Tag Archives: cloud

PCI DSS Cloud Computing Guidelines

A new guidance document from the PCI SSC provides useful information about the use of Cloud Service Providers (CSPs) and how this may affect PCI compliance.

Although cloud computing feels like a new thing, the issues about responsibility for cardholder data are certainly not new. Related issues, such as nebulous (pun intended) statements about PCI compliance from a CSP, need to be qualified, and mutual responsibilities clearly established.

Actually, this new document echoes some guidance that we’ve been publishing for a while now. Have a look at PCI Compliance Claims: 3 Questions You Must Ask, for example. More recently, we published a 10-minute video entitled Penetration Testing & The Cloud, which is an ideal management introduction to the subject, even if PCI DSS isn’t on your radar.

The SSC document is available here.

The Cloud & PCI – Propagating Failure?

The cloud may be nebulous, but the security of your valuable data assets should be clearly defined.

We’re all seeing a continued movement of services into the cloud, especially in the Infrastructure-as-a-Service (IaaS) arena. The security issues around cloud computing seem, to us at least, to be similar to the traditional issues – hardening, secure access, patching, vulnerability management, protecting data assets and so on.

The difference in the cloud is the speed and ease with which new server instances can be provisioned, and the level of expertise needed to do so.

If you fail to securely configure and manage your template images (AMIs, in Amazon-speak), expect these failures to be propagated throughout your infrastructure: rapidly, and by people who have no idea why this could be a problem. Look out, too, for a new take on an old problem. If you own physical storage media, you can physically destroy it. What about cloud storage? How can you be sure that your data has been removed when your virtual servers are no longer needed?

The PCI compliance impact here is obvious – security failures at the template level will:

  • Extend the scope of your CDE
  • Expose the business to increased risk of data loss (be it card data or any other valuable data)
  • Increase the costs of remediation as the number of insecure or non-compliant images proliferates

As has always been the case in security, prevention is better (and cheaper) than cure.

Cloud IaaS providers need to provide appropriate tools, documentation and training in these areas. Consumers need to translate existing security processes, roles and know-how and apply these to the cloud environment. At a high level, this needs to include:

  • Definition of secure/compliant base images
  • Fit-for-purpose hardening of instances based upon those images
  • Ongoing maintenance of active instances
  • Maintaining an inventory of active instances
  • Secure and verifiable removal of instances when no longer needed
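The first four points above (approved base images, hardened instances built from them, and an inventory of what is actually running) can be checked mechanically. The following is an added example, not code from the original post: it audits a constructed inventory (shaped loosely like EC2 describe-instances output, with hypothetical AMI and instance ids) against an approved-image list, flags instances built from unapproved or superseded images or lacking ownership tags, and counts active instances per image so that a bad template that has propagated stands out.

```python
from collections import Counter

# Approved base images and lifecycle state. A "superseded" image was approved
# once but has been replaced (e.g. after patching): rebuild instances using it.
APPROVED_IMAGES = {
    "ami-0000base01": "current",     # hypothetical image ids
    "ami-0000base00": "superseded",
}

# Tags every active instance must carry so ownership and scope are known.
REQUIRED_TAGS = ("Owner", "Environment")

# Constructed sample inventory, shaped loosely like describe-instances output.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0001", "ImageId": "ami-0000base01", "State": "running",
     "Tags": {"Owner": "payments", "Environment": "prod"}},
    {"InstanceId": "i-0002", "ImageId": "ami-0000base00", "State": "running",
     "Tags": {"Owner": "payments", "Environment": "prod"}},
    {"InstanceId": "i-0003", "ImageId": "ami-0000adhoc99", "State": "running",
     "Tags": {"Environment": "dev"}},
    {"InstanceId": "i-0004", "ImageId": "ami-0000adhoc99", "State": "running",
     "Tags": {"Owner": "web", "Environment": "dev"}},
    {"InstanceId": "i-0005", "ImageId": "ami-0000adhoc99", "State": "terminated",
     "Tags": {}},
]


def audit_instances(instances, approved=APPROVED_IMAGES, required_tags=REQUIRED_TAGS):
    """Return (findings, image_counts) for non-terminated instances.

    findings: (instance_id, issue) pairs. image_counts: active instances per
    image id, so a bad template that has propagated shows up as a large count.
    """
    findings = []
    image_counts = Counter()
    for inst in instances:
        if inst.get("State") == "terminated":
            continue  # no longer active, so outside this audit
        iid, image = inst["InstanceId"], inst["ImageId"]
        image_counts[image] += 1
        status = approved.get(image)
        if status is None:
            findings.append((iid, f"unapproved image {image}"))
        elif status == "superseded":
            findings.append((iid, f"superseded image {image}; rebuild from current"))
        for tag in required_tags:
            if tag not in inst.get("Tags", {}):
                findings.append((iid, f"missing required tag {tag}"))
    return findings, image_counts
```

Calling audit_instances(SAMPLE_INSTANCES) reports the superseded and unapproved images and the missing tag, and shows two active instances already running from the unapproved image.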

In many ways, the cloud is new, powerful and provides consumers with unprecedented levels of control and flexibility. It may hide physical detail from the consumer, but it is still real infrastructure; quick and easy to deploy, with the same underlying security concerns that we had before.

References/Further Reading:

  • http://blog.ambersail.com/security/video-penetration-testing-the-cloud/
  • http://en.wikipedia.org/wiki/Infrastructure_as_a_service#Infrastructure
  • http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?AESDG-chapter-sharingamis.html
  • http://akamai.infoworld.com/t/cloud-computing/sloppy-use-amazon-cloud-can-expose-users-hacking-178575?source=rss_security
  • http://www.networkworld.com/supp/2011/enterprise3/060611-ecs-iaas-provders.html