Cloud PCI Compliance: The Checklist
Introduction to PCI DSS and the Cloud
The news is always full of major incidents of consumer credit card information being compromised. To protect against attacks that can lead to theft of business data or customer identities, best practices are set forth in the Payment Card Industry Data Security Standard (PCI DSS). Its 12 requirements, often called the 12 steps, set up a framework for a secure payment environment.
If your business stores, processes, or transmits payment cardholder data in the cloud, you are bound by PCI DSS. But unlike “brick and mortar” data centers that must also adhere to PCI DSS, those operating in the cloud have additional needs. For example, 6 of the 12 steps outlined by PCI DSS either require or are assisted by encryption of data. However, to securely encrypt in the cloud and comply with PCI DSS, you must keep control of the encryption keys. But as a cloud operation, can you keep your encryption keys in the cloud and at the same time keep them safe?
The answer is – you can.
We have compiled this checklist of the requirements of PCI DSS as they relate to cloud based operations. Ultimately, you may need to employ an external professional auditor to review your system for certification. Use this list to understand compliance, to plan for compliance, and most importantly, to protect yourself and your customers.
Like any 12-step program, adhering to PCI DSS takes commitment, but succeeding at it protects you and your customers.
Use a firewall
You must install and consistently maintain a firewall configuration to protect your data. In the cloud, your firewall is software-based, and it will control the access to your data based on a set of rules. Choosing those rules well, as well as segmenting your network, is crucial to limiting the potential attack “surface”. It is an important part of Software Defined Networking.
Try to create a clearly defined and limited scope where sensitive data resides, which is easier to manage and control precisely because it has been isolated through firewall and networking rules.
Good examples include VMware’s “software defined data center” approach which includes a software-defined Firewall, Amazon’s AWS Security Groups, and the Dome9 cloud firewall. This is the first important step to protecting yourself against hackers.
Do not use defaults
For all of your systems, never use the default passwords and other security parameters provided by the vendors of commercial or open source software. Hackers are familiar with the defaults. Always change this information to something that is only known by you.
In the February 2013 PCI DSS Cloud Computing Guidelines, the Security Standards Council clearly states that businesses that use IaaS (not their cloud service providers) have the responsibility to securely configure their operating systems, applications, and virtual devices. PaaS setups share the responsibility with their provider for the OS, but the client controls the applications and software above the OS.
In IaaS and PaaS setups, you are also inheriting the settings and VM images of your provider. Check them carefully.
In fact, the best choice for you is to use vendors that offer no defaults to sensitive security parameters, but rather have processes for quickly and easily setting and enforcing unique values. Ask your vendors about this best practice.
Protect cardholder data
This seems straightforward, but PCI DSS enumerates the requirements in a very detailed way; in fact, this is the heart of PCI DSS. It implies many safeguards on what data is stored and how it is stored, which apply to traditional as well as cloud deployments. In the cloud, encryption becomes particularly important as a way to replace traditional physical safeguards. Data needs to be encrypted so that it is unreadable and unusable to anyone without the key. To comply, you must use hashing and encryption methods and strong key management to keep your data from being used by intruders.
Your keys protect your cardholder data, but you must protect your keys. In the cloud, your cryptographic keys must be managed separately from all other system components. Managing keys, distributing them, and storing them become a focal point for cloud applications complying with PCI DSS. This can be tricky, since ideally you would like your encryption keys to stay outside the cloud, for security; yet to utilize cloud computational resources, you need the keys inside the cloud. Fortunately, technology does offer neat solutions to these issues; look for “split key” cloud key management solutions that allow encryption keys to work in the cloud while you control them by keeping your “master key” share outside the cloud.
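The split-key pattern described above, as an added illustration that is not the article's or Porticor's code: one share lives in the cloud, the customer keeps the other share outside it, and the data key exists only while both shares are combined in memory. The cipher is an HMAC-SHA256 counter-mode construction with a separate MAC key, built from the standard library so the example runs anywhere; a deployment would use AES-GCM from a vetted library, and the PAN used is a constructed test value.

```python
import hmac
import hashlib
import secrets


def split_key(master):
    """Split `master` into a random cloud share and the customer's share (XOR).
    Either share on its own is uniformly random and reveals nothing about `master`."""
    cloud_share = secrets.token_bytes(len(master))
    customer_share = bytes(m ^ c for m, c in zip(master, cloud_share))
    return cloud_share, customer_share


def combine(cloud_share, customer_share):
    """Reconstruct the master key; do this only transiently, at the point of use."""
    return bytes(a ^ b for a, b in zip(cloud_share, customer_share))


def _subkey(master, purpose):
    # Separate encryption and MAC keys derived from the master (HKDF-style expand)
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    # Counter mode over HMAC-SHA256: 32-byte blocks, truncated to n bytes
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt_pan(master, pan):
    """Encrypt a primary account number; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = secrets.token_bytes(16)
    data = pan.encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_pan(master, blob):
    """Verify the tag first, then decrypt; a wrong key (e.g. one share alone) or
    any tampering fails the integrity check and raises ValueError."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def mask_pan(pan):
    """Display form allowed by PCI DSS: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
```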
Encrypt data in transit
Any data that is sent over open public networks may be accessed by malicious individuals. To protect against this, always encrypt your data while in transit. Always enable SSL/TLS and consider IPsec communications and VPNs. Consider encryption in transit in conjunction with the segmentation and firewall rules you set up previously. Ideally SSL/TLS encryption should be maintained to your application servers, not terminated too near the network edge or at the load balancer. Since some security tools do need to look at the transmitted data (e.g. Web Application Firewalls), consider re-encrypting after they’ve done their job, or placing them close to application servers.
Cloud businesses do have the means to protect transmitted data. Best practice is to segment your deployment into public-facing segments and private ones, and maintain encryption (or re-encrypt if necessary) until data reaches the more private segments where app servers reside. Also consider encrypting transmission between components within your own environment – for example, consider using TLS/SSL encryption for the communication between your application servers and your database.
Do use products that allow you control of the in-transit encryption parameters, such as certificates and keys. Choose cloud key management tools that assist in this task.
Use anti-virus software
Make sure your anti-virus tools are always updated with the latest releases from the vendor.
For a PCI compliant system – whether in a traditional or cloud deployment – to be infected is quite serious. Make sure consumer-facing parts of the system are very carefully limited in scope, as mentioned before, to reduce the opportunities for infection. Take proper steps to regularly scan your system and your network, to quickly detect viral infections, bots and the like.
In the cloud, naturally, this applies to your guest OS – on your VM. Install appropriate anti-virus and network scanning capabilities on your cloud servers and in your environment.
Secure your systems and applications
All of your systems must always be up to date with the latest software patches and updates. Enable updates for both the OS and vendor software, and always check that everything is updated properly.
Look at it from the attacker's point of view: your system contains financial information, so it is an attractive target for attacks. Keeping your systems and servers up to date minimizes the chance of new exploits being used against you.
Cloud service providers (rightly) maintain that secure coding and proper use of tools is the client’s responsibility. Patching and maintenance of the OS, tools and software is the IaaS client’s responsibility and in some cases, the responsibility of PaaS clients as well. Quite simply, use tools and vendors that allow you to patch as frequently as necessary and with ease; “push the button” ease or auto-patching should be sought.
Restrict access to cardholder data
Access to your cardholder data, as well as to your encryption keys, should always be limited to those who have a valid business need to know. Users who access this information should do so with personal accounts, and all access should be logged.
Though in cloud situations, you may not know the physical location of your data, you are still responsible to define and restrict the access to your data. You should of course use the access tools provided by your provider, OS and software. Limit the number of administrators, and make sure actions they take are logged and can be traced back to a username that belongs to one identifiable person.
Data encryption can help to control access by limiting access to the “vectors” you have foreseen and place strong limitations on hacks and human error. In essence, in cloud situations, you replace physical walls by encryption – think of encryption as the walls around your data.
Seek solutions where administrators simply never see encryption keys or sensitive cardholder data. This goes back to strong cloud key management.
Carefully manage users
Each person with access to your systems must have a unique ID and strong authentication. This ensures that each person is accountable for his actions and for any breaches that occurred using his ID.
Your authentication systems should be reviewed carefully, both for end users and for administrators. In the PCI context, administrative rights are especially sensitive. An administrator should never be allowed anonymity, or be allowed to hide behind a group name. And administrators should be isolated from data through encryption.
Given the importance of encryption in the cloud, you should restrict all users, and certainly administrators, by never allowing them to actually see sensitive keys such as encryption keys. Your cloud key management solution should enforce this approach, and be highly automated so as to make it practical and bring down hassles to your users.
Restrict physical access
In a cloud setup this has two aspects. One is that breaches are not always committed over the internet from faraway places; attacks can also happen when a hacker sits at your computer. Any physical device that holds protected data (paper, CDs, thumb-drives, laptops, mobile devices, backup drives, etc.) should be under lock and key, and access should be carefully authorized and always logged.
Another is the so-called insider threat: a cloud provider employee gone malicious, or just one that made an error of judgment while providing maintenance. Review your provider’s documentation as regards their internal security policies; a good provider should be fairly open with this sort of information. Make sure to use encryption, and make sure that the encryption system you use keeps encryption keys under your control – administration of key management systems should not be with cloud provider personnel.
Track and monitor
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. This must be an ongoing process.
Make sure the cloud service provider manages monitoring and logging for their infrastructure and can provide logs. However, the guest operating system, your application and your user activity are your responsibility. Make sure to track and monitor them.
Test systems and processes
Test systems before you roll them out and on a regular basis afterwards, including security reviews done by your own staff and regular penetration testing - probes of your environment as if you were a hacker to expose any security flaws in your setup. Find your own weaknesses and fix them before someone else finds them.
Maintain a policy
To comply with PCI DSS, you must be organized and methodical. This checklist can get you started in creating your written policy of high level steps to address your information security.
PCI DSS was created to protect consumers from financial and identity theft. By adhering to it, you are also protecting yourself from the liability, financial damages, and damaged reputation that can be the result of a security breach.
Though it may be quite involved to get compliant, it is certainly less involved than dealing with a breach.
The best way to safeguard yourself is to do business with companies that are familiar with the regulations and their challenges and have developed ways to secure your data.
About the Author
Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance. Gilad can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.
Cloud provider - responsibility to secure VM hosts.
Do you know what PCI DSS says about securing the host where the cloud VMs run? I know that there are some cloud providers that advertise themselves as "PCI compliant", but if a VM host gets compromised, all the data (even in-memory plain card numbers) is compromised too. And I think that the responsibility would still fall on the company using the cloud service.
Great ideas, but are they enough?
• Network Firewall to securely control incoming and outgoing network traffic
• Web Application Firewall (WAF) similar to a network firewall, but focused on the application layer to limit input, output and access to and from the application layer of the system
• Intrusion Prevention System (IPS) or Intrusion Prevention and Detection System (IDPS) to monitor network and system activities to prevent malicious activity
• Device Hardening to provide overall protection of the system looking at various layers including the host, application, operating system, user and physical levels for depth in defense
• Virus Protection to protect the overall system from viruses, malware and other vulnerabilities
• File Integrity Monitoring (FIM) to validate the integrity of the operating system and application files
• Security Information and Event Monitoring (SIEM) for real-time alerting, logging and analysis of activities across the network, hardware and software applications
• Offsite Encrypted Backups of applications, databases, file systems and operating systems to ensure business continuity in the event of a disruption or disaster
• External Vulnerability Scanning providing insight into what vulnerabilities are being exposed through your firewall to the outside world
• Internal Vulnerability Scanning providing a hacker’s view of vulnerabilities inside the network behind your firewall
• Dual Factor System Authentication to decrease the probability of a false system access by requiring 2 forms of identification. Often broken down to something only the user knows (password) and something the user has (rotating PIN)
• Multi-Factor Facility Authentication to decrease the probability of false facility access by requiring something a person has (ID Card), something they know (PIN) and something they are (fingerprint)
And I wouldn't say this is a complete list, but certainly things that you need to consider when protecting your business applications, websites and databases. You can read more at www.inetu.net/solutions/product/pci-compliance