Author Archive: emilyjohnson
In a lot of ways, 2013 has been a pivotal year for PCI compliance in the cloud. As recently as a few years ago, answers to compliance questions for cloud environments were more than a little murky, typically regressing into endless debates on how to define “cloud” in the first place. Compared to where we were as an industry then, 2013 has ushered in the age of enlightenment.
In February, the PCI Council finally pushed guidance for ensuring compliance in several types of cloud environments. At nearly 50 pages it’s more of a self-published novella than clarification, but it’s a major milestone nevertheless. The biggest question – “Can you be PCI compliant in the cloud?” – has been answered. Yes, you can.
Businesses unwilling to wait for the PCI Council to catch up with the real world have been finding their own way for years, of course, but now the uncertainty of picking just the right QSA or a cloud provider that understood security has been greatly reduced. Take a random walk through a set of cloud providers – Rackspace, Peak 10, Amazon for instance – and you find a lot of PCI resources that provide common sense answers, and in some cases a set of services to handle most of the heavy lifting.
Things are notably better, but ask anyone going beyond merely replicating their deployment in a legacy data center and you won’t hear about the “age of enlightenment” for PCI compliance. A more accurate assessment of our current state is just beyond the point where you get deer-in-the-headlights looks when the topic comes up.
What will be the next pressure point? Heady topics like auto-scaling, deployment automation and usage-based billing. Security has been largely exempt from dealing with these issues, in no small part because uncertainty of compliance in the cloud provided a convenient cover, but expect the ability to deal with elastic environments to become a major issue in 2014.
The challenge here is much more technological than an issue of governance, and it’s exactly the area where security people will have a difficult time meeting business demands. After all, computing, storage and networking have been disrupted to the core by “software defined” movements, while the security industry has escaped largely unscathed. What happens when your newly PCI compliant cloud deployment auto-scales to meet surging customer demand, leaving your security infrastructure in the dust?
We’ll be discussing cloud, security, compliance and more at Cloud Connect in Chicago on October 21-23rd.
Misha Govshteyn is the Vice President of Emerging Products at Alert Logic and will be a featured speaker during the Cloud Security and Risk Summit at Cloud Connect Chicago.
Gartner predicts that from 2013 to 2016, $677 billion will be spent by cloud customers to create cloud advertising and other business services. This estimate does not even include the billions of dollars of private cloud infrastructure investment. So when a modern bank robber is asked why he is targeting cloud services, he will most likely answer, “Because now that’s where the data is” — so that’s where the money is.
What are today’s bank robbers attempting to do? Some are using cloud services to run their Zeus botnets and other hacking infrastructures. Other risks include hacktivists who target your service provider with DDoS attacks, rendering your business service unavailable for hours or days because the cloud provider didn’t have the bandwidth or controls in place to contend with the attack.
So what are obvious considerations to protect against these emerging threats?
1. Know what data your company is storing in the cloud.
– Don’t find out after someone else publishes it on the Web or sells it to a crime syndicate.
– Be aware what types of data your business is producing or holding during the initial stages of the project.
2. If you are storing any confidential data in the cloud, encrypt it.
– Assume the data is going to be attacked and potentially leaked in the future.
– Encryption increases the costs for hackers to gain access to your data and may thwart their efforts.
3. Have a Plan B for critical business services.
– Assume that your cloud provider is going to have a disruption in the future.
– Determine how much downtime you can handle and still remain profitable and consider designing redundant services between multiple providers.
4. Choose a cloud provider that is aligned with your risk tolerance.
– Assess various cloud service providers and choose the one that best fits your budget and risk tolerance.
– Don’t bargain-hunt for a cloud provider — you may one day wish you had chosen a provider with stronger security.
Robert Malmrose is Chief Security Officer at Quantitative Risk Management and a featured speaker in the Cloud Security and Risk Summit at Cloud Connect Chicago 2013. This post is a summary of Robert’s article that was published in InformationWeek.
By Emily Johnson
Cloud Connect Chicago 2013 is taking a new approach to the program this year. The focus is on the top cloud computing infrastructure management platforms, including OpenStack, CloudStack, Eucalyptus and VMware, and on the full-fledged stack wars that are currently playing out in the media.
We had an opportunity to sit down with Randy Bias, Cloudscaling’s CEO & CTO and Director of the OpenStack Foundation, who organized the Cloud Connect OpenStack track and Boot Camp, and he shared his thoughts on how his program is coming together and what he thinks attendees will gain from it.
The weather is an integral part of our lives. Most of us check it every morning before we get dressed and note the forecast for the coming days. We prepare our wardrobes, plan “sick days” around serendipitous sunshine, and buy umbrellas, all based on our very basic analysis of the information we receive. And when it comes to the weather, nobody likes getting caught off guard, especially the enterprise.
This year at Cloud Connect Chicago we’re excited to welcome Paul Walsh, VP of Weather Analytics and Meteorologist of The Weather Company and former U.S. Air Force meteorologist, to the keynote stage. Paul will provide attendees with an overview of how to use big data analysis to predict weather patterns in order to help drive important business decisions. A few notable organizations that Paul has worked with in the past include Wal-Mart, The Home Depot, Citibank and numerous hedge funds.
A couple of interesting facts about Paul:
- As a U.S. Air Force meteorologist, Walsh provided intelligence support for missions and served as chief of weather operations for the Army’s elite 101st Airborne during Desert Storm.
- Walsh has over 15 years of experience analyzing weather patterns.
- You can follow Paul on tumblr at Rethinking Weather or on Twitter @PaulEWalsh
Be sure to attend Cloud Connect Chicago October 21-23, 2013 at McCormick Place to hear Paul provide the forecast for your business strategy. Register early to lock in Early Bird rates and save up to $500 on Conference Passes!
We’ve had time to collect all of the evaluation data and now have a conclusive top 10 ranked speakers from Cloud Connect Silicon Valley 2013.
We had loads of great content this year and want to say thanks again to all of you who presented and contributed to a great event.
Join us in congratulating these speakers by giving them a tweet—don’t forget to include #ccevent!
- Jeremy Edberg, Reliability Architect, Netflix
Congratulate Jeremy @jedberg
Congratulate Adrian @adrianco
Congratulate Jinesh @jinma
Congratulate Barb @barbgoldworm
Congratulate Thomas @tsbarton
Congratulate Toby @TobyDOwen
Congratulate William @ayewill
Congratulate Alistair @acroll
Congratulate Bernard @bernardgolden
Congratulate Neal @nsample
If you’re interested in speaking at our Chicago event held from October 21-24 at McCormick Place we’re still accepting submissions through April 29.
I am the Programs Specialist for Cloud Connect and work directly with our General Manager, Steve Wylie to manage the conference agenda and speaker recruitment. Many of you may recognize my name from our correspondence around the call for submissions; yes, I’m the one you’re trying to finagle that extension with.