I first want to apologize to my friends and followers for seemingly falling off the face of the earth. While I would love to say it is because I've been sitting on a beach in some exotic location, the truth is I've been living in compliance hell. Think guiding a startup through ISO 27001 and a PCI DSS audit is difficult? Try doing it in an environment where 100% of your data center is located in public cloud. Then add in a SOC 2 Type 2 and SOC 3 compliance check... just because you're a glutton for punishment. While I'm a firm believer that public cloud can be just as secure as a private environment, the technology is still cutting edge, so compliance is still playing catch-up.
However, there is light at the end of the tunnel, and I honestly don't think it's a train. I was fortunate enough to take part in the PCI Council's Cloud Special Interest Group. This has resulted in a new 50+ page guidance document on deploying and auditing PCI DSS v2 in a cloud environment. And yes, the guidance does include many cool pointers on how to achieve compliance in public cloud, not just private.
However, don't exhale that sigh of relief just yet. Check out this interesting article where I'm sandwiched between a rock and a hard place. The "rock" is a current QSA auditor implying that you can't achieve PCI compliance in public space, even though the article is specifically about the PCI cloud guidance that explains how to achieve compliance in public space. The "hard place" is some unnamed "retail security executive" who spews complete FUD about introspection and obviously does not have even a rudimentary understanding of the technology. Don't get me wrong, I'm on record as saying that introspection has serious problems in public space that can potentially prohibit its use, but what's needed is dialog and fresh ideas to solve real operational problems, not FUD that does little more than muddy the issue.
So I would love to turn my pain into your gain. As I spin this blog back up, expect lots of tasty nuggets on my compliance journey. Hopefully I can help you avoid some of the same pitfalls I've already had to navigate. To quote one of the great sages of our age: "There's a difference between knowing the path, and walking the path".
--Chris Brenton
