PCI DSS and Cloud Primer
The news is always full of major incidents such as leaks of customer credit card information. The Payment Card Industry Data Security Standard (PCI DSS) presents best practices to protect against hacker attacks that aim to steal business data and customer identity information. By following its 12 steps, you can set up a framework for secure payment environments.
If your company stores, processes, and transmits cardholder data in the cloud, PCI DSS governs what you do. Traditional data centers also have to follow PCI DSS, but operations in the cloud have additional requirements. For example, 6 of the 12 steps outlined in PCI DSS either require data encryption or inherently involve it. However, to encrypt securely and follow PCI DSS in the cloud, you must maintain control over the encryption keys. As a cloud operation, can you keep the keys in the cloud while keeping them safe?
The answer is: you absolutely can.
We have compiled a checklist of the PCI DSS requirements for cloud operations. Eventually you may need to hire an external professional auditor to review your system in order to pass certification. You can use this checklist to understand compliance, plan for compliance, and, most importantly, protect yourself and your customers.
As with any 12-step program, complying with PCI DSS is a commitment, but it ultimately pays off in protecting yourself and your customers.
12-Step Checklist
Using firewalls
You must install and always maintain a firewall configuration to protect your data. Your firewall in the cloud is a software firewall that controls access to your data based on a set of rules. Choosing these rules and segmenting your network properly is critical to limiting the potential attack surface. This is an important part of software-defined networking.
Aim to create a well-defined, restricted zone where sensitive data resides. Because that zone is isolated by firewalls and network rules, it is easier to manage and control precisely.
Good examples include the VMware Software-Defined Data Center approach, which includes a software-defined firewall, Amazon's AWS security groups, and the Dome9 cloud firewall. This is the first important step in protecting yourself from hacker attacks.
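The segmentation idea above can be checked mechanically. The following is an added example, not part of the original article: it audits security-group-style ingress rules and flags any that widen the zone holding cardholder data. The group names, tiers, ports and the /24 policy limit are all hypothetical.

```python
import ipaddress

# Constructed sample rules for three tiers; "cde" marks the restricted
# zone where cardholder data resides. All names and ports are hypothetical.
GROUPS = {
    "sg-web": {"tier": "public", "ingress": [
        {"port": 443, "source": "0.0.0.0/0"}]},
    "sg-app": {"tier": "private", "ingress": [
        {"port": 8443, "source": "sg-web"}]},
    "sg-carddb": {"tier": "cde", "ingress": [
        {"port": 5432, "source": "sg-app"},
        {"port": 5432, "source": "0.0.0.0/0"},   # misconfiguration
        {"port": 22, "source": "10.0.0.0/8"}]},  # broad internal range
}
PUBLIC_PORTS = {443}   # assumed policy: only HTTPS may face the internet
MAX_CDE_PREFIX = 24    # assumed policy: CIDR sources into the CDE <= /24


def audit(groups):
    """Return (group, port, source, reason) for rules that break isolation."""
    findings = []
    for name, group in groups.items():
        for rule in group["ingress"]:
            src, port = rule["source"], rule["port"]
            if src in groups:  # source is another group, not a CIDR
                if group["tier"] == "cde" and groups[src]["tier"] == "public":
                    findings.append((name, port, src,
                                     "public tier reaches CDE directly"))
                continue
            net = ipaddress.ip_network(src)
            if net.prefixlen == 0:
                allowed = (group["tier"] == "public"
                           and port in PUBLIC_PORTS)
                if not allowed:
                    findings.append((name, port, src,
                                     "open to the internet"))
            elif group["tier"] == "cde" and net.prefixlen < MAX_CDE_PREFIX:
                findings.append((name, port, src,
                                 "source range too broad for CDE"))
    return findings


if __name__ == "__main__":
    for finding in audit(GROUPS):
        print(finding)
```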
Do not use default values
You should never use the default passwords and other security parameters supplied by commercial software vendors or open-source software in any of your systems. Hackers are familiar with these default values. You need to always change them and set them to values that only you know.
In the February 2013 PCI DSS Cloud Guide, the Security Standards Board made it clear that companies using IaaS (rather than their cloud service providers) are responsible for securely configuring their operating systems, applications, and virtual devices. Organizations using PaaS share this responsibility with their OS providers, but customers control the applications and software above the OS.
In IaaS and PaaS installations, you also inherit your provider's settings and VM images. Check these carefully.
In fact, your best bet is to use a provider that doesn't provide default values for sensitive security parameters, but has a process that helps you set up and implement unique values quickly and easily. You can consult your own provider about best practices.
Protect cardholder data
This looks straightforward, but PCI DSS lists the requirements in detail. It is actually the core of PCI DSS. There are many rules about what data may be stored and how it must be stored, both for traditional deployments and for cloud deployments. Encryption becomes particularly important in the cloud as a replacement for traditional physical protection measures. Data needs to be encrypted so that it is unreadable and unusable to anyone without the key. To comply with PCI DSS, you must use hashing, encryption, and strong key management to prevent intruders from making malicious use of the data.
Your keys protect the cardholder's data, but you have to protect your keys. Your encryption keys must be managed separately from all other components in the cloud. For cloud applications that follow PCI DSS, managing, distributing, and storing keys is the focus. This can be tricky: ideally, for security, you want your encryption key to stay out of the cloud, but in order to use cloud computing resources, you need the key to be in the cloud. Fortunately, technology does provide a concise solution to these problems; look for a "separate key" cloud key management solution that allows the encryption key to work in the cloud while you save the "master key" part in the cloud.
Encrypt data in transit
Any data transmitted over an open public network can be accessed by malicious people. To prevent this, you should always encrypt transmitted data. Always use SSL/TLS, and consider using IPsec communications and VPNs. Encryption in transit has to be considered together with the network segmentation and the firewall rules that you set up. Ideally, SSL/TLS encryption should be maintained all the way to your application server and should not be terminated at the network boundary or in the load balancer. Because some tools do need to see the data being transferred (such as a web application firewall), consider encrypting it again after they have finished their work, or place those tools as close to the application server as possible.
Cloud companies do have a way to protect data in transit. It is best to divide your deployment into public-facing and private segments, and to keep data encrypted (or re-encrypt it) until it reaches the network segment where the more private application server resides. Communication between the components of your own internal environment also calls for encrypted transmission, such as TLS/SSL encrypted communication between the application server and the database server.
Use products that let you control in-transit encryption parameters such as certificates and keys. Select a cloud key management tool that is useful for this task.
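To make the in-transit controls concrete, here is an added example (not from the original article) that puts a weak TLS client configuration beside a hardened one for an internal hop such as application server to database server, with a small audit function. The TLS 1.2 floor and the `ca_file` parameter are assumptions of this sketch.

```python
import ssl


def hardened_client_context(ca_file=None):
    """TLS client context for an internal hop (app server -> database).

    ca_file is a hypothetical path to the private CA that signs internal
    server certificates; None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed baseline
    ctx.check_hostname = True                     # cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # cert must chain to the CA
    return ctx


def weak_client_context():
    """Pattern to avoid: traffic is encrypted but the peer is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def audit_context(ctx):
    """Return findings for settings that weaken encryption in transit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocols older than TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:    ", audit_context(weak_client_context()))
```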