
Introduction

My company is currently undergoing ISO27001 compliance. I originally thought that this was a purely technical issue, with the merits of different solutions being weighed up on purely technical grounds. However, I am coming to understand that there appears to be a certain bias against certain solutions on non-technical grounds.

For instance, if a file-sharing service is extremely popular and used by the general public, then there seems to be an automatic resistance to it for business use with secure data, even if it has passed a security audit, and even if it is used in conjunction with an additional level of security from a different firm.

Or, for instance, there seems to be a perception on the part of clients that a server sitting 5000 miles away is less secure than a server sitting next door, even though on a technical level this would seem to be untrue: it all depends on how everything is set up.

Therefore, I would like to posit that "perceived risk" is a factor in ISO27001 compliance in addition to "technical risk".

It is not that things can't be explained to the auditors. But I would rather start from a strong position than from one of having to defend myself.

The reason for this somewhat lengthy introduction is to explain why I am asking a question which could invite "opinions" rather than "facts" (as noted in the comments to my original question).

The Question

Our SQL Server 2012 database currently sits on the same server as the application. It is recommended that the application be completely separate from the database.

I thought that we could move the SQL Server database to the Microsoft SQL Server Azure 2016 platform, which would be substantially cheaper than acquiring and managing a separate server.

I assume that the actual risk (in terms of Information Security) of using the SQL Server Azure 2016 platform is no greater than setting up a separate server. However my manager is concerned about the perceived risk. He feels that having the data far away and "less in our control" might make our clients feel less secure.

Would I be correct in saying that it would be industry-standard practice for large concerns (such as banks) to use such services as SQL Server Azure 2016? Or are they a "no-no"?

gordon613
  • As of the time of this posting, Microsoft claims that 57% of the Fortune 500 use Azure. (That specific number is in a rotating banner on the front page of the Azure website.) It is reasonably safe to assume that many of those are using Azure SQL in some capacity. (And anecdotally, I can tell you for sure that some are. I'm sure others are described in the various white papers on offer.) – Xander Mar 01 '16 at 19:08
  • As this question stands, it's a bit opinion-based. Could you refine the question so it focuses on more of the technical security details of the product? We're not fans of group conjecture :) – Ohnana Mar 01 '16 at 19:42

0 Answers