This week, VPN Haus continues its conversation with Branden Williams, a seasoned information security specialist, about PCI and the cloud.
VPN Haus: Because of PCI 2.0’s lack of clarity on the cloud, do you think most merchants will only move non-PCI related data to the cloud – until they get more guidance from the Council?
Branden Williams: Frankly, I don’t think the virtualization bit should have been added into PCI DSS 2.0. That’s a training issue. But since they did add it in, I bet merchants and service providers will look to the Council to provide guidance on cloud. Companies should approach cloud from a security and data perspective. Regulated data should probably not be put into a public cloud, but catalogue or other public data could certainly be. It’s not an all-or-nothing approach. Savvy IT and IS managers will look at the spread of options and implement what makes the most sense for each type of service. Companies waiting for the Council to tell them what to do will be missing out on one of the biggest economic shifts in IT services of our generation. Their competitors will pass them by.
VPN Haus: You’ve compared physical security with network security. What are some lessons learned from physical security that IT administrators can use? Obviously you can’t use someone’s body language to determine intent with network security…or can you?
Williams: Interesting concept: could you use body language to determine intent? I think it depends on the distance we are talking about. If you can physically observe the body language of the individual, you may be able to determine intent. But if you cannot see the individual, you can use analytics of their activities to determine intent. Most companies avoid this activity because they struggle with justifying the cost versus the risk. The cost gets a bit out of control when you have multiple entry points with multiple applications and business lines. It would be pretty easy to do this for a small company with only one corporate location and a website with a single function. Attackers get crafty and disguise their gentle testing of the environment, and without context or other types of fingerprinting, it’s difficult to track one individual over a period of time. If you assume people are already in the network or always knocking on your door, you create a layered approach to security just like you would in the physical world (supply closets, data centers, and other sensitive areas often require additional badge access).
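Williams’ point about “gentle testing” and fingerprinting is easiest to see with data. The script below is an added example, not part of the interview and not code from Williams or VPN Haus. It runs two detectors over a constructed web-server access log: a naive per-IP burst counter, which a low-and-slow attacker never trips, and a per-actor profile keyed on a client fingerprint (User-Agent plus a TLS JA3 hash) rather than IP, which links probing spread across hours and several source addresses. The log format, the JA3 column, and all hosts, paths and timestamps are assumptions made up for the example.

```python
"""Low-and-slow reconnaissance detection over a web access log (added example).

Assumed log format (constructed, not a real server's output): Common Log Format
followed by the User-Agent and a JA3 TLS fingerprint in quotes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) - - \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)" "(?P<ja3>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"
PROBE_STATUSES = {401, 403, 404}  # responses typical of guessing paths that do not exist

# Constructed sample: one shopper from 10.0.0.5, and one actor probing from three
# addresses about every 40 minutes with the same browser and TLS fingerprint.
UA_SHOPPER = "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
UA_PROBE = "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"
JA3_SHOPPER = "3b5074b1b5d032e5620f69f9f700ff0e"
JA3_PROBE = "e7d705a3286e19ea42f587b344ee6865"

SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [10/Oct/2011:08:00:01 +0000] "GET / HTTP/1.1" 200 5123 "{UA_SHOPPER}" "{JA3_SHOPPER}"',
     f'10.0.0.5 - - [10/Oct/2011:08:00:04 +0000] "GET /catalog HTTP/1.1" 200 8810 "{UA_SHOPPER}" "{JA3_SHOPPER}"',
     f'10.0.0.5 - - [10/Oct/2011:08:00:09 +0000] "GET /catalog/item/42 HTTP/1.1" 200 4420 "{UA_SHOPPER}" "{JA3_SHOPPER}"',
     f'10.0.0.5 - - [10/Oct/2011:08:00:15 +0000] "GET /catalog/item/57 HTTP/1.1" 200 4391 "{UA_SHOPPER}" "{JA3_SHOPPER}"',
     f'10.0.0.5 - - [10/Oct/2011:08:00:31 +0000] "GET /cart HTTP/1.1" 200 2210 "{UA_SHOPPER}" "{JA3_SHOPPER}"',
     f'10.0.0.5 - - [10/Oct/2011:08:01:02 +0000] "POST /checkout HTTP/1.1" 302 0 "{UA_SHOPPER}" "{JA3_SHOPPER}"',
     f'198.51.100.7 - - [10/Oct/2011:08:05:00 +0000] "GET / HTTP/1.1" 200 5123 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.7 - - [10/Oct/2011:08:05:10 +0000] "GET /admin HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.7 - - [10/Oct/2011:08:47:33 +0000] "GET /.env HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.23 - - [10/Oct/2011:09:31:08 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.23 - - [10/Oct/2011:10:12:51 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'203.0.113.41 - - [10/Oct/2011:10:58:19 +0000] "GET /backup.zip HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'203.0.113.41 - - [10/Oct/2011:11:40:02 +0000] "GET /.git/config HTTP/1.1" 403 199 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.7 - - [10/Oct/2011:12:22:45 +0000] "GET /console HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.23 - - [10/Oct/2011:13:05:30 +0000] "GET /api/v1/users HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'203.0.113.41 - - [10/Oct/2011:13:49:14 +0000] "GET /server-status HTTP/1.1" 403 199 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.7 - - [10/Oct/2011:14:33:57 +0000] "GET /manager/html HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'198.51.100.23 - - [10/Oct/2011:15:16:21 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"',
     f'203.0.113.41 - - [10/Oct/2011:16:01:48 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "{UA_PROBE}" "{JA3_PROBE}"']
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def rate_alerts(records, window=timedelta(minutes=1), threshold=10):
    """Naive burst detector: flags an IP that sends more than `threshold` requests
    inside any sliding `window`. Probing at one request per 40 minutes never trips it."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append(ip)
                break
    return sorted(alerts)


def actor_key(rec):
    """Identify a client by fingerprint rather than by source address, so that
    address rotation does not split one actor into several."""
    return (rec["ua"], rec["ja3"])


def actor_profiles(records):
    """Summarise each actor's behaviour over the whole log: how many distinct paths
    drew error responses, the error share, the time span covered and the IPs used."""
    groups = defaultdict(list)
    for r in records:
        groups[actor_key(r)].append(r)
    profiles = {}
    for key, reqs in groups.items():
        reqs.sort(key=lambda r: r["ts"])
        error_hits = [r for r in reqs if r["status"] in PROBE_STATUSES]
        profiles[key] = {
            "requests": len(reqs),
            "ips": sorted({r["ip"] for r in reqs}),
            "distinct_error_paths": len({r["path"] for r in error_hits}),
            "error_ratio": len(error_hits) / len(reqs),
            "span_hours": (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds() / 3600,
        }
    return profiles


def flag_recon(profiles, min_error_paths=5, min_error_ratio=0.5):
    """An actor that keeps asking for things that are not there, across many distinct
    paths, is testing the environment regardless of how slowly it does so."""
    return {k: p for k, p in profiles.items()
            if p["distinct_error_paths"] >= min_error_paths
            and p["error_ratio"] >= min_error_ratio}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("burst alerts:", rate_alerts(recs))
    for (ua, ja3), prof in flag_recon(actor_profiles(recs)).items():
        print(f"recon by ja3={ja3} ua={ua!r}: {prof}")
```

The burst detector returns nothing for this log, while the fingerprint-keyed profile ties twelve failed probes from three addresses over eight hours to a single actor. JA3 and User-Agent are both spoofable, so the linkage is a hypothesis to investigate, not proof of a single person; the thresholds are starting points to tune against a site’s own baseline of 404s.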