PCI in the Public Cloud
When people hear the words "PCI assessment", they usually sigh or reach for a beer. If your environment is hosted in Amazon's public cloud (AWS), then those two words might even have you looking for a new job. The PCI-DSS standards are really in a state of flux, with the PCI Council attempting to make their DSS standards a "one size fits all" type of standard. Unfortunately, in today's hi-tech world it never works that way; add a totally virtual environment, and it adds in even more question marks.
Lately I've had a few discussions with peers at other companies who want to be PCI Level 1 compliant, but are hosted in AWS as we are. Their assessors have flat out told them NO, they cannot be PCI Level 1 in a public cloud. So, thinking that's the final answer, they go back to Amazon to ask for guidance (i.e. to bitch, moan and complain). They all quickly learn that you have to go "assessor shopping" if you want to get your PCI Level 1 attestation. This probably sounds a bit like "doctor shopping", and while you're not trying to score drugs, the practice sounds just about as shady.
PCI assessors have a rule that they cannot question another QSA's approved work, so if a QSA has signed off on something, another QSA cannot overturn it. So once you have received your PCI Level 1 Attestation of Compliance (AoC), you're good to go - some other company's QSA cannot say your AoC is invalid simply because their company wouldn't have given you one. This leaves you simply having to find assessors who are familiar with Amazon, cloud infrastructures and IaaS in general. When things get fuzzy, the PCI guidelines leave the call in the hands of your assessor, so if you meet the spirit of a rule and hence successfully satisfy that requirement, even by other means, the QSA can still give you a pass.
A prime example is in requirement 11, where it calls for inline IDS/IPS systems that live on the border of your network. In Amazon there is no border, and no way to put a device inline, so we run host-based IDS (HIDS) on all our systems. It's a workable solution that addresses the section and fulfills the requirement - even though it's not exactly how it's spelled out. This isn't something that a QSA who isn't familiar with a public cloud infrastructure would probably sign off on, as this is specific to Amazon. If you were in another cloud, chances are you could put an IDS/IPS device inline, but that's specific to each environment.
So like anything else, it comes down to the knowledge and experience of your PCI assessors. Don't be scared thinking the PCI standards are chiseled in stone and you must meet the letter of the law; that's simply not the case.
I often get questions on how to choose an assessor that will play nice with public clouds and IaaS. I don't pretend to know who all the assessors are out there, or who plays nice with public clouds and who doesn't, but I do know how to find out. First, start contacting assessors; the PCI Council has a list (found here) of approved QSA providers. Not to say I don't want to support the little guy, but when the prices are all within a few thousand dollars of each other I always go with the bigger company. I find they have a greater breadth of experience, reach and influence. Anyway, find a couple of them and tell them exactly what you are working with and what you're doing. Find one you feel you can work with (the personal relationship with the assessors is vital! You want to work together on this, not against each other!!).
Once you find one you want to go with, if this is your first Level 1 audit, it is critical to start with a gap analysis. Let me say this again: start with the gap analysis! You may think you run a tight ship, but are you willing to bet $50,000 to $100,000 on it? Be sure where the gaps lie, address them, and then do a stress-free assessment. Trust me, it will save you a headache down the road. And believe me when I say that no assessors want to come onsite and then fail you - they want you to pass and will probably push for a gap analysis to begin with to ensure your success.
Remember that even though this is an assessment, you are still a paying customer and the assessors are providing you with a service. So work together with your assessors; they want to make sure you pass, so take advantage of it!
* All views expressed in this post are mine, and don't reflect the views of my employer, professional groups or any organizations I may be a member of.
** And no one proof reads my stuff before I post, so of course I have spelling and grammar errors :)
Erik Bloch writes for fun from San Francisco, California and Göteborg, Sweden, mostly about struggles he's had to overcome that others may face as well.
On twitter: @ejbloch
Comment (Retired, 10 years ago):
Very interesting. I work for a company that holds Level 1 certification, and while I myself do not work with our QSA, I have worked closely with our security management team for several years. I have always thought a QSA was a QSA and they all abided by the same regulations, but I suppose with the wide use of cloud-based hosting solutions these days someone, somewhere would eventually have to come up with a workaround.
Comment (Solution Specialist, 10 years ago):
Good article - many thanks. There's just one comment I'd like to make in relation to your first step being a gap analysis - it's splitting hairs really, but the first step is all about *scope reduction* (facilitated by a QSA), followed by gap analysis. QSAs often spend time performing a GA which involves 'assessing' things which really shouldn't be in scope in the first place. Defining, then reducing scope then leads to a practical exercise of understanding gaps/deficiencies within the proposed card data environment. QSAs aren't cheap (if they are any good), so buying the right kind of advice is the best use of their time and your money!
Comment:
Interesting. AWS say they are Level 1 certified for their infrastructure services - https://aws.amazon.com/compliance/pci-dss-level-1-faqs/ - does that not make the discussion with the QSA easier, i.e. to define the requirements satisfied by the AWS AOC?