Are you unsure whether you can achieve PCI compliance in a hybrid cloud? CloudPassage recently took part in an expert panel webinar, “Addressing PCI Compliance in Hybrid Clouds.” Here are 7 key takeaways from that panel discussion.
1. Familiarize yourself with the PCI DSS Cloud Computing Guidelines, including the shared responsibility requirements
Many companies have already achieved PCI DSS compliance in hybrid cloud environments. The journey begins with understanding the Information Supplement: PCI DSS Cloud Computing Guidelines (pdf), released in February 2013 by the PCI Security Standards Council to help interpret how PCI DSS applies to cloud environments. The guidelines also note that both the Cloud Service Provider (CSP), if one is involved, and the customer are responsible for implementing PCI DSS requirements—each must secure the infrastructure elements under their control. The exact split of infrastructure control can vary, so you should determine who owns which elements at the beginning of your relationship with your CSP.
2. Ask your CSP (if there is one) what they are doing for PCI DSS compliance
The PCI DSS cloud guidelines give you specific questions to ask your CSP and suggest ways to ensure that your CSP provides validation of PCI DSS compliance for the infrastructure under its control. You can also use the cloud guidelines with your auditors, giving them something to reference during the audit process. Ultimately you are responsible for meeting your PCI DSS requirements, but to meet that responsibility you will need proof of compliance for the elements under your CSP’s control. You can set up a contractual obligation with your CSP to provide this verification. You should also check which security certifications your CSP has achieved and confirm that they remain current.
3. Consider PCI DSS compliance implications when deciding between public and private clouds
For starters, if you have any cloud servers that do not store PCI data, those servers are not in scope for this regulation. For your PCI workloads, you can opt to run them in your on-premises private cloud, which allows you to control all of the security. Or you may choose to run PCI workloads in the public cloud, which may be desirable if you need additional compute elasticity and cost savings. In that scenario, you would need to address the multi-tenant structure (most efficiently with host-based security controls) by coordinating with your CSP on your shared security responsibility for PCI DSS compliance.
4. Focus on overall security—PCI DSS compliance should only be a subset of your security
Organizations need to go beyond PCI DSS compliance to ensure that their security meets all compliance requirements and protects all sensitive data and computing infrastructure. Start with your overall security needs and then map them to your compliance requirements. If you treat security as a “check box” exercise for compliance, you will end up without a comprehensive approach that meets your holistic security needs.
5. Don’t rely on traditional compliance tools in cloud-based environments
Security tools should be designed to support the on-demand, elastic nature of the cloud. Unfortunately, traditional compliance tools were designed for static on-premises data centers and cannot keep up with the dynamic and often ephemeral nature of this environment. They cannot transparently scale from a few servers to a few thousand without human intervention, and they cannot maintain consistent protection as a PCI workload moves in and out of cloud environments. They also hinder security teams from getting the consistent visibility they need across these environments, and they often impact operations, limiting the benefits of the cloud.
6. Automation is key to simplifying the process of PCI Compliance
Automation is currently the top priority in requests for security capabilities in cloud environments. To keep up with highly agile operations models and maintain protection at the speed of cloud, security and compliance tools need to work without manual provisioning or other human dependencies. Companies polled during the webinar indicated that most believe they are somewhat automated (although this may be based on scripting rather than true automation), but 25% said they had no automation at all. You need real-time, automatic log generation and meaningful compliance information for any of your cloud servers that are sampled during an audit. To help with automation, your security tooling should integrate with orchestration tools such as Chef and Puppet.
7. Implement a sustainable security approach to PCI
As companies adopt cloud technologies, they often end up with hybrid clouds, keeping some critical data on premises while moving other application workloads to a public cloud environment. To support this scenario, security must span private and public clouds, and even multiple public clouds. The solution should provide a single pane of glass for security across these environments, with the visibility, portability, and automation to support both the operations and security teams. And it needs to do that not just for today, but continue to work effectively as the mix of cloud and datacenter infrastructure evolves.
At CloudPassage, we designed our Halo security solution with compliance in mind. Halo is a comprehensive, automated security platform offered as a Software-as-a-Service (SaaS) solution. It secures all types of cloud environments, as well as virtual and bare metal servers. CloudPassage is a cloud-hosted PCI-certified level one service provider. We have been through PCI audits and used our own products to achieve compliance, so we know firsthand how to support your PCI DSS compliance needs.