some private details like his home address, car rego and so on.

On Wed, Feb 25, 2015 at 8:32 PM, Greg Low (博士低格雷格) <[email protected]> wrote:

I do find it amusing when I hear these stories though, where companies think the data is safer or more secure or more private on premises than somewhere like Azure.

On their worst day the Azure guys will do a better job of this stuff than any company I’ve walked into, and I’ve been to a lot. I see what people do in the real world and it isn’t pretty.

But even in terms of intrusion, does anyone really think the company that they work for will do a better job of detecting intrusion than one of these datacentres? Or alternately, they are assuming that their own datacentres will be more bullet-proof when it comes to intruders. Lots of luck with that.

In the future, I suspect that the tables will turn completely. The required standards for privacy and security will likely be raised significantly, and these datacentres will be the first places to meet the requirements.

Regards,

Greg

From: [email protected] On Behalf Of Andrew Tobin
Sent: Wednesday, 25 February 2015 4:30 PM
To: ozDotNet
Subject: Re: Azure and security trust

One alternative that I haven't looked into much at all, so take this with a grain of salt - is to have anything identifying on a local network, firewalled, and accessible via a site-to-site VPN connection to an Azure hosted server.

Like I said, I haven't looked at what an implementation would take, but if you could create a firewalled, safe, tunnel to your data hosted on prem, and other data in the cloud - then it's an option?

http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/

On Wed, Feb 25, 2015 at 2:28 PM, Greg Keogh <[email protected]> wrote:

Folks, I have a demo SQL database in Azure and it's working nicely, but now we have to consider how to get it into production use. My demo DB doesn't contain any real names and addresses, but the live DB will have information about hospital patients, and you can imagine how confidential that is! I'm told they will demand the DB be stored on hospital managed servers, which is a damn nuisance in reality as I'm sure many of you know how tedious it can be trying to break through walls of bureaucracy around IT departments in places like hospitals and the government.

This opens up the whole issues of "trust and the cloud". Since the Snowden revelations, I don't know how anyone with confidential data can trust cloud storage. Even I don't trust it and all of my backups in Rackspace and Azure blobs are pkzipc AES encrypted. So how on earth could a hospital be convinced that cloud store is an attractive option?

I just remembered that Amazon has a special area that is certified secure so they can get government contracts. I haven't seen anything like that in Azure. Despite that, it doesn't make me feel much better, as we now know the NSA was intercepting hardware and bugging it, and coercing huge telcos to put splitters in the backbones, and using secret FISA orders to threaten other even huger companies to secretly hand over their records. So who the hell can trust anyone in the cloud?!

Is anyone dealing in this sort of cloud/trust business at the moment? What's the state of play? Is there any hope? Am I just paranoid? (who's monitoring this email?)

Greg K
