Episode Summary

iland Cloud Technologist Brian Knudtson is joined by guests Trevor Pott and Christopher Kusek for a conversation about how customers should assess the compliance cloud providers provide. They discuss compliance badges, transparency, going above and beyond, and how the bad guys are always ahead of legislation.

Panel

Cloud Conversations

Topic 1

[02:05] Trust is obviously a huge component of moving data operations into the cloud. Does having a wide range of compliance badges automatically engender trust in a provider?

Topic 2

[11:40] How transparent should a provider be in their compliance approaches? Should a customer dig into the details of how compliance is achieved, and if so how should they go about doing it?

Topic 3

[25:23] If you’re having to approach a new compliance measure, it can force you to look at how you’re managing and operating things. Do you see that as essentially a kick to push organizations into doing that revaluation?

Cloud Bites

[01:36] “Compliance is a nice start, but it’s only a start.” – Trevor Pott

[03:00] “More often than not, when people talk about compliance, they’re not talking about security or privacy, they’re talking about compliance: the ability to ensure they don’t get fined by not being compliant.” – Christopher Kusek

[10:09] “Compliance means nothing unless there is enforcement. You need transparency, you need regular auditing, and you need enforcement.” – Trevor Pott

[12:12] “Make sure that you are confident in your own ability to secure everything.” – Trevor Pott

[14:21] “You trust it, I believe in you absolutely. Verify that.” – Christopher Kusek

[18:12] “Compliance is only preparing you for the problems we knew existed awhile ago and have made their way through a legislative process. Bad guys are faster than that.” – Trevor Pott

[20:51] “But then they’ll have the rest of their organization that may not need to be ‘PCI Compliant’ yet is filled with decades old vulnerabilities ready to bring the infrastructure down.” – Christopher Kusek

[27:34] “The interesting point, and the quandary that we’ve faced numerous times, which has been responsibility versus accountability.” – Christopher Kusek

[29:36] “That human contact and that human oversight does make a difference. The experience of people as opposed to just blindly pushing a button and trusting it knows what it’s going to do.” – Trevor Pott

[31:30] “Unless you’re paying for backup, they’re not backing it up.” – Christopher Kusek

[32:10] “Just because the cloud provider can give you compliance within certain areas – PCI, ISO, all these different areas it says ‘hey, we’re compliant here’ – that doesn’t make you compliant. You still have to do your part.” – Christopher Kusek

[33:06] “You’re offloading or outsourcing the effort, but you’re not necessarily (rarely are) outsourcing the responsibility.” – Brian Knudtson