Compliance in the Cloud
March 24, 2011, 10:02 am EDT
For years now, journalists, analysts, vendors, and pretty much everyone else in the tech industry have been singing the praises of the cloud, touting such benefits as cost savings, enhanced service levels, unprecedented agility, and more. However, for those security teams working at PCI-regulated businesses, the cloud hype can seem pretty empty—unless some critical and fundamental security questions can be resolved.
It is important to start by stressing that PCI DSS, and the standards that preceded it, were intended to address a fundamental objective—reducing the incidence of card fraud by promoting a series of best practices in information security.
For the merchants, issuers, payment processors, service providers, and other organizations within the payment lifecycle, gaining compliance has never been a static, one-and-done event. The reality is that, since PCI DSS was unveiled, and even before each of the card brands issued their own standards, organizations’ PCI DSS compliance efforts have been an ongoing effort.
Over the years, standards, and their interpretation by qualified security assessors and other security professionals, have continued to evolve. Further, the infrastructures employed and threats needing to be addressed have also changed substantially. While the latest release of PCI DSS, version 2.0, is expected to be in effect for several years, compliance initiatives will continue to be an ongoing, concerted effort. Ensuring sustained compliance has been a critical objective for some time, and it will only grow more critical as organizations begin to plan and embark on their cloud initiatives.
While adapting to change is nothing new for security teams, the implications of the cloud present issues that are unprecedented. For the first time, this most recent version of the standard introduces wording around virtualization: Requirement 2.2.1 of PCI DSS 2.0, which already called for only one primary function per server so that functions requiring different security levels do not coexist, now states that where virtualization is in use, only one primary function should be implemented per virtual system component. The intent of this new wording is clear. Given the dynamic nature of virtualized resources, a virtual machine that serves several purposes (for example, a web front end and a database on the same guest) mixes functions with different security levels and different exposure, which makes it difficult to apply and demonstrate the controls needed to keep the handling of cardholder data PCI DSS compliant.
In order to migrate to the cloud, while ensuring sustained PCI DSS compliance and long-term security, organizations will need to apply a host of security capabilities to cloud-based assets.
Encryption: When properly implemented, encryption is one of the strongest ways to address several core PCI DSS requirements, including Requirement 3 and its mandate to protect stored cardholder data. Sub-requirement 3.4 requires that the PAN be rendered unreadable anywhere it is stored, and strong cryptography with associated key management is one of the accepted methods. "Properly implemented" means a vetted algorithm and mode, keys that are used for one purpose only, and, above all, keys that are not stored alongside the data they protect. This holds true in cloud environments, just as it does in the traditional datacenter or other computing environments.
Key Management: Requirements 3.5 and 3.6 of PCI DSS outline a host of requirements for managing cryptographic keys securely, including restricting access to keys to the fewest custodians necessary, storing keys securely and in the fewest possible locations, generating strong keys, changing keys at the end of their defined cryptoperiod, retiring keys that have been weakened or are suspected of compromise, and split knowledge and dual control over manual key-management operations, among others.
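As an added example (not SafeNet's code, nor the product this post describes) of the mechanics behind the Encryption and Key Management bullets above: a small Go program that encrypts a PAN with AES-256-GCM under a per-record data encryption key (DEK), wraps that DEK under a key-encrypting key (KEK) that is rebuilt from two custodians' components (split knowledge and dual control), and rotates the KEK without touching the stored ciphertext. The record IDs, the "dek:" label used as associated data and the test PAN 4111111111111111 are constructed for illustration; AES-GCM is used here for both data encryption and key wrapping, where a production system would more likely use a dedicated key-wrap algorithm and keep the KEK inside an HSM or key manager rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad binds the blob to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on any change to nonce, ciphertext, tag or aad.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// CombineComponents rebuilds the KEK from two components held by separate
// custodians: split knowledge (neither knows the key) and dual control (both must act).
func CombineComponents(a, b []byte) ([]byte, error) {
	if len(a) != 32 || len(b) != 32 {
		return nil, errors.New("each key component must be 32 bytes")
	}
	kek := make([]byte, 32)
	for i := range kek {
		kek[i] = a[i] ^ b[i]
	}
	return kek, nil
}

// EncryptedPAN is the stored form: PAN ciphertext plus its per-record DEK,
// wrapped under the KEK, which itself never reaches the data store.
type EncryptedPAN struct {
	RecordID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptPAN draws a fresh DEK, encrypts the PAN under it and wraps the DEK under the KEK.
func EncryptPAN(kek []byte, recordID, pan string) (*EncryptedPAN, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, []byte(pan), []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+recordID)) // "dek:" label is a constructed convention
	if err != nil {
		return nil, err
	}
	return &EncryptedPAN{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptPAN unwraps the DEK with the KEK, then decrypts the PAN.
func DecryptPAN(kek []byte, rec *EncryptedPAN) (string, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte("dek:"+rec.RecordID))
	if err != nil {
		return "", err
	}
	pan, err := open(dek, rec.Ciphertext, []byte(rec.RecordID))
	return string(pan), err
}

// RotateKEK re-wraps the DEK under a new KEK at the end of the old one's
// cryptoperiod; the PAN ciphertext is untouched, so no data is re-encrypted.
func RotateKEK(oldKEK, newKEK []byte, rec *EncryptedPAN) error {
	aad := []byte("dek:" + rec.RecordID)
	dek, err := open(oldKEK, rec.WrappedDEK, aad)
	if err != nil {
		return err
	}
	rewrapped, err := seal(newKEK, dek, aad)
	if err == nil {
		rec.WrappedDEK = rewrapped
	}
	return err
}
```

Calling CombineComponents with the two custodians' components and then EncryptPAN and DecryptPAN gives the round trip; RotateKEK is the point of the envelope design: the KEK can be changed on its cryptoperiod, or retired after a suspected compromise, by re-wrapping the small DEKs while the bulk ciphertext stays where it is, whereas retiring a DEK does require re-encrypting the records it protected. The associated data ties each wrapped DEK and each ciphertext to its record ID, so a blob copied into another record fails to decrypt instead of silently yielding the wrong card. XOR components give split knowledge only if each component is full length and independently random; a short or predictable component leaks the key.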
Policy Enforcement: Cloud deployments pose a host of challenges from a policy enforcement standpoint, and overcoming them is essential if organizations are to remain compliant with PCI DSS. To address these issues, security teams need on-premises, centralized, and granular control over user access. This includes assigning policies at the group and user level, and applying those settings to specific instances and volumes in the cloud, so that who may decrypt or reach cardholder data is decided by the organization's own policy rather than by the provider's defaults.
It is critical to realize that, from the perspective of an organization's responsibilities, the cloud changes nothing: every requirement still applies when sensitive data is migrated to the cloud, and using a provider that is itself PCI DSS compliant does not remove the need to confirm which requirements the provider covers and which remain the customer's. The key is to map out your strategy before moving to the cloud in order to maintain compliance.
This entry was posted in Cloud Security, Compliance, Data Center, Financial Services, Healthcare, Key Management, Retail, Tokenization by Trisha Paine.