The PCI DSS Virtualization Guidelines Information Supplement outlines the complexities of securing cardholder data in virtualized environments. Merchants and QSAs have long awaited the guidance, which is based on four principles: PCI DSS requirements apply to virtualization technologies that are used for cardholder data; virtualization technology introduces new risks; virtual systems vary greatly, and their characteristics and interaction with cardholder data must be thoroughly documented; and there is no one-size-fits-all solution for configuring them for PCI compliance.
The PCI virtualization report states that the use of cloud computing “presents a number of scoping challenges and considerations.” Specifically, the multi-tenant nature of public cloud computing environments creates challenges in defining scope and assigning responsibilities, according to the guidance. The report lists other inherent characteristics of many cloud systems that present additional barriers to PCI compliance, including:
--Distributed architectures add complexity.
--Public cloud environments are designed to be public facing and Internet-accessible.
--Boundaries between tenant environments can be fluid.
--The hosted entity has limited or no visibility into the underlying infrastructure and security controls, and limited or no control over cardholder data storage.
Additional controls must be implemented to offset the risks associated with public cloud environments, which include the possibility of “hostile, out-of-scope” workloads being hosted on the same virtualized infrastructure as cardholder data, according to the guidance.
“These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner,” the council warns.
Organizations planning to use the cloud for their PCI DSS environments must understand the details of the cloud service and perform a risk assessment, and the provider must clearly define and document the PCI compliance responsibilities assigned to each party, according to the guidance. Any aspects of the cloud-based service that aren’t covered in the cloud provider’s PCI review should be documented in a written agreement, the council advises.
“There's good news and bad news in the guidance. The good news is the council affirmed that PCI compliance in a virtualized, cloud-based environment is feasible,” said Ed Moyle, a senior security strategist with Savvis and a founding partner of Security Curve.
A year ago, there was much debate over whether a firm could be both PCI compliant and have cardholder environment elements in the cloud, he said. “Some QSAs were failing merchants solely on the fact that they were leveraging cloud. So this definitive statement about it being feasible is a step forward.”
At the same time, the report’s assertion that a VM being in scope means the hypervisor is also always in scope “has the potential to ratchet up the confusion significantly in a multi-tenanted environment,” Moyle said. The council provides some scoping guidance on this front, but he predicts confusion while QSAs “assimilate what they need to do to validate that cloud provider environments pass muster.”
While he’s heard some people saying the council has “outlawed cloud” with this guidance, he doesn’t interpret it that way. “My reading is that they want to put a stake in the ground with respect to validation efforts within cloud providers, ensuring cloud providers toe the line with respect to the controls they implement in environments that support the CDE [cardholder data environment],” Moyle said. “They realize merchants want to pursue cloud, so [they] are trying to work through how to do it well.”
According to Adrian Lane, analyst and CTO at information security research and advisory firm Securosis, there’s no reason organizations can’t securely store PCI data in a cloud or virtualized environment.
“Of course hypervisor security is critical to security in multi-tenant environments, but even after a decade of VM deployment, this method of attack remains an academic exercise. Cloud providers need to provide assurance for processes under their control, but that does not mean the customer cannot protect themselves in the event of a provider service failure. While data may get scattered across arbitrary resource pools, that does not mean data is unprotected or unaccounted for,” he wrote in a blog post.
The burden of proving compliance should remain with the merchant, regardless of the cloud deployment, Lane added. “The biggest obstacle will be PCI assessors who need to get comfortable with all of the variables in play, and understand how their audits change,” he wrote.