Amazon's higher end Web cloud offering is often considered one of the more secure cloud options. But a careful read of Amazon's FAQ raises very serious compliance questions.
Let's start with PCI's own virtualization guidelines from June 2011: "In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity's CDE. These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."
That seems pretty clear. In a public cloud environment—such as AWS—the retailer must be able to examine credible evidence, demonstrating that all elements of the environment are secure, and not simply rely on a third-party's word. That includes the virtual private cloud (VPC) alternative, because even its isolated network space relies on an AWS-based infrastructure. Therefore, to effectively support merchants and service providers who choose to use their services, Amazon should readily be prepared to be forthcoming and supportive of QSA validation, right? Not quite.
This is from Amazon's FAQ: "A merchant can obtain certification without a physical walkthrough of a service provider's data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant's QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers."
Amazon takes this position despite PCI DSS version 2.0 requirement 9 validation requirements, which instruct that the QSA verify physical controls and that both the QSA and the merchant/service provider annually verify storage location security.
Perhaps compliance is still possible, if we assume the following is provided by Amazon. For example, Amazon would have to provide report on compliance (ROC) content completed within a reasonable period of time from the date of assessment, given that PCI assessments must reflect a specific point of time. Amazon would also need to detail specific control evaluations, in addition to detailing how each control applies to merchant/service provider-defined cardholder data environment scope.
But what are the odds of this happening, given that Amazon won't permit a simple walkthrough, let alone a customer site visit?
Then again, as Amazon states on its AWS Security and Compliance Center page, "Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers." Therein lies perhaps the most puzzling of questions for cloud service adoptees: Where exactly is your data? We can only assume, based on Amazon's documentation, that the secrecy is "a security thing."
In fact, datacenter providers have long grumbled at having QSAs complete walkthroughs of their facilities, and yet it happens everyday without any known case of malicious security incident. So, is Amazon to be treated as a case of some datacenters being more equal than others? Not if the merchant QSA is adhering to the ROC Reporting Instructions.
Amazon continues: "The AWS environment is a virtualized, multi-tenant environment. AWS has effectively implemented security management processes, PCI controls, and other compensating controls that effectively and securely segregate each customer into its own protected environment."
Hmmm. OK. Well, we know that compensating controls are used when a PCI DSS requirement cannot be met due to identified constraint and that they must also meet the intent and rigor of the original control. Notice how there is no mention of compensating control worksheets being included in the PCI Compliance Package? Perhaps if the merchant asks nicely.
Amazon is indeed offering some documentation about how its QSA has approved what Amazon has done. But what's missing is documentation—and access—so your QSA can do the same for you.
Disagree? Would love to hear from you, either with a comment below or you can zap me an E-mail.