This article is intended for software development and IT teams who want to securely build and deploy applications in cloud computing environments, specifically PaaS and IaaS. Cloud computing mostly brings security benefits to applications, but as with most areas of cloud technology, it does require significant changes to existing practices, processes, and technologies that were…
Category: compliance
How Cloud impacts Incident Response
The Incident Response (IR) Lifecycle Preparation: “Establishing an incident response capability so that the organization is ready to respond to incidents.” Process to handle the incidents. Handler communications and facilities. Incident analysis hardware and software. Internal documentation (port lists, asset lists, network diagrams, current baselines of network traffic). Identifying training. Evaluating infrastructure by proactive scanning…
QuickGuide: Cloud Incident Response Recommendations
SLAs and setting expectations around what the customer does versus what the provider does are the most important aspects of incident response for cloud-based resources. Clear communication of roles/responsibilities and practicing the response and hand-offs are critical. Cloud customers must set up proper communication paths with the provider that can be utilized in the event of an incident….
QuickGuide: FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government–wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, and…
Oracle Data Safe and Consumer Privacy Acts
New consumer data privacy laws are cropping up through out the US. Just like the European Union’s General Data Protection Regulation (GDPR), these Acts force the hand of many (but not all) organizations to protect consumers’ data privacy rights. Privacy Acts aim to safeguard consumer privacy and it doesn’t just mean names and addresses, but also…
QuickGuide: PCI Guidelines at a glance
PCI DSS (Payment Card Industry Data Security Standard) is an industry mandate. If your enterprise accepts credit card payments or handles payment card data, it must comply with PCI DSS. Here are the 12 key requirements set by PCI DSS – Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults…
PCI: Are you a merchant or a service provider or both?
I was recently asked by one of my clients going through a PCI compliance assessment, if they were a merchant or a service provider? Sounds like a simple question. So, let’s dig deeper. The PCI Security Standards Council (SSC) defines a merchant this way: For the purposes of the PCI DSS, a merchant is defined…