There is a dilemma for all tenants of a public or private cloud: scope. Tenants want everything to be in scope. Cloud Service Providers (CSPs) want to limit scope to the bare minimum. What does it mean for a cloud to be ‘PCI Compliant’, and why is this a requirement for some tenants? The real issue is what is in scope for PCI-DSS while your data is in the cloud, and how you as the tenant can meet those requirements. Remember, in the cloud, scope becomes a huge issue and a dilemma for the tenant, mainly because they may not know the scope of the cloud provider’s audit and may never find out. So what is this scope issue, and can it be fixed?
Articles Tagged with PCI Compliance
I have written about the Public Cloud Reality and the need to bring your own security, monitoring, and support. This was reinforced by Dave Asprey of Trend Micro at the last Cloud Security Alliance Summit, held at this year’s RSA Conference. The gist of Dave Asprey’s talk was that YOU are responsible for the security of your data, not the cloud service provider. Unfortunately, this sort of discussion often devolves into one of shared vs. tenant responsibility, the type of data, etc. It will also devolve into a legal discussion just as quickly. Unfortunately, all this does is point fingers. The long and the short of this discussion is about two items often mixed as one.