
A PCI-Data Security Standard for Cloud Computing?

What happens when sensitive data is processed and archived outside the enterprise, in the cloud, by non-employees, perhaps off-shore? Does that mean the risk of this data being compromised goes up? Perhaps not, but the stakes are certainly higher. Imagine Salesforce.com hitting the front page of the Wall Street Journal because its employees have compromised or leaked customer data. That would hurt their business (an understatement) even more than it would hurt their clients. Perhaps the cloud computing industry should come up with a data protection standard, as Visa and Mastercard did for the credit card industry. Here are some best practices every on-demand vendor should consider when it comes to protecting customer data:
 
Privileged User Access

Companies should hold their outsourcer to the same high standards for internal control that they apply in-house. It starts with accountability – if you monitor the actions of privileged users, they are less likely to transgress, and if they do, the outsourcer can take immediate action. It is no wonder that the credit card companies made access to cardholder data a cornerstone of their standard. Perhaps outsourcers should do the same when it comes to access to customer data?

Investigative Support

What happens when an employee leaves the company and you suspect he may have downloaded some customer data onto his private laptop before you de-provisioned him from the on-demand sales management system? Can you call your provider and ask for the audit trail that proves or disproves his (or her) transgression? It is certainly a fair question to ask of your outsourced provider, and the answer may surprise you. Shared services can be difficult to investigate, because in some cases logging and data may be stored on shared servers, where one customer's audit trail is interleaved with everyone else's.

Availability

Reliability and 24/7 uptime are cornerstones of outsourced services. Customers should demand service-level agreement guarantees, and on-demand providers should put in place scalable and repeatable models to ensure they meet those agreements. Proactive monitoring for performance bottlenecks, and speedy recovery when availability is at stake, are mission critical. Putting log data in the hands of front-line service desk employees can dramatically speed up this process.

Compliance

At the end of the day, customers should demand to know what risk mitigation their cloud provider is putting in place to protect data, support investigations and maintain service-level agreements. It is no more than reasonable for customers to demand monthly reports that demonstrate control and accountability on the part of the service provider. Wouldn't it be cool to see a report on who accessed your most critical data each month, and to know that a service provider employee has reviewed this report on a daily basis? For cloud service providers, executive reporting on security and availability risk mitigation could be an important differentiator.
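One way to turn the audit trail asked for under Investigative Support and the monthly "who accessed critical data" report asked for here into concrete checks a provider could run over its own access logs. This is an added example, not code from the original post or from LogLogic; the log line format, object names, user names and dates are all constructed for illustration, and a real service would read its own audit log schema instead.

```python
"""Audit-trail checks over a constructed SaaS access log (illustrative example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format per line:
# <ISO-8601 timestamp> user=<name> action=<login|view|export> object=<name> records=<n>
SAMPLE_LOG = """\
2008-05-28T09:12:04Z user=jdoe action=login object=- records=0
2008-05-28T09:15:30Z user=jdoe action=view object=accounts records=25
2008-05-30T17:48:11Z user=jdoe action=export object=accounts records=4820
2008-05-30T17:52:40Z user=jdoe action=export object=contacts records=9100
2008-06-02T08:05:00Z user=asmith action=view object=accounts records=10
2008-06-03T11:20:17Z user=asmith action=export object=reports records=300
2008-06-04T10:00:00Z user=jdoe action=view object=accounts records=5
2008-06-05T14:30:00Z user=provider_admin action=view object=accounts records=1
"""

# Objects the customer considers its most critical data (assumed names).
CRITICAL_OBJECTS = {"accounts", "contacts"}


def parse_log(text):
    """Parse the assumed key=value line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "action": fields["action"],
            "object": fields["object"],
            "records": int(fields.get("records", "0")),
        })
    return events


def exports_in_window(events, user, start, end):
    """Exports by `user` between notice of departure and de-provisioning (inclusive).

    This is the evidence that proves or disproves a bulk download before the
    account was disabled.
    """
    return [e for e in events
            if e["user"] == user and e["action"] == "export"
            and start <= e["ts"] <= end]


def access_after_deprovisioning(events, user, deprovisioned_at):
    """Any activity by `user` after the account should have been disabled.

    A non-empty result means de-provisioning did not actually take effect.
    """
    return [e for e in events if e["user"] == user and e["ts"] > deprovisioned_at]


def monthly_critical_access_report(events, year, month):
    """Per-user summary of views, exports and record counts on critical objects
    for one calendar month: the report a customer would ask to see each month."""
    report = defaultdict(lambda: {"views": 0, "exports": 0, "records": 0})
    for e in events:
        if (e["ts"].year, e["ts"].month) != (year, month):
            continue
        if e["object"] not in CRITICAL_OBJECTS:
            continue
        row = report[e["user"]]
        if e["action"] == "view":
            row["views"] += 1
        elif e["action"] == "export":
            row["exports"] += 1
        row["records"] += e["records"]
    return dict(report)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    notice, disabled = datetime(2008, 5, 29), datetime(2008, 6, 1)
    for e in exports_in_window(evs, "jdoe", notice, disabled):
        print(f"EXPORT before de-provisioning: {e['ts']} {e['object']} ({e['records']} records)")
    for e in access_after_deprovisioning(evs, "jdoe", disabled):
        print(f"ACCESS after de-provisioning: {e['ts']} {e['action']} {e['object']}")
    for user, row in sorted(monthly_critical_access_report(evs, 2008, 6).items()):
        print(f"June 2008 {user}: {row}")
```

The two investigative functions answer the departing-employee question directly (what was exported in the window, and whether the account kept working after it should have been disabled), while the monthly report is the artifact a provider could hand to each customer; keeping per-customer events separable from the start is what makes this possible on shared infrastructure.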

Posted June 05, 2008

