PCI in the Cloud: Ready, Willing and Able?

How do customers embrace cloud while simultaneously remaining secure and aligned with the highly prescriptive PCI-DSS? Andrew Hay investigates
Andrew Hay, CloudPassage

Adherence to the controls prescribed by the Payment Card Industry Security Standards Council (PCI SSC) is quickly becoming an operational requirement for organizations looking to leverage cloud service providers (CSPs). As organizations look to take advantage of cloud computing to lower costs and dynamically grow their compute power, so too are they looking at ways to protect their sensitive customer payment-related data being stored in public, private and hybrid-cloud architectures.

The tools employed by customers and CSPs are often not built to scale and protect applications, data and servers in cloud environments. The tools were also designed with static or semi-static operating system and computer platform architectures in mind – leaving most customers scratching their heads on how to protect cloud servers, especially those in public cloud, outside of their traditional perimeters and within the scope of the PCI Data Security Standard (PCI-DSS).

Many organizations are looking to their cloud providers – be they IaaS, PaaS or SaaS models in private, public or hybrid cloud architecture – and their existing security vendors for help with their secure migration to the cloud. So how do customers embrace cloud while simultaneously remaining secure and aligned with the highly prescriptive PCI-DSS?

Too Much Risk?

The comfort level of organizations looking to deploy PCI in-scope servers in public cloud environments is still in its infancy – and few, if any, organizations can claim full adherence with all of the tenets of the PCI-DSS.

“I would need to see demonstrated compliance and get a get-out-of-jail-free card from the PCI SSC and my assessors first”, says Martin Fisher, director of information security at WellStar Health System. “Too much risk otherwise”, he adds.

A CSP throwing its hands up and saying 'not my problem', with regard to PCI compliance and security, is something else that bothers Fisher, who claims that “it just isn't a good strategy”.

Another concern falls on the laps of the firms assessing PCI-DSS adherence. As is the case with most sitting court judges, no PCI Qualified Security Assessor (QSA) wants to be on the hook for setting a precedent that might be overturned, generate bad press and cause their firm to lose credibility or future business. As such, most QSAs and the firms they work for tend to err on the side of caution when blessing a company operating in-scope cloud servers as PCI ‘compliant’ – choosing to pass what can easily be addressed while pointing out issues that warrant further investigation by the business.

CSPs have been working hard to label themselves as ‘PCI compliant’ but what, if anything, does that actually mean? A primary customer concern of running servers in a shared environment (such as a public cloud) is the potential for third-party access of customer data by another organization – or the provider itself.

A ‘Compliant’ Cloud

A CSP that claims its cloud is PCI compliant has undergone independent testing and assessment to verify that its infrastructure is built and operated in a manner that adheres to the tenets of the PCI DSS. So what does this attestation of compliance mean for end customers' PCI compliance? Not a lot, actually.

“A PCI compliant cloud is like a rental car”, says Chris Nickerson, well-known penetration tester and founder of Lares Consulting. “The car isn’t yours but you’re still responsible for driving it.”

Said in another way, the CSP may be compliant, but said compliance in no way cascades to encompass their customers’ cloud servers. Essentially, a compliant CSP has, to the best of its ability, ensured that its infrastructure will not introduce anything that might jeopardize a customer’s own PCI compliance aspirations. In a nutshell, this is what a ‘PCI compliant cloud’ means.

It’s a double-edged sword of sorts. On one side, customers have the ability to select the controls that best meet their organizational goals – without having specific tools pushed down upon them by the CSPs. On the other side, however, many customers are left confused as to what controls satisfy the requirements for cloud environments.

As Wendy Nather, enterprise security research director at 451 Research, puts it: “many organizations want security, and at the same time, chafe under its implementation”. Because security is not a ‘one-size-fits-all’ model, a CSP cannot be expected to expand its own compliant state to encompass its customers – just as internet service providers cannot be responsible for the network-based security of their business and personal users.

“Providers can only provide as much security as the customer will allow”, says Nather. “Security is fundamentally not only about the use of security tools, but also about operational discipline: configurations must be tightly managed and monitored, and this means that users will inevitably be restricted in some way in what they can do.”

Entering the Cloud Highway

If you’re looking to your CSP to take the responsibility of regulatory compliance off of your task list, you’ll be in for a long wait – or more likely in the short term, a shocking surprise when it comes time for your assessment. A ‘compliant cloud’ does, however, offer some semblance of progress with regard to CSP efforts to offer a trusted architecture upon which to deploy PCI in-scope servers.


To entice more organizations to move their in-scope servers to the cloud, CSPs will likely need to partner with cloud security and compliance vendors that have purpose-built solutions that address the many nuances of cloud computing. Sure, a CSP could build or buy their way into the security space, but it’s just not in their DNA. The providers exist to facilitate the easy hosting of servers and applications in a way that reduces roadblocks to the on-ramp.

Security, as it was when we were building on-premises datacenters, continues to be an unfortunate afterthought. Not only is security an afterthought, it is also a challenge that many CSPs are more than happy to place squarely on the laps of their customers. This seemingly noble stance is often disguised as vendor or product agnosticism. Few CSPs want to be seen as forcing their customers to use specific tools, locking them into a particular vendor that may not work should the customer decide to move to another CSP where the tool is not supported.

If a CSP can provide, or at least recommend, third-party solutions that secure their customer’s data in accordance with PCI, a competitive differentiator might be found. This differentiator might be enough to provide a ‘soft lock-in’ to a CSP’s cloud environment, increasing the offering’s stickiness.


Andrew Hay is the chief evangelist at CloudPassage, where he serves as the public face of the company and lead advocate for its SaaS server security product portfolio. Prior to joining CloudPassage, Hay served as a senior security analyst for industry analyst firm 451 Research and provided technology vendors, private equity firms, venture capitalists and end users with strategic advisory services. He is a veteran strategist with more than a decade of experience related to endpoint, network and security management technologies. Prior to joining 451 Research, Hay served within the Information Security Office (ISO) of the University of Lethbridge and, prior to that, at a privately held bank in Bermuda. Hay also served as a product, program and engineering manager at Q1 Labs (now IBM) and was responsible for the entire portfolio of third-party technology partner integrations.
