Essential Guide

Enterprise cloud security best practices for locking down your cloud

PCI DSS cloud computing guidelines strike discord among would-be adopters

If cloud security has worried you, the Payment Card Industry Security Standards Council report with PCI DSS cloud guidance might add to the confusion.

Although some experts think a recent report on cloud computing security compliance helps clarify how data can safely live in the cloud, others say it could confuse or even scare off cloud computing adopters.

The report on PCI DSS cloud computing security, written by the Payment Card Industry (PCI) Security Standards Council, could influence adopters already stymied by confusion about compliance.

"Cloud computing is a form of distributed computing that has yet to be standardized," the report states in its executive summary. One expert said the report sets a dark tone from the start. "There is no standard yet, and you're basically led to believe that going to the cloud is fraught with danger," said Chris Steffen, principal technical architect at Kroll Factual Data and a Microsoft MVP on cloud and data center management.

The report also suggests that keeping credit card holder data out of the cloud completely is the most effective way to keep a cloud environment out of scope. These statements could have some inexperienced cloud computing clients and their auditors running scared, Steffen said, and might lead auditors to hatch draconian interpretations.

"If you want a truly secure computer, take it off the network, encrypt everything, make sure you have quadruple-factor authentication to get into the thing, and then you're still only as secure as the person using it," Steffen said. Users need to balance usability with reason when it comes to computer security, he added.

The report offers matrices for delineating responsibility for elements of the PCI Data Security Standard (DSS) between cloud computing clients and cloud service providers. Even so, there are still ambiguities that will create confusion, said Carl Brooks, an analyst at Boston-based 451 Research.

For instance, Requirement 9 under PCI DSS requires that clients restrict physical access to cardholder data, "a basic PCI requirement since dinosaur times," Brooks said. The guidance simply states that the cloud service provider manages this requirement, but it depends on the particular CSP as well as the distribution of data across different locations.

"What does that actually, practically mean?" Brooks questioned. "Who is getting sued and/or arrested when cardholder data gets loose?"

Read PCI proponents' defense of the report in part two.

Beth Pariseau is a senior news writer for SearchCloudComputing.com and SearchServerVirtualization.com. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.
