Companies increasingly include the cloud in their everyday business processes, and they have grown more comfortable relying on service providers to protect sensitive information. But it's not easy for companies that have industry-specific security and compliance requirements -- like financial institutions or any business that processes credit card data -- to simply trust a third-party provider with data they're ultimately responsible for.
Cloud security is a two-way street. Businesses deploying cloud services know their customers' payment data cannot be compromised, but the provider must shoulder some of the responsibility, too.
The Payment Card Industry (PCI) Security Standards Council recently released a report with further guidance for both business customers and service providers handling credit card data in the cloud, laying out where the responsibility ends for the customer and outlining best practices cloud providers should follow to comply with the PCI Data Security Standard (DSS).
The road to a PCI-compliant cloud
The new PCI DSS Cloud Computing Guidelines Information Supplement, created by the Cloud Special Interest Group (SIG), came about because the lines started to blur for businesses using cloud or hosted services.
"Some of the original PCI guidelines state you must have physical control of the data center and be able to record who comes in and out, so if [businesses] read some of these original PCI guidelines to the letter of the law, it [would] sound like they might never be able to be compliant," said Chris Brenton, cloud security architect for CloudPassage, a San Francisco-based cloud security Software as a Service (SaaS) provider and PCI Cloud SIG contributor.
The new guidelines supplement the original PCI standards -- written when credit card data only traversed companies' internal networks -- and overcome some of the limitations associated with proving compliance in a cloud environment by putting part of the responsibility into the hands of the provider.
Providers can now say they are PCI-compliant by having a high-quality security auditor look at their network security and physical security, and then declare their environment is OK, Brenton said.
But before providers can call in the auditors, both the customer and provider must understand where each party's responsibilities regarding PCI compliance begin and end.
The guidelines differ among cloud providers, depending on the type of services they offer, said Mike Chapple, senior director of enterprise support services at the University of Notre Dame in South Bend, Ind. Prior to the auditing process, cloud providers should compare the exact services they offer to the PCI domains and sub-requirements to figure out which ones will apply to them, and then implement the appropriate controls -- for example, if the provider relies on encryption for isolation, the appropriate key management should be in place, Chapple said.
While auditors will be able to annually check the provider's data center environment against the PCI standards and provide documentation that can be given to customers, meeting the standards in a cloud environment isn't an exact science.
"While [the new guidelines] help cloud providers [and cloud customers] understand specific concerns about cloud … it's not necessarily a 'roadmap to compliance' in the same way that the DSS currently is," said Ed Moyle, director of emerging business and technology at ISACA, a nonprofit association for IT professionals, and founding partner of the analyst firm Security Curve.
Should providers already be PCI-compliant?
Many cloud providers are already PCI-compliant -- like Verizon Terremark and Amazon Web Services -- and others are working to meet the guidelines in order to gain prospective customers, but it will be harder for multi-tenant, public cloud providers to achieve compliance, Moyle said.
"I think cloud providers will be pretty likely to continue having PCI-compliant environments for dedicated cloud infrastructure, particularly in Infrastructure as a Service environments," he said. "However, I think it [will] be fairly challenging to certify a large-scale public cloud environment."
The new guidelines for cloud providers cover physical security of the data center, infrastructure -- including restrictions on server function -- and network security. And while becoming PCI compliant can be an expensive undertaking for some providers, others won't have to make any large-scale changes, Notre Dame's Chapple said.
"These guidelines are really a collection of best practices," he said. "For providers working to become PCI-compliant, it will really be a matter of how much attention they paid to security and how far along they are in achieving these best practices."
Providers should keep in mind that each customer-provider relationship is going to be unique, and each customer may have different expectations about what the provider is responsible for, said ISACA's Moyle.