In my previous article about my two failed business ideas I cited compliance as one of the reasons the idea failed. The problem was that the transfer of data from the plant into the cloud over the internet was deemed insecure. To this day, in the aluminum industry, process data mostly remains on-premises (i.e. within the plant’s own computer network). Over the years, I’ve heard many objections against transferring this data to the cloud: “we’ve always done it this way!” and “nothing is safe on the internet!”. But is this really the case? This post explores the road travelled by the data from its on-premises database in the plant to a remote database in the cloud and the various security risks along the way.
Home is no guarantee of safety
Just because the data resides within your own network does not mean it’s safe. In 2014, an (undisclosed) German steel mill was hacked. The attack caused “massive”, though unspecified, damage to a blast furnace because it could not be shot down properly. This goes to show that any infrastructure is vulnerable to attack. The success of any attack will depend on the strength of its on-premises cyber security measures.
Encryption in transit
The process data of our plant is about to leave the on-premises database and start its journey over the internet to a database in the cloud. The major risk is that an attacker intercepts this data as it travels. Examples are man-in-the-middle attacks and eavesdropping. One solution is to make the data unreadable so that it’s useless if intercepted. Only the sender and intended receiver would know how to make it readable again. This process is called encryption. Encryption switches the characters in your data to random characters, making it look like gibberish. Converting the switched characters back to their original ones requires a key. This key is only known to the sender and receiver and is never shared. As long as the key is kept secret, the data is safe: without the key an attacker would never be able to decrypt the data and read it. This technology is called Secure Sockets Layer (SSL) and Transport Layer Security (TLS) and is also used in your web browser whenever you enter data on a site whose address begins with
As an additional layer of security, we can reinforce the connection between our on-premises database and the internet. This is achieved by connecting to the internet through a Virtual Private Network or VPN. If you worked from home during the pandemic you may be familiar with this technology. VPN hides your identity and activity from your internet service provider (ISP) or any other third party that wants to track this information. Instead of entering the internet through the front door, you enter the internet through a hidden tunnel without anyone noticing, so to speak.
Encryption at rest
Our process data completed its journey over the internet and arrived safely in the cloud. The encryption key on the receiver end is used to decrypt the data back into plain text. The readable data is ready to be saved on a disk in the cloud database. But how secure is this database in the cloud? At this point, the security of the data is no longer in our hands. Again, we could save this data in an encrypted form (using a different key this second time). This way, even if someone unauthorized gets access to the database, the data would be unreadable. This is called encryption at rest (because the data “rests” in an encrypted form). SQL Databases on the Microsoft Azure cloud encrypt data at rest by default.
Leave security to the professionals
It may seem counter-intuitive, but your data is safer in the hands of others. Cloud providers like Microsoft, Google and Amazon have a wealth of experience dealing with all kinds of viruses and attackers. The infrastructure on which their cloud services like SQL databases are much more secure than the infrastructure of your plant - because it’s their core business! As long as we, the cloud users, follow proper security protocols and properly encrypt our data in transit, the cloud provider takes care of the rest.