|By Lori MacVittie||
|August 18, 2009 06:15 PM EDT||
The recent admission / announcement that “Amazon EC2 is not PCI compliant” (this is not exactly true, but we’ll get to that later) has set off a rush of blogs, articles, and tweets that say, in effect, EC2 is no longer “safe”. But a lack of compliance does not make Amazon any more less safe than achieving PCI compliance makes a site more safe.
Ladies and gentlemen of the Internet, I submit as proof the admission of Heartland CEO Robert Carr that even though their “site” and “systems” were designated as PCI compliant, still they were attacked, breached, and the subject of ridicule and scorn for months in the press and security-focused blogosphere.
“PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.” – Heartland CEO Robert Carr in an interview with Bill Brenner, Senior Editor, CSO Online.
PCI compliance doesn’t automatically make a site safe. Lack of PCI compliance doesn’t make EC2 unsafe, either. It means it isn’t compliant with the policies designated by the PCI council for handling credit card transactions and sensitive data. And, if we look past the hand-waving, we’ll find that Amazon admits you can’t build a PCI Level 1 compliant application using EC2 and S3, but you can build a PCI Level 2 compliant application.
“It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance.”
So how does this statement translate into “OMG! Amazon is unsafe!”? This is clearly about what the customer can and cannot do, not an admission of the security status of Amazon’s underlying infrastructure.
Amazon clearly states you cannot be level 1 compliant because it requires on-site auditing that they simply can’t (or won’t) allow. The inability to meet a requirement because of logistics (level 1 requires an on-site audit which Amazon states is not possible) is hardly the same as failing to meet the requirement for a firewall, or default password use. The inability to meet that one requirement is hardly reason for condemnation of Amazon’s overall security posture. Its inability for you to meet PCI compliance does not automatically mean its systems and environment are “unsafe”. Amazon points to the “on-site audit” requirement as a reason why you cannot achieve PCI Level 1 compliance. For all we know Amazon meets or exceeds every other requirement for PCI level 1 compliance that is required of a service-provider. Inferring anything about the security posture of Amazon’s internal systems from one message in a forum is simply not possible.
Furthermore, Amazon says YOU cannot build a PCI Level 1 compliant application. In other words, its announcement wasn’t an observation about the security of its systems, it was an observation regarding what you, the customer, can and cannot achieve using its systems.
In fact, in that same forum message that set off this Chicken Little episode, the Amazon representative clearly states Amazon does, in fact, meet PCI compliance standards elsewhere:
Our payment system is PCI compliant and it is an “alternative payment processing service” meaning your users re-direct to our platform to conduct the payment event using their credit cards or bank accounts. [emphasis added]
Nothing in Amazon’s “confession” implies anything about its security posture; if anything its note that its payment systems are PCI compliant means its underlying systems are as secure as any other meeting PCI compliance. Therefore there is no reason to believe that Amazon is any less safe than it was last week. In fact, the statement that you can achieve level 2 compliance means Amazon has, in fact, checked over its systems and that they will meet the requirements required for much of the PCI standard – probably the pieces that are important to assuring the security of systems.
PCI compliance is not a rubber stamp of safety. Achieving PCI compliance does not automatically confer some special safety status upon an organization. Neither does the reverse hold true; organizations that do not fall under PCI and therefore need not worry themselves about compliance with its standards are not necessarily “unsafe”.
This entire situation is a raw deal for Amazon. EC2 and S3 are no more – or less – secure than they were before this unsurprising announcement regarding PCI compliance and applications built atop its systems. The misinterpretation of its admission and its viral-like spread is little more than FUD that does more harm than good – both to Amazon and cloud computing in general.
Related blogs & articles:
- Heartland CEO on Data Breach: QSAs Let Us Down
- An Open Letter to Robert Carr, CEO of Heartland Payment Systems
- PCI Compliance in the Cloud: Get it in writing!
- Amazon Web Services Developer Community: Does Amazon EC2 meet PCI Compliance
- WILS: InfoSec Needs to Focus on Access not Protection
- Cloud Changes Cost of Attacks
- An Unhackable Server is Still Vulnerable
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
Sep. 1, 2015 03:00 PM EDT Reads: 442
In his session at @ThingsExpo, Lee Williams, a producer of the first smartphones and tablets, will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater. He will explain how M2M controllers work through wirelessly connected remote controls; and specifically delve into a retrofit option that reverse-engineers control codes of existing conventional controller systems so they don't have to be replaced and are instantly converted to become smart, connected devices.
Sep. 1, 2015 02:45 PM EDT Reads: 139
The Internet of Things is in the early stages of mainstream deployment but it promises to unlock value and rapidly transform how organizations manage, operationalize, and monetize their assets. IoT is a complex structure of hardware, sensors, applications, analytics and devices that need to be able to communicate geographically and across all functions. Once the data is collected from numerous endpoints, the challenge then becomes converting it into actionable insight.
Sep. 1, 2015 01:00 PM EDT
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
Sep. 1, 2015 12:45 PM EDT Reads: 477
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Sep. 1, 2015 12:30 PM EDT Reads: 909
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
Sep. 1, 2015 12:15 PM EDT Reads: 252
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes about through a Communications Platform as a Service which allows for messaging, screen sharing, video...
Sep. 1, 2015 11:45 AM EDT Reads: 676
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
Sep. 1, 2015 11:45 AM EDT Reads: 324
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of streaming data in the cloud with an enterprise grade SLA. It features built-in integration with Azur...
Sep. 1, 2015 11:15 AM EDT Reads: 232
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
Sep. 1, 2015 09:45 AM EDT Reads: 245
Contrary to mainstream media attention, the multiple possibilities of how consumer IoT will transform our everyday lives aren’t the only angle of this headline-gaining trend. There’s a huge opportunity for “industrial IoT” and “Smart Cities” to impact the world in the same capacity – especially during critical situations. For example, a community water dam that needs to release water can leverage embedded critical communications logic to alert the appropriate individuals, on the right device, as soon as they are needed to take action.
Sep. 1, 2015 09:00 AM EDT
With the Apple Watch making its way onto wrists all over the world, it’s only a matter of time before it becomes a staple in the workplace. In fact, Forrester reported that 68 percent of technology and business decision-makers characterize wearables as a top priority for 2015. Recognizing their business value early on, FinancialForce.com was the first to bring ERP to wearables, helping streamline communication across front and back office functions. In his session at @ThingsExpo, Kevin Roberts, GM of Platform at FinancialForce.com, will discuss the value of business applications on wearable ...
Sep. 1, 2015 08:00 AM EDT
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
Sep. 1, 2015 08:00 AM EDT Reads: 171
While many app developers are comfortable building apps for the smartphone, there is a whole new world out there. In his session at @ThingsExpo, Narayan Sainaney, Co-founder and CTO of Mojio, will discuss how the business case for connected car apps is growing and, with open platform companies having already done the heavy lifting, there really is no barrier to entry.
Sep. 1, 2015 08:00 AM EDT Reads: 150
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Sep. 1, 2015 03:00 AM EDT Reads: 469
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Aug. 31, 2015 09:00 PM EDT Reads: 384
The Internet of Things (IoT) is about the digitization of physical assets including sensors, devices, machines, gateways, and the network. It creates possibilities for significant value creation and new revenue generating business models via data democratization and ubiquitous analytics across IoT networks. The explosion of data in all forms in IoT requires a more robust and broader lens in order to enable smarter timely actions and better outcomes. Business operations become the key driver of IoT applications and projects. Business operations, IT, and data scientists need advanced analytics t...
Aug. 31, 2015 02:30 PM EDT Reads: 430
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
Aug. 26, 2015 07:00 AM EDT Reads: 203
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducted a live demonstration of how quickly application development can happen when the need to comply wit...
Aug. 2, 2015 11:15 AM EDT Reads: 563
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Aug. 1, 2015 10:00 AM EDT Reads: 495