PCI DSS cloud computing guidelines strike discord among would-be adopters

Beth Pariseau, Senior News Writer

Although some experts think a recent report on cloud computing security compliance helps clarify how data can safely live in the cloud, others say it could confuse or even scare off cloud computing adopters.

The report on PCI DSS cloud computing security, written by the Payment Card Industry (PCI) Security Standards Council, could influence adopters already stymied by confusion about compliance.


"Cloud computing is a form of distributed computing that has yet to be standardized," the report states in its executive summary. One expert said the report sets a dark tone from the start. "There is no standard yet, and you're basically led to believe that going to the cloud is fraught with danger," said Chris Steffen, principal technical architect at Kroll Factual Data and a Microsoft MVP on cloud and data center management.

The report also suggests that keeping cardholder data out of the cloud entirely is the most effective way to keep a cloud environment out of PCI DSS scope. Statements like these could have inexperienced cloud computing clients and their auditors running scared, Steffen said, and might lead auditors to hatch draconian interpretations.

"If you want a truly secure computer, take it off the network, encrypt everything, make sure you have quadruple-factor authentication to get into the thing, and then you're still only as secure as the person using it," Steffen said. Users need to balance usability with reason when it comes to computer security, he added.

The report offers matrices for delineating responsibility for elements of the PCI Data Security Standard (DSS) between cloud computing clients and cloud service providers. Even so, there still are ambiguities that will create confusion, said Carl Brooks, an analyst at Boston-based 451 Research.

For instance, Requirement 9 under PCI DSS requires that clients restrict physical access to cardholder data, "a basic PCI requirement since dinosaur times," Brooks said. The guidance simply states that the cloud service provider manages this requirement, but in practice the answer depends on the particular CSP and on how the data is distributed across different locations.

"What does that actually, practically mean?" Brooks questioned. "Who is getting sued and/or arrested when cardholder data gets loose?"

Read PCI proponents' defense of the report in part two.

Beth Pariseau is a senior news writer for SearchCloudComputing.com and SearchServerVirtualization.com. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.
