Latest in PCI
Key Takeaway: Starting this past month, the PCI Security Standards Council introduced P2PE Version 2.0, which is the latest step by the PCI towards expanding point-to-point encryption. By drafting more flexible P2PE implementation standards, the PCI aims to facilitate the adoption of this technology by merchants. P2PE enables merchants to encrypt cardholder data at the point of sale, which is vital for protection against hackers.
Key Takeaway: This past month, FedRAMP released the “FedRAMP Penetration Test Guidance.” This document lays out the rigorous testing that cloud service providers must go through before being approved for government use. A focal point of this assessment is testing the vulnerability of “attack vectors,” which are areas of potential security weakness when using cloud services. Furthermore, the document specifies the different testing procedures depending on the cloud service: either software-as-a-service, platform-as-a-service or infrastructure-as-a-service. This assessment is just one, mandatory component of the FedRAMP authorization process, which has additional steps.
Key Takeaway: FedRAMP is a standard, risk-based security framework used to authorize cloud services providers handling federal agency data. Recently, however, there has been serious interest in expanding the FedRAMP standards beyond federal agencies, leveraging them in other international governments, as well as in the public sector. Private-sector cloud-service providers, as well as the GSA, are asserting that FedRAMP would have similar benefits at the state and local levels. Matt Goodrich, the GSA’s FedRAMP director expressed that the GSA, “believes that state and local governments can leverage this security standard for comparable needs at the local level.”
Key Takeaway: Companies and government agencies are quickly realizing that legacy systems are far too cumbersome and outdated to keep up with the modern-day needs of security and compliance, especially as many of these organizations transition to the cloud. Furthermore, maintaining legacy systems is an incredibly costly endeavor and these costs are only expected to increase. “The OPM itself said last year that maintaining its legacy systems could cost 10-15 percent more a year as people with the right kind of expertise retire. And throughout government, legacy systems account for over two-thirds of the annual IT spend.” Unfortunately, these same entities also seem to be stuck with their legacy systems because a transition to more dynamic solutions is even more costly and time-consuming.
Don’t let outdated legacy systems destroy your legacy…. Rethink compliance with ZenGRC!
Photo Credit: Mike Behnken