Cloud solutions & PCI DSS Compliance
Businesses are increasingly dependent on cloud computing solutions, and PCI DSS compliance is a common concern for organizations considering cloud or virtualized solutions. As mentioned in one of my earlier posts, if you do not store cardholder data in a public cloud, it is possible to achieve PCI DSS compliance. It is also possible for an organization to build a private cloud or virtualized environment that is PCI DSS compliant.
Before we get into the compliance aspects of the public cloud, let us first see which entities are in scope: PCI DSS applies to merchants and service providers who accept, capture, store, transmit or process credit and debit card data. The PCI DSS glossary also defines exactly what "credit and debit card data" is. The PAN is the defining element of cardholder data; the CVV is sensitive authentication data, which may never be stored after authorization; and the cardholder name on its own, without the PAN, is not in scope.
A key step in a PCI DSS implementation is scoping and scope reduction, where the cardholder data environment (CDE) is segmented from the rest of the network to reduce the number of systems to which the controls must be applied. In practice, "without adequate network segmentation the entire network is in scope of the PCI DSS assessment", as PCI DSS 2.0 puts it. So what would be the case with cloud computing? By that definition, a public cloud built on shared, pooled resources looks like a flat, unsegmented network from the tenant's point of view, unless the provider can demonstrate effective isolation between tenants.
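Scope reduction only works if you know where cardholder data actually lives: a PAN leaked into an application log, a database export or a backup silently drags that system into the CDE. The following PAN discovery scanner is an added example (not code from the original post or from the PCI SSC) of the check a practitioner runs before drawing the scope boundary. It finds 13 to 19 digit candidates, keeps only those that pass the Luhn (mod 10) check that all payment card numbers satisfy, and reports them masked to the first six and last four digits, the maximum PCI DSS permits to be displayed, so that the scan report itself does not become cardholder data. The sample log is constructed for the example; the Luhn check is a filter, not proof, so a hit still needs confirming by hand.

```python
"""PAN discovery scanner to support PCI DSS scoping (added example).

Finds Luhn-valid 13-19 digit sequences in text (logs, exports, dumps)
and reports them masked (first six / last four) with their line numbers.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Yield (line_number, masked_pan) for every Luhn-valid candidate."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                yield lineno, mask_pan(digits)


# Constructed sample input (not real data): an application log that leaked
# two PANs, plus look-alike numbers (an order ID and a mistyped card number)
# that fail the Luhn check and must not be flagged.
SAMPLE_LOG = """\
2011-06-01 10:00:01 order=1234567890123456 status=OK
2011-06-01 10:00:02 DEBUG card=4111 1111 1111 1111 exp=12/14
2011-06-01 10:00:03 ref=4111111111111112 declined
2011-06-01 10:00:04 DEBUG card=5500-0000-0000-0004 exp=01/15
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
```

Run against the constructed log, the scanner reports lines 2 and 4 only: the order ID on line 1 and the mistyped number on line 3 fail the Luhn check. Any system whose logs produce hits like these is in scope, whatever the network diagram says.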
These five essential cloud characteristics (from the NIST definition of cloud computing, SP 800-145) are a good test of whether a particular service provider is indeed a cloud provider:
On-demand self-service
Broad network access
Resource pooling (location independence)
Rapid elasticity
Measured service
Essentially, cloud-based is not the same as simply web-based. Consider a use case: if a standalone web server that does not belong to you is hacked, does it affect you? Normally not. In a cloud-based solution, however, if one web server that shares the underlying resources (hypervisor, storage, network) with yours is compromised, it is quite possible that the services sharing that infrastructure are exposed as well, and so the risk is high.
Now let us review some of the controls that are most relevant to cloud computing:
"As referenced in Requirement 12.8, all service providers with access to cardholder data (including shared hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that shared hosting providers must protect each entity's hosted environment and data. Therefore, shared hosting providers must additionally comply with the requirements in this Appendix."
Requirement A.1: "Shared hosting providers must protect the cardholder data environment."
"If the merchant shares cardholder data with a service provider, the merchant must ensure that there is an agreement with that service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the provider's compliance with PCI DSS via other means, such as via a letter of attestation." Source: Cloud Security Alliance (CSA)
Some challenges as outlined in the PCI SSC virtualization guidance:
In addition to the challenges of defining scope and assigning responsibilities across a shared infrastructure, the inherent characteristics of many cloud environments present additional barriers to achieving PCI DSS compliance. Some of these characteristics include:
- The distributed architectures of cloud environments add layers of technology and complexity to the environment.
- Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
- The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
- The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
- The hosted entity has limited or no oversight or control over cardholder data storage.
- The hosted entity has no knowledge of who they are sharing resources with, or the potential risks their hosted neighbours may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment.
In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity's CDE.
These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.
As with all hosted services in scope for PCI DSS, the hosted entity should request sufficient assurance from their cloud provider that the scope of the provider's PCI DSS review is sufficient, and that all controls relevant to the hosted entity's environment have been assessed and determined to be PCI DSS compliant. The cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer's responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be "in place" and "not in place"; and confirmation of when the assessment was conducted.
Any aspects of the cloud-based service not covered by the cloud provider's PCI DSS review should be identified and documented in a written agreement. The hosted entity should be fully aware of any and all aspects of the cloud service, including specific system components and security controls, which are not covered by the provider and are therefore the entity's responsibility to manage and assess.
- Cloud Security Alliance (CSA) presentations
- PCI SSC Information Supplement: PCI DSS Virtualization Guidelines (June 2011)