PCI compliance in the cloud decoded
Andrew Hay, chief evangelist, CloudPassage
The Payment Card Industry's (PCI) Cloud Special Interest Group (SIG) is responsible for evaluating cloud technology – particularly public cloud – and providing guidance on achieving PCI Data Security Standard (PCI DSS) compliance within these environments.
The output of the SIG was an information supplement titled “PCI DSS Guidance: Cloud Technologies.” The document was released by the PCI Security Standards Council in February, after several rounds of internal review and revision, and aims to clarify a number of cloud-related questions, including the requirements for host-based controls on traffic between environments, and how the shared-infrastructure model relates to PCI DSS scoping.
In the guidance, the SIG acknowledges that monitoring and control of virtual machine (VM)-to-VM traffic isn't feasible in all cloud environments, especially not in those hosted by third-party cloud service providers (CSPs). To address VM-to-VM communications that do not, or cannot, pass through traditional network-based security controls, the SIG recommends additional host-based security controls to monitor and control that traffic.
According to the SIG, examples of controls to be considered when evaluating segmentation options include, but are not limited to:
- Physical firewalls and network segmentation at the infrastructure level
- Firewalls at the hypervisor and VM level
- VLAN tagging or zoning in addition to firewalls
- Intrusion-prevention systems at the hypervisor and/or VM level to detect and block unwanted traffic
- Data-loss-prevention tools at the hypervisor and/or VM level
- Controls to prevent out-of-band communications occurring via the underlying infrastructure
- Isolation of shared processes and resources from client environments
- Segmented data stores for each client
- Strong, two-factor authentication
- Separation of duties and administrative oversight
- Continuous logging and monitoring of perimeter traffic, and real-time response
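To make the host-based option concrete, the following is an added example (not code from the SIG guidance or from CloudPassage) of a default-deny segmentation policy enforced on an in-scope VM itself, so that it holds even where VM-to-VM traffic never touches a network firewall. The policy is evaluated per flow and rendered as an nftables ruleset; the subnets, host addresses and ports are hypothetical.

```python
"""Host-based segmentation policy for an in-scope (CDE) VM.

Added example: the CDE layout, subnets and ports below are hypothetical,
not taken from the PCI SIG guidance. Every inbound flow is denied unless
a rule explicitly allows it, which is what makes the VM's own firewall a
usable segmentation control when VM-to-VM traffic bypasses network devices.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: ipaddress.IPv4Network
    proto: str   # "tcp" or "udp"
    port: int


# Hypothetical policy for a cardholder database VM: only the application tier
# may reach the database port, only the bastion host may reach SSH.
CDE_DB_POLICY = [
    Rule("app-tier-to-db", ipaddress.ip_network("10.10.20.0/24"), "tcp", 5432),
    Rule("bastion-ssh", ipaddress.ip_network("10.10.0.5/32"), "tcp", 22),
]


def is_allowed(policy, src_ip, proto, port):
    """Default-deny decision for an inbound flow to this VM."""
    src = ipaddress.ip_address(src_ip)
    return any(
        src in r.source and r.proto == proto and r.port == port
        for r in policy
    )


def render_nftables(policy, iface="eth0"):
    """Render the policy as an nftables ruleset with a drop-by-default input
    chain, a logged drop for everything unmatched, and one accept per rule."""
    lines = [
        "table inet cde_host {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for r in policy:
        lines.append(
            f'    iif "{iface}" ip saddr {r.source} {r.proto} dport {r.port} '
            f'accept comment "{r.name}"'
        )
    # Log unmatched traffic so the drop is visible to monitoring, then drop it.
    lines += [
        '    log prefix "cde-drop: " counter drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nftables(CDE_DB_POLICY))
```

The rendered text can be loaded on the VM with `nft -f`. Keeping the policy as data, rather than as hand-edited firewall rules, lets the same source be reviewed by an assessor, versioned with the VM image, and re-applied every time the instance is activated.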
That being said, the SIG does point out that traditional security software and security device functions often do not scale well to a cloud environment. Also, traditional agent-based software security solutions that are not designed for virtualized environments may cause operational issues.
For example, Section 3.4.1 of the SIG guidance states that “[Software agents] often used for anti-virus, each use a small percentage of memory and processing resources which can result in a large overhead where multiple agents are installed on multiple VMs on the same host.”
The fact is that security and monitoring solutions for virtual networks are still evolving and are not as mature as those available for physical networks. As stated by the SIG, “It is difficult to maintain up-to-date, secure configurations on virtual machines when they are being activated and deactivated in rapid cycles.” The SIG also states that “Virtual machines that are dormant for any period of time may be improperly secured or introduce security vulnerabilities when activated” – issues rarely encountered in traditional data center environments.
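One practical answer to the dormant-VM problem the SIG describes is to gate activation on a configuration check: compare the instance against the image's known-good baseline before it is allowed to rejoin the cardholder data environment. The following is an added example, not code from the guidance or from CloudPassage; the baseline, the snapshot of a VM coming out of dormancy, the package versions and the patch-age threshold are all constructed for illustration.

```python
"""Activation-time check for a VM that may have been dormant.

Added example. BASELINE is a constructed golden image description and
SNAPSHOT a constructed view of a VM just brought back online; on a real
host the snapshot would be collected from the filesystem and package manager.
"""
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def version_tuple(v: str):
    """Compare dotted numeric versions ("3.0.9" < "3.0.13")."""
    return tuple(int(x) for x in v.split("."))


# Constructed baseline: hashes of security-relevant files, minimum package
# versions, and how long the VM may go without a patch run (hypothetical).
BASELINE = {
    "files": {
        "/etc/ssh/sshd_config": sha256_hex(
            b"PasswordAuthentication no\nPermitRootLogin no\n"),
        "/etc/nftables.conf": sha256_hex(b"table inet cde_host { ... }\n"),
    },
    "required_packages": {"openssl": "3.0.13", "openssh-server": "9.6"},
    "max_patch_age_days": 30,
}

# Constructed snapshot of a VM after two months dormant: sshd_config has
# drifted, openssl is behind the baseline, and patches are stale.
SNAPSHOT = {
    "files": {
        "/etc/ssh/sshd_config": sha256_hex(
            b"PasswordAuthentication yes\nPermitRootLogin no\n"),
        "/etc/nftables.conf": sha256_hex(b"table inet cde_host { ... }\n"),
    },
    "packages": {"openssl": "3.0.9", "openssh-server": "9.6"},
    "last_patch": date(2024, 1, 10),
}


def check_activation(baseline, snapshot, today):
    """Return a list of findings; an empty list means the VM may rejoin."""
    findings = []
    for path, want in baseline["files"].items():
        got = snapshot["files"].get(path)
        if got is None:
            findings.append(f"missing: {path}")
        elif got != want:
            findings.append(f"drift: {path}")
    for pkg, want in baseline["required_packages"].items():
        got = snapshot["packages"].get(pkg)
        if got is None:
            findings.append(f"missing-package: {pkg}")
        elif version_tuple(got) < version_tuple(want):
            findings.append(f"outdated: {pkg} {got} < {want}")
    age_days = (today - snapshot["last_patch"]).days
    if age_days > baseline["max_patch_age_days"]:
        findings.append(f"stale-patches: {age_days} days")
    return findings


if __name__ == "__main__":
    for finding in check_activation(BASELINE, SNAPSHOT, date(2024, 3, 10)):
        print(finding)
```

Wiring this into the instance's boot sequence (for example, refusing to start the application service or to add the host firewall's accept rules until the findings list is empty) turns the SIG's observation into an enforced control rather than a periodic audit item.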
What about the scope of the PCI environment in a shared infrastructure? As a customer, you are free to choose whichever CSP you wish, just as you should be free to move your servers, applications, and data between CSPs. You should note, however, that if your CSP has not itself been assessed as PCI DSS compliant, you will likely run into issues validating your own compliance. According to the Cloud SIG, “CSPs that have not undergone a PCI DSS compliance assessment will need to be included in their client's assessment. The CSP will need to agree to provide the client's assessor with access to their environment in order for the client to complete their assessment.”
Therefore, if you need to be compliant while operating on a non-compliant CSP's infrastructure, the scope of your assessment would need to include your CSP's infrastructure and processes as well as your own. In practice this pushes every CSP to implement the controls required by the PCI DSS if it wants to attract customers hosting in-scope servers, applications, and data on its infrastructure.
The guidance also explicitly states, “Clients are still required to validate their compliance in accordance with payment brand programs.” This means that a CSP's compliance does not transfer to the customer's servers, applications, and data, and the customer's compliance does not extend to the CSP.
At the end of the day, the guidance is just that, guidance. Ultimately, the decisions regarding the applicability of chosen controls, architecture, and practices will be up to the PCI Qualified Security Assessors (QSAs) performing the assessment.
Will this result in a rush to cloud for PCI? Will previously hesitant organizations finally take the plunge? It's hard to say. I would, however, be interested in hearing your thoughts on the matter.
Find Hay tweeting at @andrewsmhay.