BackupTechnology
BackupTechnology's Business Backup Blog
Posted 17-Nov-2009 10:35 |  1 Comment
A spokesman for security vendor Trend Micro has voiced concerns at an IT convention regarding the security of cloud computing platforms. Dave Rand highlighted the current issues facing cloud computing services and suggested that the solution for improved security would lie in the hands of the cloud clients.

Rand suggested that in the current market, very few cloud computing providers had appropriate online backup contingencies. This results in a system that does not adequately monitor those who are accessing data within the cloud. Rand identified that a centralised security scheme has not been implemented because it would adversely affect the performance of cloud data storage.

The solution suggested by Trend Micro is an increasing emphasis on grass-roots data security, using encryption and key management to protect data before it is submitted to the cloud. This would require encryption and decryption by the end user.

Rand accepted that this type of business continuity data protection is far from a perfect solution to the potentially problematic issue of cloud computing security. He highlighted how inevitable instances of lost decryption keys could render encrypted data unreadable. He also alluded to the vulnerability of the data whilst it was in transit to and from the cloud. The key message being conveyed by Trend Micro is that as cloud computing grows in popularity and the exodus from older platforms begins, there are going to be multiple instances of data theft.

An alternative viewpoint was aired by former security advisor to the US Government, Howard Schmidt. Schmidt agrees that data needs to be encrypted and protected whilst it is being transferred and during its time in storage. However, he also suggests that cloud computing companies are taking on board the concerns of the IT industry. The ideal solution to the problem would of course be encryption and decryption built into the cloud environment experienced by the end-user. In reality, it is only through further investment and increased popularity that cloud computing providers are likely to be able to meet the security requirements of their clients.
Posted 23-Oct-2009 09:49 |  0 Comments
The Payment Card Industry Security Standards Council has only been a recognised entity for three years. In this short time, compliance with its 12-step Data Security Standard model (PCI DSS) has helped improve the integrity of data on a global scale.

The PCI DSS is quite clear as to exactly what kinds of data need to be protected and this simplicity is one of its most powerful aspects. Protection of cardholder data, personal health information and personally identifiable information are of course key to proper data security. However, data protection under the PCI DSS regulations is not solely based on knowing which kinds of data to protect. It is also about accurate data tracking within a business network as a whole.

Dave Mortman, writing for Security Search, stipulates that proper data management in the PCI is far from solely the concern of IT departments. The technology can only go so far to prevent data becoming compromised. To properly comply with the PCI DSS it is necessary to factor in the human element. Electronic storage and security solutions will use data in a predictable and consistent way. Employees on the other hand will often handle and use data in unique and unimaginable ways. As such, a healthy dialogue created via meetings and interviews will construct a better understanding of the data integrity within your own business.

The fact that some, if not all, of the companies involved in this fraud case were PCI DSS compliant before the attacks sparked questions about the efficacy of PCI regulations. Steve Dauber, vice president of marketing at RedSeal, noted that PCI audits are only the beginning.

“PCI is actually a pretty reasonable set of basic security recommendations,” he said. “The problem is that businesses mistake passing a PCI audit with being PCI compliant. Audits aren’t comprehensive by nature—they will never catch every potential error in implementation. More importantly, audits occur at a point in time, but your IT infrastructure changes constantly. So even if you do pass your audit, you may fall out of compliance the next week. If you want to benefit from PCI, you need to maintain compliance both comprehensively and continuously.”