RE: Azure and security trust
Putting data “into the cloud” isn’t just about theft of data (that’s obviously one very important part of information security). Information Security Management includes, at the very least:

a) Ensuring that non-authorized parties don’t get access (so theft of online data via application vulnerabilities, vulnerabilities in the provider’s infrastructure, theft of data at rest, theft of data in transit)

b) Ensuring that authorized parties do have access (e.g. ensuring that denial-of-service attacks against the application, authentication services, utility services can be mitigated, and when the sh*t does hit the fan, you don’t get finger pointing between suppliers)

c) Ensuring information assurance: the data is valid and accurate (i.e. not corrupt or tampered with) and that the data can be restored to known good values (if required), and that there are adequate audit logs of access and potentially changes

Aside from information management, there’s the whole other realm of how a business extends their other services (request, release, change, incident/problem etc. management) into a different environment. Do you have the skills, processes and appropriate technology (including license agreements etc.) to adequately manage and monitor this environment to your necessary regulatory and service level requirements?

For small(er) orgs this is generally not really too much of an issue. But as the org, tech footprint and regulatory burden get more complex, it rapidly becomes a nightmare. For large orgs, especially in regulated environments, there are reams and reams of requirements, and getting this all squared up in a new environment (external or otherwise) is quite cumbersome.
From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Greg Keogh
Sent: Thursday, 26 February 2015 6:18 PM
To: ozDotNet
Subject: Re: Azure and security trust

(resend due to forgetting to remove the quoted content and thereby blowing the post size limit)

Chaps, thanks for the great comments on this. I've forwarded a paste-up of the important parts to the person I'm working with on the hospital data.

Next time I talk to someone who manages web servers or an IT department and I get the old argument that they don't trust putting data in the cloud, I'm going to ask them to explain to me what their policies are regarding backups, security defense, threat models, intrusion detection, etc, and what skills they have. When I get a confused and indignant reply I can take the high ground in the argument and borrow some points from what Greg L said.

Now that we know that major governments and security services are spying on us by devious means, I guess there's nothing you can do against that (or a court order) without politicians getting involved. However, that's not a typical threat to a business application containing personal information. Hospitals aren't worried about ASIO stealing their databases, they're worried about complying with state and federal laws, and from what I've read so far, Azure management seem to be working hard to build trust in this area.

I'm certainly feeling much more confident about Azure security after what I've read in the last couple of days. I'm going to continue to develop the demo in Azure anyway, as it's really convenient.

Greg K
Re: Azure and security trust
Please trim messages on this thread. They're over a meg each and everything is going in to my moderation queue which holds up the conversation for everyone.
Re: Azure and security trust
+1 for Greg. This reminds me of a time we pranked the *head security guy* at a company I worked for and easily convinced him to give us some private details like his home address, car rego and so on.

On Wed, Feb 25, 2015 at 8:32 PM, Greg Low (博士低格雷格) g...@greglow.com wrote:

I do find it amusing when I hear these stories though, where companies think the data is safer or more secure or more private on premises than somewhere like Azure. On their worst day the Azure guys will do a better job of this stuff than any company I’ve walked in to, and I’ve been to a lot. I see what people do in the real world and it isn’t pretty.

But even in terms of intrusion, does anyone really think the company that they work for will do a better job of detecting intrusion than one of these datacentres? Or alternately, they are assuming that their own datacentres will be more bullet-proof when it comes to intruders. Lots of luck with that.

In the future, I suspect that the tables will turn completely. The required standards for privacy and security will likely be raised significantly, and these datacentres will be the first places to meet the requirements.

Regards,
Greg

Dr Greg Low
1300SQLSQL (1300 775 775) office | +61 419201410 mobile│ +61 3 8676 4913 fax
SQL Down Under | Web: www.sqldownunder.com
Re: Azure and security trust
Yes, it is like the easiest way to get someone's password is to just ask them for it. Surprising how many people will give it to you once you have their trust.

On Thu, Feb 26, 2015 at 8:57 AM, Tom Rutter therut...@gmail.com wrote:

+1 for Greg. This reminds me of a time we pranked the *head security guy* at a company I worked for and easily convinced him to give us some private details like his home address, car rego and so on.
RE: Azure and security trust
A site I was working at last week required us all to take a security class to help keep their systems secure. The class was the usual mind-numbing stuff.

In the class, it told us how important it was to use special characters in passwords. The beautiful part of that was that to register for the class, you had to create a password, and it specified that you couldn’t use special characters.

Also in the class, it was discussing social engineering issues like telling people your password. Yet at the same site, every time they have to set up a new system for me to work with, they ask me for my username/password while they’re doing setup.

Etc. etc.

Regards,
Greg

Dr Greg Low
1300SQLSQL (1300 775 775) office | +61 419201410 mobile│ +61 3 8676 4913 fax
SQL Down Under | Web: www.sqldownunder.com

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Tom Rutter
Sent: Thursday, 26 February 2015 8:58 AM
To: ozDotNet
Subject: Re: Azure and security trust

+1 for Greg. This reminds me of a time we pranked the *head security guy* at a company I worked for and easily convinced him to give us some private details like his home address, car rego and so on.
Re: Azure and security trust
Wow, so much irony it alters the earth's magnetic field.

Getting carried away with password requirements is quite annoying though. One site I've used had such ridiculous requirements it took me half an hour to come up with an acceptable password. For this reason I get the browser to remember it so make of that what you will.

Going back to the original topic a bit, the only issue I recall coming up has been concerns of being subject to the laws of where the data is stored. Customers have never been comfortable about having it overseas. If you're using an Australian located server, does that guarantee your data stays in Australia? What about backups? Do you get the option of saying your data can't be sent OS?

David

If we can hit that bullseye, the rest of the dominoes will fall like a house of cards... checkmate! -Zapp Brannigan, Futurama

On 26 February 2015 at 11:05, Greg Low (博士低格雷格) g...@greglow.com wrote:

A site I was working at last week required us all to take a security class to help keep their systems secure. The class was the usual mind-numbing stuff.

In the class, it told us how important it was to use special characters in passwords. The beautiful part of that was that to register for the class, you had to create a password, and it specified that you couldn’t use special characters.

Also in the class, it was discussing social engineering issues like telling people your password. Yet at the same site, every time they have to set up a new system for me to work with, they ask me for my username/password while they’re doing setup.

Etc. etc.

Regards,
Greg

Dr Greg Low
Re: Azure and security trust
*(resend due to forgetting to remove the quoted content and thereby blowing the post size limit)*

Chaps, thanks for the great comments on this. I've forwarded a paste-up of the important parts to the person I'm working with on the hospital data.

Next time I talk to someone who manages web servers or an IT department and I get the old argument that they don't trust putting data in the cloud, I'm going to ask them to explain to me what their policies are regarding backups, security defense, threat models, intrusion detection, etc, and what skills they have. When I get a confused and indignant reply I can take the high ground in the argument and borrow some points from what Greg L said.

Now that we know that major governments and security services are spying on us by devious means, I guess there's nothing you can do against that (or a court order) without politicians getting involved. However, that's not a typical threat to a business application containing personal information. Hospitals aren't worried about ASIO stealing their databases, they're worried about complying with state and federal laws, and from what I've read so far, Azure management seem to be working hard to build trust in this area.

I'm certainly feeling much more confident about Azure security after what I've read in the last couple of days. I'm going to continue to develop the demo in Azure anyway, as it's really convenient.

*Greg K*
Re: Azure and security trust
It may not be the state of play right now, but I suspect that in the not too distant future, it will be *compulsory* to store data in Azure, AWS or their like, because of the reasons that Greg L mentions above. They'll simply be able to do a better job at securing the data than overworked in-house IT departments that are expected to deliver the world with a budget that wouldn't buy an atlas.

I have several clients whose data involves healthcare information for clients. It is all stored on the Amazon cloud and the client has had no issues with this whatsoever (in one case, we are expanding their cloud infrastructure).

If the government wants to look at your data, there's nothing much you can do to stop them irrespective of where it's hosted. They'll either come in through the front door (via something like a court order), or the back door (using a guy wearing a dark coloured hat), but they'll get at it one way or another.

On 25 February 2015 at 13:28, Greg Keogh g...@mira.net wrote:

Folks, I have a demo SQL database in Azure and it's working nicely, but now we have to consider how to get it into production use. My demo DB doesn't contain any real names and addresses, but the live DB will have information about hospital patients, and you can imagine how confidential that is! I'm told they will demand the DB be stored on hospital managed servers, which is a damn nuisance in reality as I'm sure many of you know how tedious it can be trying to break through walls of bureaucracy around IT departments in places like hospitals and the government.

This opens up the whole issues of trust and the cloud. Since the Snowden revelations, I don't know how anyone with confidential data can trust cloud storage. Even I don't trust it and all of my backups in Rackspace and Azure blobs are pkzipc AES encrypted. So how on earth could a hospital be convinced that cloud store is an attractive option?

I just remembered that Amazon has a special area that is certified secure so they can get government contracts. I haven't seen anything like that in Azure. Despite that, it doesn't make me feel much better, as we now know the NSA was intercepting hardware and bugging it, and coercing huge telcos to put splitters in the backbones, and using secret FISA orders to threaten other even huger companies to secretly hand over their records. So who the hell can trust anyone in the cloud?!

Is anyone dealing in this sort of cloud/trust business at the moment? What's the state of play? Is there any hope? Am I just paranoid? (who's monitoring this email?)

*Greg K*
Re: Azure and security trust
Sorry, to clarify - when I say compulsory I mean that clients will most likely demand it, not compulsory from a legal standpoint :)

On 25 February 2015 at 20:18, Grant Maw grant@gmail.com wrote:

It may not be the state of play right now, but I suspect that in the not too distant future, it will be *compulsory* to store data in Azure, AWS or their like, because of the reasons that Greg L mentions above. They'll simply be able to do a better job at securing the data than overworked in-house IT departments that are expected to deliver the world with a budget that wouldn't buy an atlas.

I have several clients whose data involves healthcare information for clients. It is all stored on the Amazon cloud and the client has had no issues with this whatsoever (in one case, we are expanding their cloud infrastructure).

If the government wants to look at your data, there's nothing much you can do to stop them irrespective of where it's hosted. They'll either come in through the front door (via something like a court order), or the back door (using a guy wearing a dark coloured hat), but they'll get at it one way or another.
RE: Azure and security trust
I do find it amusing when I hear these stories though, where companies think the data is safer or more secure or more private on premises than somewhere like Azure. On their worst day the Azure guys will do a better job of this stuff than any company I’ve walked in to, and I’ve been to a lot. I see what people do in the real world and it isn’t pretty.

But even in terms of intrusion, does anyone really think the company that they work for will do a better job of detecting intrusion than one of these datacentres? Or alternately, they are assuming that their own datacentres will be more bullet-proof when it comes to intruders. Lots of luck with that.

In the future, I suspect that the tables will turn completely. The required standards for privacy and security will likely be raised significantly, and these datacentres will be the first places to meet the requirements.

Regards,
Greg

Dr Greg Low
1300SQLSQL (1300 775 775) office | +61 419201410 mobile│ +61 3 8676 4913 fax
SQL Down Under | Web: www.sqldownunder.com

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Andrew Tobin
Sent: Wednesday, 25 February 2015 4:30 PM
To: ozDotNet
Subject: Re: Azure and security trust

One alternative that I haven't looked into much at all, so take this with a grain of salt - is to have anything identifying on a local network, firewalled, and accessible via a site-to-site VPN connection to an Azure hosted server.

Like I said, I haven't looked at what an implementation would take, but if you could create a firewalled, safe, tunnel to your data hosted on prem, and other data in the cloud - then it's an option?

http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/
Azure and security trust
Folks, I have a demo SQL database in Azure and it's working nicely, but now we have to consider how to get it into production use. My demo DB doesn't contain any real names and addresses, but the live DB will have information about hospital patients, and you can imagine how confidential that is! I'm told they will demand the DB be stored on hospital managed servers, which is a damn nuisance in reality as I'm sure many of you know how tedious it can be trying to break through walls of bureaucracy around IT departments in places like hospitals and the government.

This opens up the whole issues of trust and the cloud. Since the Snowden revelations, I don't know how anyone with confidential data can trust cloud storage. Even I don't trust it and all of my backups in Rackspace and Azure blobs are pkzipc AES encrypted. So how on earth could a hospital be convinced that cloud store is an attractive option?

I just remembered that Amazon has a special area that is certified secure so they can get government contracts. I haven't seen anything like that in Azure. Despite that, it doesn't make me feel much better, as we now know the NSA was intercepting hardware and bugging it, and coercing huge telcos to put splitters in the backbones, and using secret FISA orders to threaten other even huger companies to secretly hand over their records. So who the hell can trust anyone in the cloud?!

Is anyone dealing in this sort of cloud/trust business at the moment? What's the state of play? Is there any hope? Am I just paranoid? (who's monitoring this email?)

*Greg K*
Re: Azure and security trust
Did Snowden get his secrets off the cloud?

What Snowden shows is that the biggest risk to your data and business is rogue employees, not where your data is stored. For every dollar a business loses due to cloud security issues I would wager they lose 100 due to internal pilfering.

Craig

On Wed, Feb 25, 2015 at 2:28 PM, Greg Keogh g...@mira.net wrote:

Folks, I have a demo SQL database in Azure and it's working nicely, but now we have to consider how to get it into production use. My demo DB doesn't contain any real names and addresses, but the live DB will have information about hospital patients, and you can imagine how confidential that is! I'm told they will demand the DB be stored on hospital managed servers, which is a damn nuisance in reality as I'm sure many of you know how tedious it can be trying to break through walls of bureaucracy around IT departments in places like hospitals and the government.

This opens up the whole issues of trust and the cloud. Since the Snowden revelations, I don't know how anyone with confidential data can trust cloud storage. Even I don't trust it and all of my backups in Rackspace and Azure blobs are pkzipc AES encrypted. So how on earth could a hospital be convinced that cloud store is an attractive option?

I just remembered that Amazon has a special area that is certified secure so they can get government contracts. I haven't seen anything like that in Azure. Despite that, it doesn't make me feel much better, as we now know the NSA was intercepting hardware and bugging it, and coercing huge telcos to put splitters in the backbones, and using secret FISA orders to threaten other even huger companies to secretly hand over their records. So who the hell can trust anyone in the cloud?!

Is anyone dealing in this sort of cloud/trust business at the moment? What's the state of play? Is there any hope? Am I just paranoid? (who's monitoring this email?)

*Greg K*
RE: Azure and security trust
Mark Azure has an Australian Data Centre (in Sydney and Melbourne I believe) so keeping the data onshore should be a problem. Regards Nathan Fisher
Re: Azure and security trust
One alternative that I haven't looked into much at all, so take this with a grain of salt - is to have anything identifying on a local network, firewalled, and accessible via a site-to-site VPN connection to an Azure hosted server.

Like I said, I haven't looked at what an implementation would take, but if you could create a firewalled, safe, tunnel to your data hosted on prem, and other data in the cloud - then it's an option?

http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/

On Wed, Feb 25, 2015 at 2:28 PM, Greg Keogh g...@mira.net wrote:

Folks, I have a demo SQL database in Azure and it's working nicely, but now we have to consider how to get it into production use. My demo DB doesn't contain any real names and addresses, but the live DB will have information about hospital patients, and you can imagine how confidential that is! I'm told they will demand the DB be stored on hospital managed servers, which is a damn nuisance in reality as I'm sure many of you know how tedious it can be trying to break through walls of bureaucracy around IT departments in places like hospitals and the government.

This opens up the whole issues of trust and the cloud. Since the Snowden revelations, I don't know how anyone with confidential data can trust cloud storage. Even I don't trust it and all of my backups in Rackspace and Azure blobs are pkzipc AES encrypted. So how on earth could a hospital be convinced that cloud store is an attractive option?

I just remembered that Amazon has a special area that is certified secure so they can get government contracts. I haven't seen anything like that in Azure. Despite that, it doesn't make me feel much better, as we now know the NSA was intercepting hardware and bugging it, and coercing huge telcos to put splitters in the backbones, and using secret FISA orders to threaten other even huger companies to secretly hand over their records. So who the hell can trust anyone in the cloud?!

Is anyone dealing in this sort of cloud/trust business at the moment? What's the state of play? Is there any hope? Am I just paranoid? (who's monitoring this email?)

*Greg K*