24 Aug INetU: Myths and Realities of PCI DSS Compliance in the Cloud
In this post, we get insights from Eric Naiburg, Director of Marketing at INetU. He will present in Vancouver on 1 Oct. about “Myths and Realities of PCI DSS Compliance in the Cloud.”
1. Can you give us a sneak peek into what your session will be about?
I’ll be talking about what it’s really like to achieve PCI DSS compliance in the cloud. Often there is a misconception that if you can’t see your data or touch your data center, it must not be secure. And what we find as a cloud hosting and security and compliance service provider is that this is very much a myth.
The fact is that reputable cloud vendors have people in their security operations center whose entire professional life has focused on compliance within data centers. Many organizations – especially smaller businesses – don’t have that expertise and don’t have that time to do it. They’re focused on doing what they do, which is running their business.
“There is a misconception that if you can’t see your data or touch your data center, it must not be secure.”
So having that expertise, knowing how to manage it in a cloud environment, and knowing the ins and outs from our experience seeing all kinds of attacks on different clients, gives cloud service providers even more practical ability to avert those attacks and ensure PCI DSS compliance.
2. How will your session help organizations using cloud providers to achieve PCI DSS compliance?
I’ll talk about the different security tools specified by PCI DSS that need to be put in place by cloud providers and customers to ensure compliance. And then I’ll give real world examples to show what we see with customers and how the tools actually help you protect your data as well.
After my session, attendees will understand how the cloud is secured by service providers and know what security and compliance questions they need to ask their potential cloud vendors when they’re looking at moving to the cloud.
3. From your perspective, how are cloud service providers actually doing on their own PCI DSS compliance?
Most will say they are PCI DSS compliant. But as a shopper, as a potential cloud user, you must dig in and ask the right questions to get the true story on their cloud security and compliance.
There are so many cloud vendors that are popping up. They throw a few servers in a cloud hosting company, or they spin up some servers, some of them literally in a closet! And they say, “We’re now a cloud hosting company.” But do they have the experience to keep your data secure? Are they watching the systems 24/7/365? Do they have people who understand PCI DSS inside and out, including what security means and what to look for? Are they monitoring to see if, all of a sudden, bandwidth is going up and up and up at a crazy rate, and you’re probably under a Denial of Service attack? Are they able to respond to that quickly? Are they going to help you respond if there is a breach?
At the end of the day, they don’t have to, but will they and are they willing to take on part of that as a shared responsibility during a breach? Those are the kinds of things people need to really look out for, and not just the rubber stamp of, “Hey, I passed my PCI DSS audit.”
4. How well are security tools keeping up with changes in cloud technology?
The bad guys have actually evolved much more quickly than we have at an industry level across the board, which is what forces us to move more and more quickly.
“We need to do a better job of staying ahead of the bad guys, and putting the right things in place, not taking shortcuts.”
People are putting more and more information in places where it can be accessed. I’ve seen a lot of things lately where people are just assuming they’re going to get breached, that their data’s going to get stolen, and they’ve given up trying. It used to be, “Oh, I’m just not going to put my data on the internet because I don’t trust it.” Now, everybody knows they don’t have a choice. It’s there whether they put it there or not.
We need to do a better job of staying ahead of the bad guys, and putting the right things in place, not taking shortcuts. I think we’ve learned a lot over the last few years with some of the big breaches. We’ll cover some of those lessons in my presentation.
5. What excites you most about this year’s Community Meeting?
I am looking forward to meeting with peers who are interested in PCI and in the PCI Data Security Standard.
The Community Meeting is a great opportunity for really learning from what folks are doing, and how they’re protecting their information, what they’re seeing out in the market, what security solutions they’re using, and the different types of things that they’re doing. It’s a great way to meet people as we grow and as I grow within the PCI community.