Security & Compliance In The Cloud

Securing your cloud environment without sacrificing PCI DSS compliance

Securing your workloads in a cloud environment comes with different challenges from securing them in an on-premises location. If you were PCI DSS compliant before moving into a cloud environment, your stored credit card data should already have been protected with strong encryption, your business processes documented, and your policies aligned with the infrastructure in operation at the time. When you deploy and maintain an on-premises system or a co-location environment, you have complete control over which security controls are implemented. Within cloud services, however, the responsibilities become less clear-cut, and some responsibilities and services fall to the service provider. Storing data in a cloud environment has become the norm, with cryptographic keys managed by the cloud service provider or entire databases outsourced to a managed SaaS solution such as Azure SQL or Amazon Web Services Database Services. These new technologies call for a fresh assessment of traditional risk strategies, because outsourced and managed services directly affect production environments in terms of availability, confidentiality, and compatibility with your existing infrastructure and applications. Because data is no longer tied to a physical system or location, traditional security approaches need to evolve to address the emerging risk landscape and to account for the responsibilities of the service providers.

Migrating to the cloud can be a secure and compliant journey

Cloud service providers offer a plethora of new services that are attractive to many businesses and are intended to entice them into moving to the cloud. There still needs to be a secure way to do so while staying compliant. Some cloud providers are PCI DSS compliant for their hosting services, but that does not automatically make the customer PCI DSS compliant for their business process. The relationship between a hosted entity and the cloud service provider should be governed by a shared responsibility model that delineates the responsibilities of the service provider(s) and of their client. Certain services, solutions, and hosted platforms may also be in scope and should be assessed and confirmed to be compliant. If card data is stored, processed, or transmitted within a cloud environment, both the cloud service provider and the customer should be PCI DSS compliant. For this to work smoothly, there needs to be a shared understanding of the data risk and the security needs. Companies need to be mindful when choosing a cloud deployment model that suits the security and risk needs of their industry. A responsibility matrix defining the cloud's governance strategy is an appropriate way to make the responsibilities clear. To ensure that effective governance is implemented and maintained, your cloud provider should supply you with reporting and monitoring mechanisms. It is the responsibility of the organization leveraging the cloud service provider to determine how cardholder data will be stored in the cloud. There also needs to be documentation of end-to-end processes and data flows that shows a clear path of where cardholder data travels and resides throughout the cloud infrastructure. Appropriate deployment of cloud infrastructure is often provided by larger cloud providers such as Amazon Web Services, Microsoft Azure, and Google Compute Environment.

Protecting data in the cloud

It is important to identify and define how security is managed throughout the life cycle of the data and how the data is used within the environment. Data should be kept only as long as necessary and stored only in appropriate, secure locations. Data classification varies from organization to organization, and having a data classification system will help you identify and appropriately protect your sensitive or confidential data. Different levels of data sensitivity affect the protection requirements within your virtual environment, as part of your information governance security plan and risk tolerance. Cryptographic keys, passwords, user credentials, and cardholder data are some examples of data that need to be protected. In addition, cardholder data must be destroyed using secure methods that ensure the data is unrecoverable after destruction, in line with industry or company standards.

Best practices, strategies, and tools for securing cloud assets

Data and applications hosted on a cloud infrastructure may cause some uncertainty about who is responsible for protection and regulatory compliance. While the provider's infrastructure can be reasonably secured, the data you store in the cloud can only be safe with your help. Make sure your environment is properly configured for your applications and business process. For example, Amazon Simple Storage Service (S3) is a service that, if not configured correctly, exposes the contents stored within it to the internet unless the policies specify otherwise. In Microsoft Azure, the network access controls for resource groups have all outbound ports open by default, to allow the broadest possible range of network traffic. When using an S3 bucket in AWS, you cannot rely on AWS to encrypt that bucket by default; you must encrypt it yourself, using your own tools or the tools AWS offers. Two-factor authentication provided by the cloud service or a third-party provider can keep an environment safe by requiring multifactor authentication not only for the administrative console but also for the data contained within a hosted database or application. Two-factor authentication minimizes the risk of an attacker gaining access with stolen credentials by requiring an additional layer of authentication via biometrics or something you have (a certificate, a YubiKey, a push notification, etc.). Security in the cloud is not a matter of convention, and it is not against PCI DSS to store credit card data within the cloud. To stay PCI DSS compliant, it is imperative to secure the data appropriately with strong encryption, to have appropriate key rotation and key custodians, and to have a secure deletion method for removing the data.
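The paragraph above names three configuration checks a defender can make concrete: whether an S3 bucket's policy and Block Public Access settings leave its contents readable by anyone, whether the bucket has a default server-side encryption rule, and whether an Azure network security group still allows unrestricted outbound traffic. The following is an added example, not code from the article or from AWS or Microsoft: it audits a configuration snapshot for those three points. The snapshot dicts are constructed here in the shape of the AWS GetBucketPolicy, GetPublicAccessBlock and GetBucketEncryption responses and of an Azure NSG rule list; no cloud API is called, and the bucket name and KMS key alias are placeholders. The Azure default outbound rules (AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound) are the built-in rules every NSG carries.

```python
"""Audit a constructed cloud configuration snapshot for three misconfigurations:
an S3 bucket readable by anonymous principals, a bucket with no default
server-side encryption, and an Azure NSG whose Internet egress is unrestricted.
No cloud API is called; a real audit would fill the dicts from boto3 and
azure-mgmt-network responses of the same shape (assumption, not shown here)."""
import json
from typing import Dict, List


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_grants_public_read(policy_json: str) -> bool:
    """True if an Allow statement lets an anonymous principal ('*') read objects
    and carries no Condition block narrowing who may use it."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or principal == {"AWS": "*"}
        if stmt.get("Effect") != "Allow" or not anonymous or stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"s3:getobject", "s3:*", "*"}:
            return True
    return False


def audit_s3_bucket(bucket: Dict) -> List[str]:
    """Return the findings for one bucket snapshot (empty list means clean)."""
    findings = []
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k, False) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                           "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append("S3 Block Public Access is not fully enabled")
    # RestrictPublicBuckets confines a public policy to the account's own principals,
    # so an open policy is only reported when that guard is off.
    if bucket.get("Policy") and policy_grants_public_read(bucket["Policy"]) \
            and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy grants anonymous object read")
    if not bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules"):
        findings.append("no default server-side encryption rule")
    return findings


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def nsg_outbound_decision(rules: List[Dict], dest_port: int) -> str:
    """Emulate NSG evaluation for a flow to the Internet service tag on dest_port:
    rules are tried from the lowest priority number up and the first match decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Outbound":
            continue
        if rule["destinationAddressPrefix"] not in ("*", "Internet"):
            continue
        if not _port_matches(rule["destinationPortRange"], dest_port):
            continue
        return rule["access"]
    return "Deny"


# Azure's built-in default outbound rules, which are why egress is open by default.
AZURE_DEFAULT_OUTBOUND = [
    {"name": "AllowVnetOutBound", "priority": 65000, "direction": "Outbound", "access": "Allow",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound", "access": "Allow",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound", "access": "Deny",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed snapshots: a weak bucket and its corrected twin (placeholder names).
WEAK_BUCKET = {
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::placeholder-cardholder-exports/*"}]}),
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "ServerSideEncryptionConfiguration": {"Rules": []},
}
HARDENED_BUCKET = {
    "Policy": WEAK_BUCKET["Policy"],  # same policy text, now neutralised by the guard below
    "PublicAccessBlockConfiguration": {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                                         "BlockPublicPolicy", "RestrictPublicBuckets")},
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/placeholder-cardholder-key"}}]},
}
# A custom rule that denies Internet egress ahead of the defaults.
RESTRICTED_NSG = [{"name": "DenyInternetOut", "priority": 100, "direction": "Outbound",
                   "access": "Deny", "destinationAddressPrefix": "Internet",
                   "destinationPortRange": "*"}] + AZURE_DEFAULT_OUTBOUND

if __name__ == "__main__":
    print("weak bucket:", audit_s3_bucket(WEAK_BUCKET))
    print("hardened bucket:", audit_s3_bucket(HARDENED_BUCKET))
    print("default NSG, TCP/443 out:", nsg_outbound_decision(AZURE_DEFAULT_OUTBOUND, 443))
    print("restricted NSG, TCP/443 out:", nsg_outbound_decision(RESTRICTED_NSG, 443))
```

The weak snapshot yields all three findings and the hardened one none; the NSG emulation shows the built-in AllowInternetOutBound rule allowing TCP/443 egress until a lower-numbered Deny rule is added. Pointing the same functions at live API responses turns this into the kind of monitoring mechanism the article asks your provider and your own team to maintain.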

This article provides just a few examples of the responsibilities of cloud providers, their services, and the leveraged resources that come with cloud compliance. Every production environment has different needs and requires different resources to perform as intended. When choosing to migrate or start a PCI-compliant business in the cloud, always defer to a QSA on how the requirements will fit into your new environment.
