PCI Compliance in the Cloud
If you store, process, or transmit card account data, you need to be in compliance with the PCI data security standard. We explore the basics, including why DevOps teams needs to be compliant, with Andrew Hay, chief evangelist for CloudPassage, a company that provides server security products for public and hybrid cloud hosting environments.
Enterprise Strategies: At a high level, what is PCI DSS?
Andrew Hay: The PCI Data Security Standard (PCI DSS), established by the Payment Card Industry (PCI) Security Standards Council (SSC), was invented by five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. as the basis for the technical requirements of each of their respective data security compliance programs. In the most simple of terms, PCI DSS provides prescriptive guidance on implementing both technical and nontechnical compensating controls to add some measure of security for organizations responsible for processing, storing, or transmitting payment card account data.
Why is it necessary for DevOps to know about PCI DSS compliance?
DevOps teams are on the front lines of IaaS cloud deployments. As such, they need to consider the risk of deploying servers that may fall within the scope of PCI. Many companies also consider PCI a de facto standard, even if they're not required to submit to PCI audits.
Just because development, test, and production systems are being migrated to cloud environments faster than ever before does not mean that security concerns need not be considered and compliance mandates need not be adhered to. Failing to secure your cloud servers, especially those that fall within the scope of PCI, has the potential to lead to data compromise.
As we've seen in some of the high-profile breaches over the past several years, this may result in a loss of sales and customers, irreparable damage to your organization's brand, and possible lawsuits. There are also the more tangible losses in the form of fines from both the payment card issuers and even the government that must be considered.
How is PCI compliance different in the cloud?
Perhaps the biggest challenge with regards to PCI compliance in the cloud is the lack of concrete guidance from the PCI SSC. There is a PCI special interest group (SIG) currently researching how to better define and measure compliance within cloud environments, but there has yet to be anything delivered and anointed by the PCI SSC for public consumption. As it stands right now, it is up to the business to prove to its qualified security assessor (QSA) that its controls protecting cloud servers, applications, and data provide (at a minimum) the same level of protection as previously assessed on-premises solutions.
Which cloud servers fall into the scope of PCI?
Organizations with servers in cloud environments that transmit, process, or store payment card information are deemed "in-scope" and are assessed by independent assessors that validate the organization's adherence to the PCI DSS. These assessors also certify that the company is either operating within the bounds of the standard or provide a list of items that must be addressed to be deemed compliant.
What are the unique security challenges involved with PCI compliance in the cloud?
The lack of a traditional perimeter under control of the enterprise makes securing cloud servers, applications, and data a seemingly insurmountable task. The organization can no longer rely on inline network-based firewalls, intrusion systems and logical segmentation using routers and switches because (especially in public cloud environments) your server is adjacent to the Internet. There is no longer an "enterprise network." The buffer of network-based technical controls disappears. The servers are directly connected to the Internet.
With the cloud edge being the new network perimeter, host-based technical controls have seen a resurgence -- especially in IaaS environments where users have full control over their servers. Organizations are, once again, relying on host-based controls to allow them to segment their servers from the world in a secure and compliant manner. One problem, however, is that traditional host-based controls are not always up to the task.
Cloud computing brings certain benefits that prove tricky to traditional security controls and the business. Cloud bursting between private, public, and hybrid clouds (or some combination of the three) throws many of the rigid change-control requirements found within on-premises data centers out the window. Dynamic changes to disk volumes may also prove challenging to security-monitoring controls designed to operate within static environment constraints. The potential for changing IP addresses also causes a problem with host-based firewalls, especially for asset inventory, application access, and remote administrative access.
One major problem is that the prescriptive guidance offered by the regulatory bodies (e.g., the PCI SSC and its PCI DSS) has not yet sanctioned many of the new host-based controls in cloud environments, leaving QSAs to guess whether the control is sufficient. Failing to achieve compliance does not necessarily mean that your organization isn't secure. Conversely, having an organization that is secure does not necessarily mean that the control objectives of PCI are addressed and satisfied.
If your IaaS provider's platform has been validated as PCI DSS compliant, does that mean you're covered?
A provider that claims their cloud is PCI compliant has undergone independent testing and assessment to verify that their infrastructure is built and operated in a manner that adheres to the tenets of the PCI Data Security Standard (PCI DSS). What does this attestation of compliance mean for end-customers PCI compliance? Not a lot, actually.
I recently asked a friend -- Chris Nickerson, a well-known penetration tester and founder of Lares Consulting -- what he thinks of the term "PCI compliant cloud." His response was not that shocking: "A PCI compliant cloud is like a rental car," he says. "The car isn't yours but you're still responsible for driving it."
Said another way, the provider may be compliant but that compliance in no way cascades to encompass their customer's cloud servers. Essentially, a compliant provider has, to the best of its ability, ensured that its infrastructure will not introduce anything that might jeopardize a customer's own PCI compliance aspirations.
You recommend a prioritized approach to achieving PCI compliance. What does that entail?
The most effective approach to PCI compliance, as with information security, is to first define the policies, procedures, guidelines, and standards needed to address organizational concerns. Without a plan clarifying business objectives, the organization is doing itself and its staff a disservice -- one that may result in a kneejerk or stopgap policy and control implementation without long-term strategic goals being defined.
Once the business has its road map in hand, it can began prioritizing the application of technical and procedural controls required to satisfy the organization's objectives. The business can identify its cloud servers that fall within the bounds of PCI compliance and tune the existing controls, or, in some cases, implement additional controls to meet or exceed the prescribed standards.
Why does PCI need to be looked at as a process, not a project?
Compliance, just like security processes and controls, does not have a finish line. In-scope systems must be constantly monitored and tested to ensure that they do not fall out of compliance or, more important, become susceptible to an attack.
Achieving a stamp of approval from your QSA does not mean that you are done worrying about PCI compliance. All that attestation means is that your organization has succeeded in satisfying the minimum requirements of the PCI DSS. The company now has the privilege of maintaining those controls to remain compliant and, ideally, refine their processes and procedures to exceed the minimums.
There may not be a finish line, but there are likely "bonus points" for your customers and organization for putting in the extra effort to exceed the minimums.
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).