Monday, August 22, 2016

PCI Security in the Cloud: have you considered everything?


With its scalability, speed of deployment and cost effectiveness, it’s clear to see why cloud computing has become one of today’s most enticing technologies.

Yet, despite the trumpeted business and technical advantages of cloud computing, there are significant concerns over certain aspects of it, including reduced control and governance, regulatory requirements, and excessive standardisation.
However, the biggest area of concern remains security. Will corporate and customer data be safe? What about data protection and legal compliance requirements? What are the corporate risks involved in entrusting a single entity with the data of an entire organisation?
Cloud advocates will argue that customers stand to benefit from multiple points of replication and defence and from the use of sophisticated technologies that individual companies could not afford; others insist that cloud computing is a ‘security nightmare’.
Whilst this view may be a little extreme, cloud computing is already having a major impact on the way we think about PCI compliance and react to a variety of information security issues.

Compliance status assumptions

When it comes to cloud security, we tend to ignore several important aspects.

When selecting a cloud service provider and prior to migration, you must ensure that the cloud service provider is PCI DSS compliant and certified.

»       Ask the cloud service provider to provide a valid Attestation of Compliance (AOC).
»       Review the cloud service provider’s AOC to ensure it specifies the exact PCI DSS requirements against which the provider has been assessed; anything not listed there remains your responsibility.


One of the most common wrong assumptions is that the cloud service provider will manage the security features and instances on your behalf. For example, many customers assume that the cloud service provider will be responsible for security updates of the operating system, which often results in an improper security update procedure that may place the customer’s environment at risk. Other examples of aspects frequently not covered by cloud service providers include:

»       Operating system security updates
»       Host-based anti-malware solutions
»       Central logging solution
»       Ongoing internal vulnerability assessments
»       Intrusion detection/prevention mechanisms

Establishing and adhering to a shared responsibility matrix, which states for each control whether the customer or the provider owns it, will assist in ensuring a secure posture and prevent potential liabilities in the event of an incident. This will also place both parties in the best position to meet PCI DSS requirements 12.8 and 12.9.

Many companies also tend not to have the required policies in place for the cloud, including an access control policy, network access list management, and audit log review. It’s important to ensure that there are standards and policies that cover not only the system components but the entire cloud ecosystem. Examples of policies and procedures frequently ignored in a cloud environment include:

»       Access control policy
»       Access control procedures, including multi-factor authentication
»       Network segregation policies, including the management of the access lists within the environment
»       Audit log review, which includes the cloud service provider’s internal audit logs

It’s important to ensure you have documented policies and procedures for your cloud environment, which are regularly reviewed and updated as the PCI DSS requires.

Migration to the cloud can be a very efficient way to reduce IT management costs and overhead, the PCI scope of assessment and the compliance maintenance burden, provided the responsibilities above are understood and documented.

Need help with addressing your cloud environment security challenges?

For an initial discussion on how Comsec Consulting UK can help, please call Lee Porter or Nadav Shatz on 0203-463-8727.