Cloud Security According to Dr. Seuss
Credit and props to Graham Thompson, CCSK, CISSP (www.intrinsec.ca)
The budget was tight.
For hardware we could not pay.
So we sat around thinking
All that cold, cold, wet day.
I sat there with Sally
We sat there, we two.
And I said “How I wish
we had an Internet e-commerce server or two!”
An idea I had, that would be really far out
Something that would really fit the bill
But we continued to dream because
A server room we could not fill
So all we could do was to
And we did not like it.
Not one little bit.
And then we saw the ad.
It said if you are too busy for IT,
You want cloud without a doubt!
So we went to the site,
To see what it was about.
We called in a hurry
Excited to hear some more.
The salesman seemed nice and said
You are exactly who we made cloud for!
No stacking or racking, no effort or pain!
Up in 5 minutes, he would proudly state.
And our business would be live, that very same day -
And best of all, there’s no employees to pay!
We know how IT is done
Any issues would go far, far away.
And more great news!
We can give you free apps, only if you sign up today.
What about credit cards I asked
How do we accept pay?
He said PCI is automatically met
If you follow our way.
Our dreams of world domination
Would come true this rainy day
So in a big rush, we whipped out our card
We signed up so fast without much regard.
We entered the numbers so fast
On the keyboard just then
We made a mistake or two
And entered them again
Just click these few buttons.
You will see something new.
Two things. And I call them
Instance One and Instance Two.
Our screens lit up
It was so nifty!
We were entering data
All this for just a buck fifty
One year later an audit came calling.
The PCI auditor came to see what we were doing
After saying hello he said
Show me the logs of the system I am reviewing
We were at a loss
We had no idea of what to say
The salesman told us no PCI problems
If we ran it this way
The auditor said “No! No!”
Tell that salesman to go away!
You are not compliant
Running your system this way.
The problem is not that it’s cloud,
But you must maintain compliance.
You still have things to do.
This isn’t rocket science.
SaaS, PaaS, IaaS,
It matters not which you do.
You’ll always be responsible for client data
And accountable too
Where’s your PAN encryption?
Where are your logs and other audit data?
When real information is used
You need to show me, even if in beta!
I have to fail you.
Process more you will not.
Your credit privileges are revoked,
“What now?” I immediately thought.
Now in a panic
I have no clue who to call
I went to the site and an email is all
Why can’t I call, oh who can I call?
I post on the forum and a fellow replies
He says RTFM and then says Goodbye.
Now what am I to do?
There is my story
When you enter the cloud
About things that go wrong
when you leave governance in a shroud.
Should we tell clients about it?
Now, what should we do?
What would you do
If your client asked you?