Conversation with Branden Williams on PCI and the Cloud, Part 1

Posted: March 3, 2011 in Expert Q&A, PCI
This week, VPN Haus catches up with Branden Williams, a seasoned information security specialist, about PCI and the cloud.

VPN Haus: You’ve blogged about the fact that cloud isn’t overtly mentioned in PCI 2.0. Can you provide some examples of common problems merchants/service providers considering cloud solutions might come up against when dealing with QSAs who don’t have cloud experience?

Branden Williams: Merchants and service providers considering cloud solutions should absolutely read and understand the impact the fine print of their contracts with the cloud provider has on their security and compliance initiatives. In many cases, the most economical options are the least security- and compliance-friendly. Once a suitable contract that meets requirement 12.8 (at a minimum) is executed, you may need to train your QSA on how the solution works. In many cases, the QSA will not understand how to assess a cloud environment, but it should not be assessed with any different requirements than a physical environment. QSAs must spend some time learning how your particular solution works before they can make a judgment call on compliance. This may extend the duration and increase the cost of your assessment.

VPN Haus: In the blog post, you recommend folks using the cloud map their data, yet many companies don’t do this. What’s the major challenge to mapping data?

Williams: Mapping data and data flows is an immense task. Most companies don't have singular systems or flows, and data sprawls everywhere. Moreover, to truly discover and map this data, you need tools. Some of these tools can be pricey and impact operations, which forces companies to reconsider their deployment. Add to that a heterogeneous IT deployment that includes various flavors of Windows, UNIX, Mid-Tier, and Mainframe computing, and it's easier to give up than to actually map things. Another problem companies face is keeping the map up to date once the initial process is done. By the time the first pass is done, you can almost guarantee that something minor has changed. In order to do it well, you need tools to help you do this.
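Editor's note, as an added illustration of the discovery tooling Williams refers to (this is example code added to the page, not code from Williams or VPN Haus): the core of a cardholder-data discovery pass is a scanner that finds candidate card numbers in files, rejects the many digit runs that merely look like cards by checking the Luhn check digit, and records where the survivors live so they can be placed on a data map. The file names and their contents below are constructed for the example; the numbers that pass Luhn are the well-known public test card numbers, not real cards.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files" (not from any real system): the kind of mixed
# content a discovery tool has to sift through. Masked PANs and ordinary
# digit runs (dates, phone numbers) should not be reported.
SAMPLE_FILES: Dict[str, List[str]] = {
    "app/logs/checkout.log": [
        "2011-03-01 12:00:01 order=1001 pan=4111111111111111 status=ok",
        "2011-03-01 12:00:02 order=1002 pan=XXXXXXXXXXXX1111 status=ok",
    ],
    "etc/app.conf": [
        "db.host=db01.internal",
        "support.phone=5555551234567",   # 13 digits, but fails Luhn
    ],
    "exports/customers.csv": [
        "id,name,card",
        "7,Ann,5500000000000004",
        "8,Bob,378282246310005",
    ],
}

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (the look-around keeps us from matching a
# substring of a longer number).
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(files: Dict[str, List[str]]) -> List[Tuple[str, int, str]]:
    """Return (path, line number, masked PAN) for every Luhn-valid candidate found."""
    findings: List[Tuple[str, int, str]] = []
    for path, lines in files.items():
        for line_no, line in enumerate(lines, 1):
            for match in CANDIDATE_RE.finditer(line):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_ok(digits):
                    # Never write the full PAN into the findings: the report
                    # itself would otherwise become cardholder data.
                    findings.append((path, line_no, mask(digits)))
    return findings


def data_map(findings: List[Tuple[str, int, str]]) -> Dict[str, int]:
    """Collapse findings into a per-location count, the starting point of a data map."""
    counts: Dict[str, int] = {}
    for path, _, _ in findings:
        counts[path] = counts.get(path, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for path, line_no, masked in hits:
        print(f"{path}:{line_no}: {masked}")
    print("locations holding PANs:", data_map(hits))
```

Two design points matter in practice. The Luhn check is what keeps the tool usable: without it, every timestamp, phone number and order identifier of the right length becomes a finding, which is part of why Williams notes that discovery tooling can impact operations and why teams give up. Second, the scanner stores only masked values, because a discovery report that contains full PANs has just created one more location that belongs in scope. Re-running such a scan on a schedule is the only realistic answer to the "something minor has changed" problem he describes.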

Stay tuned: next week VPN Haus talks to Williams about comparisons between physical security and the cloud.

