With its scalability, speed of deployment and cost
effectiveness, it’s clear to see why cloud computing has become one of today’s
most enticing technologies.
Yet, despite the
trumpeted business and technical advantages of cloud computing, there appear
to be significant concerns over certain aspects of it, including
reduced control and governance, regulatory requirements, and excessive
standardisation.
However,
the biggest area of concern remains security. Will corporate and customer data be safe? What about
data protection and legal compliance requirements? What are the corporate risks
involved in entrusting a single entity with the data of an entire organisation?
Cloud advocates will argue that customers stand
to benefit from multiple points of replication and defence and from the use of
sophisticated technologies that individual companies could not afford; yet
others insist that cloud computing is a ‘security nightmare’.
Whilst this view may be a little extreme, cloud
computing is already having a major impact on the way we think about PCI
compliance and react to a variety of information security issues.
Compliance status assumptions.
When it comes to cloud
security, we tend to ignore several important aspects.
When selecting a cloud service provider, and prior to migration, you must ensure that the cloud service provider has been validated as PCI DSS compliant.
» Ask the cloud service provider to provide a valid, current Attestation of Compliance (AOC).
» Review the cloud service provider’s AOC to ensure it specifies the exact PCI DSS requirements the provider has been assessed against, and that the services you intend to use are among those covered by the assessment.
One of the most common mistaken
assumptions is that the cloud service provider will manage the security features
and instances on your behalf. For example, many customers assume that the cloud
service provider is responsible for operating system security updates; the result
is often that no proper patching procedure exists on either side, which
places the customer’s environment at risk. Other examples of aspects
frequently not covered by cloud service providers include:
» Operating system security updates
» Host-based anti-malware solutions
» Central logging solution
» Ongoing internal vulnerability assessments
» Intrusion detection/prevention mechanisms
Establishing and adhering to a shared
responsibility matrix, which states for each control whether the provider, the customer or both are responsible, will help maintain a secure posture and prevent
potential liabilities in the event of an incident. It also places both parties in the best
position to meet PCI DSS requirements 12.8 and 12.9.
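As an added illustration, not a tool from this article or from Comsec Consulting, the following Python script performs a simple gap check over a shared responsibility matrix. It flags controls that nobody has been assigned, provider-owned controls that the provider’s AOC does not list as assessed, and customer-owned controls for which the customer holds no evidence. The control names, the matrix, the AOC scope and the customer evidence are all constructed sample data; they are illustrative labels, not PCI DSS requirement numbers.

```python
from typing import Dict, Iterable, List

PROVIDER, CUSTOMER, SHARED = "provider", "customer", "shared"
VALID_OWNERS = {PROVIDER, CUSTOMER, SHARED}

# Baseline controls to check. The first five are the ones the article lists as
# frequently assumed to be the provider's job; the last two usually are the
# provider's. These are constructed labels, not PCI DSS requirement numbers.
CONTROLS: List[str] = [
    "os_security_updates",
    "host_anti_malware",
    "central_logging",
    "internal_vulnerability_scans",
    "ids_ips",
    "physical_security",
    "hypervisor_patching",
]


def find_gaps(matrix: Dict[str, str],
              aoc_scope: Iterable[str],
              customer_evidence: Iterable[str]) -> Dict[str, List[str]]:
    """Compare a responsibility matrix against what each party can evidence.

    matrix            control -> "provider" | "customer" | "shared"
    aoc_scope         controls the provider's AOC lists as assessed
    customer_evidence controls the customer has a documented, operated process for

    Returns three lists, in baseline order, of controls that are
    unassigned, assigned to the provider but absent from its AOC, or
    assigned to the customer but not evidenced by the customer.
    """
    aoc = set(aoc_scope)
    evidence = set(customer_evidence)
    for control, owner in matrix.items():
        if owner not in VALID_OWNERS:
            raise ValueError(
                f"{control}: owner must be one of {sorted(VALID_OWNERS)}, got {owner!r}")

    # Baseline first, then any extra controls the matrix introduces.
    all_controls = CONTROLS + [c for c in matrix if c not in CONTROLS]
    gaps: Dict[str, List[str]] = {
        "unassigned": [],
        "provider_not_in_aoc": [],
        "customer_no_evidence": [],
    }
    for control in all_controls:
        owner = matrix.get(control)
        if owner is None:
            gaps["unassigned"].append(control)
            continue
        # A shared control needs evidence from both sides.
        if owner in (PROVIDER, SHARED) and control not in aoc:
            gaps["provider_not_in_aoc"].append(control)
        if owner in (CUSTOMER, SHARED) and control not in evidence:
            gaps["customer_no_evidence"].append(control)
    return gaps


def sample_assessment() -> Dict[str, List[str]]:
    """Run the check on a constructed matrix showing the common mistakes."""
    matrix = {
        "physical_security": PROVIDER,
        "hypervisor_patching": PROVIDER,
        "os_security_updates": PROVIDER,   # customer assumes the provider patches guest OSes
        "central_logging": SHARED,
        "ids_ips": CUSTOMER,
        "internal_vulnerability_scans": CUSTOMER,
        # host_anti_malware deliberately left out: nobody owns it
    }
    # Constructed: what the provider's AOC actually says it was assessed for.
    aoc_scope = {"physical_security", "hypervisor_patching", "central_logging"}
    # Constructed: what the customer can show it operates.
    customer_evidence = {"internal_vulnerability_scans", "central_logging"}
    return find_gaps(matrix, aoc_scope, customer_evidence)


if __name__ == "__main__":
    for kind, items in sample_assessment().items():
        print(f"{kind}: {', '.join(items) or 'none'}")
```

In the constructed sample the guest operating system patching is the classic case: the customer has written it down as the provider’s job, but the provider’s AOC says nothing about it, so nobody is patching. The script treats a shared control as needing evidence from both parties, which is the conservative reading to take into a PCI DSS assessment.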
Many companies also tend not to
have the required policies in place for the cloud, including an access control
policy, network access list management, and audit log review. It is important
to ensure that there are standards and policies covering not only the
system components but the entire cloud ecosystem. Examples of policies and
procedures frequently ignored in a cloud environment include:
» Access control policy
» Access control procedures, including multi-factor authentication
» Network segregation policies, including the management of the access lists within the environment
» Audit log review, including review of the cloud service provider’s internal audit logs
It’s important to ensure you have documented policies and procedures for your cloud environment, which are regularly updated and reviewed per the PCI DSS requirements.
Migration to the cloud can be a very efficient way to reduce IT management costs and overhead, the PCI DSS scope of assessment and the compliance maintenance burden, provided the division of responsibilities is documented and validated before migration.
Need help with addressing your cloud environment security challenges?
For an initial discussion on how Comsec Consulting
UK can help please call Lee Porter or Nadav Shatz on 0203-463-8727.