Re: Cloud Computing and PCI Compliance
  • Subject: Re: Cloud Computing and PCI Compliance
  • From: "Tom M. Blenko" <email@hidden>
  • Date: Sat, 21 Aug 2010 19:21:25 -0700


I've gone through a couple of what seemed to me like serious security audits (PCI compliance was not mentioned; it was a bank doing the audit using their internal standards). Two of the major areas were physical security of the systems and security checks on personnel with access to the systems and their data. I have asked someone in the cloud business how I could satisfy these requirements in a cloud, and the upshot was that he didn't know of a way.


On the other hand, some of those questions have a very vague interpretation, and others are just plain stupid (like asking if you have an anti-virus installed on all your company computers, or asking if you have a properly configured firewall, whatever that means). I'm not defending PCI here, just saying you can get burned.


That's what the compensating controls section is for. The questions have an underlying risk that they try to protect against. In the case of antivirus software, it is to prevent the surreptitious installation of malicious or otherwise unauthorised software on your systems. If you can provide this security by other means then you detail it as a compensating control.

That may be true for the anti-virus thing, but what about the firewall? What's a correctly configured firewall? In what way does the firewall prevent an attack using HTTP by exploiting a non-obvious bug in my app?


Some of those questions seem irrelevant or misleading to me. It looks like some kind of "one size fits all" certification which ends up being pointless. I would rather have people who can THINK writing the code my credit card goes through than a firewall.

I think this is a misunderstanding. One purpose of the questions is to provide a way for you to systematically review your security. I don't think anyone expects a one-size-fits-all solution for, e.g., the firewall configuration for all sites. I suppose that some of the people who put this together have orders of magnitude more experience with security and breaches and credit card data theft than I, so there's value in seeing what they think is important. I don't need to argue with whoever tried to come up with the firewall question; I need to look at my setup and figure out what firewall configuration, for me/my customers, prevents breaches from occurring.


To make the point more tangible, my understanding is that some credit card processors write into the contract that you or your employer or your customer is at risk for any breaches due to PCI non-compliance. Compliance, then, isn't a form-filling-out exercise; it's the definition of where the responsibility lies if a breach occurs. It doesn't matter if you answered "Yes" to the question; it matters whether an incident occurs in which, it can be shown, failure to configure a firewall was a contributing factor.

	Tom


References:
  • Cloud Computing and PCI Compliance (From: Kieran Kelleher <email@hidden>)
  • Re: Cloud Computing and PCI Compliance (From: Simon <email@hidden>)
  • Re: Cloud Computing and PCI Compliance (From: Miguel Arroz <email@hidden>)
  • Re: Cloud Computing and PCI Compliance (From: Simon <email@hidden>)
  • Re: Cloud Computing and PCI Compliance (From: Q <email@hidden>)
  • Re: Cloud Computing and PCI Compliance (From: Miguel Arroz <email@hidden>)
