Thanks to Tenable and many others for sponsoring the Rhode Island B-Sides this past weekend. I had a chance to reconnect with people I have not seen in years, and the cigar social was just an awesome opportunity to chill and socialize.
I also had a chance to talk about public cloud security. There were many other awesome talks, which have thankfully been archived by Irongeek. Very much worth a look through. Not surprisingly, Paul Asadoorian put on a top-notch event which I'm hoping he'll repeat for many years to come.
I've spoken with quite a few folks who are having trouble wrapping their brains around how to achieve a PCI compliant environment within a public IaaS cloud. While the process can seem a bit daunting, it is actually not that bad once you understand it. True, the process is different from achieving compliance in a private data center, but with a proper task list you can work through the problem pretty efficiently.
In a private data center, you are 100% responsible for all PCI controls. In a public cloud, however, your cloud service provider (CSP) will be responsible for some portion of these controls. Which controls, and how many, the CSP will be handling will vary depending on the cloud service model you will be using. Luckily the PCI Cloud Guidance includes some extremely helpful information. Here's a copy of Figure 3 from that ...
This one goes out to all the auditors out there. ;-)
In the course of getting audited, one of the stumbling blocks I've run into is helping folks wrap their brains around how security works within a public IaaS cloud. One of the particularly sticky points is what the word "internal" means in the context of an auditing standard. For example, PCI DSS v2 control 11.2 reads:
"Run internal and external network vulnerability scans at least quarterly and after any significant change in the network"
In a Gen2 environment, as shown in Figure 1, this control makes perfect sense. The concept is that Gen2 networks are designed around the premise "We trust ourselves more than the outside world, so a larger amount of uncontrolled access is permitted from the internal network." So the "internal" network probably has access to ports and services on each of the DMZs that the Internet at large does not have. This is the classic "crunchy on the ...
I've got a real treat for you...
At 12:30PM Eastern today, Dave Shackleford and I will be doing a live webinar on achieving PCI compliance in both public and private cloud. Specifically, we'll be talking about the new PCI Cloud SIG Guidance I was lucky enough to be involved in.
It should be a good time with plenty of Q&A at the end. Feel free to drop by the registration page and sign up. Cost is free (as in beer).
If you miss the live event, a recorded version should be made available via the same link.
I first want to apologize to my friends and followers for seemingly falling off the face of the earth. While I would love to say it is because I've been sitting on a beach in some exotic location, the truth is I've been living in compliance hell. Think guiding a startup through ISO 27001 and a PCI DSS audit is difficult? Try doing it in an environment where 100% of your data center is located in public cloud. Then add in a SOC 2 Type 2 and