2

We're looking into the idea of moving an ASP.NET MVC app into Windows Azure, but I'm interested to hear if SQL Azure is safe enough for me to store customer data, such as their home addresses, etc.

We're not storing bank details or anything like that, and are looking to utilise the power of the cloud for scalablity reasons, but didn't want the security factor to be a blocking issue.

Any thoughts? Or should I encrypt ALL personal data and decrypt on-access each time?

Brett Rigby
  • 289
  • 3
  • 12

2 Answers2

3

I strongly encourage to classify the data your are handling (does a customer's name and their home address constitute PII?) and understand relevant state and federal regulations on sending that data to a third party. It's not just "bank details" that are protected.

MA state law may require that the data is encrypted in transit for any resident. See 201 CMR 17.00. NV state law may require some information to be protected for residents as well. See NV SB347. CA SB 1386 imposes certain requirements if resident's data is "reasonably believed to have been [...] acquired by an unauthorized person." If you have unencrypted data out in the cloud, and a provider reports an unspecified breach you might have to notify customers.

This is just a sampling of what's out there. So (1) understand what kind of data you have and (2) understand what your legal and regulatory requirements are to help inform your decision.

For more cloud-specific information, see CSA and the OWASP Cloud Project.

medina
  • 1,970
  • 10
  • 7
  • SQL Azure requires connection-level encryption (TDS over SSL). However, Azure does not support transparent data encryption of the backing data like stand-alone instances of SQL Server do. – Robert Calhoun Sep 20 '12 at 18:38
1

I have been to a small security conference with representatives from Microsoft, Google etc. If you ask them they say its safe and they are probably right.

I dont think their platforms are technically unsufficient when it comes to security but Microsoft do have full access to your data. However, they do have measures that limits how and when their employees can access it.

There are many applications hosted in the cloud, I think its safe to use it if you do not deal with anything particularly secret like medical records for example. Then its probably not even legal in some countries.

In the end its about trusting another company to take care of your data for you.

nenne
  • 189
  • 6