PCI Cloud Guidance: Private Cloud Is The Preferred Way To Go
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Cloud computing is here. For merchants and service providers, the question is how best to implement the technology. The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. This document is well written, and it has a lot of details both on how cloud computing works and on how merchants can be compliant in a cloud environment.
The guidance document begins with a simple statement: "It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud." Using the phrase "particularly challenging" communicates that a merchant's PCI compliance will be easier or harder depending on the chosen cloud deployment model.
One gem tells clients (a.k.a., merchants) they need to "obtain the details of the CSP's [cloud service provider's] compliance validation." The guidance goes on to suggest merchants review "The Executive Summary and Scope of Work sections" of the CSP's report on compliance (ROC) and the "specific components, facilities, and services that were assessed."
Securing a copy of the current attestation of compliance (AOC) for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP's assessment, which is not sufficiently detailed in the AOC. The special interest group (SIG) recognized this situation explicitly with its recommendation. The body of a CSP's ROC is proprietary, and it may contain information that would not necessarily be useful or appropriate to share. But that does not have to be the case for parts of the Executive Summary and Scope of Work sections.
The Executive Summary of a ROC certainly contains proprietary information. However, the guidance advises the client and the CSP work together to provide the client with the information the client needs to be PCI compliant. Ideally, this information can be transmitted in a redacted Executive Summary (or part of it) that still defines the scope and lists the specific PCI DSS requirements assessed.
To the best of my knowledge, this is the first official guidance that tells merchants to go beyond asking for the AOC.
My experience with clients is that CSPs will share this documentation once they understand the reason, but it can sometimes take several calls and E-mails to get it. Hopefully, with the SIG's—and maybe the PCI SSC's—encouragement, every merchant can more easily understand the scope of its CSP's PCI assessment. (Note to all merchants, whether or not you are considering cloud computing: Shouldn't you get this same scoping detail for all your service providers?) Securing this documentation, coupled with a strong service-level agreement (SLA) as described in section 6.3.1, should give merchants increased confidence in their CSP and their own PCI DSS compliance.
This clear preference for a private cloud implementation may surprise some merchants, cloud providers and security experts. Speaking only for myself, though, I wasn't surprised by the recommendations. This is because, like most QSAs, I have accepted that the preferred way to achieve PCI compliance in the cloud is with a private cloud. I was a little surprised, albeit pleasantly, by a number of gems tucked away inside the recommendations. Any merchant moving or planning to move its card processing to the cloud needs to digest the recommendations and some of the more subtle signals in this report.
Some cloud proponents will be disappointed in the document, but I think that is because they don't understand the focus of the report. The guidelines are really not a generic overview of how to conduct business in the cloud. Rather, the Cloud SIG focused on how to process payment-card data in the cloud. And its conclusion is that the most practical way to be PCI compliant in the cloud is with a private cloud.
The SIG did not look at cloud computing for application development or E-mail; it looked at using the cloud to process payment-card data. Merchants can start by accepting a couple of basics about cloud computing, which, according to the guidance document, is a technology that is "yet to be standardized" and still an "evolving technology." Some CSPs might take issue with this characterization. But from the point of view of the Cloud Computing Special Interest Group (SIG), which authored the report, it is a fair description.
The guidance makes an important distinction between cloud deployment models (private, public, community and hybrid clouds) and cloud service models (software as a service [SaaS], platform as a service [PaaS] and infrastructure as a service [IaaS]). The differences between service models matter because the service model determines how control (i.e., responsibility) for PCI DSS compliance is divided between the CSP and the merchant. The differences between cloud deployment models, however, are the most critical.
My reading of the guidance leads to a single conclusion: The most practical way for a merchant to be PCI DSS compliant in the cloud is with a private cloud deployment. The guidance acknowledges there are alternatives, but the PCI SSC's preference is clear. For example, in section 3.3 the guidance says, "Any cloud deployment model that is not truly private (on-premises) is by nature a shared responsibility model" and, "Even if a [merchant] does not have control over a particular layer, they may still have responsibility for configurations or settings that the CSP maintains on their behalf."
Section 4 has some very thoughtful advice on PCI DSS responsibilities in the cloud. By stating, "Clients utilizing a public or otherwise shared cloud must rely on the CSP to ensure that their environment is sufficiently isolated from the other client environments," the guidance reinforces the case that it will be easier to use a private cloud to protect payment-card data.
Other statements in section 4.4 reinforce the conclusion that PCI compliance is easiest in a private cloud. For example, the guidance states, "there should be guaranteed isolation of data that is stored" and client environments "must be isolated from each other such that they can be considered separate entities with no connectivity between them." Meeting these tests with anything but a private cloud can present challenges.
The scoping guidance in section 4.5 has three recommendations: Don't store, process or transmit payments in the cloud; implement a dedicated physical infrastructure that is used only for the in-scope cloud environment; and minimize reliance on third-party CSPs. This is scoping guidance. It does not say that merchants must use a private cloud, but it does reinforce the case that a private cloud is the preferred option.
The segmentation and scoping advice is well developed and, throughout the document, the SIG focuses on protecting the merchant. As a QSA who shares this focus, I appreciated the guidance and the perspective.
Sections of the Cloud Computing Guidelines contain a few gems that are worth particular note. For example, Section 5.1 begins with some sage advice that merchants must remember when they speak to potential CSPs: "Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients." That means in cloud computing, as in any other aspect of PCI compliance, a merchant can outsource its infrastructure or management controls to a CSP, but it cannot outsource its PCI responsibility.
There is more good reading in the guidance. The individual appendices convey some important, if subtle, messages, and they reflect the experience and knowledge of the SIG participants.
For example, Appendix C, which addresses responsibilities of CSPs and clients, goes beyond the usual single column identifying which party is responsible for a particular PCI DSS requirement. It adds three more columns: one specifying the precise scope of the client's responsibility; a second specifying the precise scope of the CSP's responsibility; and a third asking for "how and when the CSP will provide evidence of compliance to the Client." Appendix D could serve as a pretty good discussion guide for any merchant to use when it meets with a potential CSP. Print it out and distribute a copy in advance, both internally and to any potential CSP.
How you view the PCI DSS Cloud Computing Guidelines may depend on your particular perspective. From one QSA's perspective, it is a thoughtful document with lots of specific advice for merchants (and service providers) moving to or contemplating a move to the cloud. The clear preference appears to be the private cloud option. And looking at cloud computing through a PCI lens, it is difficult to see things differently. But to their credit, the SIG members analyzed the alternatives and described a set of action items for merchants considering other deployment models.
Has your company explored moving some of its payment-card processing to the cloud? Did you see the relevant parts of the Executive Summary in the CSP's ROC? And if not, how did you assess its PCI compliance as a PCI service provider? Do you have a strong SLA in place? I'd like to hear about your experiences. Either leave a comment or E-mail me.