This is the first post by Eric Irvin, the newest blogger on Secure Cloud Review:

David Ottenheimer, over at The Flying Penguin, wrote an interesting piece on what he calls, “The Future-Past of Cloud Security”. David makes the point that “data is not in the big bad amorphous cloud” but rather, it is actually in a very finite and specific location.

Therefore, in the scope of PCI, any location that could possibly be used by someone’s cloud is in scope for audit and compliance. He then furthers this by suggesting that some hosting providers have skirted this by providing a physical section of their COLO for the company while still storing data in the cloud.

I think David hit the nail on the head for scoping PCI in the cloud.

This doesn’t mean game over for cloud providers. The answer, while not simple, is really in the hands of the providers. By auditing their cloud infrastructure, as well as all of their data centers, and achieving certification by the PCI Council, the cloud providers could then, in theory, offer their Report on Compliance to their customers and help satisfy the requirements.

Is this realistic? What are your thoughts?
