Skip to main content

A Birthday Tribute to Dr. Seuss

Cloud Security According to Dr. Seuss

Credit and props to Graham Thompson, CCSK, CISSP (www.intrinsec.ca)

 

The budget was tight.

For hardware we could not pay.

So we sat around thinking

All that cold, cold, wet day.

 

I sat there with Sally

We sat there, we two.

And I said “How I wish

we had an Internet e-commerce server or two!”

 

An idea I had, that would be really far out

Something that would really fit the bill

But we continued to dream because

A server room we could not fill

 

So all we could do was to

Sit!

                Sit!

                                Sit!

                                                Sit!

And we did not like it.

Not one little bit.

 

And then we saw the ad.

It said if you are too busy for IT,

You want cloud without a doubt!

So we went to the site,

To see what it was about.

 

We called in a hurry

Excited to hear some more.

The salesman seemed nice and said

You are exactly who we made cloud for!

 

No stacking or racking, no effort or pain!

Up in 5 minutes, he would proudly state.

And our business would be live, that very same day -

And best of all, there’s no employees to pay!

 

We know how IT is done

Any issues would go far, far away.

And more great news!

We can give you free apps, only if you sign up today.

 

What about credit cards I asked

How do we accept pay?

He said PCI is automatically met

If you follow our way.

 

Our dreams of world domination

Would come true this rainy day

So in a big rush, we whipped out our card

We signed up so fast without much regard.

 

We entered the numbers so fast

On the keyboard just then

We made a mistake or two

And entered them again

 

Just click these few buttons.

You will see something new.

Two things.  And I call them

Instance One and Instance Two.

 

Our screens lit up

It was so nifty!

We were entering data

All this for just a buck fifty

 

One year later audit came calling.

The PCI auditor came to see what we were doing

After saying hello he said

Show me the logs of the system I am reviewing

 

We were at a loss

We had no idea of what to say

The salesman told us no PCI problems

If we ran it this way

 

The auditor said “No! No!”

Tell that salesman to go away!

You are not compliant

Running your system this way.

 

The problem is not that it’s cloud,

But you must maintain compliance.

You still have things to do.

This isn’t rocket science.

 

SaaS, PaaS, IaaS,

It matters not which you do.

You’ll always be responsible for client data

And accountable too

 

Where’s your PAN encryption?

Where are your logs and other audit data?

When real information is used

You need to show me, even if in beta!

 

I have to fail you.

Process more you will not.

Your credit privileges are revoked,

“What now?” I immediately thought.

 

Now in a panic

I have no clue who to call

I went to the site and an email is all

Why can’t I call, oh who can I call?

 

I post on the forum and a fellow replies

He says RTFM and then says Good Bye.

Now what am I to do?

Oh my,

Oh my

Oh my

 

There is my story

When you enter the cloud

About things that go wrong

when you leave governance in a shroud.

 

Should we tell clients about it?

Now, what should we do?

Well…

What would you do

If your client asked you?

 

 

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.