PCI Compliance Also on Cloud?

What about “PCI Compliance on Cloud?”


There _is_ a document on the Payment Card Industry (PCI) Security Standards Council (SSC) website:

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

Notice that this is a v2 (Feb 2013) document of the DSS (Data Security Standard), and we know that the latest DSS document is v3 (Nov 2013), but we can still figure out a few things by placing a couple of the updated v3 items next to the cloud-specific points.

[Image: PCI-on-cloud-Compliance]

So the ease of setup and maintenance makes some things easier and some harder.

Keeping track of logging and auditing is different on the “cloud.” Remember that the cloud really means a computer system managed by someone else.

So the interesting points in the PCI cloud document are the following:

Assuming that the physical security requirements are met (since that is the reason we are outsourcing the computer systems), what are the grey areas in a computer environment that is being managed by another company?

The obvious grey areas are encryption, data storage, logging access, hypervisor delineation (are the virtual machines actually separate?) and, in case of an incident, the actual incident response.

First problem: Logging access. The Cloud Service Provider (CSP) cannot give you, as the client, full access to the logs, since that would be a violation of other clients' data. So what logging can you actually see, and is that enough?

Second problem: Identity and access management review. The client can only have access to their own information; is that enough to put together a proper audit? It likely depends on the CSP.

Third problem: Hypervisor delineation. What will the CSP give as proof of virtual machine separation?

Of course, it depends on the type of cloud environment: Private, Public, or Hybrid. The differences come out for Software as a Service (SaaS) as well.

If you are using Software as a Service for credit card processing, does it need to be audited? The answer is yes, and here it becomes interesting as far as the pentesting area (included in the image above are the pentesting requirements, which were updated in v3 over v2 of the PCI DSS).

In pentesting there are also other problems that creep into the audit process: who do we get pentesting permission from? One cannot just perform a pentest without permission as a proper Ethical Hacker. The criminal hacker does not have this problem; to them the “cloud” system is just another computer, an IP address to hack. But we as ethical hackers have to worry about finding the right responsible party to get permission from.

As you can see, this PCI audit process can get very complicated very fast.

Now let’s move to the “Conclusions” from the PCI v2 cloud doc:

- UNDERSTAND your risk and security requirements first.
- CHOOSE a deployment model that aligns with your security and risk needs.
- EVALUATE different service options.
- KNOW what you want from your CSP.
- COMPARE providers and service offerings.
- ASK questions of the CSP and verify the responses, for example:
  - What does each service consist of exactly, and how is the service delivered?
  - What does the service provide with respect to security maintenance, PCI DSS compliance, segmentation, assurance, and what is the client responsible for?
  - How will the CSP provide ongoing evidence that security controls continue to be in place and are kept up to date?
  - What will the CSP commit to in writing?
  - Are other parties involved in the service delivery, security, or support?
- DOCUMENT everything with your provider in written agreements—for example, SLAs / Terms of Service contracts, etc.
- REQUEST written assurances that security controls will be in place and maintained.
- REVIEW the service and written agreements periodically to identify if anything has changed.

One thing that seems clear: the best time to get contractual requirements answered is before signing the contract.

This one especially seems to be good advice:

DOCUMENT everything with your provider in written agreements—for example, SLAs / Terms of Service contracts, etc.

Written documentation of all security controls is preferable as well.


This topic has more discussion and could uncover more issues, but the big one, who will control which part of the logs of the computer system managed by the CSP, is the most important in my book.

Remember the criminal hacker is likely already in your network or already in the CSP's systems.

[Image: cloud_computing_hackers are lurking]

Contact Us if you want a specific consulting engagement on PCI compliance in the cloud.
