Cloud computing takes PCI compliance into unfamiliar territory, but PCI auditors should make an effort to understand the technology, experts said during a panel discussion Wednesday at the RSA Conference 2010 in San Francisco.
“Auditors have to get used to it,” said Liam Lynch, chief security strategist at eBay. “They need to understand the technology.”
“It’s incumbent on you to avail yourself to understand the cloud environment,” Jim Reavis, executive director of the Cloud Security Alliance, told an attendee who identified himself as an auditor who wanted help in auditing an application in the cloud.
Reavis said CSA earlier this week pre-announced the availability of its Cloud Controls Matrix, a toolset of cloud security controls that map to industry regulations such as PCI and HIPAA. When the CSA releases the full toolkit, there will be 50 controls related to PCI, he said (a CSA press release said the release is scheduled for April).
“We’ll see education of QSAs [Qualified Security Assessors] regarding where standards apply to the cloud model,” he said.
Reavis also said the industry needs SAS-70s that “are scoped properly for cloud environments.”
eBay is both a consumer and producer of cloud services, and is a Tier 1 PCI compliant company, Lynch said. Regulations are important, he said, but added, “from an eBay perspective, I worry more about criminals than auditors.”
Ward Spangenberg, director of PCI and compliance at security-services firm IOActive, said one of the first things a company needs to do before moving into the cloud is to make sure the cloud provider understands its compliance requirements. A company also needs to know what data is important in its environment before moving to a cloud service, he said.