Interesting news on the cloud / virtualization security front. Christofer Hoff over at the Blog Rational Security is reporting that the PCI Security Standards Council will form a Virtualization / Cloud SIG. In case you're not familar with the PCI Security Standards Council, they are an open global forum focused on the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. They are uniquely positioned to address the challenges of both cloud computing and virtual infrastructure security.
In Hoff's post, he outlined an email from Troy Leach, technical director of the PCI Security Standards Council in which he said,
" A SIG for virtualization is coming this year but we don't have any firm dates or objectives as of yet. Only those 500-600 companies (which include Vmware, Microsoft, Dell, etc) that are participating organizations or the 1,800+ security assessors can contribute. As you can imagine with those numbers, we already receive thousands of pages of feedback and are obligated to read all comments and suggestions."
If this is true, it could have some fairly broad implications for the broader cloud computing community. As a number of people have pointed out on the CCIF mailing list, security is one of the leading concerns when dealing with cloud computing. I am looking forward to seeing what emerges out their activities.
Here is the original post