Making sense of new PCI advice on virtualisation and cloud

Advice

The new security guidelines from the PCI SSC on virtualisation have changed the game a bit. A security expert guides us through the minefield.

The Payment Card Industry Security Standards Council (PCI SSC) has discovered virtualisation and cloud computing, in a move that is going to have some implications for companies looking to move to the cloud. The body has just issued new guidance on virtualisation, something that may cause merchants to change their approach.

Actually, it is misleading to say that it has only just discovered the technology: this document has been long awaited, having been pre-announced at the PCI SSC User Forum back in October 2010.

The document includes advice for local virtualised servers and environments as well as advice for those merchants considering a wholesale switch to cloud computing in whatever flavour they believe beneficial. It covers a wide range of options and topics and the authors are to be congratulated on the output they have achieved.

The guidance comes at an opportune time, with a number of articles recently highlighting security issues with regard to cloud computing environments.

But what does the guidance say? It makes many valid points, of which the leading two may perhaps be characterised as:

  • Whenever environments become more complex they are more difficult to manage and to secure. It was only this year that the Ponemon Institute reported that security complexity was the number one obstacle which system administrators felt they faced. Clearly virtualised environments add a new layer of administration and configuration which can lead to errors and, in turn, the inadvertent exposure of security vulnerabilities. Not only that, but because most of the technologies are still relatively new and less mature than other security solutions, there is the possibility of new vulnerabilities being discovered which may be exploited.
  • Secondly, and very importantly, there is no one-size-fits-all solution to configuring a virtualised environment to meet the PCI Data Security Standard (PCI DSS), or indeed any other security standard. If people are expecting a simple tick-box list to follow they will be disappointed.

Certainly from the point of view of a PCI DSS audit, virtualised environments have increasingly become a consideration for the assessor. There are few large merchants who don’t take advantage of a virtualised solution in some form. Think virtual machines (VM), storage area networks (SAN) and network attached storage (NAS), even before we start to consider virtual firewalls, virtual routers and switches, security appliances and a move to the “cloud”.

It was interesting to read the advice for data stored in cloud computing environments, with the cloud continuing to be a subject of discussion in the news. As we know, in certain cloud environments a merchant may not know where their data is hosted, even by country, never mind by data centre, nor may they know who else is hosting data within the same virtual infrastructure. As a result, some cloud-based services may be inherently unable to support PCI DSS compliance for a merchant.

Summary

To review: from a PCI DSS perspective, the very first step of any assessment is to accurately determine the scope of the review. The scope is determined by the cardholder data flows, since any system component which processes, transmits or stores cardholder data is within scope, along with any system component which is connected to this cardholder data environment, unless it is adequately segregated.
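To make that scoping rule concrete, here is an added example (not from the article or from the PCI SSC) that models a merchant's components and their connectivity as constructed sample data and propagates scope outward from the cardholder data environment across every link that is not segregated:

```python
# Added example, not from the article: a minimal model of the PCI DSS scoping
# rule. Component names, links and the "segmented" flags are constructed
# sample data, not a real merchant environment.
from collections import deque

# Constructed inventory: component -> whether it stores, processes or
# transmits cardholder data (CHD), i.e. is part of the CDE itself.
HANDLES_CHD = {
    "pos-terminal": True,
    "payment-gateway": True,
    "web-app": False,
    "db-reporting": False,
    "hr-system": False,
    "hypervisor-1": False,
}

# Constructed connectivity: (a, b, segmented). segmented=True means the link
# is governed by a segmentation control (e.g. a firewall that denies all
# traffic between the two); segmented=False means unrestricted connectivity.
LINKS = [
    ("pos-terminal", "payment-gateway", False),
    ("payment-gateway", "web-app", False),
    ("web-app", "db-reporting", False),
    ("web-app", "hr-system", True),              # firewalled off: stays out
    ("hypervisor-1", "payment-gateway", False),  # hosts a CDE VM: pulled in
]

def pci_scope(handles_chd, links):
    """Return {component: reason} for every component that is in scope.

    Seeds: every component that handles CHD. Propagation: any component
    reachable from a seed over a non-segregated link is also in scope.
    """
    adjacency = {}
    for a, b, segmented in links:
        if segmented:
            continue  # adequately segregated: scope does not cross this link
        adjacency.setdefault(a, []).append(b)
        adjacency.setdefault(b, []).append(a)
    scope = {c: "handles cardholder data" for c, h in handles_chd.items() if h}
    queue = deque(scope)
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, []):
            if neighbour not in scope:
                scope[neighbour] = f"connected to {node} without segregation"
                queue.append(neighbour)
    return scope

if __name__ == "__main__":
    for comp, why in sorted(pci_scope(HANDLES_CHD, LINKS).items()):
        print(f"{comp:16s} in scope: {why}")
```

Note that the hypervisor lands in scope purely because it hosts an in-scope virtual machine, which is exactly the kind of extra layer the guidance warns assessors to account for.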

When a merchant is using cloud services, this review and scope setting can become far more difficult. Not only do the systems need to be found and defined, but the scope of the services provided by the cloud service provider must also be considered. For example, a cloud service provider may only provide infrastructure (IaaS) and hence may only be responsible for physical facilities and computer and network hardware. In other cases a cloud service provider may go much further and provide system support up to and including application software (SaaS), supplying the operating systems, the virtual infrastructure and the application software.

In either case, all of the relevant controls for all of the systems in scope must be achieved, but the problem will now be assessing where that responsibility lies. In my experience, the interface and demarcation between merchant and cloud provider is where gaps and misunderstandings can appear which may allow the security to be compromised, since both parties believe the other is responsible.

However, to resolve this conundrum the PCI Security Standards Council (SSC) suggests moving the burden of proof across to the cloud-based service provider, and this does seem to be the only logical place where this responsibility can be safely put. PCI DSS does have a set of controls related to the management of service providers with whom cardholder data is shared, and these should be implemented before a cloud solution is selected.

One key aspect of this process should be to ensure the service provider makes available the scope of any PCI DSS audit which has been undertaken, and which services it included, so that the merchant can confirm that all the PCI DSS controls with which they are required to comply are fulfilled. The merchant shouldn’t forget that this should also include integrated incident response planning.

This can be problematic in a virtualised, shared environment for a whole number of practical and technical reasons, so support for an investigation should be written into the contract to ensure the merchant’s obligations can be fulfilled. As all boy scouts know, it’s best to be prepared!


Robin Adams is director of security, fraud and risk management at The Logic Group. He has over 20 years of experience as an IT professional covering diverse platforms and security issues. His previous roles include heading up a European team of QSAs and leading a team of security specialist consultants at PwC. He has specialised in security architecture, security administration, security management, PKI consultancy, security and risk-based audits and identity management.
