Eclipse Authors: Pat Romanski, Elizabeth White, Liz McMillan, David H Deans, JP Morgenthal

Blog Feed Post

Cloud PCI Compliance: The Checklist

PCI Cloud Security cloud compliance  infoq Cloud PCI Compliance: The ChecklistIntroduction to PCI DSS and the Cloud

The news is always full of major incidents of consumer credit card information being compromised. To protect against dangerous hacks that can lead to thefts of business data or customer identities, best practices are set forth in the Payment Card Industry Data Security Standard (PCI DSS). These 12 steps set up a framework for a secure payment environment.

If your business stores, processes, or transmits payment cardholder data in the cloud, you are bound by PCI DSS. But unlike “brick and mortar” data centers that must also adhere to PCI DSS, those operating in the cloud have additional needs. For example, 6 of the 12 steps outlined by PCI DSS either require or are assisted by encryption of data. However, to securely encrypt in the cloud and comply with PCI DSS, you must keep control of the encryption keys. But as a cloud operation, can you keep your encryption keys in the cloud and at the same time keep them safe?

The answer is – you can.

We have compiled this checklist of the requirements of PCI DSS as they relate to cloud based operations. Ultimately, you may need to employ an external professional auditor to review your system for certification. Use this list to understand compliance, to plan for compliance, and most importantly, to protect yourself and your customers.

Like any 12-step program, adhering to PCI DSS takes commitment, but succeeding at it protects you and your customers.

12-Step Checklist

Use a firewall

You must install and consistently maintain a firewall configuration to protect your data. In the cloud, your firewall is software-based, and it will control the access to your data based on a set of rules. Choosing those rules well, as well as segmenting your network, is crucial to limiting the potential attack “surface”. It is an important part of Software Defined Networking.

Try to create a clearly defined and limited scope where sensitive data resides, which is easier to manage and control precisely because it has been isolated through firewall and networking rules.

Good examples include VMware’s “software defined data center” approach which includes asoftware-defined Firewall, Amazon’s AWS Security Groups, and the Dome9 cloud firewall. This is the first important step to protecting yourself against hackers.

Do not use defaults

For all of your systems, never use the default passwords and other security parameters provided by the vendors of commercial or open source software. Hackers are familiar with the defaults. Always change this information to something that is only known by you.

In the February 2013 PCI DSS Cloud Computing Guidelines, the Security Standards Council clearly states that businesses that use IaaS (not their cloud service providers) have the responsibility to securely configure their operating systems, applications, and virtual devices. PaaS setups share the responsibility with their provider for the OS, but the client controls the applications and software above the OS.

In IaaS and PaaS setups, you are also inheriting the settings and VM images of your provider. Check them carefully.

In fact, the best choice for you is to use vendors that offer no defaults to sensitive security parameters, but rather have processes for quickly and easily setting and enforcing unique values. Ask your vendors about this best practice.

Protect card-holder data

Seems straight-forward, but the PCI DSS enumerates the requirements in a very detailed way. In fact, this is the heart of PCI DSS. It implies many safeguards on what data is stored and how it is stored, which apply to traditional as well as cloud deployments. In the cloud, encryption becomes particularly important as a way to replace traditional physical safeguards. Data needs to be encrypted in a way that it is unreadable and unusable to those without the key. To comply, you must use hashing and encryption methods and strong key management to keep your data from being used maliciously by intruders.

Your keys protect your cardholder data, but you must protect your keys. In the cloud, your cryptographic keys must be managed separately from all other system components. Managing keys, distributing them, and storing them become a focal point for cloud applications complying with PCI DSS. This can be tricky, since ideally you would like your encryption keys to stay outside the cloud, for security; yet to utilize cloud computational resources, you need the keys inside the cloud. Fortunately, technology does offer neat solutions to these issues; look for “split key” cloud key management solutions that allow encryption keys to work in the cloud while you control them by keeping your “master key” share outside the cloud.

Encrypt data in transit

Any data that is sent over open public networks may be accessed by malicious individuals. To protect against this, always encrypt your data while in transit. Always enable SSL/TLS and consider IPsec communications and VPNs. Consider encryption in transit in conjunction with the segmentation and firewall rules you set up previously. Ideally SSL/TLS encryption should be maintained to your application servers, not terminated too near the network edge or at the load balancer. Since some security tools do need to look at the transmitted data (e.g. Web Application Firewalls), consider re-encrypting after they’ve done their job, or placing them close to application servers.

Cloud businesses do have the means to protect transmitted data. Best practice is to segment your deployment into public-facing segments and private ones, and maintain encryption (or re-encrypt if necessary) till data reaches the more private segments where app servers reside. Also consider encrypting transmission between components within your own environment – for example consider using TLS/SSL encryption for the communication between your application servers and your database.

Do use products that allow you control of the in-transit encryption parameters, such as certificates and keys. Choose cloud key management tools that assist in this task.

Use anti-virus software

Make sure your anti-virus tools are always updated with the latest releases from the vendor.

For a PCI compliant system – whether in a traditional or cloud deployment – to be infected is quite serious. Make sure consumer facing parts of the system are very carefully limited in scope, as mentioned before, to reduce the opportunities for infection. Take proper steps to regularly scan your system and your network, to quickly detect viral infections, bots and the like.

In the cloud, naturally, this applies to your guest OS – on your VM. Install appropriate anti-virus and network scanning capabilities on your cloud servers and in your environment.

Secure your systems and applications

All of your systems must always be up to date with the latest software patches and updates. Enable updates for both the OS and vendor software, and always check that everything is updated properly.

Look at it from the attackers point of view; your system contains financial information so is an attractive target for attacks. Keeping your systems and servers up to date minimizes the chance of new exploits from being used.

Cloud service providers (rightly) maintain that secure coding and proper use of tools is the client’s responsibility. Patching and maintenance of the OS, tools and software is the IaaS client’s responsibility and in some cases, the responsibility of PaaS clients as well. Quite simply, use tools and vendors that allow you to patch as frequently as necessary and with ease; “push the button” ease or auto-patching should be sought.

Restrict access

Access to your cardholder data, as well as to your encryptions keys, should always be limited to those who have a valid business need to know. Users who access this information should do so with personal accounts and all access should be logged.

Though in cloud situations, you may not know the physical location of your data, you are still responsible to define and restrict the access to your data. You should of course use the access tools provided by your provider, OS and software. Limit the number of administrators, and make sure actions they take are logged and can be traced back to a username that belongs to one identifiable person.

Data encryption can help to control access by limiting access to the “vectors” you have foreseen and place strong limitations on hacks and human error. In essence, in cloud situations, you replace physical walls by encryption – think of encryption as the walls around your data.

eek solutions where administrators simply never see encryption keys nor sensitive card holder data. This goes back to strong cloud key management.

Carefully manage users

Each person with access to your systems must have a unique ID and strong authentication. This ensures that each person is accountable for his actions and for any breaches that occurred using his ID.

Your authentication systems should be reviewed carefully, both for end users and for administrators. In the PCI context, administrative rights are especially sensitive. An administrator should never be allowed anonymity, or be allowed to hide behind a group name. And administrators should be isolated from data through encryption.

Given the importance of encryption in the cloud, you should restrict all users, and certainly administrators, by never allowing them to actually see sensitive keys such as encryption keys. Your cloud key management solution should enforce this approach, and be highly automated so as to make it practical and bring down hassles to your users.

Restrict physical access

In a cloud setup this has two aspects. One is that breaches are not always committed over the internet from faraway places, attacks can also happen when a hacker sits at your computer. Any physical device that holds protected data (paper, CDs, thumb-drives, laptops, mobile devices, backup drives, etc.) should be under lock and key and access should be carefully authorized and always logged.

Another is the so called insider threat. A cloud provider employee gone malicious or just one that made an error of judgment while providing maintenance. Review your provider’s documentation as regards their internal security policies; a good provider should be fairly open with this sort of information. Make sure to use encryption, and make sure that the encryption system you use keeps encryption keys under your control – administration of key management systems should not be with cloud provider personnel.

Track and monitor

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. This must be an ongoing process.

Make sure the cloud service provider manages monitoring and logging for their infrastructure and can provide logs. However the guest Operating System, your Application and your user activity are your responsibility. Make sure to track and monitor them.

Test systems and processes

Test systems before you roll them out and on a regular basis afterwards, including security reviews done by your own staff and regular penetration testing – probes of your environment as if you were a hacker to expose any security flaws in your setup. Find your own weaknesses and fix them before someone else finds them.

Maintain a policy

To comply with PCI DSS, you must be organized and methodical. This checklist can get you started in creating your written policy of high level steps to address your information security.


PCI DSS was created to protect consumers from financial and identity theft. By adhering to it, you are also protecting yourself from the liability, financial damages, and damaged reputation that can be the result of a security breach.

Though it may be quite involved to get compliant, it is certainly less involved than dealing with a breach.

The best way to safeguard yourself is to do business with companies that are familiar with the regulations and their challenges and have developed ways to secure your data.

The post Cloud PCI Compliance: The Checklist appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

IoT & Smart Cities Stories
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Early Bird Registration Discount Expires on August 31, 2018 Conference Registration Link ▸ HERE. Pick from all 200 sessions in all 10 tracks, plus 22 Keynotes & General Sessions! Lunch is served two days. EXPIRES AUGUST 31, 2018. Ticket prices: ($1,295-Aug 31) ($1,495-Oct 31) ($1,995-Nov 12) ($2,500-Walk-in)
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...