By Jeff Reich, Chief Risk Officer, Layered Tech
In parts one and two of this blog series, we’ve examined how community clouds are viable environments for PCI compliance, and in this segment we will explore how security is instrumental in guarding against data breaches.
Make security a priority in your community cloud
Many believe that PCI compliance alone will keep mission-critical data safe, but that is not the case. Almost every credit card data breach in the last five years has occurred in a PCI-compliant environment. This powerful statistic reinforces the fact that although compliance is required for success, it is “table stakes” rather than a measure of effectiveness. The data in your community cloud is only as well protected as the security controls you actually apply to it, so it is critical that businesses invest heavily in security.
This doesn’t mean that PCI compliance should be ignored. Rather, security measures should work in tandem with compliance efforts, and in fact PCI compliance should be treated as a subset of security. Keeping that in mind, organizations must make risk-based decisions that embrace compliance while also addressing practicalities and technical capabilities in order to establish a secure community cloud.
In addition to assessing the practicalities of achieving compliance, organizations must acknowledge that compliance is maintained by treating it as a necessary, daily process, not as an annual project that must be completed to pass an audit or test. Treating it as an annual project defeats the purpose of attaining compliance in the first place and opens up your business to a variety of security threats. To “raise the bar” beyond simply establishing compliance, companies should consider several security components, including social engineering, patching, system interfaces and the scope of administration rights, and should routinely identify system vulnerabilities to ensure a fully secure environment. Some of these components can be addressed with automated security checks, while others require human judgment, which is why good security is part art and part science.
Security and compliance are no more difficult in the community cloud
The security concepts mentioned above are vital elements that help determine whether a company chooses to leverage the community cloud or a different hosting environment. Despite common misperceptions, it is no more difficult to be secure or PCI-compliant in the cloud than it is in a dedicated hosting environment. The essence of any security plan is in taking the necessary precautions to make sure that data is kept under strict control. The 2011 Verizon Data Breach Investigations Report states that the cloud does not really factor into many of the breaches they investigate because they have yet to encounter a breach involving a successful exploit of a hypervisor allowing an attacker to jump across VMs.
In terms of PCI-compliant hosting, not all cloud providers are created equal. Some hosting providers offer cloud environments with all the tools needed to secure a company’s data but leave the management of incident response to the customer. This opens the door for important security measures, precautions and standards to be overlooked, increasing the risk of a security breach. To avoid this danger, businesses should confirm that their third-party cloud vendor will go beyond simply ensuring PCI compliance by conducting regular checks to safeguard critical data.
Layered Tech handles all of the IT controls (about 80 percent of the total criteria) associated with PCI compliance, and our dedicated security experts know how to achieve the utmost security for any environment. By working with an established, global provider of compliant managed hosting services like Layered Tech, companies can offload complex compliance requirements, avoid potential risks associated with non-compliance and, most importantly, focus on their business rather than their cloud infrastructure. To learn more about Layered Tech’s services, please visit our website or send us an email.
About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO, +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.