About a month ago, the PCI Security Standards Council released the PCI DSS 2.0 Cloud Computing Guidelines. The document, that can be found here, tries to show that companies can in fact be PCI-compliant even if they rely on public cloud services, and outlines how one would have to go about achieving compliance in such a scenario. I had the opportunity to not only go over the entire document, but also to talk about it with Chris Brenton, who is director of security at CloudPassage, and was an integral member of the team that developed this guidance.
Regardless of its PCI-related themes, the document is worth reading due to the excellent job it does of discussing general security, responsibility, and control issues that come up on different cloud scenarios. Many of the explanations offered and diagrams presented can be useful in any situation where we want to look at things that are shared between clients and service providers on the cloud. That said, the main focus of the document is PCI compliance on the public cloud, and I’ll outline below the key points from it.
Why should I care
PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a standard that applies to everyone (merchants, service providers, financial institutions) who at some point touches cardholder data, in this case, defined as the credit card number, the expiration date and the cardholder’s name. Today, when most companies have some kind of web-facing store that allows customers to purchase their products or services directly, this means almost every company out there.
Even if your company doesn’t handle this kind of data, however, the PCI standard can be interesting because it’s much more precise in its definitions than other security standards. As Chris told me, while some security standards will simply state “you need to use strong passwords”, the PCI determines exactly what constitutes a strong password in terms of number of regular and special characters, how often they need to be changed, and so on; the same goes for many other security elements.
Compliance on the public cloud
The big issue with respect to achieving PCI Compliance when relying on public cloud services is the sharing of responsibility. Let’s take, for example, a virtual machine hosted on a public cloud service. Who is responsible for installing and maintaining firewalls? The answer, as it will be for most of the PCI Requirements, is that the responsibility is shared: the service provider is responsible for ensuring that firewalls on the overall infrastructure and on its internal networks are in place, while the client is responsible for everything inside its environment is safe.
The sharing of responsibility is the key: in a public cloud environment, there are many elements which fall under the purview of both the service provider and the client, and any compliance evaluation has to take this into account, looking at elements from both sides in order to assess the whole. In a sense, this makes achieving compliance much harder, because instead of being solely responsible for all elements that need to be checked and audited, a company needs to engage its service providers in the process, so that elements that fall under their responsibility can be properly evaluated.
As Chris reminded me, however, the shared responsibility model can also make achieving PCI compliance easier. If I rely on cloud service providers that are themselves PCI compliant, many requirements may already be fulfilled by them, meaning that I don’t have to worry about them at all. To make this even better, many of the top tier cloud providers, such as Amazon and Rackspace, are already PCI compliant, which means that their clients are already partly compliant, even if they aren’t aware of this fact.
Ultimately, the ease of achieving PCI compliance on the public cloud comes down to a few things: what requirements fall under whose responsibility, if your cloud service provider is already compliant or not, and your ability to engage the provider during the process. While being compliant with this security standard might seem a pointless waste of time for companies that don’t handle cardholder data, caring about it displays a concern with security that is very important to reduce all the security-related worries that people have when considering cloud services.