This article originally appeared in Cloud Computing Magazine Q4 2012
Implementing the technical and administrative controls that will pass a PCI (News - Alert) audit is challenging enough in a traditional data center where everything is under your complete control. Cloud-based application and server hosting, however, adds additional complexity to these challenges. Cloud teams often hit a wall when it’s time to select and deploy PCI security controls for cloud server environments.
Quite simply, the approaches we’ve come to rely on just don’t work in highly dynamic, less-controlled cloud environments. Things were much easier when all computing resources were behind the firewall with layers of network-deployed security controls between critical internal resources and the bad guys on the outside.
Organizations required to follow international, state or industry-specific regulatory compliance mandates often find themselves scratching their heads when it comes to moving ‘in-scope’ servers and applications to cloud environments. As such, compliance is frequently perceived as one of the primary roadblocks to cloud adoption by most organizations. Several questions plague the minds of security architects and compliance offers looking to move servers and applications to cloud environments. If a cloud provider is compliant with a particular mandate, does that mean that the customer’s cloud instances are automatically compliant? Will an auditor or assessor look upon the cloud server instances and deployed host-based controls as sufficient to satisfy the requirement? Will the previous “certification” be nullified if some in-scope servers are moved to a cloud environment?
Unfortunately, the answers to the aforementioned questions are “probably not,” “maybe” and “it depends” – answers that no company ever wants to justify to its business stakeholders, let alone its customers.
Addressing the challenges of PCI DSS in cloud environments isn’t an insurmountable challenge. Luckily, there are ways to address some of these key challenges when operating a PCI-DSS in-scope server in a cloud environment. The first step toward embracing cloud computing, however, is admitting (or in some cases learning) that your existing tools might be not capable of getting the job done.
Traditional security strategies were created at a time when cloud infrastructures did not exist and the use of public, multi-tenant infrastructure was data communications via the Internet. Multi-tenant (and even some single-tenant) cloud hosting environments introduce many nuances, such as dynamic IP addressing of servers, cloud bursting, rapid deployment and equally rapid server decommissioning, that the vast majority of security tools cannot handle.
The technical nature of cloud-hosting environments makes them more difficult to secure. A technique sometimes called “cloud-bursting” can be used to increase available compute power extremely rapidly by cloning virtual servers, typically within seconds to minutes.
That’s certainly not enough time for manual security configuration or review.
Though highly beneficial, high-speed scalability also means high-speed growth of vulnerabilities and attackable surface area. Using poorly secured images for cloud-bursting or failing to automate security in the stack means a growing threat of server compromise and nasty compliance problems during audits.
Traditional firewall technologies present another challenge in cloud environments. Network address assignment is far more dynamic in clouds, especially in public clouds. There is rarely a guarantee that your server will spin up with the same IP address every time. Current host-based firewalls can usually handle changes of this nature, but what about firewall policies defined with specific source and destination IP addresses? How will you accurately keep track of cloud server assets or administer network access controls when IP addresses can change to an arbitrary address within a massive IP address space?
The auditing and assessment of deployed servers is an addressable challenge presented by cloud architectures. Deploying tools purpose-built for dynamic public, private and hybrid cloud environments will also ensure that your security scales alongside your cloud server deployments.
Also, if you think of cloud servers as semi-static entities deployed on a dynamic architecture, you’ll be better prepared to help educate internal stakeholders, partners and assessors on the aforementioned cloud nuances – and how your organization has implemented safeguards to ensure adherence to PCI-DSS.
Customers need to know that cloud architectures are different than on-premises physical and virtualized servers. Depending on which cloud architectures are employed, whether they’re SaaS (News - Alert), PaaS, IaaS or some combination of the three, customers must be education on the required changes to existing policies and procedures – or in some cases, educated on how to create new policies and procedures to specifically address cloud architecture adoption.
A number of free resources exist to facilitate cloud security education:
Cloud Security Alliance (https://cloudsecurityalliance.org/) – Promotes the use of best practices for providing security assurance within cloud environments.
The National Institute of Science and Technology (NIST - http://csrc.nist.gov/publications/PubsSPs.html) – Fairly detailed guidance on cloud computing security.
The European Network and Information Security Agency (ENISA - http://www.enisa.europa.eu/activities/application-security/cloud-computing) – Cloud security risk assessment guidance, in addition to an assurance framework, aimed at a European audience.
CloudPassage (News - Alert) PCI Resource Kit site (http://pages.cloudpassage.com/pci-kit.html) – Free white papers, solutions briefs, use cases and blog posts that provide information and guidance on aligning server operations with PCI compliance mandates.
Using the aforementioned resources should help expedite cloud comfort-levels and address some of the questions customers may have with regards to their inevitable adoption of cloud computing architectures.
Edited by Braden Becker