Re: Cloud Computing and PCI Compliance
- Subject: Re: Cloud Computing and PCI Compliance
- From: Miguel Arroz <email@hidden>
- Date: Sun, 22 Aug 2010 02:05:29 +0100
Hi!
On 2010/08/22, at 01:02, Q wrote:
> It doesn't. But it is about identifying potential risk, both present and future. In the case of a firewall you should be considering allowing only access to the required services and denying all else. If you do this you protect your future self from the risk of having software that doesn't need public access being used as an attack vector, even though you might not be even using that software yet.
Yes, I'm not saying one should not have a firewall. What I'm saying is that a firewall by itself offers little security. Yes, it prevents apps you don't even know are there from accepting connections from the outside world, but try to administer a server with popular PHP CMSs and you can have all the firewalls you want: if you have port 80 open, you will be hacked. :)
Also, "having a firewall" is very vague, and that's one thing that irritated me regarding PCI. What is having a firewall? Having ipfw running on the server? Having a dedicated box for firewalling and all the servers on a sub-network behind the firewall?
> If you approach the PCI guidelines as "what's the minimum I need to do to be compliant" you have failed the exercise. If you instead see it as "what are the risks I need to consider based on these requirements and how do I protect against them" and adapt them to your environment you are off to a much better start.
The problem is that I see PCI guidelines (as most ISO stuff) as bureaucracy and blind certifications and not something that actually brings you any kind of guarantee. Of course, if you know what you are doing, you know you should have a firewall as restrictive as possible, use complex passwords or key-pairs when possible, turn off all services you don't use, yadda yadda yadda. But you don't need PCI for that, you need to be competent.
Now put yourself in a client's shoes. You see some company is PCI certified. What does that mean? Regarding a firewall, for instance, it may simply mean the guy has ipfw running with one rule: allow all from any to any. That would be enough to answer Yes if you do a strict interpretation of the question. Or the guy may have Wordpress running on a server where he also runs a WO app that has the password or key to access the credit-card database in a properties file. That is not covered by PCI at all! :)
I've had many discussions about stuff like this with people who believe implementing ISO-stuff actually makes the quality of your products go higher. I'm a very strong disbeliever. Yes, you can get some good ideas and checklists from that stuff (in the ISO case, if you pay for it, which is... weird, to say the least). But actually TRUST them? I see so much crap in Portugal done by ISO-certified companies that it is more than enough to prove it means nothing, and I assume there (and in any other country) it is the same. And the fact that becoming ISO-whatever or PCI certified (especially the top level) costs money (in some cases like ISO the specs themselves are paid, and in both you have to write down methodology, documentation, and a lot of other stuff that consumes work hours) means usually small companies founded by competent and dedicated people can't get those certifications, while huge consultants can. That is unfair because I'm absolutely convinced that many small companies could do a much, much better job than the huge consultants with their code-monkeys.
Bottom-line, I trust competent people, not certifications. :)
Regards,
Miguel Arroz
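The "ipfw running with one rule: allow all from any to any" case discussed above, as an added example that is not part of this thread: a small Python audit of `ipfw list`-style output that flags an unscoped allow-all rule and a ruleset that does not end in an explicit deny. The two listings are constructed samples; the rule numbers, the 203.0.113.0/24 admin network and the ports are assumptions for illustration.

```python
import re

# Matches one line of `ipfw list` output: "<num> <action> [log] <proto> from <src> to <dst> [options]".
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<action>allow|accept|pass|permit|deny|drop|reject)"
    r"(?:\s+log)?\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<rest>.*))?$"
)
PERMIT = {"allow", "accept", "pass", "permit"}
SCOPING = {"via", "recv", "xmit"}  # options that tie a rule to a specific interface

# Constructed sample listings (not from the original message).
# The "one rule" box: the final deny is dead code because rule 100 matches everything first.
ALLOW_ALL_LISTING = """
00100 allow ip from any to any
65535 deny ip from any to any
"""
# A restrictive ruleset: loopback, established TCP, HTTPS, SSH from an assumed admin network, then deny.
RESTRICTIVE_LISTING = """
00100 allow ip from any to any via lo0
00200 allow tcp from any to any established
00300 allow tcp from any to me 443 in
00400 allow tcp from 203.0.113.0/24 to me 22 in
00500 deny log ip from any to any
65535 deny ip from any to any
"""

def parse_rules(listing):
    """Parse listing lines into dicts; lines the regex does not understand are skipped."""
    rules = []
    for line in listing.strip().splitlines():
        m = RULE_RE.match(line)
        if m:
            r = m.groupdict()
            r["rest"] = (r["rest"] or "").split()
            rules.append(r)
    return rules

def is_any_to_any(r):
    return r["proto"] in ("ip", "all") and r["src"] == "any" and r["dst"] == "any"

def audit_ipfw(listing):
    """Return (finding, rule_number) tuples; an empty list means both checks passed."""
    rules = parse_rules(listing)
    if not rules:
        return [("empty", None)]
    findings = []
    for r in rules:
        # A permit rule for all IP from any to any, not pinned to an interface, opens everything.
        if r["action"] in PERMIT and is_any_to_any(r) and not (SCOPING & set(r["rest"])):
            findings.append(("allow-all", r["num"]))
    last = rules[-1]
    if last["action"] in PERMIT or not is_any_to_any(last):
        findings.append(("no-default-deny", None))
    return findings
```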