On this blog, the author posts a reply from Amazon about the level of PCI security of EC2 and Amazon Web Services.
As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes.
What strikes me as funny is that PCI Compliance is confusing enough without adding the cloud to it. Also, data security is almost a misnomer with the number of breaches that professional cyber-criminals perpetrate almost weekly. Cloud or no cloud, security is breached.
I guess it's like spam: we'll always have it. And unlike PGP encryption: hardly used at all.
What some companies are doing now is proactively offering to pay for data breach fines should (when) a breach occur. Heartland and Mercury Systems just announced it in Security Management. Other companies are putting a breach mitigation plan in place before a breach occurs so they can quickly respond.