
Cloud PCI Compliance: The Checklist

Introduction to PCI DSS and the Cloud

The news is always full of major incidents of consumer credit card information being compromised. To protect against dangerous hacks that can lead to thefts of business data or customer identities, best practices are set forth in the Payment Card Industry Data Security Standard (PCI DSS). These 12 steps set up a framework for a secure payment environment.

If your business stores, processes, or transmits payment cardholder data in the cloud, you are bound by PCI DSS. But unlike “brick and mortar” data centers that must also adhere to PCI DSS, those operating in the cloud have additional needs. For example, 6 of the 12 steps outlined by PCI DSS either require or are assisted by encryption of data. However, to securely encrypt in the cloud and comply with PCI DSS, you must keep control of the encryption keys. But as a cloud operation, can you keep your encryption keys in the cloud and at the same time keep them safe?

The answer is – you can.

We have compiled this checklist of the requirements of PCI DSS as they relate to cloud based operations. Ultimately, you may need to employ an external professional auditor to review your system for certification. Use this list to understand compliance, to plan for compliance, and most importantly, to protect yourself and your customers.

Like any 12-step program, adhering to PCI DSS takes commitment, but succeeding at it protects you and your customers.

12-Step Checklist

Use a firewall

You must install and consistently maintain a firewall configuration to protect your data. In the cloud, your firewall is software-based, and it will control the access to your data based on a set of rules. Choosing those rules well, as well as segmenting your network, is crucial to limiting the potential attack “surface”. It is an important part of Software Defined Networking.

Try to create a clearly defined and limited scope where sensitive data resides, which is easier to manage and control precisely because it has been isolated through firewall and networking rules.

Good examples include VMware’s “software defined data center” approach, which includes a software-defined firewall, Amazon’s AWS Security Groups, and the Dome9 cloud firewall. This is the first important step to protecting yourself against hackers.

Do not use defaults

For all of your systems, never use the default passwords and other security parameters provided by the vendors of commercial or open source software. Hackers are familiar with the defaults. Always change this information to something that is only known by you.

In the February 2013 PCI DSS Cloud Computing Guidelines, the Security Standards Council clearly states that businesses that use IaaS (not their cloud service providers) have the responsibility to securely configure their operating systems, applications, and virtual devices. PaaS setups share the responsibility with their provider for the OS, but the client controls the applications and software above the OS.

In IaaS and PaaS setups, you are also inheriting the settings and VM images of your provider. Check them carefully.

In fact, the best choice for you is to use vendors that offer no defaults to sensitive security parameters, but rather have processes for quickly and easily setting and enforcing unique values. Ask your vendors about this best practice.

Protect card-holder data

This seems straightforward, but PCI DSS enumerates the requirements in great detail. In fact, this is the heart of PCI DSS. It implies many safeguards on what data is stored and how it is stored, which apply to traditional as well as cloud deployments. In the cloud, encryption becomes particularly important as a way to replace traditional physical safeguards. Data needs to be encrypted so that it is unreadable and unusable to anyone without the key. To comply, you must use hashing and encryption methods and strong key management to keep your data from being used maliciously by intruders.

Your keys protect your cardholder data, but you must protect your keys. In the cloud, your cryptographic keys must be managed separately from all other system components. Managing keys, distributing them, and storing them become a focal point for cloud applications complying with PCI DSS. This can be tricky, since ideally you would like your encryption keys to stay outside the cloud, for security; yet to utilize cloud computational resources, you need the keys inside the cloud. Fortunately, technology does offer neat solutions to these issues; look for “split key” cloud key management solutions that allow encryption keys to work in the cloud while you control them by keeping your “master key” share outside the cloud.
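As an added example (not Porticor’s product code and not from the original post), the following Python shows how the two requirements above fit together: a PAN is rendered unreadable as a truncated mask plus a keyed one-way hash, and the hash key can only be derived when a cloud-held share and a merchant-held “master key” share are both present. The split-key combination (XOR, then HMAC-SHA256), the share values and the test card number are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed key shares for this example: in a split-key scheme one share lives
# with the cloud application and the other ("master key" share) stays with the
# merchant, outside the cloud. Neither share alone derives the working key.
CLOUD_SHARE = bytes.fromhex("0f" * 32)   # constructed, not a real key
MASTER_SHARE = bytes.fromhex("a5" * 32)  # constructed, held outside the cloud


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test (12-19 digits)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: at most the first six and last four digits are kept."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def combine_shares(cloud_share: bytes, master_share: bytes, purpose: bytes) -> bytes:
    """Derive the working key from both shares (constructed scheme: XOR, then HMAC-SHA256).

    The XOR makes the result depend on every bit of both shares; the HMAC binds
    it to a purpose label so one share pair yields a distinct key per use.
    """
    if len(cloud_share) != 32 or len(master_share) != 32:
        raise ValueError("shares must be 32 bytes")
    mixed = bytes(a ^ b for a, b in zip(cloud_share, master_share))
    return hmac.new(mixed, b"split-key|" + purpose, hashlib.sha256).digest()


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN: unreadable without the key, usable as a lookup token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def protect_record(pan: str, cloud_share: bytes, master_share: bytes) -> dict:
    """What gets stored instead of the raw PAN: a masked form and a keyed token."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    key = combine_shares(cloud_share, master_share, b"pan-token")
    return {"masked": mask_pan(pan), "token": pan_token(pan, key)}


if __name__ == "__main__":
    # 4111111111111111 is a well-known test card number, not a real account.
    print(protect_record("4111111111111111", CLOUD_SHARE, MASTER_SHARE))
```

Holding only the cloud share (the master share modelled as unknown) produces a different key, so a compromised cloud node cannot recompute the tokens on its own.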

Encrypt data in transit

Any data that is sent over open public networks may be accessed by malicious individuals. To protect against this, always encrypt your data while in transit. Always enable SSL/TLS and consider IPsec communications and VPNs. Consider encryption in transit in conjunction with the segmentation and firewall rules you set up previously. Ideally SSL/TLS encryption should be maintained to your application servers, not terminated too near the network edge or at the load balancer. Since some security tools do need to look at the transmitted data (e.g. Web Application Firewalls), consider re-encrypting after they’ve done their job, or placing them close to application servers.

Cloud businesses do have the means to protect transmitted data. Best practice is to segment your deployment into public-facing segments and private ones, and maintain encryption (or re-encrypt if necessary) till data reaches the more private segments where app servers reside. Also consider encrypting transmission between components within your own environment – for example consider using TLS/SSL encryption for the communication between your application servers and your database.

Do use products that allow you control of the in-transit encryption parameters, such as certificates and keys. Choose cloud key management tools that assist in this task.

Use anti-virus software

Make sure your anti-virus tools are always updated with the latest releases from the vendor.

For a PCI compliant system – whether in a traditional or cloud deployment – to be infected is quite serious. Make sure consumer facing parts of the system are very carefully limited in scope, as mentioned before, to reduce the opportunities for infection. Take proper steps to regularly scan your system and your network, to quickly detect viral infections, bots and the like.

In the cloud, naturally, this applies to your guest OS – on your VM. Install appropriate anti-virus and network scanning capabilities on your cloud servers and in your environment.

Secure your systems and applications

All of your systems must always be up to date with the latest software patches and updates. Enable updates for both the OS and vendor software, and always check that everything is updated properly.

Look at it from the attacker’s point of view: your system contains financial information, so it is an attractive target. Keeping your systems and servers up to date minimizes the chance of new exploits being used against you.

Cloud service providers (rightly) maintain that secure coding and proper use of tools is the client’s responsibility. Patching and maintenance of the OS, tools and software is the IaaS client’s responsibility and in some cases, the responsibility of PaaS clients as well. Quite simply, use tools and vendors that allow you to patch as frequently as necessary and with ease; “push the button” ease or auto-patching should be sought.

Restrict access

Access to your cardholder data, as well as to your encryption keys, should always be limited to those who have a valid business need to know. Users who access this information should do so with personal accounts, and all access should be logged.

Though in cloud situations, you may not know the physical location of your data, you are still responsible to define and restrict the access to your data. You should of course use the access tools provided by your provider, OS and software. Limit the number of administrators, and make sure actions they take are logged and can be traced back to a username that belongs to one identifiable person.

Data encryption can help to control access by limiting access to the “vectors” you have foreseen and place strong limitations on hacks and human error. In essence, in cloud situations, you replace physical walls by encryption – think of encryption as the walls around your data.

Seek solutions where administrators simply never see encryption keys or sensitive cardholder data. This goes back to strong cloud key management.

Carefully manage users

Each person with access to your systems must have a unique ID and strong authentication. This ensures that each person is accountable for his actions and for any breaches that occurred using his ID.

Your authentication systems should be reviewed carefully, both for end users and for administrators. In the PCI context, administrative rights are especially sensitive. An administrator should never be allowed anonymity, or be allowed to hide behind a group name. And administrators should be isolated from data through encryption.

Given the importance of encryption in the cloud, you should restrict all users, and certainly administrators, by never allowing them to actually see sensitive keys such as encryption keys. Your cloud key management solution should enforce this approach, and be highly automated so as to make it practical and bring down hassles to your users.

Restrict physical access

In a cloud setup this has two aspects. One is that breaches are not always committed over the internet from faraway places; attacks can also happen when a hacker sits at your computer. Any physical device that holds protected data (paper, CDs, thumb drives, laptops, mobile devices, backup drives, etc.) should be under lock and key, and access should be carefully authorized and always logged.

Another is the so-called insider threat: a cloud provider employee gone malicious, or just one who made an error of judgment while performing maintenance. Review your provider’s documentation regarding their internal security policies; a good provider should be fairly open with this sort of information. Make sure to use encryption, and make sure that the encryption system you use keeps encryption keys under your control – administration of key management systems should not be with cloud provider personnel.

Track and monitor

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. This must be an ongoing process.

Make sure the cloud service provider manages monitoring and logging for their infrastructure and can provide logs. However, the guest operating system, your application and your user activity are your responsibility. Make sure to track and monitor them.

Test systems and processes

Test systems before you roll them out and on a regular basis afterwards, including security reviews done by your own staff and regular penetration testing – probes of your environment as if you were a hacker to expose any security flaws in your setup. Find your own weaknesses and fix them before someone else finds them.

Maintain a policy

To comply with PCI DSS, you must be organized and methodical. This checklist can get you started in creating your written policy of high level steps to address your information security.


PCI DSS was created to protect consumers from financial and identity theft. By adhering to it, you are also protecting yourself from the liability, financial damages, and damaged reputation that can be the result of a security breach.

Though it may be quite involved to get compliant, it is certainly less involved than dealing with a breach.

The best way to safeguard yourself is to do business with companies that are familiar with the regulations and their challenges and have developed ways to secure your data.

The post Cloud PCI Compliance: The Checklist appeared first on Porticor Cloud Security.


More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
