When IT teams start talking about Infrastructure as a Service, I expect that corporate compliance officers hear virtual alarm klaxons, along with the not-so-friendly warning, "Sir, step away from the cloud."
We have been taught that data governed by PCI and the cloud do not mix, but is that really true?
If you peruse the recent Cloud supplement to the Payment Card Industry Data Security Standard (PCI-DSS), you'll find a statement, buried somewhere in the middle of page 15, that reads:
Recommendations for minimizing and simplifying PCI DSS scope in a cloud environment include:
Don't store, process or transmit payment card data in the cloud. This is the most effective way to keep a cloud environment out of scope, as PCI DSS controls are not required if there is no payment card data to protect.
In other words, PCI compliance is a whole lot easier if you don't use the public cloud. Ouch!
But then, there is reality. Organizations are moving to the public cloud in record numbers, and many of these companies are now thinking about how to migrate even mission-critical apps -- including those that might be regulated by PCI (or other privacy laws). It is certainly possible to be PCI compliant in the public cloud, but it does take some know-how.
Reducing Scope
When seeking compliance, one of the biggest questions that merchants or payment processors tend to deal with is 'scope': that is, how to contain card data within the fewest possible systems, thereby simplifying the compliance process. When data lived in a fixed database, running on a dedicated physical server locked in your data center, limiting PCI scope was a lot easier.
Now, introduce server virtualization -- the foundation of most cloud infrastructures -- where computing resources 'float' dynamically above physical hardware, often sharing resources with other applications. This adds many new layers of complexity to the concept of scope and introduces new potential points of attack.
If you leverage the public cloud, you have limited control over the underlying infrastructure, so data security and PCI compliance become a joint initiative with your CSP. But make no mistake: you are still wholly responsible if things go wrong!
The PCI cloud supplement outlines a number of technologies and methodologies that can be used to limit scope. But it leaves some glaring holes, including:
- Storage: there is very little discussion of the storage subsystems that back the virtual machines. These systems potentially house cardholder data and therefore must be considered in scope. Yet CSPs typically co-mingle data from many different customers on them, making segmentation challenging and potentially costly.
- Backups: For availability and quick recovery, CSPs typically back up and replicate at the VM level. These copies are exact replicas of the data in the primary VM, and must be protected.
- Hypervisors: Unless it's encrypted in the VM, data travels through the hypervisor in the clear, and then could go over fibre channel, iSCSI or NFS to storage, leaving it open to any administrator with access to these systems, or to a malicious intruder who gains entry. Plus you're sharing the same storage fabric as everyone else!
In my opinion, encryption, combined with strong access controls, is the most effective way to create secure multi-tenancy in a shared infrastructure. If you encrypt within the guest OS of the VM, you can lock down data from the moment it's created, through the hypervisor, and all the way through to storage and backups. Further, this type of encryption allows for mobility: the protection travels with the VM when it is moved.
At a minimum, the PCI regulations recommend keeping the encryption keys separate from data, and security best practice would dictate that only you have access to them.
In short, I believe it's absolutely possible to use the cloud for PCI-regulated data, but there are some key steps to be followed:
- Find the right service provider. There are CSPs who are 'PCI-compliant.' But choosing a compliant provider doesn't mean you are too -- you need to understand exactly which components of their infrastructure they will take responsibility for, and how you'll work together.
- Find a well-educated Qualified Security Assessor (QSA) who knows cloud technology, or determine if you have the knowledge internally. IMHO, very few organizations have the depth of knowledge needed in this area, and will likely get it wrong if they don't get help.
- Become very well educated yourself. The more you understand the guidelines and your data flow, the easier compliance will become.
- Deploy your own encryption (in the guest OS of each VM) and make sure you control the keys.
- Request that your CSP encrypt VM snapshots and VM backups. Though these files are often transient, they can still contain sensitive data.
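One concrete check for the "control the keys" step above, added here as an example and not code from the original post: audit a guest's /etc/crypttab and flag any dm-crypt/LUKS mapping whose key file lives inside the VM, because a VM-level snapshot or backup would then carry both the ciphertext and the key. It assumes a Linux guest using /etc/crypttab (name, device, key source, options) and the Debian-style `keyscript=` option; the sample crypttab is constructed for this demonstration.

```python
import shlex

# Constructed sample /etc/crypttab for a PCI guest VM; not taken from any real system.
SAMPLE_CRYPTTAB = """\
# <name>  <device>                                    <key>                 <options>
carddb    /dev/xvdf                                   /etc/keys/carddb.key  luks
pcilogs   UUID=1b2c3d4e-aaaa-bbbb-cccc-111122223333   none                  luks,noauto
scratch   /dev/xvdg                                   /dev/urandom          tmp,cipher=aes-xts-plain64
kmsvol    /dev/xvdh                                   none                  luks,keyscript=/usr/local/sbin/fetch-key
"""

KEY_IN_GUEST = "key-in-guest"    # key file is persisted inside the VM image: captured by snapshots/backups
KEY_EXTERNAL = "key-external"    # key is supplied at unlock time or is ephemeral: never stored in the guest
KEY_SCRIPT = "key-via-script"    # key fetched by a script: confirm it pulls from a key server you control


def parse_crypttab(text):
    """Yield (name, device, key, options) for each mapping, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        name, device = fields[0], fields[1]
        key = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        yield name, device, key, options


def classify(key, options):
    """Decide where the unlock key for one mapping actually lives."""
    if any(opt.startswith("keyscript=") for opt in options):
        return KEY_SCRIPT
    if key in ("none", "-"):
        return KEY_EXTERNAL          # prompted or supplied from outside the guest at boot
    if key in ("/dev/urandom", "/dev/random"):
        return KEY_EXTERNAL          # throwaway key for swap/tmp volumes; nothing survives a reboot
    return KEY_IN_GUEST              # any other value is a file path on the guest's own disks


def audit_crypttab(text):
    """Return {mapping name: verdict} for every entry in the crypttab text."""
    return {name: classify(key, opts) for name, _dev, key, opts in parse_crypttab(text)}


def findings(text):
    """Names of mappings whose key would be copied along with the data by a VM snapshot or backup."""
    return sorted(n for n, v in audit_crypttab(text).items() if v == KEY_IN_GUEST)


if __name__ == "__main__":
    for name, verdict in audit_crypttab(SAMPLE_CRYPTTAB).items():
        print(f"{name:8s} {verdict}")
```

Run it against a real guest by feeding the contents of /etc/crypttab to `findings()`; each name it returns is a volume whose key must be moved out of the VM before the snapshot and backup concerns above are addressed.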
And if your compliance officer still hears alarms about the public cloud, it's certainly possible to leverage the benefits of virtualization in your own private cloud. Are you PCI compliant in the cloud? What worked (or didn't work) for you?