Security: Safety First
"We won't be involving our security team in this project until the last possible moment, because the answer will be 'no.'" That from a VP at one of the largest retailers in the world. He's evaluating a cloud-centric initiative that could dramatically improve the company's operations, and he went on to say that bringing the CISO in without building the entire plan beforehand is a death knell for any project.
Think this isn't going on in your shop? Keep sipping the happy juice. This VP guaranteed that end runs are standard practice among his peers. And the standard mantra of "it's against compliance rules" won't only make you seem out of touch--you may well be wrong. PCI 2.0, the standard that governs the security of credit and debit card data, was just released. It has little guidance specific to cloud computing, but it does lay out clearer rules for off-premises transactions. In addition, Amazon recently announced that its Elastic Compute Cloud is certified for conducting Level 1 transactions; the company will begin offering that service this year. The next official PCI standard will likely have in-depth rules for cloud computing, but it won't be released until 2013.
Security teams, take note: There's a new set of guidelines, and a major cloud vendor has a platform certified for some level of transactions that are subject to PCI rules. If you think saying "wait until 2013" is a good move for your business, consider polishing up your résumé.
The better answer is providing forward-thinking security and connectivity guidelines that people outside IT can understand and use. Make sure your guide covers all the policies you've established and explains the outside compliance areas you're forced to adhere to. We discuss the seven key areas that must be included in a cloud policy in our full Analytics Report.
Connectivity: The Right Connections
Just 29 percent of those using or planning to use a cloud service have scoped out the architectural impact on their Internet infrastructure. You should be running these numbers before engaging any cloud provider.