Wednesday, July 27, 2011

Security and Compliance in the Cloud

I was reminded by many local IT leaders today while attending a Cloud information session that security and compliance are still top of mind when discussing Cloud IT.

The table below is the latest research I have done into vendor claims around compliance.


As always seems to be the case with technology, the devil is in the details. If you have ever worked with PCI compliance, you know that infrastructure is just one piece of the puzzle. Vendors like Amazon and Microsoft can and do meet infrastructure requirements for PCI compliance. Does this mean that if I host my e-commerce site on Amazon's EC2 Cloud Service I'm suddenly PCI compliant? Not by Amazon alone. You have solved some of the puzzle, but you still have to deal with data storage, encryption, etc. These are application-level issues that Amazon's EC2 does not address (by design).

This doesn't mean public cloud providers are not serious about security or compliance (quite the opposite, actually). It simply means cloud providers are not silver bullets in the security or compliance category, and you still need to engineer an appropriate solution to meet any security or compliance requirements you have. Public cloud providers can still be used to achieve compliance across a number of initiatives.

Cloud providers add some impressive tools to your toolbox - use them wisely.

-Kris
