Although a recent report on PCI DSS offering guidance on cloud computing has received some criticism, some experts say it clarifies cloud computing security risks and responsibilities, and could spur cloud adoption.
Opinions on the viability of achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) in cloud computing scenarios are mixed; however, Chris Brenton, director of security for CloudPassage and a member of the PCI Security Standards Council (PCI SSC) special interest group (SIG), said it's possible -- but not easy -- with due diligence.
Brenton's not only a participant in the SIG, he's also a cloud computing client. His company, which manages system security and administration for customers, runs on Amazon Web Services' (AWS) Infrastructure as a Service (IaaS). And since its software agents for monitoring and configuring devices like firewalls on customers' servers may come in contact with PCI data, CloudPassage's servers could also be considered in-scope under PCI DSS.
"To me, this is a godsend, because I get to go back to my QSA [qualified security assessor] and say, 'Here's what you need to worry about with me; here's what Amazon's doing; and here's their attestation saying they've got their stuff lined up,'" Brenton said.
Other cloud computing experts agreed the report may ease some concerns about moving to a cloud infrastructure.
"[The report] actually helps put an exclamation point on some critical areas for businesses and IT departments to consider when picking a cloud provider or cloud broker," said Kris Bliesner, CEO of 2nd Watch, a cloud computing consultancy and systems integrator in Liberty Lake, Wash.
As for the sentiment that it's easier just to not put data in the cloud, some readers of the report agree, but don't believe it's an overall recommendation to stay away from cloud entirely.
"I think [the PCI Security Council's] statement is just the reality of the situation, and not necessarily a viewpoint on cloud adoption," said Sean Perry, CIO for Robert Half International Inc., and an AWS IaaS customer.
But keeping data in an internal data center rather than putting it in the cloud might give users a false sense of security, Perry said. "I'm surprised when I hear statements where people assume their internal environment is more secure than a cloud provider," he said.
Cloud computing providers can dedicate more people to security functions and have larger budgets, greater infrastructure and more monitoring resources than their clients do. They can be a bigger target for attacks, but they are also focused on protecting a single primary architecture. By contrast, most organizations deal with a wider range of hardware, software, vendors and integrations, which creates additional complexity, Perry said.
And while Brenton generally defended the guidance from the PCI SSC, he acknowledged that, for larger organizations, it will probably create headaches. Smaller organizations with fewer ingrained security policies and procedures, as well as less complex infrastructures, won't feel the pain as much.
In the end, Brenton said the main message of the report is that clients can't just put their data in the cloud and call it a day -- proper security protocols must still be followed despite the obvious challenges around lack of visibility and data mobility in a cloud environment.
As far as whether it will hinder cloud adoption by compliance-conscious cloud computing clients, Brenton remains positive: "I'm hoping it has the opposite effect."