Archive for July, 2010

Auditors View of OpenStack & CloudAudit Update

Cloud computing has seen some exciting announcements over the past few weeks so here is the Pragmatic Auditor’s perspective.

This week, OpenStack was launched. OpenStack is a new collaborative effort to bring an open source cloud computing platform to the market. Spearheaded by Rackspace and NASA, OpenStack provides open source distributions for file storage and provisioning. With open source alternatives to VMware or Microsoft’s Azure, as well as Amazon’s Web Services, the expectation is that OpenStack will provide a much lower barrier of entry for new cloud and service providers.

So I’ll leave the market / revolution discussion to my MBA classmate Dave Rosenberg (Editor at Software Interrupted CNET) and focus on the audit and compliance considerations:

  • With an increased number of providers not to mention open source itself, the need for transparency of controls is even greater.
  • A by-product of OpenStack will be an increase in service provider to sub-service provider relationships (e.g. a SaaS company hosts at an IaaS co-lo and has its systems maintained by a managed service provider). The most important thing for cloud providers is to be able to map out all their customers’ control and compliance requirements, ensuring there are no “gaps” where one provider thinks the other is doing something (and vice versa).
  • Service providers need to carefully evaluate what assurance and compliance tools suit their customers best. This involves doing a requirements and cost-benefit analysis of SAS 70 / SSAE 16 audits and assessments, PCI DSS validation, SysTrust, ISO 27001 certification, or any combination of those and more.

I saw the earnings release yesterday and Amazon is not about to go out of business. I believe we will see more provider players and the need for new players to substantiate that they can provide a service that is as reliable and secure as AWS.

CloudAudit Update

Along these lines, another recent update is that the CloudAudit group recently published version 1.0 of the CloudAudit specification to the IETF. I am an active member in CloudAudit and this is very exciting. The goal of CloudAudit is not to develop a new standard, but to develop new mechanisms for sharing control information. The version 1 draft laid out the framework for a directory structure that includes the ability for a service provider to post data that can be queried directly or through an API by technologies like GRC.

I will provide more updates in the coming weeks. We will soon be releasing the first set of “compliance paks” which utilize the Cloud Security Alliance Cloud Controls Matrix as the initial set of controls that are leveraged in the CloudAudit API.

That’s all for now.  Time to leave the cloud and head back down to earth for more IT audits!

Doug Barbin Interviewed About Cloud Computing Audits

The following interview was filmed at the Cloud Computing Expo in New York City back in April. In it, Doug Barbin discusses audits, compliance, and information security for cloud providers as well as the changing landscape of standards (including the shift from SAS 70 to SSAE 16 and ISAE 3402).
Source: http://cloudcomputing.sys-con.com/node/1453886

PCI Compliant Payment Applications – No Longer Optional!

While the change was announced years ago, the deadline is now here, and using a payment application that has been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS) is no longer optional.

Effective July 1, 2010 – “Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications.” (Source: Visa Website)

What does this mean for Service Providers?

  • The PA-DSS applies only to stand-alone software products that are commercially available off the shelf (COTS).
  • If you develop your own payment application, offered as a service (i.e. SaaS model), you do NOT have to comply with the PA-DSS.
  • You still have to undergo validation by a QSA for the regular PCI DSS requirements. These requirements include controls for application security as well.

What does this mean for Merchants?

  • If you utilize a third-party payment application, you must use only those applications that have been validated. A list can be found here.
  • If you outsource to a service provider, a PCI DSS validation is sufficient if they have developed their own platform and offer it as-a-service.

As always, check with your QSA to determine what your responsibilities are with respect to payment applications.  Feel free to contact one of our QSAs if you would like to discuss further.

PCI Resource Center Now Available

SAS 70 Solutions has released a new resource center on our website for PCI information. Content includes preparedness tools, terms, FAQs, and more. Visit the PCI resource center here.