In yesterday’s PCI and the Cloud webinar, Dave Shackleford (IANS) and Andrew Hay (CloudPassage) discussed how to be PCI compliant in the cloud, why compliance in the cloud is so hard, what the QSA really looks for, and more.
We thought we’d take an opportunity to address all of the great questions asked during the webinar.
Q. Will CloudPassage Halo work with CloudStack? If so, how?
A. Halo is hypervisor- and cloud-vendor agnostic and will run on CloudStack, Eucalyptus, VMware and others.
Q. All Cloud Service Providers (CSPs) are required to have an externally generated review by a QSA; do you need to see the full record of compliance (many companies are hesitant to provide) or just the executive summary?
A. Many service providers will let you review their full Report on Compliance (ROC), but only under NDA; others will release only the Attestation of Compliance (AOC) or an executive summary. To learn how each CSP handles these requests, you will have to contact them directly.
Q. What existing tools used in traditional environments can still be used in the cloud? Are there any other tools you would recommend (open source or otherwise)?
A. This is a hard question to answer, as the architectures of security products differ from vendor to vendor. Suffice it to say, most security tools were built to protect a single, relatively static server. If the tool you are looking at cannot function in a dynamic environment, where servers are cloned, started and destroyed without notice, and cannot scale automatically with them, it probably won't be very valuable to your security program in a cloud environment.
Q. Were the survey results on slide 16 specific to PCI compliance?
A. No, the results from this question were applicable to all standards and regulatory mandates listed at the beginning of the survey – including PCI, HIPAA, SOX, GLBA, etc.
Q. Is there any foreseeable scope for compliance as a service?
A. No, we don't see it happening at this point; there are too many facets involved.
Q. Have you come across any particular cloud providers that go over and above on compliance?
A. Any CSP with a sizeable enterprise customer base, such as Amazon, Rackspace, GoGrid and others, has a vested interest in ensuring its architecture helps customers towards a state of PCI compliance. I don't believe any particular CSP has emerged as the 'top' player, but it is certainly a title they are all vying for.
Q. When can we expect to get guidance from the PCI Security Council about the cloud?
A. The PCI Cloud Security Special Interest Group (SIG) was supposed to have its cloud guidance ready to coincide with the PCI North American 2012 Community Meeting, but the delivery date has been pushed to November. Information about the Cloud SIG can be found here.
Q. Is there a subset of PCI requirements that is standard across geographical lines?
A. The key tenets of the PCI DSS are geography-agnostic, but that doesn't mean an organization or its QSA won't interpret the spirit of a particular tenet differently in one part of the world than in another. More information about the PCI DSS (in several languages) can be found here.
Q. What do you think will change and get updated with the next version of PCI DSS guidelines?
A. I would fully expect to see more language around cloud environments and more concise guidance for cloud service providers in the next full revision of the PCI DSS. We might also see newer technologies, such as application whitelisting, deep packet inspection and automated code scanning software, listed as acceptable technical controls to supplement or replace previously prescribed controls.
Q. Do you have any general numbers as to how many SaaS, IaaS, and PaaS are on the CSP list(s) (in reference to slide 9)?
A. Unfortunately, the list found here does not identify vendors by architecture type (SaaS, IaaS or PaaS).
Q. Could you please elaborate on PCI requirement #9 (slide 13)?
A. Requirement 9 pertains to physical security: restricting physical access to the hardware, media and facilities that store or process cardholder data. In cloud environments this is almost always beyond your sphere of control, so you must rely on your cloud service provider to attest to its own physical security, typically via its Attestation of Compliance. Be sure that the data centers and services you actually use fall within the scope of that attestation.
Thanks again to everyone who participated in the webinar – if you missed it, you can still view the recording or view the slides. A summary of PCI milestones and goals as they map to CloudPassage Halo is provided below. If you want to try Halo, sign up for a free 30-day trial.
IANS is the leading provider of in-depth security insights and decision support delivered through research, community, and consulting. Fueled by interactions among IANS Faculty and information security practitioners, IANS’ experience-driven advice helps IT security, risk management, and compliance executives make better, faster technical and managerial decisions.