PCI DSS compliance in the cloud is still not a realistic possibility, according to the PCI Security Standards Council, but steps have been taken in that direction. Explicit mention of the use of virtualization and multi-tenant systems, key elements of a cloud service, is included in the Payment Card Industry Data Security Standard 2.0. This means that auditors now have a straw to grasp when examining enterprises for compliance.
But that doesn't include cloud computing, either public cloud services like Amazon Web Services (AWS) or private cloud deployments, which mimic the online, self-service, automated IT infrastructure delivery model. According to Hemma Prafullchandra, a member of the Council's Virtualization Special Interest Group (SIG) and chief security architect for HyTrust, getting PCI compliant on AWS or another public cloud provider is technically possible but difficult in practice.
"If you're a large merchant, you can't," she said. "If you are a small merchant, you can, but you'll have to build out a lot of things like an encryption solution and tools."
PCI DSS requires stronger compliance from merchants with large amounts of cardholder information, she added, and cloud providers simply don't make the cut for the highest levels. According to the rules, cardholder information has to be strictly segregated and accounted for, which is impossible to do when you share online storage with thousands of others.
Prafullchandra said that providers like AWS had pieces of the PCI puzzle, such as accounting for physical security through SAS 70 certification, but it wasn't enough. A PCI DSS compliant service, like an e-commerce site or an online banking service, would have to be a hybrid solution, possibly by transacting within a secured application and then storing data outside the cloud.
"Amazon actually advertises they do support -- I'm paraphrasing -- that they do have controls that they would be willing to share, like a SAS 70 report, with a PCI provider," she said. "But now the burden is shared, because the PCI provider would have to prove out that the data is safe before you put it in the cloud."
Prafullchandra said the impulse is there. Payment services providers, the middlemen between retail operations and the banks that do the vast majority of transaction processing, are desperate to start doing data center consolidation and virtualization and drive out costs. They've been left behind over the last few years as virtualization has taken off, and cloud is following right behind.
Vendor group takes the PCI DSS plunge
However, the new guidance is a pittance of what's needed. A vendor group including HyTrust has announced a viable reference architecture for a private cloud environment that can be certified PCI DSS, but experts say it's more concept car than production vehicle.
HyTrust, Cisco, VMware, Savvis and auditing firm Coalfire all say that with the proper expertise, an enterprise can run a cloud and document everything well enough to qualify for PCI DSS. Passing an audit seems to largely hinge on hiring an auditing firm with a special expertise in virtualization and virtualization management products. Coalfire VP Tom McAndrews said in a Web seminar this week that his firm has worked out its auditing metrics by fiat.
"There aren't specific tracks from qualified security assessors (QSAs) to follow for cloud and virtualization…what we have done is elect specific technologies that we can say, here's a concrete example [of compliant systems]," he said. He added that beyond documenting procedures, some compliance might rest on using management systems to deliver information and reports, or screenshots, to demonstrate that everything was working as advertised.
Rick Shaw, CEO of IT security and compliance consultancy Awareity, said what they've put together is decent. The challenge, though, is that not everyone's going to have HyTrust, Cisco and Savvis.
Shaw said that the complexity of the architecture was an accurate rendition of the problems facing compliance and security in the cloud: As so many things became automated and obscured, the ability to document and put into place reliable and compliant processes got that much more intricate. He said the real issue facing compliant enterprises was making sure existing processes got followed in the first place, never mind mixing in new technology.
Compliance in the cloud is complicated
"Compliance is like trying to correct astigmatism; you turn it one direction, you're going to get a really clear picture all of a sudden, but turn it the other direction, and suddenly things get really blurry," said Scott Crawford, research director on IT security for Enterprise Management Associates. Crawford said the basic conundrum was that cloud providers were going to have trouble offering the visibility into their architecture that PCI required.
Crawford thinks the slowness of the PCI Security Standards Council is due to the heterogeneity of virtualization products and tools. It would be easy to designate standards for specific vendors, but technology changes much faster than standards bodies can keep up with, and for PCI to mean anything, it has to be broad. Crawford said that with enough push from enterprises and service providers in an accelerating market, solutions might begin to appear.
He pointed to Intel's long-suffering Trusted Compute Platform, which has flopped as endpoint security but could work very nicely as a "trust anchor" in the cloud data center with a little development.
"I have been amazed that it's taken Intel (and, by extension, AMD) this long to get something like this in the server market," he said.
One thing is for sure: PCI DSS (unless you buy it from Savvis) is not in the cloud right now. Hemma Prafullchandra said that the Council should be commended for having taken a stand in virtualization, but there was more to be done. She said the perimeter security model that PCI was in large part based on (knowing where your stuff is and how it's locked up) needs to shift to a virtual-friendly, machine-based model (know what your stuff can and can't do) before the cloud can comply.
Carl Brooks is the Technology Writer for SearchCloudComputing.com. Contact him at firstname.lastname@example.org.