Secure Payments, PCI DSS, Regulatory Compliance Blog

Cloud computing security and PCI

November 3rd, 2008 by admin Posted in Compliance, PCI DSS

A few days ago I began a conversation with a friend about cloud computing security, because I wanted to know the answers to some pressing questions.  What I learned from this conversation is that (1) cloud computing is still in its infancy, and (2) people are still confused about regulatory compliance issues. (Damon at StartupSecurity.info has a great site I recommend you check out.)

First, let me say again, as I always do, that regulatory compliance and PCI are NOT technology issues, but risk management issues.  Second, please stop begging that PCI compliance address your new technology!

Technology vs Compliance

Let me explain this by telling a little story. I routinely ask people if they can be PCI compliant by using a firewall. They look at me strangely, then consider how a firewall could be used to segment a network, and reply, “Yes.” I then tell them “No” and they are further confused. The confusion clears only when I clarify my response, and their understanding, by saying, “No, only with a properly configured firewall.” You see, compliance of any type does not hinge on one specific technology. I ignore the ideological wars about firewalls vs. VLANs/ACLs because technology does not matter to me; only properly configured technology matters.

So that brings us back to the question asked earlier: can a company that uses cloud computing be PCI compliant? To answer it we first must explore the historical context. Last year people asked the same kind of question about virtualization: could a virtualized environment be considered compliant? Unfortunately, some replied that according to the “only one primary function per server” requirement this was not possible. That requirement turned out to be the most abused in the standard, as people interpreted it to mean whatever they wanted it to. The reality is that virtualization can be compliant as long as it’s properly configured and managed.

Today people are saying that cloud computing cannot be used because of the requirement for third-party contracts, which they claim will never be satisfied by large providers. The claim goes, “if they won’t allow a PCI clause in the contract, you’re not compliant. Period, end of story. You’re not compliant with 12.8, therefore you’re not compliant.”

Hmm… are you seeing a pattern? Do you notice that with each new year a new technology raises issues about compliance? Compliance people claim it cannot be used and technology people claim they want more attention paid to them. Sigh. Expect this to keep happening for years to come.

PCI DSS Compliance with Cloud

But we cannot ignore this, because as CloudSecurity.org points out, a recent survey shows that almost 50% of respondents feel “regulatory requirement prohibit cloud”. I find this an interesting myth, but one we can hopefully debunk.

In the original question, Chris qualifies his usage of cloud computing by saying: “All my infrastructure is in the cloud. It’s all virtualized. It runs on Amazon’s EC2. All my data is hosted outside of my direct stewardship. I don’t own anything.” The key point here is that the data is running on servers the company does not own. That is not a problem for answering his question about compliance with the twelve PCI DSS requirements, especially if the provider in question lets you build your own servers. This means you can … wait for it … properly configure your own servers to meet the PCI DSS requirements. Don’t have a firewall? I’m sure your provider is willing to sell or rent you one that … here we go again … you can define a PCI compliant rule set for.

PCI DSS Requirement 12.8

Ok, so now we’ve dispatched any issue relating to the technical PCI DSS requirements. Now let’s attack the bigger issue of third-party contracts. Requirement 12.8 really has to do with the “List of service providers and other entities with which the company shares cardholder data”. Ok, well with cloud computing we are not really giving out cardholder data so much as we are potentially giving access to cardholder data. (With PCI DSS v1.2 the old 12.10 is rolled into 12.8 to create one big requirement for a third-party contract and vendor management program.) The requirement everyone is clinging to says, “Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess.” It does not require the letters P-C-I be included in any contract (though that would be nice). It does state that companies must have a contract that passes along responsibility to the third party, but only as far as that third party provides a service to the company. For example, if large-cloud-provider manages the hardware and remote admin access, the contract may include reference to both physical security and remote access security. But does the default contract already reference this? Perhaps.

If contracts do not yet exist to address this, I imagine cloud computing platforms will evolve, much like the web hosting providers did, to offer a PCI compliant cloud computing platform. It would come with pre-configured servers, proper contracts, etc., all at a premium price.

Cloud Computing Gotchas

A few things not yet being discussed about cloud computing with respect to regulatory compliance are forensics and audit logging. Several articles claim that cloud computing makes forensic investigations easier, but again only if used properly.

You see, being able to spin up servers on a whim is nice when you want to respond quickly to an incident, but you can just as easily spin down compromised servers improperly. Let’s say it’s busy season at my e-commerce company so I spin up a few servers. These servers get hacked. I spin them down and decommission them. Where should the forensic teams look for evidence of a compromise? The servers you spun down no longer exist, so now forensic investigations are more reliant on attacks being identified as they occur and not months or years later.

Another connected issue is that of audit logging. A PCI DSS requirement states one must, “Promptly back up audit trail files to a centralized log server or media that is difficult to alter.” Assuming the servers you spin up are logging to the centralized log server, you will retain those audit logs. But if you spin down a server or decommission it without having backed up all of its audit logs (system, application, database), then you lose that data for good.
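As an added example (not code from the original post) of the pre-decommission gate the two paragraphs above argue for: a POSIX shell script that refuses to terminate a server until every local audit log (system, application, database) has a byte-identical copy on the central log store, and names what would be lost otherwise. The directory layout, log names and contents are constructed for illustration, and the terminate step is a placeholder.

```shell
# Added example (not code from the original post): refuse to decommission a server
# until every audit log on it (system, app, database) has an intact central copy.

hash_file() {
  # Prefer GNU coreutils sha256sum; fall back to shasum (BSD/macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_logs_shipped <local_log_dir> <central_copy_dir>: succeeds only if every
# file under the local dir has a byte-identical copy (same SHA-256) centrally.
verify_logs_shipped() {
  src=$1; dst=$2
  problems=$(find "$src" -type f | sort | while IFS= read -r f; do
    rel=${f#"$src"/}
    if [ ! -f "$dst/$rel" ]; then
      echo "MISSING  $rel"
    elif [ "$(hash_file "$f")" != "$(hash_file "$dst/$rel")" ]; then
      echo "MISMATCH $rel"
    fi
  done)
  [ -z "$problems" ] && return 0
  printf '%s\n' "$problems"   # list what would be lost if we terminated now
  return 1
}

# decommission_server <local_log_dir> <central_copy_dir>: gate the terminate step
# (a placeholder echo here; the provider API is out of scope) on the check above.
decommission_server() {
  if verify_logs_shipped "$1" "$2"; then
    echo "logs verified on central store; terminating instance (placeholder)"
    return 0
  fi
  echo "ABORT: audit logs not fully preserved; instance left running" >&2
  return 1
}

# Constructed demo data: one intact copy, one copy truncated in transit, and the
# database audit log never shipped at all. The gate should ABORT.
demo=$(mktemp -d)
mkdir -p "$demo/local/system" "$demo/local/app" "$demo/local/db" "$demo/central/system" "$demo/central/app"
printf 'sshd: accepted publickey\n' > "$demo/local/system/auth.log"
cp "$demo/local/system/auth.log" "$demo/central/system/auth.log"
printf 'event 1\nevent 2\n' > "$demo/local/app/events.log"
printf 'event 1\n' > "$demo/central/app/events.log"
printf 'audit: grant\n' > "$demo/local/db/audit.log"
decommission_server "$demo/local" "$demo/central" || true
rm -rf "$demo"
```

Run it against the real log directories from the same host that does the terminate call, so a truncated or never-shipped log blocks the decommission instead of being discovered by the forensic team later.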

Still another issue is that of shared resources, such as databases. Right now we think of cloud computing as a collection of virtualized servers you can start and stop as your business requires. Some services even allow you to throttle the virtual machine’s cost based on usage. But imagine when virtual machines are shared, as in today’s shared web hosting and shared database usage. I think that more and more we are going to see cloud computing platforms move to offering a regulatory compliant configuration as we reach critical mass for this service offering.

Conclusion

We have to start thinking in terms of shared resources and shared hosting. More and more we are going to see PCI DSS requirement 2.4 invoked, which demands “shared hosting providers must protect each entity’s hosted environment and data.” Please remember that compliance is not a technology issue and does not need to pander to it. It’s in mitigating risk that we see the forest for the trees and can achieve our goal of compliance.

14 Responses to “Cloud computing security and PCI”

  2. By Ryan McDermott on Nov 4, 2008

    For those looking for a cloud computing platform that will allow them to gain PCI compliance; The Enterprise Cloud product by Terremark is built on a time tested virtualized architecture that has allowed a number of customers to gain PCI compliance.

    If you would like to check it out, visit the site http://www.theenterprisecloud.com and engage our sales staff on chat for a live demo.

    -Ryan McDermott
    Technology Evangelist
    Terremark

  3. By Eric Novikoff on Nov 4, 2008

    Thank you for this article - it is a reminder that the business processes and procedures are the key to PCI compliance, not merely the technology which serves them. With a nod to our competitor Terremark who is clearly focused on delivering the right kind of technology, it is nevertheless irresponsible for vendors to claim that they can ensure PCI compliance with their technology unless they are also prepared to take on developing and managing processes and procedures that deploy that technology to ensure PCI compliance. At ENKI, what we’ve seen is that over 90% of downtime and security issues are due to the software systems architecture and procedures our customers use when deploying an application to the cloud. As a result, we offer a managed cloud service that includes best-practice operations services because we feel that our customers cannot succeed without it.

  4. By Michael Dahn on Nov 4, 2008

    I’ll let you two duel it out regarding any specific product or service offering. ;)

  5. By Ryan McDermott on Dec 15, 2008

    I agree that many times clients of hosting providers require more assistance and guidance than they can obtain from a cloud solution. I recommend choosing a provider that can do the whole stack from cloud to managed hosting to managed security. This way anything that falls outside of the skillset on staff can be provided through additional services and capabilities.

    -Ryan McDermott
    Technology Evangelist
    Terremark

  6. By Peter Collins on Jan 20, 2009

    Eric, does ENKI have any PCI-certified clients in your system? You would need to be pci-certified in order for your clients to be. I used the search tool on your website to look for “pci” but nothing came up.

  7. By Cloud Computing News on Aug 19, 2009

    Thanks for the information. Big news in Australia for cloud computing is Telstra have just announced a $500m investment into cloud services. Great news for the local industry.

8 Trackback(s)

  2. Nov 3, 2008: PCI 101 | Startup Security
  3. Nov 4, 2008: Interesting Information Security Bits for 11/04/2008 « Infosec Ramblings
  4. Nov 5, 2008: ICMPECHO · PCI DSS: What’s in the cloud?
  5. Nov 12, 2008: VMware komt Payment Card Industry te hulp « EarlyBert
  6. Dec 11, 2008: SQL Server and Cloud Links for the Week | Brent Ozar - SQL Server DBA
  7. Jan 2, 2009: Core » Blog Archive » Can Cloud Computing Handle Compliance? « Data Center Knowledge
  8. Feb 13, 2009: Cloud Computing and the Assumed Lack of Security « Payment Card Security & IT Controls Explained
  9. Mar 23, 2009: Cloud compliance: Will PCI be applied to cloud computing by the FTC? - IT Compliance Advisor
