PCI compliance in cloud services

With all the hype surrounding the delivery of services through cloud providers, it is little wonder that some enterprises are wary of stepping into this new realm of business opportunities unprepared.

In essence, external providers take information and operations outside the physical premises controlled by the firm in question – which raises the question of how safe and secure those systems really are.

This is especially true for businesses that are aware of their obligations with regard to potentially sensitive information collected from clients and stakeholders.

Because these details are given to the enterprise with the understanding that they will be kept safe from misappropriation or theft, security is often a prime concern for the staff members in charge of information storage.

When it comes to the payment card industry (PCI), there are strict guidelines that govern how client information is to be processed and archived.

With newer technologies such as cloud storage, the same requirements apply as for in-house systems – which is why the assistance of qualified PCI compliance testers is required.

These experienced professionals will be able to ascertain if an external provider is suited to the task of storing or processing sensitive card payment information – as well as providing additional advice on how to improve existing frameworks.

Dr David Ross delivered a presentation to attendees of the AusCERT 2012 conference, stating that while extra care was needed, it is possible to make use of these systems while maintaining PCI compliance.

According to an article published by ZDNet on May 17, Dr Ross said that while cloud providers can offer compliant products and services, the onus for compliance still lies with the company that collects and handles the card data.

Some of the products mentioned by the presenter also come with in-depth guides that help clients deliver services in line with the data security standards laid out by the payment card industry, but he was quick to warn that this still does not automatically make a solution certifiably compliant.

While the shared nature of some cloud services makes it difficult to get a clear picture of exactly what information is visible to third parties, a team of qualified assessors can provide managers with an in-depth review of the pros and cons of a particular service.

This allows decision makers to make informed choices based on details supplied by a neutral third party – removing bias and vendor lock-in considerations from the equation.

Cloud for disaster recovery

Comprehensive security systems are essential to protect sensitive business information in the event of a disaster – and businesses of all sizes should ensure they make adequate preparations.

This is the message conveyed by Symantec in a recent survey, which showed that businesses of all sizes are increasingly looking to new technologies – including cloud computing and virtualisation – when creating their disaster recovery plans.

Information protection is particularly important. Symantec recommends comprehensive backup and security solutions that cover mobile, virtual and physical systems alike.

Small businesses should start creating a disaster preparedness plan immediately if they do not already have one in place, Symantec asserts.

Emergencies – which can range from large-scale natural disasters to the loss or theft of laptops and mobile devices – are often when businesses are at their most vulnerable, which is why planning ahead is so crucial.

Businesses of all sizes that are considering new technologies as part of a disaster recovery plan may find that penetration testing proactively alerts them to potential vulnerabilities – allowing them to take action before a serious security breach occurs.

“Technologies such as virtualization, cloud computing, and mobility, combined with a sound plan and comprehensive security and data protection solutions, enable SMBs to better prepare for and quickly recover from potential disasters,” said Steve Cullen of Symantec.

He added that small businesses in particular “cannot afford lengthy downtimes”.

Security audits for mobility and business intelligence operations

Australian firms are focusing more on mobility and business intelligence than ever before, according to a recent report.

The Chief Information Officer Agenda survey performed by Gartner as part of its Executive Programs 2012 initiative covered over 2,000 CIOs around the world – 132 of which were in Australia.

Researchers found that the main driver for these professionals' projects in 2012 was extracting value from mobile technologies and business intelligence (BI) operations.

While areas such as cloud services and virtualisation still ranked well in terms of future planning, the survey found that rising adoption of smartphones and personal tablets made cloud and virtualisation less of an immediate priority than mobility.

Gartner vice-president Andy Rowsell-Jones explained that the new ranking was something of an anomaly for researchers.

He asserted: "BI has had a chequered history in Gartner's annual CIO survey. Is it new ideas, new tools, or the triumph of hope over experience that has propelled BI back into the limelight? We will find out over the course of the year."

However, the additional information collected and stored by businesses engaged in data mining and mobile access also necessitates more frequent security audits and compliance certification, since the value generated by collecting client details is just as widely recognised by malicious online parties.

What changed laws will mean for IT scrutiny from the board – SMH article

Recent changes to corporations legislation have brought an increased focus on director due diligence, and on the board's role in developing and overseeing an organisation's IT risk and security culture and management.

In a recent article in the Sydney Morning Herald, Drazen Drazic, Securus Global Managing Director, commented on what should be considered prudent risk management in IT and cloud security, and on the importance of a strong board and director focus on IT security management.

Here is an overview of the article.

Prudent risk management should include IT and cloud security considerations.

Recent changes to the Corporations Act 2001 mean that board members will increasingly scrutinise the IT risk and security culture of an organisation, which will affect CIOs in a number of ways, including the need to perform due diligence before handing sensitive corporate data to cloud service providers.

Late last year a raft of regulations was pushed through to foster greater accountability among board members, according to Securus Global founder Drazen Drazic, who said this was in response to the lack of corporate oversight that triggered the events leading up to the global financial crisis.

Security Due Diligence Assessments

Security Audits for Third-Party Providers

When firms sign up to a cloud service provider, the decision is usually framed in terms of utility versus cost: external providers can usually supply better software and applications than a firm could run on its own in-house assets, and without the initial purchase cost.

Of course, these transactions are entered into only on the understanding that the external partner will do its best to ensure the safety and security of its clients' data.

However, the concentration of data held by specialist service providers often makes them a prime target for malicious parties, and the proprietary nature of that data makes it highly valuable.

While a provider may assert that it is on top of its game in terms of online protection, due diligence demands that responsible firms obtain a clear picture of the measures actually in place.

A professional security audit by an independent assessor can deliver a clear report on the depth and breadth of a provider's security controls – an unbiased review of the promises made during the initial sales contact.

Everything from encryption standards and storage methods to transmission protocols can be covered – giving managers confidence that the partnership is secure before they sign on the dotted line.