Tag Archives: cloud computing

Security as a Service ≠ Securing the Cloud

What a week! The 20th RSA Conference is over and it was great to see the masses back out at the Moscone again. I don’t think it’s been this big in a while, but if the parties are any indication, companies are spending money again. I want to say congrats to all the Social Security Blogger Awards nominees and winners! The selection committee did a great job this year selecting a group of absolutely fantastic individuals. Also, thank you to Securosis for putting on the Disaster Recovery Breakfast. That was much needed, and it also was a place for Anton and me to plan out the 3rd edition of our book! Wait until you see what we have in store ...

Mixed Mode and PCI DSS 2.0

One way to get the spidey sense of a savvy security professional tingling is to mention the use of “Mixed Mode” virtualization in some kind of IT initiative related to compliance. Companies are trying to figure out how to build security into their virtualized environments in a way that will cover themselves from both a security and compliance perspective, and the industry in general is quite divided over this issue. Mixed mode, in the context of this post, is a term used to describe a virtual infrastructure that hosts both guests with PCI DSS data on them, and those without. Before we delve into the issues associated with the security concerns here, let’s level set. PCI DSS, in its purest sense, is ...

Where is Cloud in PCI DSS 2.0?

It doesn’t take a keen observer to notice that the term cloud doesn’t even exist in PCI DSS 2.0. In fact, the “Find” feature will do that for you. Sure, strides were made to include Virtualization into the fold (even in spite of many individuals arguing you don’t need to include it, just apply the standard to it), but that is only the first of many steps on the journey to the cloud. If you are on the very front edge of the cloud transformational wave, you may have had to discuss how you use cloud with your QSA. My bet? It was a painful discussion that left both parties leery of the other. My comments in this month’s Digital ...

Cloud Ain’t So Scary!

After the end of quarter madness calmed down on Friday afternoon, I had a few minutes to reflect on an interesting panel discussion I sat on (to which I was almost late). I was speaking with a group of underwriting and legal professionals about cloud computing and the security and compliance problems it presents. The fear in the room was nearly tangible. As with most issues relating to information security, it all comes back to the data. Cloud services are perfect for some applications, and downright frightening for others. It’s not to say that certain cloud types are inherently more insecure (although in some cases they are), but it’s more about the structure of the cloud services as it relates ...

Do you know your IT?

This post is mostly going to apply to smaller companies as I would HOPE (tongue in cheek a bit here) that larger merchants wouldn’t have this problem. Small- and medium-sized businesses (SMBs) have more advanced software tools available to them today than ever before. Cloud-based solutions allow for multi-million dollar software packages to be available to SMBs at affordable monthly subscription prices. This level of business analytics, automation, and intelligence can make a big difference in how a business competes. What once would take dedicated headcount can now be automated and scaled. But with great power comes great responsibility. SMBs that entrust their business or data to these third parties must invest time and effort to understand not only what ...

The “Should” Rule of Cloud Computing

I’ve been asked over the last few months quite a bit about virtualization and cloud computing. Virtualization is something most people understand, but cloud computing baffles many professionals because there is often not a clear nomenclature used to describe products and services in the space (I just saw an ad for a “Dynamic Cloud Server.” For real.). In fact, my father-in-law asked me if I was somehow involved in weather forecasting (jokingly) after looking at what my current employer does. It’s like PCI DSS in the vendor space. “Install my product, and I GUARANTEE you are PCI Compliant!” Except in the cloud world, it goes something like: “I got me some sexy, fluffy cloud stuff JUST FOR YOU!” ...

Guest Post: The IT forecast – Cloud-y with a 10% Chance of Effective Security

The following is a guest post by Fred Langston, Sr. Product Manager for VeriSign’s Global Security Consulting group.

With the stampede to the next big thing gaining speed, Cloud Computing and Cloud Services face the standard, yet utterly preventable, horse-before-the-cart security conundrum. Anytime paradigm-shifting technology that saves money and decreases operational costs hits the market, two things are certain – 1) your company, just like 99% of the other companies in your vertical, will be running with the pack straight towards rapid adoption, and 2) security tools, techniques, and control technologies to find and mitigate the huge business risks associated with the new cloud services are:

- Lacking in essential functionality, scalability, or cloud-wide scope
- Not based on well-vetted best practice ...
