Cloud Computing Security Rules Put Responsibility on Users
February 11, 2013. Grazed from American Banker. Author: Penny Crosman.
The PCI Data Security Standard Cloud Computing Guidelines are detailed and spell out who — client or cloud service provider — has responsibility for what types of security precautions. For instance, installing and maintaining a firewall to protect cardholder data would be a shared responsibility between client and provider under infrastructure-as-a-service and platform-as-a-service cloud configurations. But for software-as-a-service, in which the cloud provider hosts software delivered over the web, the firewall would be the sole responsibility of the provider, the PCI Council has decided.
An overarching theme of the guidelines is that users of cloud services should not lean on their cloud providers for security. "Cloud security is a shared responsibility between the cloud service provider and its clients," the report states. "As they should, the rules put some onus on the cloud service provider and some on the client," observes Anton Chuvakin, research director at Gartner. "In general, a client has more responsibilities and the document reflects that correctly."…
Many companies adopting cloud services have relied on their cloud providers to take care of PCI compliance, notes Pravin Kothari, CEO and founder of CipherCloud, a San Jose company that provides encryption for cloud computing arrangements. "This guidance is an eye opener for these people, because it clearly says that clients cannot blame cloud providers. The client is still responsible for ensuring the cardholder data is secure."…
Read more from the source @ http://www.americanbanker.com/issues/178_29/cloud-computing-data-security-rules-put-responsibility-on-users-1056664-1.html