Over the past few days my inbox has been filled with security alert emails caused by the MongoHQ database hack. I’m impressed by the number of customers MongoHQ was able to sign up; they spanned the gamut from sites that I don’t even recall signing up for to startups that have been getting significant buzz.
If a database-as-a-service company is able to get hacked, it doesn’t leave me optimistic about the way other companies are securing our data. As much as these “as a service” products make our lives easier, they bring an increased risk to our business and, more importantly, our customers. Sure, their security will be better than that of someone who’s setting up a MongoDB instance for the first time, but that has to be balanced against the fact that a hosting site offers a much higher reward for a hacking attempt. Access to the infrastructure provides a lot more information than hacking an individual site.
I used to believe that doing security internally was dumb, but now I’m not so sure. No one will care about hacking a small site, and if it turns out that the site is becoming successful, you can dedicate the resources to properly secure it. At the same time, with so many people sharing passwords across multiple accounts, it only takes one careless site to undermine the efforts of all the others.
Some of the security alerts I’ve received have mentioned that they plan on managing their database internally rather than relying on a third party; I wonder if this is the start of a trend.