PCI And Cloud Computing: It’s All About Scope
Written by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
If you missed the recent RSA Conference–that annual Woodstock for security professionals worldwide–all you need to do is put the words cloud, security and compliance in a sentence with just about any verb and you can pretend you were there.
The cloud is all the rage in corporate computing, and with good reason: It promises to significantly reduce your IT infrastructure investment and operating costs while improving availability. The issue for merchants is how to maintain security and validate PCI compliance in this brave new world of cloud computing. Are PCI and the cloud incompatible? Maybe the best place to start answering that question is by asking two more: What is so new about the cloud, and is it secure? But the ultimate question is, What does it do to my PCI scope?
The concept behind cloud computing is not new. It takes advantage of shared resources to give you, the user, the most bang for your computing buck. The cloud is like an updated version of 1970s timesharing, when users had dumb terminals connected over phone lines to remote mainframe computers that stored their data and applications.
The computing pendulum swung away from the centralized model toward desktop computing in the 1980s, with the acceptance of personal computers and the client/server model. With the spread of the Internet, cloud computing is moving us back to a centralized computing model–but one where the network, data and applications are all remote, that is, in the “cloud.” Other than the technology, there is not a lot new here.
If the cloud is not new, neither is the issue of security. If you consider the top security threats from cloud computing, you will find that they sound pretty familiar: improper use; insecure applications; malicious insiders; shared technology (for example, virtualization) vulnerabilities; data loss; and account hijacking. So the questions are the same. What has changed is the context.
CIOs need to assess the security of cloud packages as they evaluate what to move and when to move it to the cloud. The biggest security hurdle seems to be the transparency, interoperability and auditability of the cloud provider. That is, do you as CIO understand fully how and where your data are stored, what you will do if your cloud provider goes out of business, and whether you can adequately audit its performance?
Unfortunately, we have no reliable third-party seal of approval or assessment of cloud providers. And marketing hype is not going to fill that gap.
From a PCI compliance perspective, it all comes down to scope. That is, although the technology–primarily virtualization–may be new, the compliance concerns you need to address (see above) are the same. You need (hopefully together with your QSA) to tell the story of how you are meeting PCI requirements in the cloud.
What will you move to the cloud? It might be cardholder data, a payment application or another application that uses the cardholder data. Possibly your development system or even network will be in the cloud. Your decision will greatly determine what part of your PCI scope is in the cloud. It also helps to know what kind of cloud you are using: public, private or some combination of the two.
March 19th, 2010 at 6:53 pm
Thank you, Walt! It is refreshing to read an article (and a good one at that!) that discusses cloud computing and security which doesn’t get caught up in the industry hype.
March 26th, 2010 at 5:53 pm
One thing you didn’t cover here, but is crucial…
Will the Cloud provider *allow* audits?
There are cases where you cannot be compliant because they will not let you audit them – as a matter of policy. Layer 8+
Several of the “newer” challenges are Legal/Contract/Audit issues. Hosting and CoLo give us glimpses into these challenges, but this is still a big reason why many are not yet willing to put regulated data into clouds.