This content is part of the Essential Guide: Enterprise cloud security best practices for locking down your cloud
News Stay informed about the latest enterprise technology news and product updates.

PCI report clarifies cloud computing security risks, responsibilities

The Payment Card Industry Security Standards Council's guidance for cloud computing won't discourage cloud adoption, proponents say.

Although a recent report on PCI DSS offering guidance on cloud computing has received some criticism, some experts say it clarifies cloud computing security risks and responsibilities, and could spur cloud adoption.

Opinions on the viability of achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) in cloud computing scenarios are mixed; however, Chris Brenton, director of security for CloudPassage and a member of the PCI Security Standards Council (PCI SSC) special interest group (SIG), said it's possible -- but not easy -- with due diligence.

[The report] actually helps put an exclamation point on some critical areas for businesses and IT departments to consider when picking a cloud provider or cloud broker.

Kris Bliesner,
CEO, 2nd Watch

Brenton's not only a participant in the SIG, he's also a cloud computing client. His company, which manages system security and administration for customers, runs on Amazon Web Service's (AWS) Infrastructure as a Service (IaaS). And since its software agents for monitoring and configuring devices like firewalls on customers' servers may come in contact with PCI data, CloudPassage's servers could also be considered in-scope under PCI DSS.

"To me, this is a godsend, because I get to go back to my QSA [qualified security assessor] and say, 'Here's what you need to worry about with me; here's what Amazon's doing; and here's their attestation saying they've got their stuff lined up,'" Brenton said.

Other cloud computing experts agreed the report may ease some concerns about moving to a cloud infrastructure.

"[The report] actually helps put an exclamation point on some critical areas for businesses and IT departments to consider when picking a cloud provider or cloud broker," said Kris Bliesner, CEO of 2nd Watch, a cloud computing consultancy and systems integrator in Liberty Lake, Wash.

As for the sentiment that it's easier just to not put data in the cloud, some readers of the report agree, but don't believe it's an overall recommendation to stay away from cloud entirely.

"I think [the PCI Security Council's] statement is just the reality of the situation, and not necessarily a viewpoint on cloud adoption," said Sean Perry, CIO for Robert Half International Inc., and an AWS IaaS customer.

But keeping data in an internal data center rather than putting it in the cloud might give users a false sense of security, Perry said. "I'm surprised when I hear statements where people assume their internal environment is more secure than a cloud provider," he said.

Cloud computing providers can dedicate more people to security functions and offer a larger budget as well as a greater infrastructure and monitoring resources than clients do. They can be a bigger target for attacks, but they also are focused on the protection of a single primary architecture. By contrast, most organizations deal with a wider range of hardware, software, vendors and integrations, which creates additional complexity, Perry said.

And while Brenton generally defended the guidance from the PCI SSC, he acknowledged that, for larger organizations, it will probably create headaches. Smaller organizations with fewer ingrained security policies and procedures, as well as less complex infrastructures, won't feel the pain as much.

In the end, Brenton said the main message of the report is that clients can't just put their data in the cloud and call it a day -- proper security protocols must still be followed despite the obvious challenges around lack of visibility and data mobility in a cloud environment.

As far as whether it will hinder cloud adoption by compliance-conscious cloud computing clients, Brenton remains positive: "I'm hoping it has the opposite effect."

Beth Pariseau is a senior news writer for and Write to her at or follow @PariseauTT on Twitter.

Dig Deeper on Cloud computing security

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Is the PCI guidance report helpful?
Succinct and useful information
My pci not fixing skype please help me any other fixing & with skype
It needs to have a single simple summary of what is/isn't required to be PCI compliant in the cloud and who is responsible for each part
provides very useful help and guidance to those who are contemplating using the cloud
What about confidentiality, integrity of data, and many other aspects ??? This report is ridiculously limited to infrastructure aspects...
Most companies don't understand what is needed for PCI compliance even when it's not on the cloud.
Any guidance is helpful and as one person says in the article, it gives Cloud based businesses an opportunity to show they have their ducks in order.
Security in the cloud is more often than not the catchall scapegoat for organizations seeking a reason not to move to the cloud. Unfortunately this report can be read in much the same way, giving reasons to those who seek them for not making the move. Regrettably, business units at these very organizations are secretly signing contracts with cloud providers in order to innovate faster and capitalize on the shorter time to market cloud providers bring – in direct contrast to the service they receive from their own IT organization. When read correctly, this report offers hope for IT organizations who are interested in regaining control, bringing development under the IT umbrella by accelerating application development and deployment processes through cloud-based DevOps. In the process, the business gains governance, agility AND faster time to market for increased competitiveness. For further discussion on this topic see:
-- Shawn Douglas, CTO ServiceMesh