How to secure your cloud database in an insecure world

FacebookStumbleUponGoogle BuzzGoogle ReaderLinkedInOrkutShare

There is a division of responsibility when you put your database to work in the cloud. An infrastructure as a service (IaaS) provider, such as IBM SoftLayer, secures the physical components while responsibility to secure information rests with the application developer. Of course, the software as a service (SaaS) vendor must provide the developers and technology to secure the application, and the service must run on a platform that supports security as a fully integrated stack and not as an add-on layer. IBM Bluemix is a platform as a service (PaaS) that provides functional, infrastructure, operational, network and physical security for the core platform.

By default, a database uses unencrypted connections between the client and the server. This means that someone with access to the network could watch all your traffic and look at the data being sent or received. They could even change the data while it is in transit between the client and the server.

When you need to move information over a network in a secure fashion, an unencrypted connection is unacceptable. Encryption is necessary to make any kind of data unreadable. Encryption algorithms must include security elements to resist many kinds of known attacks, such as attempts to change the order of encrypted messages or replay data twice.

The IBM Analytics Warehouse for Bluemix is already configured for a secure connection using a Secure Sockets Layer (SSL) certificate. SSL is a protocol that uses different encryption algorithms to ensure that data received over a public network can be trusted. It has mechanisms to detect any data change, loss or replay. SSL also incorporates algorithms that provide identity verification using the X509 standard. X509 makes it possible to identify someone on the Internet. It is most commonly used in e-commerce applications.

In basic terms, there should be a certificate authority (or CA) that assigns electronic certificates to anyone who needs them. Certificates rely on asymmetric encryption algorithms that have two encryption keys, a public key and a secret key that is held by the owner. A certificate owner can show the certificate to another party as proof of identity. Any data encrypted with the public key can be decrypted only by using the corresponding secret key.

In Bluemix, the Analytics Warehouse service provides a rich set of built-in security capabilities to help clients meet their security, privacy and compliance needs. They include:

• Encryption for data at rest: By default, the Analytics Warehouse service in Bluemix uses an encrypted database. The encryption uses Advanced Encryption Standard (AES) in cipher block chaining (CBC) mode with a 256 bit key. Encryption and key management are totally transparent to applications and schemas. Additionally, the service administrator manages the master key rotation period. Database and tablespace backup images are automatically compressed and encrypted. As with online data, backup images are also encrypted using AES in CBC mode with 256 bit keys. Data is compressed first and then encrypted.

• Encryption for data in transit: SSL is supported for safeguarding both the database traffic as well as the web console traffic.

• Trusted contexts: This feature allows clients to further restrict when a user can exercise a particular privilege. For example, a client can easily implement a rule that permits connecting to the database only from a given IP address. Additionally, for three-tiered applications, trusted contexts allow the mid-tier application to assert the end user identity to the database for access control and auditing purposes.

The Analytics Warehouse service is primarily used in two different ways.

• Application developers and data scientists launch the web-based console to develop a statistical and predictive analytic application using built-in R and R-studio features.

• Application developers and data scientists use their own machine learning algorithm to develop an application in the language of their choice and then use the Analytics Warehouse database to push that application to Bluemix

SecureBLU is an application hosted on Bluemix that demonstrates the approaches an application developer can take to secure an application while accessing a database in the cloud.


Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>