Weekly Industry Round-up, Week of 5/24
Posted by hyperguard on May 28, 2010
Cloud Computing Basics: Planning and Understanding a Cloud Strategy
In this article, John Weathington argues that there is still a lot of confusion about what the cloud is, and that there shouldn’t be. For midmarket companies, cloud services are simply a way to outsource issues to a third party on a pay-as-you-use engagement model. However, companies are concerned about cloud security because any time you trust a third party, you take on risk. In some cases, particularly when data privacy is a concern, the risks may outweigh the potential benefits. John suggests starting with low-risk/high-value cloud plays such as collaboration and building from there. Once you understand how to make your cloud strategy work for you, you might actually find you’re a cloud computing enthusiast.
Anti-Clickjacking Defenses ‘Busted’ In Top Websites
New research from Stanford University and Carnegie Mellon University’s Silicon Valley campus found that frame-busting, a popular technique that stops a website from operating when it’s loaded inside a frame, does not prevent clickjacking. Clickjacking attacks use malicious iframes inserted into a Web page to hijack a user’s Web session. The researchers used a security feature in the Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites’ frame-busting methods. They tricked the browsers’ cross-site scripting (XSS) filter into treating frame-busting as an XSS attack: the frame-busting code is tacked onto the URL, the filter sees what looks like content from the URL appearing in the Web page and attempts to block it, and so the frame-busting script never executes.
PCI Tokenization Guidance Could Benefit Payment Processors
The Payment Card Industry Security Standards Council (PCI SSC) is expected to release guidance later this year on the use of tokens to replace credit card data. This move could benefit some payment processors that sell technologies using encryption and tokenization to eliminate sensitive card information from merchant systems. According to Bob Russo, general manager of the PCI SSC, there won’t be any major changes to the data security standards (PCI DSS), but guidance documents are being developed to help merchants decide whether investing in encryption or PCI tokenization technologies is a good move.