January 12th, 2010
SearchCompliance.com has posted an article detailing the important regulatory compliance trends that will affect IT in 2010. The trends listed include:
- Automation of compliance processes
- More regulation en route
- FISMA compliance reform
- More enforcement for noncompliance
- Federal data breach and privacy laws emerge
- Cloud computing complicates compliance
- SOX compliance for small companies
- Migration to risk management
I was quoted in a couple of parts of the article with my visions of the future related to FISMA and risk management. It’s worth a read and a comment if you think they missed anything, or if my predictions are way off!
Tags: Compliance, FISMA
Posted in general, regulations by Peter Hesse | Comments Off
December 8th, 2009
It has been discussed in the past how important it is to become PCI DSS compliant. For some industries it’s an absolute must: without it, they can’t conduct business. We’ve covered some of the latest updates to PCI as well. One of the most overlooked aspects of becoming PCI DSS compliant, though, is actually maintaining compliance. Most organizations simply rush to meet the requirements in time for the auditor’s deadline, when we should instead be looking at what needs to be done on a continual basis. It’s the quiet period after the audit when most data breaches occur. The following list, put together by Dr. Anton Chuvakin, outlines the areas that require some form of upkeep.
Tags: Compliance, PCI DSS
Posted in data protection by Tim Donaworth | 1 Comment »
August 17th, 2009
As a recent Slashdot article points out, Amazon has honestly admitted that it is impossible to attain PCI Level 1 compliance for an application built on their EC2 (computing) and S3 (storage) services:
It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.
We wrote a short whitepaper giving a brief security overview of cloud computing, and this is one of the topics we have been concerned about. I’m currently en route to perform an on-site assessment of a service provider for a customer of ours. This type of assessment gives my customer a great deal of confidence that they can trust their business partner. If the provider of cloud services either won’t let you (or your auditor) visit their data centers, or can’t tell you which one to visit (because your data is unpredictably stored in many different locations), then it is impossible to get the same level of confidence that your data is being stored and protected properly.
Cloud computing isn’t for everything. It’s not going to be a good fit when you need compliance with PCI or similar standards, or when your security policies require on-site assessments. Kudos to Amazon for admitting that.
Tags: assessment, Cloud, Compliance, PCI
Posted in data protection, regulations by Peter Hesse | 1 Comment »