This is page 2 of:
PCI Compliance In The Cloud
The driving force behind the move to the cloud is economics: low cost, high availability, almost instant expandability. The downsides of cloud computing are increased risk and loss of direct control over the computing environment. Perhaps because of this perceived risk, the most common applications companies move to the cloud are human resources, sales force and customer management, payroll and maybe E-mail.
A piece of sound advice I heard from several cloud experts is to start by moving relatively low-value, what some might call “housekeeping,” applications to the cloud. This approach allows an organization to get experience with the cloud and its cloud provider before migrating more mission-critical (e.g., payment) applications.
Step one to determining how you will achieve PCI compliance with a cloud provider is to understand what you are buying. Not all “clouds,” and certainly not all cloud providers, are the same. A merchant will contract with a cloud provider for either computing infrastructure alone, a platform to host its application or a complete service, including the application. In each case, the SLA negotiated by the merchant will require different controls, visibility, transparency and evidence to support PCI compliance.
Based on what I heard at the RSA Conference and discussions with providers and others, here is my understanding of what a merchant or service provider needs to consider when moving to the cloud.
If a cloud provider offers infrastructure as a service (IaaS), that means the cloud provider is offering, essentially, bare metal; the merchant provides everything else. Think of this as a co-location facility with fancy marketing. The merchant brings the operating system and applications, and it manages all firewalls, logging, access, etc. Therefore, an IaaS cloud client is responsible for, and needs the ability to manage, all these functions to validate its PCI compliance. The focus of the SLA will be availability and platform security, including the cloud provider’s ability to demonstrate security in the layer(s) below you.
A platform as a service (PaaS) cloud provider goes to the next step and supplies an operating system and application platform. The customer (whether merchant or service provider) brings its own application and maintains its own database. In this case, you need to understand what services are “shared” with other users. The focus of the SLA now also includes all the aspects of multi-tenancy, such as where your data reside (logically, and maybe physically), how logging is handled and what visibility you have into the provider’s controls and procedures.
With software as a service (SaaS) cloud providers, a merchant is buying (or hopes to be buying) the complete outsourced package. The merchant needs an SLA that defines which party—it or the cloud provider—is responsible for each PCI requirement.
Looking at this, it is clear that PCI compliance in the cloud is more a matter of context than technology. That is, the same PCI requirements apply. A merchant’s first step is to identify which service(s) it will perform and which the cloud provider will perform. Then the merchant’s own PCI compliance will depend on each party’s compliance.
That a cloud provider is on the list of PCI-validated Level 1 Service Providers is a good start. But it is not the end of the merchant’s work. Merchants need to understand what services were included in the scope of the assessment. For example, a cloud provider could have validated IaaS but is selling PaaS. Nothing about cloud computing has invalidated any part of Requirement 12.8. A merchant’s compliance—and security—will be only as reliable as the service provider’s actual implementation.
Achieving the expected benefits of cloud computing requires the cloud service provider to be competent, diligent and vigilant every second of every day. Each party needs to understand its roles and which party will be responsible for each PCI requirement. I have seen some vendor spreadsheets that list each PCI requirement and, alongside it, whether it is a customer, vendor or shared responsibility. If your vendor can’t give you this level of detail, I’d consider delaying any further conversation until it can. Without this knowledge, a merchant cannot even begin to scope its PCI assessment or prepare an SLA.
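The responsibility spreadsheet described above, together with the earlier warning about a provider that validated IaaS but sells PaaS, lends itself to a small automated sanity check. The following is an added illustration, not code from this column or from any vendor’s spreadsheet: it models a vendor’s responsibility matrix as a list of assignments, assumes which stack layers each service model includes (IaaS through virtualization, PaaS adds OS and platform, SaaS adds the application), and flags requirements nobody owns, requirements the provider claims in a layer its validated assessment never covered, and requirements pushed onto a customer who does not operate the layer where the control lives. The twelve high-level PCI DSS requirement titles are real; the layer placements and the sample matrix are constructed for the example.

```python
"""Shared-responsibility matrix checker for a cloud PCI engagement (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Owner(Enum):
    CUSTOMER = "customer"
    PROVIDER = "provider"
    SHARED = "shared"


# Stack layers, bottom-up. Assumption for this example: a service model covers
# every layer up to and including its top layer.
LAYERS = ["facility", "hardware", "network", "virtualization", "os", "platform", "application"]
MODEL_TOP_LAYER = {"IaaS": "virtualization", "PaaS": "platform", "SaaS": "application"}


def layers_for(model: str) -> set:
    """Layers the provider operates when it sells the given service model."""
    return set(LAYERS[: LAYERS.index(MODEL_TOP_LAYER[model]) + 1])


@dataclass(frozen=True)
class Assignment:
    req: str                 # PCI DSS high-level requirement number
    title: str
    owner: Optional[Owner]   # None = the vendor's matrix does not say
    layer: Optional[str]     # where the control lives; None for policy-level items


def unassigned(matrix):
    """Requirements nobody has taken ownership of: a gap before scoping can start."""
    return [a.req for a in matrix if a.owner is None]


def provider_claims_outside_validation(matrix, validated_model):
    """Requirements the provider owns or shares that sit in a layer its validated
    assessment never covered (for example validated IaaS, selling PaaS)."""
    covered = layers_for(validated_model)
    return [a.req for a in matrix
            if a.owner in (Owner.PROVIDER, Owner.SHARED)
            and a.layer is not None and a.layer not in covered]


def customer_cannot_control(matrix, sold_model):
    """Requirements pushed onto the customer although the control lives in a
    layer the provider operates under the model being sold."""
    provider_layers = layers_for(sold_model)
    return [a.req for a in matrix
            if a.owner is Owner.CUSTOMER and a.layer in provider_layers]


def customer_must_validate(matrix):
    """Everything that lands in the merchant's own assessment scope."""
    return [a.req for a in matrix if a.owner in (Owner.CUSTOMER, Owner.SHARED)]


def review(matrix, sold_model, validated_model):
    """Bundle the checks a merchant should run before accepting a vendor's matrix."""
    return {
        "unassigned": unassigned(matrix),
        "outside_validation": provider_claims_outside_validation(matrix, validated_model),
        "customer_cannot_control": customer_cannot_control(matrix, sold_model),
        "customer_scope": customer_must_validate(matrix),
    }


# Constructed sample: a vendor matrix for a PaaS offer. Layer placements are assumptions.
C, P, S = Owner.CUSTOMER, Owner.PROVIDER, Owner.SHARED
SAMPLE_MATRIX = [
    Assignment("1", "Firewall configuration", P, "network"),
    Assignment("2", "No vendor-supplied defaults", P, "os"),
    Assignment("3", "Protect stored cardholder data", C, "application"),
    Assignment("4", "Encrypt transmission over open networks", S, "network"),
    Assignment("5", "Anti-virus", P, "os"),
    Assignment("6", "Secure systems and applications", C, "application"),
    Assignment("7", "Restrict access by need to know", C, "application"),
    Assignment("8", "Unique IDs for computer access", S, "platform"),
    Assignment("9", "Restrict physical access", P, "facility"),
    Assignment("10", "Track and monitor access to network resources and cardholder data", S, "platform"),
    Assignment("11", "Regularly test security systems and processes", None, "platform"),
    Assignment("12", "Security policy, including 12.8 service-provider management", C, None),
]

if __name__ == "__main__":
    # Provider sells PaaS but its listed validation covered IaaS only.
    for key, reqs in review(SAMPLE_MATRIX, "PaaS", "IaaS").items():
        print(f"{key}: {reqs}")
```

Run against the sample, the review reports Requirement 11 as unowned, Requirements 2, 5, 8 and 10 as provider claims that an IaaS-only validation never examined, and Requirements 3, 4, 6, 7, 8, 10 and 12 as the merchant’s own assessment scope. Re-running the same matrix as if it were a SaaS offer flags Requirements 3, 6 and 7, because a SaaS customer does not operate the application layer where those controls were placed.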
What do you think? I’d like to hear your thoughts on cloud computing or SLAs. Either leave a comment or E-mail me at wconway@403labs.com.
March 14th, 2011 at 10:24 am
Payment risks and cloud service quirks certainly call for putting together an appropriate SLA. Many small businesses as well as merchants have similar risks when putting other sensitive financial or sales data in the cloud. Small businesses are especially vulnerable to these risks since they may not realize there are technology holes or just do not have the technical expertise or staff to develop or negotiate an SLA.
March 22nd, 2011 at 6:45 pm
Dear Walter,
I’m not a PCI specialist and (because of this?) wonder if there is – so far – a real interest to move such a critical application to the wild wide cloud? The cloud magic lies in its amazing efficiency thanks to massive and virtualized infrastructure and a high level of automation/orchestration. The level of complexity and trust required by PCI compliance will likely limit suppliers to very specialized ones. Hence, the true added value would be this specialized knowledge rather than plain computing power and flexibility. A bit like renting a cheap car driven by a rock star. Am I missing a point?
All the best, Thierry.
March 25th, 2011 at 5:56 pm
Thanks for the comments!
Dr. P: I agree it can be difficult to put together an SLA even with a lot of resources. I am hoping to try and do a little bit more on that in an upcoming column.
Thierry: You asked if there is any real interest in moving a mission-critical application like payments to the cloud. I can tell you from first hand experience that there most definitely is such interest, and it is not just merchants, but their service providers, too. I’ll not comment specifically on your analogy (I’d get the cloud providers mad at me for saying they are like “cheap cars”…), but you raise the first half of what I think is the key issue: trust.
The other half? It is: verify. And this will not be easy.