PCI DSS Requirement 9: MSPs Must Trust, and Verify
… several customer businesses and make the service providers’ future untenable as word spreads. Add to this that there are a fair number of companies in the granular security PCI compliance space already, and it’s not an easy topic to settle.
Theoretically, since customer data lives in containers or VMs that sit above the hardware, physical access to the racks shouldn't pose a particular threat unless the person also holds login credentials for the VM or container. But we all know that, in the end, the data is stored on physical disks, and an admin who is logged into the hardware does have access to those disks. That is why physical access control of one kind or another is still required.
If your organization hasn’t considered the options in a while, it is well worth having the discussion. I’m not here to give you answers, only to suggest you consider it (or possibly reconsider it), and decide what makes the most sense for your organization.
Don MacVittie is the founder of Ingrained Technology, and has worked in every facet of IT from entry-level programmer to CIO, from network operations to storage and database analysis. He currently works in DevOps while running a successful technical evangelism consultancy. Don has contributed to projects his company worked on for organizations in DevOps, DevOps leadership, data protection, network security, global file systems and non-IP communications spaces, along with several international publications and PR firms. His MSSP background is in communications and utilities. Follow him on LinkedIn or Twitter @dmacvittie.