PCI DSS and the Cloud: Top Risk and Mitigation Strategies To Tackle The Challenges
Narendra Sahoo
Director| PCI DSS| PCI SSF | SOC 2| GDPR | HIPAA | ISO 27001 Auditor / Consultant
In the digital world, cloud computing is essential for most businesses online. It is a significant technology for your organization, be it of any size for ease of operations and efficiency. Despite the prevalence of moving data to the cloud environment, many fail to assess how you can maintain PCI DSS Compliance with critical information stored entirely in the cloud.
In order to stay compliant and secure data, your organization needs to understand ways to maintain PCI DSS Compliance while using cloud services. While PCI DSS 3.2.1 as on date does not have a list of controls for Cloud Services, yet there is a set of guidelines outlined by the PCI SSC that you can refer. You can search for this document as “PCI SSC Cloud Computing Guidelines” on www.pcisecuritystandards.org.
In today’s article, we will be covering important elements that you should consider if your organization is looking to maintain PCI Compliance while using the cloud. In the article, we have given a brief insight into cloud technology, its different service models and explored some of the challenges of meeting PCI DSS requirements when using cloud-based services. So, before moving on to learning about the risk pertaining to Cloud-based services, let us first understand the Cloud Technology.
Brief description of the Cloud Computing Technology
Cloud computing is a technology that uses a network of remote servers hosted on the Internet to store, manage, and process data, with all servers working cohesively as one unit rather than each server performing each process individually. Cloud Services provide for dynamic provisioning and invoicing. Most cloud computing services fall into the three categories namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Infrastructure as a Service Provider– Infrastructure as a service (IaaS) is an internet-based offering that involves computing infrastructure, provisioned, and managed over the internet. It is a service that helps prevent the expense of buying and managing physical servers and datacenter infrastructure. In other words, this is what can be called “bare metal” provisioning.
Platform as a Service Provider-In this model, the base platform including the physical resources (IAAS) plus the OS and depending on what you have signed up for, additional systems such as Database, web server, Middleware, etc. are provided and managed by the Cloud Provider.
Software as a Service Provider– Software as a Service Provider is the most popularly used cloud computing model that hosts applications and makes them available to the end-users or customers over the Internet. Examples of SaaS based Cloud providers would be Salesforce.com, Webex, GoToMeeting, GSuite of apps, Office 365, etc.
While each of the listed cloud service models are very different from each other, they offer or rather have a limited degree of control over the actual cloud infrastructure. This is the major concern for organizations like you who use these services to store transmit and process cardholder data. Security and confidentiality of cardholder data becomes a major concern for your organizations using outsourced services.
Shared responsibilities for PCI DSS Compliance
Although your organization’s use cloud services for storing, processing, and transmitting cardholder data, you are still expected to be PCI DSS Compliant. Unfortunately, most organizations believe that security for their data, systems, platform, or infrastructure rests entirely with the cloud service providers. However, in reality, that is not the case.
The responsibility for security is shared between your organization and Cloud Service Providers. Which is why understanding and having clarity on all security responsibility is essential between both the parties. The CSP (Cloud Services Provider) needs to clearly outline roles, responsibilities, pertaining to the security of data and the CDE. It should be clearly documented to ensure you know your responsibility.
The level of responsibility of each party is based on the type of cloud service model utilized, and the capabilities of the provider. With a greater degree of control over the cloud infrastructure, the responsibility related to PCI DSS Compliance also varies for both the parties. Sharing responsibilities is not just the best practice, but is also a mandate under the PCI section 12.
Risk exposure & Mitigation Strategies in Cloud Technology
1. Risk Exposure-
Limited Visibility and Control-The transition of business assets to the cloud has its own set of pros and cons. So, while it makes the operations easy for your organization, it also limits your visibility and control over it. Using external cloud services increases the risk of exposure to data and security breaches. Security of data becomes out of purview in the case of Third-party Cloud services.
Mitigation strategy –
Outline the shared security responsibility–Whether your organization is availing the Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), a document detailing the shared responsibility should be well-defined. Moreover, there must be a mutually signed agreement with a cloud services provider for the same, to mitigate the risks associated with cloud-hosted services. Additionally, you must ensure that all your staff is well aware of the shared responsibility models in use by your cloud providers. Implementing such practices will emphasize the importance of mitigating the inherent risk associated with the cloud.
2. Risk Exposure
Unauthorized Access-In an outsourced or third-party service, the probability of unauthorized use or access to business-critical data increases. Unauthorized access or use of data without the knowledge of the IT team poses a huge risk to your organization. It could increase to malware infections or intrusion since the protection of the network in which they are stored is out of your purview.
Mitigation strategy-
Data Encryption :Data Encryption is one way you can protect your sensitive data from unauthorized access or data breach. While most of us believe that the data is protected by firewalls and monitoring, and hence it does not require encryption is a huge mistake. When sensitive data is moved to a third-party cloud provider, the risk of unauthorized access is way more than you expect it to be. But data encryption can minimize this risk, ensuring data security even in case of unauthorized access via stolen credentials occurs. Moreover, data encryption is mandatory for PCI DSS Compliance and other government and industry mandates.
3. Risk Exposure-
Management APIs can be Compromised
Cloud Technology often expose application programming interfaces (APIs) to software vulnerabilities. The APIs may contain the same software vulnerabilities as an API for an operating system may have. Since the Cloud Service Providers APIs are accessible via the Internet, it is exposed to a wide range of exploit and vulnerability. Vulnerabilities can be turned to a successful attack and can compromise your organization’s sensitive assets.
Ensuring Vendor’s security control implementation
While the security of assets or data on a third-party vendor’s cloud is not in your hands, you can still do your bit by ensuring you collaborate with the right Cloud Service Provider. Before you plan to move your assets on a third-party vendor cloud, we suggest you check with the vendor their security posture and see if they are compliant to various data security standards as required by your industry. Ask for evidence to prove their claim of compliance. This is probably the best you can do to prevent an attack or incidents of a data breach.
4. Risk Exposure
Compliance and Legal risks
Cloud service providers are expected to be Compliant to various data security standards and industry regulations like PCI DSS, SOC2, HIPAA, CCPA, NESA to name a few. So, if your company plans to outsource the processing or storage of data you will be relying on a cloud service provider to maintain their compliance. If in case they do not have adequate legal protections, then they may be liable when there is a data breach that exposes the company’s sensitive data. Using outsourced services means you are transferring the responsibility of protecting your sensitive data to the third party, but you are still liable if that party fails to secure data or end-up being non-compliant. This is one of the major risks in cloud computing that your organization maybe exposed to when outsourcing services to the Cloud Service Provider.
Mitigation Risk
Attestation of Compliance (AOC)
When you avail third-party services to store data on their server, you do not have much control over the infrastructure and depend on their capabilities of securing data. To verify their claims of being a safe haven for your data, you need to do your bit of homework to confirm their word. You should verify whether your cloud service provider has an AOC that confirms they are PCI DSS Compliant and more importantly, you need to confirm that those services that you intend to take from your provider is also covered in the Audit and Attestation for PCI DSS. You also need to verify annually in the form of a statement that acknowledges the CSP’s responsibility for PCI DSS compliance.
Final Thought
Just like a double-edged sword, Cloud computing has its share of both pros and cons. However, it is up to your organization to assess your company’s risk appetite and decide whether the transition to Cloud Infrastructure is feasible or not. As industry experts we believe, if your organization does its bit of due diligence you are sure to benefit more from the cloud computing technology than regret using it. Careful planning, strategy, and implementation of security controls, along with regular audits will ensure the safety of your data even on a third-party Cloud.
This article originally published on cybersecuritynews
Associate Director-Security Consulting @Kyndry | Ex-IBM| Ex-Jubilant Pharma| Ex-Hindustan Times| Ex-BPCL
3 年Strongly Agree, Tenant needs to understand the responsibility of cloud and themselves. Responsibility Matrix is key when we need to drive PCI compliance.