PCI DSS: Cloudy Meanings for Cloud Service Providers (CSPs)

If you’re a cloud service provider (CSP), it’s important to examine the security of your virtualized infrastructure. This starts with choosing hardware and software with strong multi-tenancy capability and a top-notch web application firewall (WAF) solution. Before we get to how A10 can help, let’s look at some metrics.

After eight years in the making, version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) was released in February 2013. The document, in its own words, “provides guidance on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments.” For merchants, CSPs, and IT quality assurance staff, these were long-awaited metrics for assessing their network security.

Until now, as Thor Olavsrud notes in “PCI Council Releases Guidelines for Cloud Compliance,” “the question of whether and how PCI DSS covers cloud deployments has remained up in the air.” Prior PCI DSS regulations repeatedly dissuaded industries from using cloud-based services for storage or for processing of payment card information. Indeed, when Amazon Web Services announced in 2009 that it could not support the highest levels of PCI compliance and therefore discouraged users from storing sensitive credit card information within the EC2 system, this effectively ousted public cloud services from the PCI DSS discussion.

Amazon’s statement not only presented a detrimental picture of AWS’ overall security model, it reaffirmed that we couldn’t deviate from spending thousands in building private data centers to store customer data. Branden Williams laments in “Why 2013 is a Pivotal Year for PCI DSS,” that “[PCI Compliance has] notoriously been behind the times when it comes to the types of attacks that merchants face” and stuck to measures which ensured data protection in the past.

What forced the council to finally develop the 2013 revisions was the fact that organizations were already developing their own cloud security standards on the go, without formal recognition within PCI DSS. The wording of the twelve requirements was ambiguous enough to compel the council to devise a solution that would keep up with emerging business technologies. (A glaring example: RightScale’s Director of Security, Phil Cox, provided a requirement-by-requirement procedure for building a PCI compliant IaaS cloud a year before the 2013 revisions came out.) Even with the current revisions, we still see much of the same issue as before: a framework that remains relatively amorphous given the different distribution models and virtualization practices of cloud service providers.

What does this mean? As the PCI DSS guidelines explain, different types of virtualization have different security needs. With a private cloud service, the scope of security inspection is smaller because the environment is contained between the client and the CSP. With a public cloud service, responsibility is shared: the client and the CSP must each independently enforce the standards. If the CSP is PCI compliant, that doesn’t necessarily mean the client is, and vice versa. Both the client and the CSP therefore need to be acutely aware of where each other’s boundaries lie. As PCI DSS explains, the more data you entrust to a third-party cloud provider, the broader the scope and complexity of your cardholder data environment (CDE).

This is where multi-tenancy comes in. With large scope and complexity, you need strong isolation. Guaranteeing strong isolation between tenants matters not only for security, but also for expanding your customer base. An expanding customer base means increased demand, and to meet this demand CSPs also need superior load balancing capability.

A10 offers the following options for multi-tenancy:

Additionally, the following Application Delivery features, available exclusively on our Thunder Series appliances, further help with PCI compliance:

  1. DDoS protection
  2. SSL and TLS encryption features
  3. WAF (for protection against SQL injection, CSRF and XSS attacks)

However, as with any security discussion, “secure” is never secure enough. Being PCI compliant shouldn’t give CSPs or their clients a reason to be complacent. The guidelines leave enough open to interpretation as to how they can be enforced, and as discussed, can evolve with changing technology needs.

Geoff Blaine
September 16, 2013

About Geoff Blaine

A 10-year veteran of the security space, Geoff serves as A10's senior communications writer and content manager. He brings a blend of real-world journalism experience, cybersecurity perspective and mainstream tech interest.