VPN Haus continues its conversation with Branden Williams, a seasoned information security specialist. Today we go beyond the cloud and get Branden’s thoughts on other gaps in PCI 2.0, as well as other network security trends.
VPN Haus: Other than cloud, what do you think was missing from PCI DSS 2.0? What are the most/least useful updates?
Branden Williams: I believe there are still a few things that need to be addressed in PCI DSS. This version introduced language around Virtualization, but completely missed the cloud discussion which as you noted above is more important to fix right now. The Council may get left behind without either appropriate training for QSAs, better Q/A around the process of an assessment with respect to cloud services, or guidance specific to what QSAs should look for in a compliant cloud solution. Sampling is also still a big issue. I believe one of the issues around variance is the fact that there is no standard sampling methodology—it’s up to the QSA to describe their methods and come to some sense of feel-goodery around the population of systems they must assess. A statistically valid sampling methodology would produce more consistent results. Wireless (specifically Wi-Fi) security still falls abysmally short on the detection and protection side. The encryption is where it should be as a baseline, however, companies can easily add additional layers of encryption stronger than the implementations of WPA or 802.11i.
VPN Haus: Is there anything else related to network security that you’d like to mention?
Williams: Big trends for the next few years until the next revision of PCI DSS include things like a push to cloud/utility computing and cloud-based services, a push to mobile computing where the device is not important (and potentially not even owned by the business, yet allowed to work on business assets), and more inspection of data flows and ownership. For example, with technologies like tokenization making it in the mainstream payment processing environment, merchants may no longer need to be an authoritative source for payment card data, their process would. Companies will look to find providers to own the responsibility of shepherding the data throughout its lifecycle instead of doing it themselves to reduce risk.