
A PCI-Compliant Cloud? Not at Amazon

    August 19th, 2009 : Rich Miller

    There’s an ongoing debate about whether cloud computing services can meet enterprise regulatory compliance requirements, including the Payment Card Industry Data Security Standard (PCI DSS) that is essential for e-commerce. Martin McKeay at the Network Security Blog recently highlighted an admission by Amazon Web Services, one of the most popular cloud services, that it does not support the highest level of PCI compliance.

    “From a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant,” an Amazon representative told a customer in an exchange that was posted on an AWS web forum. A key issue is that PCI auditors are unable to inspect Amazon’s data centers. (Read on for additional information from Amazon on this issue).

    McKeay’s post has prompted a fresh round of discussion of cloud computing’s ability to support PCI DSS, even as recent data breaches have raised questions about the value of PCI compliance.

    “PCI compliance doesn’t automatically make a site safe,” writes Lori McVittie of F5 Networks. “Lack of PCI compliance doesn’t make EC2 unsafe, either. It means it isn’t compliant with the policies designated by the PCI council for handling credit card transactions and sensitive data. And, if we look past the hand-waving, we’ll find that Amazon admits you can’t build a PCI Level 1 compliant application using EC2 and S3, but you can build a PCI Level 2 compliant application.”

    Amazon’s admission may not make it unsafe, but the way in which it was revealed is a reminder of why confusion persists about support for key compliance standards by some cloud services. Amazon’s ability to support PCI for its cloud computing customers has been questioned before, and was typically met with a vague statement about Amazon’s “commitment to provide a secure, world-class cloud computing environment.” This time the question was posed in a forum thread. Amazon didn’t respond directly on the thread, but the customer posted an email response.

    UPDATE: Amazon spokesperson Kay Kinton has followed up with some comments and perspective on this discussion. “It’s important to recognize that PCI compliance is dependent on how a particular merchant uses a hosted solution like AWS and should not be linked to the overall security of AWS’ services,” Kinton writes. “Under the PCI Data Security Standard, merchants regardless of their size are independently responsible for complying with PCI when they collect, process or store credit card information. When using a shared hosting service, like AWS, where the merchant controls what credit card information touches the service, the merchant is responsible for using the services in a manner that permits them to be PCI compliant, such as the proper use of encryption and key management. Therefore, it is possible for a merchant to use Amazon EC2 and Amazon S3 and meet PCI compliance standards depending on their specific implementation.

    “For customers who don’t have the expertise, time or otherwise don’t want responsibility of managing a fully compliant payments application, the customer can use our web service for payments, the Amazon Flexible Payments (Amazon FPS), or use solutions offered by Amazon Payments (such as Checkout by Amazon),” Kinton adds. “While these solutions address the specific needs for some customers, it does not mean that it is the only means of using Amazon Web Services in a completely compliant manner.”

    Amazon is an important player in cloud computing, but its capabilities aren’t representative of all cloud services. As we’ve previously noted, several providers say they have achieved certifications for customers using cloud platforms. These include Terremark Worldwide (TMRK) which describes its Enterprise Cloud platform as “certified as PCI DSS Compliant,” and Savvis Inc. (SVVS), which offers a version of its just-in-time utility computing platform that is customized for online retailers and includes PCI solutions. For further reading, see Cloud Computing and PCI Security, a review of the topic by Michael Dahn of the PCI Blog. Dahn compares the current debate to earlier concerns about compliance in a virtualized environment.

    Meanwhile, security publications have noted a recent incident in which a PCI-compliant provider, web host Network Solutions, suffered an intrusion and data breach that compromised more than 4,300 customer sites and approximately 573,928 individuals’ credit card information.

Tom

Posted August 19th, 2009

You’d have to be INSANE to think that a “cloud” could be secured without many heavy duty layers. The lack of PCI compliance for EC2 will hopefully be a wakeup call for people pretending that this stuff works…

[...] credit card numbers (EC2 and S3)…  In fact Amazon has come back to clarify their position on security in the cloud after the initial comments.  Hosted Exchange mail with Outlook Anywhere was the first widely [...]

Andy

Posted August 20th, 2009

It is surprising how much publicity the negative news gets. I think we should respect Amazon’s honesty when it comes to security compliance of their cloud platform.

Jim

Posted August 20th, 2009

I do not believe you can even build a PCI Level 2 compliant application in the EC2/S3 environment. To be Level 2 compliant you need to complete the PCI Self-Assessment Questionnaire. PCI requirement 12.8.2 is in the questionnaire, which would require AWS to provide a written agreement that includes an acknowledgment that the service provider (AWS) is responsible for the security of the cardholder data the service provider possesses. AWS stated on this AWS web forum that they do not and will not provide this acknowledgement.
I believe the bottom line is that no card data can be processed or stored in the EC2/S3 environment. If this is done, PCI is not relevant.

Jason Chambers

Posted August 20th, 2009

For clients that want to continue to use cloud-based services such as Amazon EC2, tokenizing sensitive data before storing it into the cloud is certainly an option – see http://www.nubridges.com/tokenization for more details. This would take the cloud out of PCI DSS scope.
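The vault-style tokenization that the comment above describes, as an added example that is not from the page or from nuBridges: the merchant keeps the real PAN in an in-scope vault and hands the cloud tier only a token. The vault is an in-memory dict standing in for a hardened, access-controlled store, and the card number used in the comments is a constructed test value; both are assumptions of this illustration. The token keeps the length and last four digits of the PAN (so receipts and customer service still work) but is built so that it fails the Luhn check, which means it can never be mistaken for, or replayed as, a real card number.

```python
"""Vault-style tokenization (added illustration, not code from the article).

Design: the cloud tier stores a token that carries no cardholder data; only
the in-scope vault can map it back.  The vault below is an in-memory dict
standing in for an access-controlled database (an assumption of the example).
"""
import secrets
from typing import Dict, Optional

_vault: Dict[str, str] = {}  # token -> PAN   (constructed stand-in for the vault)
_index: Dict[str, str] = {}  # PAN -> token   (so re-tokenizing the same PAN is stable)


def luhn_valid(number: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit validation over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(pan: str) -> bool:
    """All digits, card-number length, and Luhn-valid."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def tokenize(pan: str) -> str:
    """Return a format-preserving token for a PAN.

    Same length and last four digits as the PAN; the rest is drawn from a
    CSPRNG.  Candidates that pass Luhn (about 1 in 10) are rejected so the
    token can never be confused with a real card number.
    """
    if not is_plausible_pan(pan):
        raise ValueError("not a plausible PAN")
    if pan in _index:
        return _index[pan]
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if luhn_valid(token) or token in _vault:
            continue            # reject Luhn-valid or already-issued tokens
        _vault[token] = pan
        _index[pan] = token
        return token


def detokenize(token: str) -> Optional[str]:
    """Only the in-scope vault calls this; the cloud tier never does."""
    return _vault.get(token)


def cloud_record(order_id: str, pan: str) -> dict:
    """What actually lands in EC2/S3: order data plus token, no PAN."""
    return {"order_id": order_id, "card_token": tokenize(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    rec = cloud_record("ORD-1", "4111111111111111")   # constructed test PAN
    print(rec)
    print("vault maps back to PAN:", detokenize(rec["card_token"]))
```

The scoping argument only holds if the vault and the tokenization endpoint stay inside the merchant's cardholder data environment and the cloud tier has no path to `detokenize`; the token itself is safe to store, log and index precisely because nothing in it can be reversed without the vault.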

Vidur Apparao

Posted August 20th, 2009

I believe it’s important not to paint all Cloud-based systems with the same brush.

Cloud-based development platforms, such as AWS, may offer different services or components, each with their own security and compliance capabilities. The PCI DSS Level 1 framework is divided into 12 different security domains some of which are just common sense security policies and should apply to any service or site, and others that are specific to storage of card data and may be too onerous for a generic cloud-based deployment or storage system. As the follow-up suggests, specific services related to payment and secure storage may be more appropriate for specific compliance needs.

Cloud-based applications (aka Software-as-a-Service applications) definitely can be built to be PCI DSS Level 1 compliant. The LiveOps On-Demand Contact Center Platform (http://www.liveops.com/on-demand-contact-center/index.html), for example, implements all 12 domains of PCI – both the standard, common-sense policies, as well as the more specific requirements when handling payment data.

As Lori McVittie says in the article, the fact that EC2 and S3 themselves are not PCI compliant doesn’t make them unsafe. And, in fact, it’s not clear that PCI compliance should be an expectation of a generic cloud-based service. However, it does make sense to expect PCI compliance for specific services or applications that are built to deal with payment, secure storage, and fulfillment.

–Vidur Apparao
CTO, LiveOps Inc.

[...] A PCI-Compliant Cloud? Not at Amazon (Addendum) [...]

Mark MacAuley

Posted August 21st, 2009

Having played in the PCI Space in a previous life, I have some carnal knowledge of some of the issues.

One is data: data at rest, data in motion. Where does it sit physically? How is it moved? What happens when the data is no longer needed? What is the physical and logical security setting for every network, drive, port, and interconnection across the environment?

Another point is access. Who (specifically) has access to collect, see, store, and change/remove data? OK, now prove it. How about machine to machine, network to network? The issue here is more about whether or not you can prove how secure something is by access control, be it human or machine. The difference between being secure and being compliant: they are not the same.

Levels of vendors. Level 1’s are the big guys – think Target and Walmart. They have budgets for this kind of stuff. Level 4’s are the mom-and-pops of the world, who have little if any budget and are at the highest end of the risk profile, yet have the fewest resources to address the risk.

Case in point – a school district I worked with (Level 4) came up with a plan to compute their liability exposure in terms of records and money (based on the Ponemon Institute’s cost per record in a breach) and just buy an insurance policy for $100M. This is neither secure nor compliant. I took care of it for $50K and gave them security and proof.

The application of Cloud services/apps is not geared up very well for a massive scale PCI compliant offering. It’s a bitch – not only to figure out, but to manage and prove, especially on a global basis.

Mohan Radhakrishnan

Posted August 23rd, 2009

Though PCI regulations might be clear, the auditors I have worked with are not really tech-savvy. How do you audit a massive PCI application if you don’t spend time prodding and probing the application to tease out the weak points?
It looks like if we know about cryptography and basic security we don’t need to have a PCI audit at all. Even after the PCI audit, a developer of the application can easily pinpoint vulnerabilities. This probably applies to AWS also. I think developers who built the Amazon cloud infrastructure know more about security than PCI demands.

[...] has been a lot of talk lately about PCI Compliance in the cloud. Amazon even admitted that PCI Level 1 could not be [...]

Rick Lebherz

Posted August 25th, 2009

If you need PCI, you can also check out OpSource.
We are a certified Level 1 PCI DSS Compliant provider.
We specialize in SaaS and On-Demand and manage many of today’s largest applications.

[...] has more to do with enterprises being ready for the cloud vs the cloud for it. There was that PCI dust-up last week. But the point is: if enterprises wanted to use Amazon, both sides would figure out how [...]

[...] A PCI-Compliant Cloud? Not at Amazon [...]

[...] 4. Cloud computing can work for any IT need. This is more of an inference to the “everything will move to the cloud” statement I hear so often. There are several IT needs that can not be solved with cloud computing. Meeting audit requirements is one. I’ve written about this fallacy before, and it caused a bit of an uproar. It seemed to be the first time anyone brought this issue up, and it became a hot topic in the cloud blogosphere for a short time. I felt vindicated when a cloud provider admitted what I said was true. [...]


© 2009 Miller Webworks LLC
All Rights Reserved