Security Bytes

Mar 4 2010   4:55AM GMT

RSA panel weighs PCI implications of cloud computing

By Marcia Savage

Cloud computing takes PCI compliance into unfamiliar territory, but PCI auditors should make an effort to understand the technology, experts said during a panel discussion Wednesday at the RSA Conference 2010 in San Francisco.

“Auditors have to get used to it,” said Liam Lynch, chief security strategist at eBay. “They need to understand the technology.”

“It’s incumbent on you to avail yourself to understand the cloud environment,” Jim Reavis, executive director of the Cloud Security Alliance, told an attendee who identified himself as an auditor who wanted help in auditing an application in the cloud.

Reavis said CSA earlier this week pre-announced the availability of its Cloud Controls Matrix, a toolset of cloud security controls that map to industry regulations such as PCI and HIPAA. When the CSA releases the full toolkit, there will be 50 controls related to PCI, he said (a CSA press release said the release is scheduled for April).

“We’ll see education of QSAs [Qualified Security Assessors] regarding where standards apply to the cloud model,” he said.

Reavis also said the industry needs SAS-70s that “are scoped properly for cloud environments.”

eBay is both a consumer and producer of cloud services, and is a Tier 1 PCI-compliant company, Lynch said. Regulations are important, he said, but he added, “from an eBay perspective, I worry more about criminals than auditors.”

Ward Spangenberg, director of PCI and compliance at security-services firm IOActive, said one of the first things a company needs to do before moving into the cloud is to make sure the cloud provider understands its compliance requirements. A company also needs to know what data is important in its environment before moving to a cloud service, he said.
