Conversation with Branden Williams on PCI and the Cloud, Part 3

VPN Haus continues its conversation with Branden Williams, a seasoned information security specialist. Today we go beyond the cloud and get Branden’s thoughts on other gaps in PCI 2.0, as well as other network security trends.

VPN Haus: Other than cloud, what do you think was missing from PCI DSS 2.0? What are the most/least useful updates?

Branden Williams: I believe there are still a few things that need to be addressed in PCI DSS. This version introduced language around virtualization, but completely missed the cloud discussion, which, as you noted above, is more important to fix right now. The Council may get left behind without either appropriate training for QSAs, better Q/A around the process of an assessment with respect to cloud services, or guidance specific to what QSAs should look for in a compliant cloud solution. Sampling is also still a big issue. I believe one of the issues around variance is the fact that there is no standard sampling methodology; it’s up to the QSA to describe their methods and come to some sense of feel-goodery around the population of systems they must assess. A statistically valid sampling methodology would produce more consistent results. Wireless (specifically Wi-Fi) security still falls abysmally short on the detection and protection side. The encryption is where it should be as a baseline; however, companies can easily add additional layers of encryption stronger than the implementations of WPA or 802.11i.

VPN Haus: Is there anything else related to network security that you’d like to mention?

Williams: Big trends for the next few years until the next revision of PCI DSS include things...

Conversation with Branden Williams on PCI and the Cloud, Part 2

This week, VPN Haus continues its conversation with Branden Williams, a seasoned information security specialist, about PCI and the cloud.

VPN Haus: Because of PCI 2.0’s lack of clarity on the cloud, do you think most merchants will only move non-PCI-related data to the cloud until they get more guidance from the Council?

Branden Williams: Frankly, I don’t think the virtualization bit should have been added into PCI DSS 2.0. That’s a training issue. But since they did add it in, I bet merchants and service providers will look to the Council to provide guidance on cloud. Companies should approach cloud from a security and data perspective. Regulated data should probably not be put into a public cloud, but catalogue or other public data could certainly be. It’s not an all-or-nothing approach. Savvy IT and IS managers will look at the spread of options and implement what makes most sense for each type of service. Companies waiting for the Council to tell them what to do will be missing out on one of the biggest economic shifts in IT services of our generation. Their competitors will pass them by.

VPN Haus: You’ve compared physical security with network security. What are some lessons learned from physical security that IT administrators can use? Obviously you can’t use someone’s body language to determine intent with network security… or can you?

Williams: Interesting concept: could you use body language to determine intent? I think it depends on the distance we are talking about. If you can physically observe the body language of the individual, you may be able to determine...

Conversation with Branden Williams on PCI and the Cloud, Part 1

This week, VPN Haus catches up with Branden Williams, a seasoned information security specialist, about PCI and the cloud.

VPN Haus: You’ve blogged about the fact that cloud isn’t overtly mentioned in PCI 2.0. Can you provide some examples of common problems merchants/service providers considering cloud solutions might come up against when dealing with QSAs who don’t have cloud experience?

Branden Williams: Merchants and service providers considering cloud solutions should absolutely read and understand the impact the fine print of their contracts with the cloud provider has on their security and compliance initiatives. In many cases, the most economical options are the least security- and compliance-friendly. Once a suitable contract that meets requirement 12.8 (at a minimum) is executed, you may need to train your QSA on how the solution works. In many cases, the QSA will not understand how to assess a cloud environment, but it should not be assessed with any different requirements than a physical environment. QSAs must spend some time learning how your particular solution works before they can make a judgment call on compliance. This may extend the duration and increase the cost of your assessment.

VPN Haus: In the blog post, you recommend folks using the cloud map their data, yet many companies don’t do this. What’s the major challenge to mapping data?

Williams: Mapping data and data flows is an immense task. Most companies don’t have singular systems or flows, and data sprawls everywhere. Moreover, to truly discover and map this data, you need tools. Some of these tools can be pricey and impact operations, which forces companies to reconsider their deployment. Add...

What We're Reading, Week of 1/24

Computerworld, Security Manager’s Journal: Lifting Rocks and Seeing What Dangers Lurk Beneath Them
Information Magazine, Mobile Device Security Needs New Approach, Experts Say
Mobile Enterprise, What to Watch for in Enterprise Mobility
Network World, Survey on PCI: How It’s Impacting Network Security
Processor, Supporting Mobile...