Our inaugural #cloudsec chat aimed to find out what the cloud security world thinks about the recently-released PCI DSS Cloud SIG guidelines (pdf). This is really the first move that the compliance world is making to align more with the use of cloud technologies as they move more into mainstream use. What did people on twitter have to say about it?
The chat went very well, with a lot of good conversation! (So good, in fact, that 30 minutes seemed way too short. We may in the future extend the chat to an hour.) We plan on having similar chats using the #cloudsec hashtag every month or so – hope you can join in the next one!
The general attitude towards the PCI Cloud SIG standards was that they are a good start, but not the end-all of what it takes to secure a cloud environment. Many people highlighted that compliance does not necessarily equal security, and didn’t agree with the premise that the standards would do much to remove roadblocks for companies hesitant to move processes into the cloud. John Strand captured the general sentiment pretty concisely:
We’ve got some highlights down below, but you can search #cloudsec on twitter and see the whole stream.
Question 1: What do you think about the new PCI Cloud SIG Guidance?
andrewsmhay, sec_prof, and johnlkinsella said that they see the new guidance as a good start, but expressed that it doesn’t cover all of the requirements; selenakyle says the principles of good security are larger than the specific architecture:
ken5m1th said that the new guidance does not include any new info for those that already know PCI.
Others like jaysonstreet and jack_daniel pointed out that more compliance policies don’t necessarily make the world a safer place.
carsonsweet, johnlkinsella and iiamit pointed out that even though compliance and security are not equivalent, compliance guidance can help with implementing security on the practical side.
Question 2: Will the guidance remove PCI-related roadblocks for cloud adoption?
sec_prof and jack_daniel expressed little confidence that the new guidelines will remove obstacles for wider cloud adoption, while Shpantzer expressed concern that it would result in some vendors will make unwarranted “cloud ready” claims. On the other hand, andrewsmhay suggested that some organizations have been waiting for something like this to move forward.
Question 3: What would you change, if anything about the guidance?
andrewsmhay pointed out that more collaboration w/ the Cloud Security Alliance could raise the bar, and sec_prof would have liked to see more specifics in the guidelines, but acknowledged the challenges of being both specific and vendor-neutral.