Credit card numbers compromised in an attack against Web hosting provider Network Solutions expose one of the security problems faced by cloud computing.
The company says its infrastructure complied with payment card industry (PCI) standards when the data was possibly stolen via software installed on its servers.
The standards are designed specifically to protect this type of data by specifying in great detail how data should be handled and stored, who should be allowed access and how that access is enforced.
The problem is whether PCI-compliant networks stay compliant once they get approval. The PCI council claims that no breaches have been successful against networks that were fully PCI compliant at the time of the breaches.
Presumably the businesses supporting PCI are highly motivated because the standards protect billions of dollars of transactions and the potential loss of billions in liabilities if personal data is stolen and exploited.
The cloud computing community has no such standards, although it is working hard to come up with some. As the PCI experience has shown, having standards and even complying with them is no guarantee that breaches won’t occur. What is in compliance today could fall out of compliance tomorrow.
That’s a fact that won’t change, and it is just as true that data exposed to the Internet - no matter who owns the infrastructure - may fall prey to attacks. So the answer may be to keep the most critical data under direct corporate control, assuming the corporate security structure is better than that of a cloud provider.
The flip side is that from a strictly financial point of view, it may make more sense to entrust data to the cloud but only with SLAs that impose penalties severe enough to recoup losses should breaches occur anyway.