Organizations outsourcing card data to the cloud face significant security risks, says Bob Russo, general manager of the Payment Card Industry Security Standards Council.
"You really need to know where your data is at all times," Russo says. And as soon as an organization adds other players to the offsite card-management mix, ensuring compliance with the PCI Data Security Standard becomes increasingly challenging, he says.
"Cloud users and cloud service providers need to understand what their roles and responsibilities are when it comes to protecting this data," Russo says in an interview with Information Security Media Group [transcript below].
Questions to ask, he says, include: Where's the data being stored? Is it stored in multiple locations?
"Storing, processing and transmitting cardholder data in the cloud brings the cloud environment into scope for PCI-DSS," he explains.
Emerging cloud risks and compliance challenges surrounding the cloud are addressed in the PCI Council's new PCI DSS Cloud Computing Guidelines Information Supplement - a set of best practices and guidelines developed by the PCI Council's Cloud Special Interest Group.
"A lot of these [cloud] clients have limited or no control over cardholder data storage," Russo says. Organizations need to be concerned about collecting and correlating access logs and other information from cloud vendors to ensure they are maintaining security compliance, he adds.
"These are all things that you have to take into consideration when you're thinking about outsourcing to a cloud provider," Russo says.
During this interview, Russo discusses why organizations must:
- Review contracts carefully before signing with cloud services providers;
- Ensure security across the payments chain and understand the role each entity plays;
- Assess risk when card data could potentially be stored in multiple locations.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. He guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. Russo works with representatives of American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.
Cloud's Impact on Payments
TRACY KITTEN: How is cloud computing impacting payments?
BOB RUSSO: Cloud services certainly provide an attractive opportunity for all kinds of organizations to outsource and utilize centrally-managed security resources. When we're looking at the benefits that the cloud can bring to these people, from our perspective, we want to make sure that organizations are aware of all of the risks and the challenges that are associated with a particular cloud choice, because they're not all the same. Before moving all of their payment data and everything that they're processing into one of these cloud service providers, we want to make sure that they're looking at some of this guidance.
KITTEN: What would you say are some of the key points from the guidance?
RUSSO: At a very, very high level, there are some pretty key takeaways in this particular guidance. Outsourcing management of these security controls - and this is something that everybody has to keep in mind - doesn't equate to outsourcing your responsibility to be PCI-DSS compliant. It's critical to understand that there's scope involved for both parties - the cloud service provider, as well as the client - or whoever's going to be using it. And something to bear in mind is that, as I said before, cloud services are not all created equal. You need to understand what PCI-compliant cloud service really means and who's responsible for being compliant when somebody advertises that they're a PCI-compliant cloud service provider. Does this result in them being PCI compliant or the client being PCI compliant as well? It really requires some due diligence when it comes to contracts and the SLAs [service level agreements] that you've got in your contracts and ongoing monitoring, to make sure that you're staying PCI compliant.
KITTEN: What specific PCI challenges has the council noted as they relate to the cloud?
RUSSO: Storing, processing and transmitting cardholder data in the cloud brings the cloud environment into scope for PCI-DSS, and it may be particularly challenging to validate PCI-DSS compliance in a distributed and dynamic infrastructure, such as a public or a shared cloud. You have to take these things into consideration. One of the things that the paper looks at is the fact that a lot of these clients have limited or no control over the cardholder data storage. Where's that data being stored? Is it being stored in multiple locations because they're backing it up? Not only do you need to know where it is physically stored, but also how often they are creating redundant storage. Where is it being stored at any given time, and in how many different places?
You also have to be concerned about some of the virtual components, like logging and monitoring, that don't have the same level of access control you would have if you had them inside your own shop. It can be particularly challenging to collect and, more importantly, correlate all the different logs necessary to be able to meet PCI-DSS compliance. These are all things that you have to take into consideration when you're thinking about outsourcing to a cloud provider.
Impact to Card Issuers
KITTEN: How does the guidance impact card issuers?
RUSSO: The guidance is intended for any organization that stores, processes or transmits credit card data. It's equally applicable to issuers as it is to any other entity that's touching cardholder data.
KITTEN: What about the types of applications that are impacted by the cloud and what are some of the security risks that the council noted?
RUSSO: Let's not lose sight of the fact that the cloud is essentially made up of software. The same rule holds true for this environment as it does for traditional computing environments. Any application that's touching cardholder data is in scope for PCI-DSS and needs to be addressed and secured. The same security challenges we see with applications, like misconfiguration, apply here. We're seeing improper installation, which is why we have our QIR program, and the maintenance of passwords and password management is all at risk again, whether it's in your environment or in a cloud environment, and it all needs to be addressed.
KITTEN: What about merchants? What would you say are some of the challenges that merchants and others face when it comes to protecting cardholder data in a cloud?
RUSSO: Merchants were involved in this document. This is a way to introduce priority into specific areas that the merchants want to see. In this case, PCI applies to wherever in your organization your cardholder data is transmitted, processed or stored. The industry asked for guidance on how to understand the risks and what some of the challenges were when it came to securing the cloud, and, more importantly, how they related to PCI-DSS requirements and how those requirements could be applied. The council is always talking about payment security as a shared responsibility. The cloud, certainly, is a shared resource, which means it's pretty important for all the parties involved to understand what their responsibilities are when it comes to protecting this data.
KITTEN: What about the timing of the guidance? Why did the council think the time was right to issue this guidance?
RUSSO: The stakeholders wanted this thing. They said it was an important issue to them, and right now they want the guidance around it. You probably remember back in 2011 we had another special interest group that put out a paper on virtualization, and the cloud was addressed, to some degree, in that document. But people wanted to build on it, which is why it became a special interest group last year as well.
KITTEN: As you've noted, addressing cloud security issues is challenging, just because cloud computing involves so many different entities. How inclusive would you say this guidance is?
RUSSO: I think it's very inclusive. Cloud, as I said, is a shared responsibility between the service provider and the merchant or the client, which means that if you're storing this credit card data or processing or transmitting it in a cloud environment, then PCI applies and needs to be validated, both for the service provider's infrastructure as well as the client's usage in that environment. This guidance really focuses on helping these organizations understand what the different roles and responsibilities are across cloud models, and there are many different models. They're all discussed within this document.
For example, clients that want to outsource the responsibility of managing their security controls to a cloud provider need to be aware that this really doesn't exempt them from their PCI-DSS responsibilities. The client still has to ensure that the cardholder data is properly protected. They have to validate that their PCI-DSS compliance is in accordance with whatever brands they're using, in terms of cards, in their program.
Another point is that cloud services are, as I said earlier, not created equal. And it's important to understand what's covered by the cloud service provider and what the client's responsibilities are, because they'll vary from implementation to implementation. Different providers will provide different coverage, even if they refer to their services in the same way. Their marketing material may say the same thing, but you really need to get inside that and understand what it is that they're actually offering.
KITTEN: What about the risks that third-party providers pose?
RUSSO: As we always say, you really need to know where your data is at all times, and we see organizations that don't realize that they had card data in certain places. You can imagine in the cloud, as soon as you add other players to the mix and your data is being managed offsite by different parties, it pretty much complicates the tracking of all of this. The real challenge that we see - and what this paper really gets to - is that both cloud users and cloud service providers need to understand what their roles are and what their responsibilities are when it comes to protecting this data.
Often we see cloud scenarios that we refer to as nested service providers or nested service provider relationships, and this is where cloud service providers themselves are relying on third parties to deliver some of this service. Now, you have a responsibility not only to deal with your cloud service provider, but also with their relationships as well, and who's providing service to them, since you're ultimately responsible for this entire environment as the client. You need to clarify and understand what the scope and responsibility is for that cloud service provider and what they're accepting in terms of PCI-DSS compliance, and which systems or components are validated under PCI. PCI-DSS requirements 6.1 and 6.2 address the need for vulnerabilities to be identified and ranked according to risk, and then you have to deploy the fixes in a timely manner to make sure that you're compliant with these specific requirements.
If you don't properly define this thing, a client basically can assume that the cloud service provider is managing this process. In essence, however, the cloud provider could only be managing the vulnerabilities to their underlying infrastructure, assuming that the client is managing the other vulnerabilities for their own operating systems and applications. You really need to know all of these things, and this document goes a very long way toward telling you specifically the kinds of questions you need to ask and the kinds of things that you need to look for. There are some really good graphics within the document that show these different types of scenarios and what you need to do and what you need to make sure you're responsible for.
Cloud Special Interest Group
KITTEN: What can you tell us about the special interest group that developed the guidance?
RUSSO: We're pretty happy about this particular special interest group, as we are with all of our special interest groups. We had over a hundred global organizations on this particular group. They represented banks, merchants, technology vendors, and they were very involved with the development of this guidance. The value of this resource and all of the supplements that the council puts out comes from these special interest groups and comes from the fact that these are written by people who are in the industry. They're written for people in their particular industries, so there's really practical, hands-on experience, recommendations and advice brought to bear when we bring these things out, and that's really important.
KITTEN: What about the organizations that are involved in the group?
RUSSO: A lot of them are very big merchants. Tesco, as an example, was part of this. A lot of the big banks and acquirers were all part of this. As I said, there were close to a hundred people in this, so it had really good participation.
KITTEN: I assume that cloud vendors were probably involved as well.
RUSSO: They had a lot of cloud vendors involved as well, making sure that people understood what the service was that they were bringing to bear and how to better define what you're getting. This is a differentiator between these vendors, so they want to make sure that people who are buying these services understand that they need to be asking these specific questions to make sure they know what they're getting.
Getting the Word Out
KITTEN: This is an area that we've talked about before, getting the word out. How is the council working to inform the community about this new guidance?
RUSSO: As with any of our guidance documents, they're released on our website. A number of our board members were actively involved in this particular SIG, and in most of our SIGs as well. They serve as representatives to the participating organizations on the board. We look to them to help educate not only in their particular vertical but also in their specific global region that many of these guys are in.
We also continue to promote all of this guidance through social media channels and conversations with people like you about these things.
Final Thoughts on Cloud Guidance
KITTEN: What final thoughts or advice can you offer about this guidance?
RUSSO: As you can see from what we've discussed here today, when it comes to the cloud, the considerations include business considerations, operational considerations and technical issues that you have to deal with as well. With this in mind, we want to encourage everyone out there using or thinking about using any kind of cloud technologies to bring people from various teams together, including IT, legal, information security, compliance and risk, and make sure that they do their due diligence. To help define that, this document goes a long way toward helping them understand what's there.
Lastly, I want to reiterate how much we appreciate all the work that all of these hundred-plus organizations that were involved in developing and producing this guidance put in, because there was a lot of work that went into this document. We think this will go a long way toward helping organizations better understand what the risks are and, more importantly, how to evaluate them and how to deal with them as you move into this cloud computing environment.