Cloud Security According to Dr. Seuss

Credit and props to Graham Thompson, CCSK, CISSP.


The budget was tight.

For hardware we could not pay.

So we sat around thinking

All that cold, cold, wet day.


I sat there with Sally

We sat there, we two.

And I said “How I wish

we had an Internet e-commerce server or two!”


An idea I had, that would be really far out

Something that would really fit the bill

But we continued to dream because

A server room we could not fill


So all we could do was to





And we did not like it.

Not one little bit.


And then we saw the ad.

It said if you are too busy for IT,

You want cloud without a doubt!

So we went to the site,

To see what it was about.


We called in a hurry

Excited to hear some more.

The salesman seemed nice and said

You are exactly who we made cloud for!


No stacking or racking, no effort or pain!

Up in 5 minutes, he would proudly state.

And our business would be live, that very same day -

And best of all, there’s no employees to pay!


We know how IT is done

Any issues would go far, far away.

And more great news!

We can give you free apps, only if you sign up today.


What about credit cards I asked

How do we accept pay?

He said PCI is automatically met

If you follow our way.


Our dreams of world domination

Would come true this rainy day

So in a big rush, we whipped out our card

We signed up so fast without much regard.


We entered the numbers so fast

On the keyboard just then

We made a mistake or two

And entered them again


Just click these few buttons.

You will see something new.

Two things. And I call them

Instance One and Instance Two.


Our screens lit up

It was so nifty!

We were entering data

All this for just a buck fifty


One year later audit came calling.

The PCI auditor came to see what we were doing

After saying hello he said

Show me the logs of the system I am reviewing


We were at a loss

We had no idea of what to say

The salesman told us no PCI problems

If we ran it this way


The auditor said “No! No!”

Tell that salesman to go away!

You are not compliant

Running your system this way.


The problem is not that it’s cloud,

But you must maintain compliance.

You still have things to do.

This isn’t rocket science.


SaaS, PaaS, IaaS,

It matters not which you do.

You’ll always be responsible for client data

And accountable too


Where’s your PAN encryption?

Where are your logs and other audit data?

When real information is used

You need to show me, even if in beta!


I have to fail you.

Process more you will not.

Your credit privileges are revoked,

“What now?” I immediately thought.


Now in a panic

I have no clue who to call

I went to the site and an email is all

Why can’t I call, oh who can I call?


I post on the forum and a fellow replies

He says RTFM and then says Goodbye.

Now what am I to do?

Oh my,

Oh my

Oh my


There is my story

When you enter the cloud

About things that go wrong

when you leave governance in a shroud.


Should we tell clients about it?

Now, what should we do?


What would you do

If your client asked you?