
Cloud PCI Compliance: The Checklist

Introduction to PCI DSS and the Cloud

The news is regularly full of major incidents in which consumer credit card information is compromised. To protect against attacks that lead to theft of business data or customer identities, best practices are set forth in the Payment Card Industry Data Security Standard (PCI DSS). Its 12 high-level requirements form a framework for a secure payment environment.

If your business stores, processes, or transmits payment cardholder data in the cloud, you are bound by PCI DSS. But unlike “brick and mortar” data centers that must also adhere to PCI DSS, those operating in the cloud have additional needs. For example, 6 of the 12 steps outlined by PCI DSS either require or are assisted by encryption of data. However, to securely encrypt in the cloud and comply with PCI DSS, you must keep control of the encryption keys. But as a cloud operation, can you keep your encryption keys in the cloud and at the same time keep them safe?

The answer is – you can.

We have compiled this checklist of the requirements of PCI DSS as they relate to cloud based operations. Ultimately, you may need to employ an external professional auditor to review your system for certification. Use this list to understand compliance, to plan for compliance, and most importantly, to protect yourself and your customers.

Like any 12-step program, adhering to PCI DSS takes commitment, but succeeding at it protects you and your customers.

12-Step Checklist

Use a firewall

You must install and consistently maintain a firewall configuration that protects cardholder data. In the cloud your firewall is software-based (security groups, virtual firewalls) and controls access to your data according to a set of rules. Choosing those rules well, and segmenting your network so that only components that must talk to each other can, is crucial to limiting the potential attack surface; it is also the part of software-defined networking that matters most for keeping your PCI scope small.

Try to create a clearly defined and limited scope where sensitive data resides, which is easier to manage and control precisely because it has been isolated through firewall and networking rules.

Good examples include VMware’s “software defined data center” approach, which includes a software-defined firewall, Amazon’s AWS Security Groups, and the Dome9 cloud firewall. This is the first important step in protecting yourself against attackers.
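The rules you end up with are only as good as your ability to check them. The following is an added example, not code from the original post or from any of the vendors named above: it audits a constructed, security-group style rule set against a simple three-tier policy (public load balancer, application tier, cardholder-data tier) and reports every rule that exposes a non-public tier to the internet or lets the cardholder-data tier accept traffic from anything other than the application tier. The group IDs, tiers and rules are made up for the illustration.

```python
"""Audit cloud firewall rules against a tiering policy.

Constructed example: the security-group IDs, tiers and rules below are
invented and do not come from any real account or product."""

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    group: str       # security group the inbound rule belongs to
    proto: str       # "tcp", "udp" or "-1" (any protocol)
    from_port: int
    to_port: int
    source: str      # a CIDR block or a referenced security-group ID


# Assumed policy: which groups form which tier, which tiers may face the
# internet (and on which ports), and which sources each tier may accept.
POLICY = {
    "tiers": {"public": {"sg-lb"}, "app": {"sg-app"}, "chd": {"sg-db"}},
    "internet_ok": {"public": {443}},
    "allowed_sources": {"app": {"sg-lb"}, "chd": {"sg-app"}},
}


def tier_of(group, policy=POLICY):
    for tier, groups in policy["tiers"].items():
        if group in groups:
            return tier
    return None


def is_internet(source):
    """True for 0.0.0.0/0 or ::/0; False for narrower CIDRs and group IDs."""
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR, so it is a security-group reference


def port_range(rule):
    if rule.proto == "-1" or (rule.from_port == 0 and rule.to_port == 65535):
        return "all ports"
    if rule.from_port == rule.to_port:
        return str(rule.from_port)
    return f"{rule.from_port}-{rule.to_port}"


def audit_rules(rules, policy=POLICY):
    """Return a list of human-readable findings; empty means the rules comply."""
    findings = []
    for r in rules:
        tier = tier_of(r.group, policy)
        if tier is None:
            findings.append(f"{r.group}: not assigned to any tier (out of scope?)")
            continue
        if is_internet(r.source):
            ok_ports = policy["internet_ok"].get(tier, set())
            wide = r.proto == "-1" or r.from_port != r.to_port
            if wide or r.from_port not in ok_ports:
                findings.append(f"{r.group} ({tier}): internet-exposed "
                                f"{r.proto}/{port_range(r)} from {r.source}")
            continue
        allowed = policy["allowed_sources"].get(tier)
        if allowed is not None and r.source not in allowed:
            findings.append(f"{r.group} ({tier}): accepts {r.proto}/{port_range(r)} "
                            f"from {r.source}, expected one of {sorted(allowed)}")
    return findings


# Constructed rule set: a sane three-tier layout plus two deliberate mistakes.
SAMPLE_RULES = [
    Rule("sg-lb", "tcp", 443, 443, "0.0.0.0/0"),      # fine: public HTTPS
    Rule("sg-app", "tcp", 8443, 8443, "sg-lb"),       # fine: app only from the LB
    Rule("sg-db", "tcp", 3306, 3306, "sg-app"),       # fine: DB only from app tier
    Rule("sg-app", "tcp", 22, 22, "0.0.0.0/0"),       # mistake: SSH open to the world
    Rule("sg-db", "tcp", 3306, 3306, "10.0.0.0/8"),   # mistake: whole VPC reaches the DB
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

Run as-is it prints two findings, one for each deliberate mistake. In practice you would feed it the rule export from your provider's API and run it from CI or a scheduled job, so that a rule added "temporarily" for debugging shows up before an assessor finds it.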

Do not use defaults

For all of your systems, never use the default passwords and other security parameters provided by the vendors of commercial or open source software. Hackers are familiar with the defaults. Always change this information to something that is only known by you.

In the February 2013 PCI DSS Cloud Computing Guidelines, the Security Standards Council clearly states that businesses that use IaaS (not their cloud service providers) have the responsibility to securely configure their operating systems, applications, and virtual devices. PaaS setups share the responsibility with their provider for the OS, but the client controls the applications and software above the OS.

In IaaS and PaaS setups, you are also inheriting the settings and VM images of your provider. Check them carefully.

In fact, the best choice for you is to use vendors that offer no defaults to sensitive security parameters, but rather have processes for quickly and easily setting and enforcing unique values. Ask your vendors about this best practice.

Protect card-holder data

This seems straightforward, but PCI DSS enumerates the requirements in great detail; in fact, this is the heart of the standard. It imposes many safeguards on what data is stored and how it is stored, which apply to traditional as well as cloud deployments: sensitive authentication data (full track data, card verification codes, PINs) must never be stored after authorization, and stored primary account numbers must be rendered unreadable, whether by one-way hashing, truncation, tokenization, or strong cryptography with proper key management. In the cloud, encryption becomes particularly important as a way to replace traditional physical safeguards. Data needs to be encrypted so that it is unreadable and unusable to anyone without the key, and the key management around it must be strong enough that an intruder who reaches the data cannot also reach the key.

Your keys protect your cardholder data, but you must protect your keys. In the cloud, your cryptographic keys must be managed separately from all other system components, and managing, distributing and storing them becomes a focal point for cloud applications complying with PCI DSS. This is tricky: for security you would like your encryption keys to stay outside the cloud, yet to use cloud computational resources you need the keys available inside the cloud. Technology does offer neat solutions to this tension; look for “split key” cloud key management solutions, in which a key is only ever assembled in memory from several shares, so that encryption can run in the cloud while you retain control by keeping your “master key” share outside it.
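To make the split-key idea concrete, the following is an added illustration written for this page; it is not Porticor's implementation or anyone else's product code. A master key is generated as two random XOR shares: the customer keeps one, the cloud holds the other, and the master key exists only in memory while a data-encrypting key is being wrapped or unwrapped. The wrapping cipher (HMAC-SHA256 driven in counter mode, with a separate HMAC tag) is an assumption made so the example stays inside the Python standard library; in production you would use AES-GCM or AES key wrap from a vetted library.

```python
"""Envelope encryption with a two-share (split) master key.

Added example: the cipher construction (HMAC-SHA256 as a CTR keystream plus
encrypt-then-MAC) is an assumption chosen to avoid third-party libraries,
not a recommendation over AES-GCM / AES key wrap."""

import hashlib
import hmac
import secrets


def split_master_key(nbytes=32):
    """Return (customer_share, cloud_share). Each share is uniformly random,
    so either one alone carries no information about the master key."""
    return secrets.token_bytes(nbytes), secrets.token_bytes(nbytes)


def combine_shares(customer_share, cloud_share):
    """Reassemble the master key in memory; never persist the result."""
    if len(customer_share) != len(cloud_share):
        raise ValueError("share length mismatch")
    return _xor(customer_share, cloud_share)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(master_key):
    """Derive independent encryption and MAC keys from the master key."""
    enc_key = hashlib.sha256(b"wrap-enc|" + master_key).digest()
    mac_key = hashlib.sha256(b"wrap-mac|" + master_key).digest()
    return enc_key, mac_key


def wrap_data_key(master_key, data_key):
    """Encrypt-then-MAC the data-encrypting key; the blob is safe to store in
    the cloud next to the ciphertext it protects."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = _xor(data_key, _keystream(enc_key, nonce, len(data_key)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_data_key(master_key, blob):
    """Verify the tag first, then decrypt. A wrong master key (for example,
    the cloud share alone) fails here instead of yielding garbage."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong master key or tampered blob")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def can_unwrap(key, blob):
    """True only if `key` is the real master key."""
    try:
        unwrap_data_key(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    customer_share, cloud_share = split_master_key()
    master = combine_shares(customer_share, cloud_share)   # in memory only
    dek = secrets.token_bytes(32)                           # per-volume / per-table key
    blob = wrap_data_key(master, dek)
    del master                                              # drop it as soon as possible
    print("round trip ok:", unwrap_data_key(combine_shares(customer_share, cloud_share), blob) == dek)
    print("cloud share alone unwraps:", can_unwrap(cloud_share, blob))
```

The property worth noticing is the last line: whoever holds only what lives in the cloud (the cloud share and the wrapped data key) cannot recover the data key, which is exactly the separation PCI DSS wants between encrypted cardholder data and the keys that protect it.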

Encrypt data in transit

Any data sent over open public networks may be intercepted. To protect against this, always encrypt your data while in transit. Use TLS for every connection and consider IPsec or VPNs for site-to-cloud links. Note that the PCI Security Standards Council has since ruled that SSL and early TLS (TLS 1.0) are no longer considered strong cryptography, so TLS 1.2 or later with server certificate validation is the baseline. Consider encryption in transit together with the segmentation and firewall rules you set up previously. Ideally TLS should be maintained all the way to your application servers, not terminated near the network edge or at the load balancer. Since some security tools do need to inspect transmitted data (e.g. web application firewalls), re-encrypt after they have done their job, or place them close to the application servers.

Cloud businesses do have the means to protect transmitted data. Best practice is to segment your deployment into public-facing segments and private ones, and maintain encryption (or re-encrypt if necessary) till data reaches the more private segments where app servers reside. Also consider encrypting transmission between components within your own environment – for example consider using TLS/SSL encryption for the communication between your application servers and your database.

Do use products that allow you control of the in-transit encryption parameters, such as certificates and keys. Choose cloud key management tools that assist in this task.

Use anti-virus software

Make sure your anti-virus tools are always updated with the latest releases from the vendor.

For a PCI compliant system – whether in a traditional or cloud deployment – to be infected is quite serious. Make sure consumer facing parts of the system are very carefully limited in scope, as mentioned before, to reduce the opportunities for infection. Take proper steps to regularly scan your system and your network, to quickly detect viral infections, bots and the like.

In the cloud, naturally, this applies to your guest OS – on your VM. Install appropriate anti-virus and network scanning capabilities on your cloud servers and in your environment.

Secure your systems and applications

All of your systems must always be up to date with the latest software patches and updates. Enable updates for both the OS and vendor software, and always check that everything is updated properly.

Look at it from the attacker’s point of view: your system contains financial information, so it is an attractive target. Keeping your systems and servers up to date shrinks the window in which a newly published exploit can be used against you.

Cloud service providers (rightly) maintain that secure coding and proper use of tools is the client’s responsibility. Patching and maintenance of the OS, tools and software is the IaaS client’s responsibility and in some cases, the responsibility of PaaS clients as well. Quite simply, use tools and vendors that allow you to patch as frequently as necessary and with ease; “push the button” ease or auto-patching should be sought.

Restrict access

Access to your cardholder data, as well as to your encryption keys, should always be limited to those who have a valid business need to know. Users who access this information should do so with personal accounts, and all access should be logged.

Though in cloud situations, you may not know the physical location of your data, you are still responsible to define and restrict the access to your data. You should of course use the access tools provided by your provider, OS and software. Limit the number of administrators, and make sure actions they take are logged and can be traced back to a username that belongs to one identifiable person.

Data encryption helps to control access by confining it to the paths you have foreseen, which sharply limits the damage from both attacks and human error. In essence, in cloud situations you replace physical walls with encryption; think of encryption as the walls around your data.

Seek solutions where administrators simply never see encryption keys or sensitive cardholder data. This goes back to strong cloud key management.

Carefully manage users

Each person with access to your systems must have a unique ID and strong authentication. This ensures that each person is accountable for their actions and for any breach that occurs using their ID.

Your authentication systems should be reviewed carefully, both for end users and for administrators. In the PCI context, administrative rights are especially sensitive. An administrator should never be allowed anonymity, or be allowed to hide behind a group name. And administrators should be isolated from data through encryption.

Given the importance of encryption in the cloud, you should restrict all users, and certainly administrators, by never allowing them to actually see sensitive keys such as encryption keys. Your cloud key management solution should enforce this approach, and be highly automated so as to make it practical and bring down hassles to your users.

Restrict physical access

In a cloud setup this has two aspects. One is that breaches are not always committed over the internet from faraway places, attacks can also happen when a hacker sits at your computer. Any physical device that holds protected data (paper, CDs, thumb-drives, laptops, mobile devices, backup drives, etc.) should be under lock and key and access should be carefully authorized and always logged.

Another is the so-called insider threat: a cloud provider employee who has gone malicious, or simply one who made an error of judgment while performing maintenance. Review your provider’s documentation regarding their internal security policies; a good provider should be fairly open with this sort of information. Make sure to use encryption, and make sure that the encryption system you use keeps the encryption keys under your control; administration of the key management system should not be in the hands of cloud provider personnel.

Track and monitor

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. This must be an ongoing process.

Make sure the cloud service provider manages monitoring and logging for their infrastructure and can provide logs. However the guest Operating System, your Application and your user activity are your responsibility. Make sure to track and monitor them.
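The access rules from “Restrict access” and “Carefully manage users” (personal accounts only, no hiding behind a shared administrator name, keys visible to no human) are only enforceable if the logs from this section are actually examined. The following is an added example, not code from the original post: it runs those rules over a few constructed JSON audit-log lines and flags shared accounts, unattributed access, access by anyone outside the allow-list for cardholder data or key material, and a corrupt record (a gap in the audit trail is itself a finding). The user names, resources and log format are invented.

```python
"""Audit an access log for the user-management rules PCI DSS expects.

Added example with constructed data: the log lines, user names, resource
names and the allow-lists in POLICY are invented for the illustration."""

import json

# Generic or shared account names that must never appear on sensitive access.
SHARED_ACCOUNTS = {"root", "admin", "administrator", "dba", "ops"}

# Assumed policy: resource prefix -> identities allowed to touch it.
POLICY = {
    "chd/": {"alice", "payment-svc"},   # cardholder data: named people and services only
    "keys/": {"kms-svc"},               # key material: the key service, never a human
}

# Constructed sample log (one JSON object per line; the last line is truncated
# on purpose to show how a corrupt record is reported).
SAMPLE_LOG = """\
{"ts":"2013-06-01T10:00:01Z","user":"alice","action":"read","resource":"chd/cards","src":"10.0.2.15"}
{"ts":"2013-06-01T10:00:07Z","user":"payment-svc","action":"read","resource":"chd/cards","src":"10.0.3.9"}
{"ts":"2013-06-01T10:02:13Z","user":"admin","action":"read","resource":"chd/cards","src":"10.0.2.40"}
{"ts":"2013-06-01T10:03:44Z","user":"bob","action":"export","resource":"chd/cards","src":"10.0.2.41"}
{"ts":"2013-06-01T10:05:02Z","user":"carol","action":"read","resource":"keys/master-share","src":"10.0.2.42"}
{"ts":"2013-06-01T10:06:30Z","user":"","action":"read","resource":"chd/cards","src":"10.0.2.43"}
{"ts":"2013-06-01T10:07:00Z","user":"alice","action":"read","resource":"public/catalog","src":"10.0.2.15"}
{"ts":"2013-06-01T10:08:12Z","user":"alice","action":"read"
"""


def parse_log(text):
    """Parse JSON lines; keep unparseable records so they can be reported."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"_unparseable": line, "_line": lineno})
    return events


def audit_access(events, policy=POLICY, shared=SHARED_ACCOUNTS):
    """Return findings for every sensitive access that violates the policy."""
    findings = []
    for ev in events:
        if "_unparseable" in ev:
            findings.append(f"line {ev['_line']}: unparseable record (gap in audit trail)")
            continue
        resource = ev.get("resource", "")
        prefix = next((p for p in policy if resource.startswith(p)), None)
        if prefix is None:
            continue  # not cardholder data or key material; out of scope here
        user = ev.get("user") or ""
        where = f"{ev.get('ts')} {ev.get('action')} {resource} from {ev.get('src')}"
        if not user:
            findings.append(f"unattributed access: {where}")
        elif user in shared:
            findings.append(f"shared account '{user}' used: {where}")
        elif user not in policy[prefix]:
            findings.append(f"'{user}' not authorized for {prefix}*: {where}")
    return findings


def sensitive_access_counts(events, policy=POLICY):
    """How often each identity touched sensitive resources; useful for spotting
    a personal account that suddenly reads far more than its job requires."""
    counts = {}
    for ev in events:
        resource = ev.get("resource", "")
        if any(resource.startswith(p) for p in policy):
            user = ev.get("user") or "<unattributed>"
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in audit_access(events):
        print("FINDING:", finding)
    print(sensitive_access_counts(events))
```

On the sample log this reports five findings: the shared `admin` account, `bob` exporting cardholder data without being on the list, the human `carol` reading a key share, one read with no user at all, and the truncated record. The point of the counts function is that the allowed identities still deserve a look; `alice` reading cardholder data is permitted, `alice` reading it ten thousand times in an hour is an incident.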

Test systems and processes

Test systems before you roll them out and on a regular basis afterwards, including security reviews done by your own staff and regular penetration testing – probes of your environment as if you were a hacker to expose any security flaws in your setup. Find your own weaknesses and fix them before someone else finds them.

Maintain a policy

To comply with PCI DSS, you must be organized and methodical. This checklist can get you started in creating your written policy of high level steps to address your information security.


PCI DSS was created to protect consumers from financial and identity theft. By adhering to it, you are also protecting yourself from the liability, financial damages, and damaged reputation that can be the result of a security breach.

Though it may be quite involved to get compliant, it is certainly less involved than dealing with a breach.

The best way to safeguard yourself is to do business with companies that are familiar with the regulations and their challenges and have developed ways to secure your data.

The post Cloud PCI Compliance: The Checklist appeared first on Porticor Cloud Security.


More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
