Episode Summary

iland Cloud Technologist Brian Knudtson is joined by guests Trevor Pott and Christopher Kusek for a conversation about how customers should assess the compliance cloud providers provide. They discuss compliance badges, transparency, going above and beyond, and how the bad guys are always ahead of legislation.


Trevor Pott
Product Marketing Director, Juniper Networks


Christopher Kusek
Founder, Remedy8 Security


Cloud Conversations

Topic 1

[02:05] Trust is obviously a huge component of moving data operations into the cloud. Does having a wide range of compliance badges automatically engender trust in a provider?

Topic 2

[11:40] How transparent should a provider be in their compliance approaches? Should a customer dig into the details of how compliance is achieved, and if so how should they go about doing it?

Topic 3

[25:23] If you're having to approach a new compliance measure, it can force you to look at how you're managing and operating things. Do you see that as essentially a kick to push organizations into doing that re-evaluation?

Cloud Bites

[01:36] “Compliance is a nice start, but it’s only a start.” – Trevor Pott

[03:00] “More often than not, when people talk about compliance, they’re not talking about security or privacy, they’re talking about compliance: the ability to ensure they don’t get fined by not being compliant.” – Christopher Kusek

[10:09] “Compliance means nothing unless there is enforcement. You need transparency, you need regular auditing, and you need enforcement.” – Trevor Pott

[12:12] “Make sure that you are confident in your own ability to secure everything.” – Trevor Pott

[14:21] “You trust it, I believe in you absolutely. Verify that.” – Christopher Kusek

[18:12] "Compliance is only preparing you for the problems we knew existed a while ago and have made their way through a legislative process. Bad guys are faster than that." – Trevor Pott

[20:51] "But then they'll have the rest of their organization that may not need to be 'PCI compliant' yet is filled with decades-old vulnerabilities ready to bring the infrastructure down." – Christopher Kusek

[27:34] “The interesting point, and the quandary that we’ve faced numerous times, which has been responsibility versus accountability.” – Christopher Kusek

[29:36] “That human contact and that human oversight does make a difference. The experience of people as opposed to just blindly pushing a button and trusting it knows what it’s going to do.” – Trevor Pott

[31:30] “Unless you’re paying for backup, they’re not backing it up.” – Christopher Kusek

[32:10] “Just because the cloud provider can give you compliance within certain areas – PCI, ISO, all these different areas it says ‘hey, we’re compliant here’ – that doesn’t make you compliant. You still have to do your part.” – Christopher Kusek

[33:06] “You’re offloading or outsourcing the effort, but you’re not necessarily (rarely are) outsourcing the responsibility.” – Brian Knudtson


Episode Asset

Blog Post: Compliance in the Cloud, We’ve Got You Covered

How do you know you are doing the right thing to protect your organization? How do you verify that you are following best practices around security and data protection? Many times, security and compliance are lumped together, but they do have slight differences and work together to form the overall picture.

When it comes to cloud, compliance can get a little muddy because you never really know what is your responsibility and what the cloud provider is doing. Do you bring your own tools and certifications? Do you have visibility into the reports you need for auditing? Does the provider even know how your regulated industry treats the various compliance requirements? That's where we come in to help.