Google have announced general availability of their Cloud SQL service. At launch the service comes with automatic encryption of customer data, a 99.95% uptime SLA and support for databases up to 500GB in size.
Cloud SQL is an instance-based service similar to Amazon’s Relational Database Service (RDS). The smallest D0 instance has 0.125GB RAM and is billed at $0.025/hr, matching the entry price of RDS for MySQL. The largest D32 instance has 16GB RAM and costs $3.08/hr. In common with their Compute Engine pricing model, instance charges exclude storage and network charges. At $0.24/GB/month, storage is 6x more expensive than Compute Engine, but it also doesn’t come with the same size/performance trade-off that can lead to I/O starvation of smaller units of storage. A package based on the D0 instance that includes 0.5GB storage and 200K of I/O is offered at $0.36/day. Google claims that:
For developers with lightweight applications, we offer a flexible "per-use" pricing scheme. You pay only for the time you access your data. Get started with a cloud-hosted MySQL database for around $1 per month.
Automatic encryption using AES-128 symmetric keys is applied to all database tables and temporary files, meaning that all data at rest in Google’s storage system is secured. Google also encrypt all Cloud SQL traffic on their internal networks, and allow the use of SSL for external connections to provide security of data in motion. Key management is fully transparent and automated, which is something of a double-edged sword in terms of security and compliance. The "data is encrypted at rest" box can be checked, but the data is not protected from unauthorised access by the service provider (Google) or any state agencies that are able to compel the service provider. Such systems also do little to protect against application-level attacks: a table of passwords might be encrypted on the underlying storage, but will still be in plain text for anybody able to subvert the application.
"There are many ways to use encryption, and some of them are more effective than others," said Wendy Nather, research director of the enterprise security practice at 451 Research. "Encrypting data at rest sounds nice, but if it's never really at rest, how secure is it? There will always be users or applications opening the safe, and attackers will just go for an authorized route through the same open door."
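The application-level point above, as an added example (not from the original article or from Google): an in-memory SQLite database stands in for a Cloud SQL MySQL instance, and the table names, scrypt parameters and sample credentials are constructed for illustration. Any authorised query receives rows already decrypted by the storage layer, so only the column hashed inside the application keeps the password unreadable.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed scrypt cost parameters, chosen for this example (about 16 MiB per hash).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted digest in the application, before the value reaches the database."""
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def open_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for the hosted MySQL database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return db

def register(db: sqlite3.Connection, name: str, password: str) -> None:
    """Store the same credential both ways so the two tables can be compared."""
    salt = os.urandom(16)
    db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, password))
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def verify(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, digest FROM users_hashed WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(digest, hash_password(password, salt))

def rows_visible_to_query(db: sqlite3.Connection, table: str) -> list:
    """What any authorised connection reads back: at-rest encryption is invisible here."""
    if table not in ("users_plain", "users_hashed"):
        raise ValueError("unknown table")
    return db.execute(f"SELECT * FROM {table}").fetchall()

if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "constructed-sample-password")
    print(rows_visible_to_query(db, "users_plain"))   # password readable as stored
    print(rows_visible_to_query(db, "users_hashed"))  # only salt and digest
    print(verify(db, "alice", "constructed-sample-password"))
```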
Google protects the availability of data by offering replication at no extra charge. Synchronous and asynchronous options are available, giving different trade-offs between write performance and data integrity in the event of failure. When replication is enabled, it takes place to multiple locations within a geographic region (US or EU). This is a far more cost-effective option than Amazon’s RDS Multi-AZ Deployments, which double the per-hour instance charges.
Prior to general availability, the size limit for Cloud SQL databases was 100GB. This has now been raised to 250GB for all users, and 500GB for customers with a silver support contract. Storage is billed as it is consumed, and there is no requirement for pre-allocation of storage.