It might not surprise readers to find out that enterprise IT organizations have a certain degree of fear, uncertainty and doubt built up around public cloud computing models -- and it might not surprise them that most of that FUD
In fact, the Payment Card Industry's PCI Security Standards Council (PCI SSC) recently published the PCI DSS Cloud Computing Guidelines, a document that clarifies many compliance issues around using cloud services to process credit card transactions. While the PCI Data Security Standard (PCI DSS) cloud guidelines are designed for the payment card industry, major contributors to the guideline suggest they work as a model for cloud data security in general.
As a large, not-for-profit security standards organization, the PCI SSC sets up smaller subcommittees to cover particular niches within the enormous sphere of protecting payment card information. The council recognized the need for better guidelines on the use of cloud computing services and established the Cloud Special Interest Group, which consists of approximately 40 companies and about 12 to 16 major contributors, according to Chris Brenton. He is one of those major contributors, as well as a professor with the SANS Institute and the security director for CloudPassage.
Before the creation of the PCI DSS Cloud Computing Guidelines, Brenton says, the PCI compliance guidance covering cloud services was completely contained in a two-paragraph section on third-party outsourcing. The gist of that section was that third-party outsourcing could be compliant if the third party was compliant. It left a lot of room for subjective interpretation on the part of individual Qualified Security Assessors (QSAs).
"Two different QSAs might look at the same cloud provider," Brenton said, "and one might say, 'Absolutely not. There's no way this can be compliant.' But another QSA might see the same thing and say, 'Well, it could be compliant, but we'll have to check on [a number of key factors].'"
The new guidelines are designed to put QSAs on the same page, with much clearer criteria for PCI-compliant cloud services. They explain what to look for in cloud services to ensure that they live up to PCI security standards. However, Brenton says, the new guidelines still leave some room for subjective analysis on the part of QSAs, and some QSAs are still not ready to put their stamp of approval on cloud services.
Still, the new PCI SSC cloud computing guidelines do make it easier for some organizations to trust cloud service providers that have attained PCI DSS compliance. Although the use of a compliant service provider doesn't ensure that the client organization will pass a PCI assessment, the use of compliant cloud services will certainly make the assessment process easier. The new guidelines set out three major models, each with different levels of responsibility for both the client and the cloud service provider.
Software as a Service, or SaaS, places most of the control -- and therefore most of the responsibility -- on the side of the cloud service provider. However, the client remains responsible for user-specific configuration settings, as well as the user-directed use of the software. Platform as a Service, or PaaS, splits the responsibility more evenly. The client controls the deployed application and shares more responsibility for proper configuration. Infrastructure as a Service, or IaaS, places most of the responsibility on the client. The cloud service provider is only providing computing power, and it largely falls on the application developers to ensure that the software uses those resources in a secure manner.