Perhaps the largest point of confusion regarding the Payment Card Industry Data Security Standard (PCI DSS) and cloud computing is the question of who actually carries the compliance burden. In 2011, several cloud providers began asserting that their clouds had been validated as PCI DSS compliant. That is all well and good, but unfortunately this validation does not trickle down to the customers who deploy servers within the provider's infrastructure. If your organization wants to migrate PCI DSS in-scope systems to a public cloud, there are several things to consider.
First and foremost, a cloud provider's platform is just that: a platform. Physical servers are not certified PCI compliant by their hardware manufacturers, and neither are operating systems by their vendors. The platform and software employed serve as a medium upon which businesses can operate. It should be noted, however, that a provider's PCI validation does not just cover equipment; it covers process as well.
So while you cannot certify a hardware vendor's server, you can verify that the provider operating that server has locks on the doors, implements segregation of duties and patches as required. Validating a provider is really about auditing its processes rather than its platform. How the customer conducts itself and its operations, however, ultimately determines whether the company is operating within the spirit of the PCI DSS.
Organizations should also be aware of what the cloud provider considers its responsibility. It varies by provider, but the PCI Security Standards Council has attempted to illustrate the separation of responsibility between customers and cloud providers. Based on an Information Supplement published in June 2011 entitled PCI DSS Virtualization Guidelines, the council holds that in an Infrastructure-as-a-Service (IaaS) deployment, customers should consider the data, software, user applications, operating systems, databases and the virtual infrastructure as their responsibility with regard to compliance, even though most public cloud IaaS providers hide their virtualization underpinnings from clients.
To err on the side of caution, it is prudent to treat the virtualization infrastructure as beyond your scope of control. That said, one area where a cloud provider can help with PCI DSS is the segmentation of data belonging to different tenants. Since tenants share the same physical hardware, physical isolation is not available, and the cloud provider must be able to demonstrate the effectiveness of its logical segmentation, especially as it relates to PCI scope.
What about the traditional technical controls that have been vetted to help organizations attain a measurable level of compliance? Unfortunately, those tools were vetted as controls for relatively static environments and platforms (i.e. on-premises servers). Cloud environments introduce nuances that many of these tools were not designed to account for: dynamic IP addressing of servers, cloud bursting, rapid deployment and equally rapid teardown of servers. A vulnerability scanner or log correlator that identifies a host by its IP address, for instance, will report a reassigned address as the same host it scanned last month and a restarted server with a new address as a brand-new one.
Auditing and assessment of deployed servers is another challenge presented by cloud environments. If we train ourselves to think of our servers as semi-static entities deployed on a dynamic architecture, we will be better prepared to educate internal stakeholders, partners and assessors on the cloud nuances above, and on how the organization has implemented safeguards to ensure adherence to PCI DSS.
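To make the IP-keyed failure mode concrete, here is an added example (not from the original article or from any vendor tool) that reconciles two constructed asset-inventory snapshots of the same cloud environment. The first reconciliation keys hosts by IP address, the way a static-environment tool would; the second keys them by the provider's instance identifier and records IP changes, new in-scope hosts and decommissioned in-scope hosts separately, which is the information an assessor actually needs. The instance IDs, addresses and `pci_scope` tag are constructed sample data.

```python
"""Reconcile cloud asset snapshots by instance identity rather than IP address."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    instance_id: str   # provider-assigned identity, stable across stop/start
    ip: str            # private address, may change or be reused
    role: str
    pci_scope: bool    # true if the host stores, processes or transmits cardholder data


# Constructed sample snapshots from two consecutive scans of the same environment.
SCAN_DAY1 = [
    Host("i-0a1", "10.0.1.10", "web", True),
    Host("i-0a2", "10.0.1.11", "app", True),
    Host("i-0a3", "10.0.1.12", "batch", False),
]
SCAN_DAY2 = [
    Host("i-0a1", "10.0.1.25", "web", True),   # same instance, new IP after a stop/start
    Host("i-0a4", "10.0.1.11", "web", True),   # new instance that inherited i-0a2's old IP
    Host("i-0a3", "10.0.1.12", "batch", False),
]


def diff_by_ip(before, after):
    """The static-tool view: a host *is* its IP address."""
    b = {h.ip for h in before}
    a = {h.ip for h in after}
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),
        "unchanged": sorted(a & b),   # 10.0.1.11 lands here although its owner changed
    }


def diff_by_instance(before, after):
    """The cloud-aware view: a host is its instance ID; the IP is just an attribute."""
    b = {h.instance_id: h for h in before}
    a = {h.instance_id: h for h in after}
    common = set(a) & set(b)
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "readdressed": sorted(i for i in common if a[i].ip != b[i].ip),
    }


def scope_findings(before, after):
    """Findings to carry into an assessment: scope churn and silently reassigned IPs."""
    b_by_id = {h.instance_id: h for h in before}
    a_by_id = {h.instance_id: h for h in after}
    b_by_ip = {h.ip: h for h in before}
    a_by_ip = {h.ip: h for h in after}

    new_in_scope = sorted(i for i in set(a_by_id) - set(b_by_id) if a_by_id[i].pci_scope)
    gone_in_scope = sorted(i for i in set(b_by_id) - set(a_by_id) if b_by_id[i].pci_scope)
    # An IP present in both scans but now attached to a different instance: any
    # firewall rule, scan schedule or log source keyed on that IP is now wrong.
    ip_reassigned = {
        ip: (b_by_ip[ip].instance_id, a_by_ip[ip].instance_id)
        for ip in set(a_by_ip) & set(b_by_ip)
        if a_by_ip[ip].instance_id != b_by_ip[ip].instance_id
    }
    return {
        "new_in_scope": new_in_scope,      # need scanning and evidence before they are accepted
        "gone_in_scope": gone_in_scope,    # retain their evidence for the assessment period
        "ip_reassigned": ip_reassigned,
    }


if __name__ == "__main__":
    print("by IP:      ", diff_by_ip(SCAN_DAY1, SCAN_DAY2))
    print("by instance:", diff_by_instance(SCAN_DAY1, SCAN_DAY2))
    print("findings:   ", scope_findings(SCAN_DAY1, SCAN_DAY2))
```

Run against the sample data, the IP-keyed diff reports 10.0.1.11 as unchanged and invents a removed host at 10.0.1.10, while the instance-keyed diff correctly reports one readdressed host, one new in-scope host that has never been scanned, and one decommissioned in-scope host whose evidence must be retained.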
The PCI SSC understands that its current guidance on securing servers in cloud environments is lacking; in fact, the current guidance leans toward virtualization in general rather than cloud specifically. As such, the PCI SSC has sponsored the creation of a cloud special interest group (SIG) to examine the use of cloud technologies and provide guidance on considerations for PCI DSS requirements in cloud environments. In the interim, it would be prudent for organizations to begin mapping out their specific requirements and challenges as they relate to public cloud. With this information in hand, evaluating current and future tools becomes a much more attainable task, and the adoption plan for embracing cloud computing becomes clearer.
When evaluating new tools for this new architecture, don't be afraid to reach out to your assessors and have them lend their voice to your selection process. They should be able to offer advice on the tools you are looking at, along with any concerns they may have about those tools' adherence to the tenets of the PCI DSS. Similarly, talk with peers that have recently been through an assessment of their cloud servers. From these conversations you should be able to distill the shortcomings of your peers' compliance programs and tools, and take the necessary steps to ensure that your organization doesn't fall into the same traps.