Although some experts think a recent report on cloud computing security compliance helps clarify how data can safely live in the cloud, others say it could confuse or even scare off cloud computing adopters.
"Cloud computing is a form of distributed computing that has yet to be standardized," the report states in its executive summary. One expert said the report sets a dark tone from the start. "There is no standard yet, and you're basically led to believe that going to the cloud is fraught with danger," said Chris Steffen, principal technical architect at Kroll Factual Data and a Microsoft MVP on cloud and data center management.
The report also suggests that keeping credit card holder data out of the cloud completely is the most effective way to keep a cloud environment out of scope. These statements could have some inexperienced cloud computing clients and their auditors running scared, Steffen said, and might lead auditors to hatch up draconian interpretations.
"If you want a truly secure computer, take it off the network, encrypt everything, make sure you have quadruple-factor authentication to get into the thing, and then you're still only as secure as the person using it," Steffen said. Users need to balance usability with reason when it comes to computer security, he added.
The report offers matrices for delineating responsibility for elements of the PCI Data Security Standard (DSS) between cloud computing clients and cloud service providers. Even so, there still are ambiguities that will create confusion, said Carl Brooks, an analyst at Boston-based 451 Research.
For instance, Requirement 9 under PCI DSS requires that clients restrict physical access to cardholder data, "a basic PCI requirement since dinosaur times," Brooks said. The guidance simply states that the cloud service provider manages this requirement, but it depends on the particular CSP as well as the distribution of data across different locations.
"What does that actually, practically mean?" Brooks questioned. "Who is getting sued and/or arrested when cardholder data gets loose?"
Read PCI proponents' defense of the report in part two.