The public cloud is a cloud computing deployment model in which a service provider makes IT resources and services, such as virtual machines, database applications, and storage, available for use via an Internet connection.
In the public cloud, the data of companies or individuals who are clients of the service provider remains secure and visible only to that specific user or group of users. The word public refers to the fact that the underlying infrastructure is shared by all the service provider’s customers and that you access the services over the public Internet.
Some of the main service providers in the public cloud are:
- Microsoft Azure, which provides a range of service delivery models including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS.
- AWS, which provides over 90 services, spanning areas such as computing, AWS storage, networking, database, analytics, application services, and IoT. A thriving sub-market has emerged composed of third-party services that link to AWS services and expand their functionality. Enterprise storage extends enterprise storage to the cloud using AWS storage services.
- Google Cloud Platform, which provides cloud computing services that use the same infrastructure as that used for Google’s own internal services.
Being PCI-compliant is a major concern for businesses and organizations that accept credit card as payment for their products or services. Formally known as the Payment Card Industry Data Security Standard (PCI DSS), the regulation specifies a set of security standards organizations must meet if they are to store, process, and transmit cardholder data.
The regulation assigns organizations to one of four merchant levels depending on their volume of Visa transactions in a given twelve month period. The transaction volume includes debit, credit, and prepaid Visa transactions. There are specific requirements to meet at each of these merchant levels.
From the perspective of organizations that use public cloud infrastructure, a range of important issues need addressing in terms of whether they will remain PCI-compliant in the cloud.
First and foremost is the issue of responsibility. Organizations want to know whether it is them or the cloud provider that is responsible for PCI compliance in the cloud, and the answer is both. The difficulty lies in the fact that that there is no specific guidance or method in terms of assigning responsibility to achieve PCI compliance in public cloud services because of the vastly different ways organizations choose to deploy those services.
Furthermore, while cloud providers typically operate on a shared responsibility basis, the exact responsibilities assigned between provider and customer are unique to and at the discretion of each service provider.
General recommendations from the PCI DSS Virtualization Guidelines relate to cloud service models and the responsibility for compliance as follows:
- In SaaS services, cloud customers may be responsible for PCI compliance for credit card data only.
- In PaaS services, cloud customers may be responsible for PCI compliance for data and user applications.
- In IaaS services, cloud customers may be responsible for PCI compliance for data, user applications, operating systems, databases, and virtual infrastructure.
A more recent document published in April 2018 specifically on cloud computing guidelines for PCI DSS says that the more aspects of a customer’s operations that a cloud provider manages, the more responsibility the provider has for maintaining PCI DSS controls.
Thankfully, all of the major cloud service providers are now PCI-compliant. This means that you can create your own create your own cardholder data environment (CDE) using the services of such providers safe in the knowledge that their systems comply with PCI DSS.
If a customer decides to store cardholder data in the public cloud, however, another challenge is the lack of visibility or control over where that data is physically located. Additionally, the location can change and data might be stored in multiple locations at once.
Another challenge is the lack of separation of duties that often exists when using virtualized cloud environments. It can be difficult to define explicit roles for users with proper access policies in such a computing environment. Lack of separation through improperly defined roles and policies can result in an individual user gaining access to key infrastructure where payment card information is processed and stored.
Lastly, the very nature of the public cloud is that it is accessible anytime and from anywhere via the Internet. This, in itself, presents PCI compliance challenges.
Best Practices for PCI Compliance in The Cloud:
- Identify data security needs for cardholder information before moving to the cloud.
- Make sure when using cloud storage services that you are always aware of the services in which cardholder data is stored and that you take steps to protect the information within each service. Backups or snapshots are prime examples.
- Only give access to systems or services containing cardholder data to those who need such access to perform their jobs.
- Always encrypt and cardholder data you store in the cloud.
- Store cardholder data in private subnets if possible, using the virtual private cloud option provided by many leading vendors.
- When transmitting cardholder information between two endpoints, make sure you use later TLS as the encryption channel instead of SSL or early TLS because the former is PCI-compliant while the latter are no longer compliant.
- Use two-factor authentication for user access accounts to cloud systems.
- Use vulnerability scanning tools in your cloud environments.
There is a plethora of challenges involved in using the public cloud while remaining PCI-compliant. Many organizations consider the hassle not worth the additional complexities and they opt to keep their cardholder data environments strictly on-premise.
For organizations that don’t have such an option, the above best practices can help provide guidance on maintaining PCI compliance in the public cloud.