
PCI cloud guidelines miss the cloud security mark

By Steven Wolford, Director of Information Security, 6fusion

In case you missed it, the PCI Security Standards Council (PCI SSC) released the PCI DSS Cloud Computing Guidelines Information Supplement last week. Unfortunately, it misses the mark on cloud security and adds more uncertainty to an already cloudy topic (forgive the terrible pun). A few quotes from the report:

  • “Businesses deploying cloud technology can use this resource as a guide for choosing solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.”
  • Chris Brenton, PCI Special Interest Group contributor and director of security for CloudPassage, said “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”

My assessment of this guidance is that it offers little help to public cloud service providers (CSPs) or to the customers wanting to take advantage of those services. While there is verbiage ostensibly addressing requirements for CSPs, when you dig into the details, actual implementation of these guidelines becomes difficult if not impossible.

Here are a few examples:

  • “Any shared infrastructure used to house an in-scope client environment would be in scope for that client’s PCI DSS assessment.”

This could easily be interpreted as meaning that a CSP must get every hypervisor instance fully PCI compliant, since a CDE component could end up on any hypervisor. With most cloud operating models today, CSPs are not in a position to know what data is where in the cloud. They provide the infrastructure or platform that is then modified by the cloud consumer, which means the CSP likely has no idea what data it is hosting and therefore no idea what is or is not in scope for PCI.

  • “Implement a dedicated physical infrastructure that is used only for the in-scope cloud environment.”

This seems to strongly recommend against the use of public cloud. The point of public cloud is to take advantage of multi-tenancy. To quote NIST: “The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model…”

And there is this:

  • “CSPs should be able to segregate log data applicable for each client and provide it to each respective client for analysis without exposing log data from other clients. Additionally, the ability to maintain an accurate and complete audit trail may require logs from all levels of the infrastructure, requiring involvement from both the CSP and the client.” (emphasis added)

Again, this is an easy logical application of PCI, but it is not practical for cloud security. Public providers are simply not architected for logging at that granularity, and most cloud components give them no way to provide this capability. In most cases the technology is not there.

All in all this is a real shame, because it is a HUGE missed opportunity. Instead of just coming out and making a clear statement that public cloud would not be acceptable, or providing real-world guidance, they have relied on caveats and impractical requirements that leave the door open to the interpretation of whichever assessor is hired to determine PCI compliance. In other words, right where we were before.

Recommendations that were applicable to capabilities that exist today would have been a welcome resource to many in the PCI and cloud security community.
