Thursday, February 26, 2009

PCI Compliance and Cloud Computing

Disclaimer: I am not a QSA and am in no way certified to determine whether a network, system, or application is PCI compliant. The information in this article is my opinion only and is intended to create an open discussion about how companies subject to PCI can leverage cloud computing in their overall business strategy. If you disagree with any of my observations or conclusions, please add a comment and explain your argument; it's very likely that you are right ;-)

References:
PCI DSS version 1.2
Amazon's AWS Security Whitepaper

As I began researching cloud computing, one question I continually asked others is how payment card applications or data could be placed in a cloud computing provider's infrastructure in a PCI-compliant manner. So far, I have not received a definitive answer to this question.

In order to understand the implications of this question, I decided to read through the PCI standard and try to determine what controls would need to be in place for an example company and implementation. In this example, a fictitious financial services company wishes to leverage Amazon's EC2, EBS and S3 offerings to host a loan payoff application and its data. This application allows customers to view current loan information and pay balances using a credit or debit card.

The network and server architecture for this system will be identical to the "Basic Failover Architecture" presented in RightScale's wiki. The application will be written in Java and the database will be SQL Server 2005. Database backups will be encrypted and archived using Amazon's S3 cloud storage. Communication between the client and the web server, the web server and the database server, the master database server and the slave database server, and the database servers and Amazon's S3 service will be encrypted using SSL.

PCI DSS Scope

The PCI DSS document, page 5, states that network segmentation of credit card data or activities may limit the scope of a PCI assessment. The PCI assessor must evaluate the effectiveness of the network segmentation controls and then make a scoping decision based on these results.

In a cloud computing environment, there are both physical and virtual infrastructure devices that provide segmentation. Amazon's Security Whitepaper discusses the following components that provide segmentation:
  • Configurable firewall (implemented at the Hypervisor layer)
  • Strong separation of guest OS and Hypervisor
  • Instance isolation (separation of running virtual images)
  • Prevention of packet sniffing by other tenants
  • Configurable "security groups" (similar to VLANs)
Based on these items, organizations should be able to limit the scope of assessments to the "security groups" that contain payment applications or data. It is unclear whether the scope must include Amazon's physical network devices or the web services used to manage or manipulate Amazon's EC2 or S3 services. There is software segmentation between items like the host OS and the guest OS as well as between multiple guest OSes; however, since payment data travels through all these systems, there may not be sufficient data segmentation to exclude the above Amazon components.
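To make the scoping argument concrete, the following is an added example (not code from the post, RightScale or Amazon) that models security groups as inbound allow rules and checks two things an assessor would ask about the layout described above: whether a customer on the Internet can reach the database tier directly, and whether any rule on the cardholder-data group admits the whole world. The group names, ports, address ranges and rule syntax are constructed for the example and are not Amazon's.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed model of EC2-style "security groups": each group carries inbound
// allow rules whose source is either an address range or another named group.
// Names, ports and ranges are made up for this example; the syntax is not Amazon's.
type Source struct {
	CIDR  *net.IPNet // set when the rule admits an address range
	Group string     // set when the rule admits members of another group
}

type Rule struct {
	Proto string
	Port  int
	From  Source
}

type Group struct {
	Name  string
	Rules []Rule // inbound allow rules; anything unmatched is denied
}

// Flow is one inbound connection attempt against a group's members.
type Flow struct {
	SrcIP    net.IP
	SrcGroup string // "" when the source is not an instance in this account
	Proto    string
	Port     int
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Permits reports whether any inbound rule of g admits the flow.
func (g Group) Permits(f Flow) bool {
	for _, r := range g.Rules {
		if r.Proto != f.Proto || r.Port != f.Port {
			continue
		}
		if r.From.Group != "" && r.From.Group == f.SrcGroup {
			return true
		}
		if r.From.CIDR != nil && f.SrcIP != nil && r.From.CIDR.Contains(f.SrcIP) {
			return true
		}
	}
	return false
}

// WorldReachable returns the rules of g whose source is a /0 range (any address).
// For the group holding cardholder data this should be empty: every path into
// it should come from a named tier or a known admin range.
func WorldReachable(g Group) []Rule {
	var out []Rule
	for _, r := range g.Rules {
		if r.From.CIDR == nil {
			continue
		}
		if ones, _ := r.From.CIDR.Mask.Size(); ones == 0 {
			out = append(out, r)
		}
	}
	return out
}

// SampleGroups builds the two-tier layout from the post: a web tier open to
// customers on 443 and a SQL Server tier reachable only from the web tier.
// 203.0.113.0/24 (a documentation prefix) stands in for a corporate admin range.
func SampleGroups() map[string]Group {
	admin := mustCIDR("203.0.113.0/24")
	return map[string]Group{
		"web": {Name: "web", Rules: []Rule{
			{Proto: "tcp", Port: 443, From: Source{CIDR: mustCIDR("0.0.0.0/0")}},
			{Proto: "tcp", Port: 22, From: Source{CIDR: admin}},
		}},
		"db": {Name: "db", Rules: []Rule{
			{Proto: "tcp", Port: 1433, From: Source{Group: "web"}},
			{Proto: "tcp", Port: 22, From: Source{CIDR: admin}},
		}},
	}
}

// MisconfiguredDB opens 1433 to the world, the rule that collapses the scoping argument.
func MisconfiguredDB() Group {
	return Group{Name: "db", Rules: []Rule{
		{Proto: "tcp", Port: 1433, From: Source{CIDR: mustCIDR("0.0.0.0/0")}},
	}}
}

func main() {
	g := SampleGroups()
	outside := net.ParseIP("198.51.100.7") // constructed customer address
	fmt.Println("customer -> web:443:", g["web"].Permits(Flow{SrcIP: outside, Proto: "tcp", Port: 443}))
	fmt.Println("customer -> db:1433:", g["db"].Permits(Flow{SrcIP: outside, Proto: "tcp", Port: 1433}))
	fmt.Println("web tier -> db:1433:", g["db"].Permits(Flow{SrcIP: net.ParseIP("10.0.0.5"), SrcGroup: "web", Proto: "tcp", Port: 1433}))
	fmt.Println("db rules open to the world:", len(WorldReachable(g["db"])), "/ misconfigured:", len(WorldReachable(MisconfiguredDB())))
}
```

The model deliberately treats a group-sourced rule as matching on the source instance's group membership rather than its address, which is what makes the database tier's exposure independent of how many web instances are spun up or down.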

Takeaway: "segmentation" needs to be evaluated as it applies to virtual infrastructure and Amazon's physical infrastructure.

PCI DSS and Third Party Service Providers

Page 6 of the PCI standard discusses situations in which a company uses a third party service provider to provide cardholder data services. This section states that an assessor must clearly state which third party components should be included within a PCI assessment. The third party must have a PCI assessment conducted; however, this assessment can be conducted at the same time as the assessment of the original company. This means that cooperation from cloud computing service providers may be required to gain PCI compliance for components within the cloud.

Takeaway: Companies will need to establish compliance of at least some of the cloud provider's components AND companies will likely need cooperation from cloud providers in obtaining PCI compliance.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

There are a number of items within this requirement that refer to creating network diagrams, implementing firewalls, and other similar network controls. Organizations can easily fulfill these requirements as they apply to the virtual infrastructure within the cloud using the provided "security groups", Hypervisor firewall, and other similar features.

The unanswered question is to what extent the requirement applies to Amazon's physical infrastructure. This is a particular problem if servers are constantly being spun up or down to adjust automatically to demand. In addition, Amazon's S3 storage mirrors data across a number of geographically diverse locations. Documenting and assessing Amazon's physical network for PCI is very tough. On the other hand, it may be sufficient to assess a sample of Amazon's data centers or physical network devices where data or servers could potentially be located.

Takeaway: It is unclear to what degree the cloud provider's physical architecture will need to be assessed in addition to the organization's virtual infrastructure.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

This section concerns default passwords, disabling unnecessary services, secure configuration of components, and the use of SSL. Most of this information applies to the virtual infrastructure.

However, item 2.4 and Appendix A list requirements that apply to shared hosting providers. These rules are concerned with segmentation of cardholder data, logging and forensics. Based on the controls implemented by the Hypervisor as well as the authentication and authorization controls in place for accessing cloud storage, it is likely that the segmentation controls are satisfied. Logging and forensics concerns may require the creation of virtual images suited for these purposes or may require cooperation from the cloud computing provider.

Takeaway: Companies may need to plan ahead and/or get cooperation from cloud providers regarding logging and forensics. Specialized virtual images can be created to assist with forensics or incident investigation.

Requirement 3: Protect stored cardholder data and Requirement 4: Encrypt transmission of cardholder data across open, public networks

Secure storage and transportation of cardholder data is an important aspect of the PCI standard. Controls outlined in the document can be easily accomplished by the company implementing the virtual infrastructure. These companies are fully capable of encrypting data before storing it within EBS or S3, utilizing full disk encryption within virtual images, and leveraging SSL to securely send sensitive data between components.
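The encrypt-before-storing step for the S3 backup archive described earlier, as an added example that is not code from the post or from Amazon. It seals a backup with AES-256-GCM under a key the company holds, binds the S3 object name into the authentication tag so a blob cannot be silently swapped between objects, and shows that any modification of the stored blob is rejected on restore. The key, object name and backup bytes are constructed for the example; a real deployment would feed it the output of the database's own backup job.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// DemoKey is a constructed 32-byte key for the example. In practice the key
// lives in a key store under the company's control and is never written to S3
// alongside the backups it protects.
var DemoKey = bytes.Repeat([]byte{0x42}, 32)

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup with AES-256-GCM before it leaves the company's
// instance. The S3 object name is bound in as associated data, so a blob copied
// under a different name will not open. Layout: nonce || ciphertext || tag.
func SealBackup(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce ends up as the prefix.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenBackup reverses SealBackup and fails on any modification of the blob or
// a mismatch of the object name it was sealed under.
func OpenBackup(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

// Tamper returns a copy of blob with its last byte flipped, standing in for
// corruption or modification while the object sat in remote storage.
func Tamper(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	name := "backups/loans-2009-02-26.bak.enc" // constructed object name
	backup := []byte("constructed stand-in for a SQL Server .bak file")
	blob, err := SealBackup(DemoKey, name, backup)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(backup), len(blob))
	if _, err := OpenBackup(DemoKey, name, Tamper(blob)); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	if _, err := OpenBackup(DemoKey, "backups/other.bak.enc", blob); err != nil {
		fmt.Println("wrong object name rejected:", err)
	}
	pt, err := OpenBackup(DemoKey, name, blob)
	fmt.Println("restored matches original:", err == nil && bytes.Equal(pt, backup))
}
```

Because the provider only ever sees the sealed blob, this is the part of Requirements 3 and 4 the company can satisfy on its own; what it does not settle is the Requirement 7 question below about who can read or alter the ciphertext at rest.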

Takeaway: This requirement can be satisfied without the cooperation of the cloud computing provider.

Requirement 5: Use and regularly update anti-virus software or programs

Anti-virus can easily be applied to virtual images. It may also be necessary for companies to verify and document the cloud provider's use of anti-virus as it applies to host OSes, cloud storage, and other related components.

Takeaway: Companies should verify and document the cloud provider's use of anti-virus on host OSes, cloud storage, and other components.

Requirement 6: Develop and maintain secure systems and applications

I am going to separate this section into two parts. One part is concerned with the secure development of custom applications. While it is straightforward to understand how this applies to the company implementing the virtual infrastructure, it's not as clear whether items like Amazon's web services need to be pen-tested or verified. Hopefully, Amazon has already completed an assessment on these components and organizations can simply receive a high-level overview of the result.

The second part is concerned with applying security updates in a timely manner. This requirement can likely be satisfied by verifying and documenting Amazon's patch management procedures.

Takeaway: It's unclear whether the cloud computing provider's applications (like Amazon's web services) must be assessed. Additionally, the cloud provider's patch management process should be verified and documented.

Requirement 7: Restrict access to cardholder data by business need to know

Amazon has stated that they do not have shell or other similar access methods to organizations' running virtual images. So far, I am unable to find any literature from Amazon that explicitly states that the provider cannot read or modify companies' data within S3 or EBS. This concern should be addressed with the provider prior to a PCI assessment. It's likely that even if this data is encrypted and Amazon can only access the cipher-text containing cardholder data, this will still not satisfy requirement 7.

Takeaway: Organizations should verify Amazon administrators cannot access or modify data (encrypted or unencrypted) within EBS or S3 storage.

Requirement 8: Assign a unique ID to each person with computer access.

While this section applies to standard items such as remote access user accounts and web application user accounts, it also applies to the management and manipulation of virtual images within Amazon EC2. Currently, Amazon does not include the ability to create multiple user accounts to be assigned to various system or network administrators within an organization. This means everyone must share a single account to turn on images, remove images, and make firewall changes.

One way this can be addressed is by creating a custom interface to Amazon's API. The custom interface should require users to login with unique user accounts. Services such as RightScale provide this functionality as well.

Takeaway: Roll your own interface to Amazon's API or leverage third party services like RightScale for requiring unique accounts and assigning privileges to administrators of the company's virtual infrastructure.
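What the "custom interface to Amazon's API" in Requirement 8 amounts to, as an added example that is not code from the post, RightScale or Amazon: a broker that holds the single shared provider credential, requires each administrator to act under an individual user ID, checks that ID's role before making the provider call, and writes an audit record for every attempt, allowed or denied. The roles, user names, action names and the stand-in for the provider call are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Action is an operation on the virtual infrastructure that, in the post's
// scenario, would otherwise be performed with the single shared Amazon account.
type Action string

const (
	StartInstance  Action = "start-instance"
	StopInstance   Action = "stop-instance"
	ChangeFirewall Action = "change-firewall"
)

// AuditRecord ties every attempt, allowed or not, to an individual user ID,
// which is what the shared account alone cannot provide.
type AuditRecord struct {
	When    time.Time
	UserID  string
	Action  Action
	Target  string
	Allowed bool
}

// Broker is the custom interface in front of the provider API: it holds the
// shared credential, while each administrator authenticates to it individually.
// The roles and permission sets are constructed for the example.
type Broker struct {
	roles  map[string]string   // individual user ID -> role
	perms  map[string][]Action // role -> permitted actions
	Audit  []AuditRecord
	invoke func(Action, string) error // the one place the shared credential is used
}

func NewBroker(invoke func(Action, string) error) *Broker {
	return &Broker{
		roles: map[string]string{},
		perms: map[string][]Action{
			"operator": {StartInstance, StopInstance},
			"netadmin": {ChangeFirewall},
		},
		invoke: invoke,
	}
}

// AddUser registers an individual administrator under a role.
func (b *Broker) AddUser(id, role string) { b.roles[id] = role }

// Allowed reports whether the user's role permits the action; unknown users
// and unknown roles fall through to deny.
func (b *Broker) Allowed(user string, a Action) bool {
	for _, p := range b.perms[b.roles[user]] {
		if p == a {
			return true
		}
	}
	return false
}

// Do records the attempt under the individual's ID first, and only then calls
// the provider with the shared credential.
func (b *Broker) Do(user string, a Action, target string) error {
	ok := b.Allowed(user, a)
	b.Audit = append(b.Audit, AuditRecord{When: time.Now(), UserID: user, Action: a, Target: target, Allowed: ok})
	if !ok {
		return errors.New("denied: " + user + " may not " + string(a))
	}
	return b.invoke(a, target)
}

func main() {
	calls := 0
	b := NewBroker(func(a Action, target string) error {
		calls++ // stands in for a signed request made with the shared account
		fmt.Printf("provider API: %s %s\n", a, target)
		return nil
	})
	b.AddUser("alice", "operator")
	b.AddUser("bob", "netadmin")
	fmt.Println(b.Do("alice", StartInstance, "i-web01")) // constructed instance id
	fmt.Println(b.Do("bob", StartInstance, "i-web01"))
	fmt.Println(b.Do("carol", ChangeFirewall, "sg-db")) // carol was never registered
	for _, r := range b.Audit {
		fmt.Printf("%s %s %s %s allowed=%v\n", r.When.Format(time.RFC3339), r.UserID, r.Action, r.Target, r.Allowed)
	}
	fmt.Println("shared-credential calls made:", calls)
}
```

The design point is that the shared credential never leaves the broker and the audit trail names a person rather than the account, which also gives the tracking side of Requirement 10 something to work with for management actions.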

Requirement 9: Restrict physical access to cardholder data.

Data centers containing cardholder data should have controls in place to ensure only authorized individuals can gain physical access to network devices and systems. In order to be compliant, companies may need to verify and document how the cloud provider satisfies physical security concerns for requirement 9.

Takeaway: Organizations will need the cloud provider's cooperation to verify physical security requirements in the PCI standard are satisfied.

Requirement 10: Track and monitor all access to network resources and cardholder data.

Tracking and monitoring data access, creation of logs, and retention of logs are all items that a company can control within the cloud without the service provider's help. This section also requires internal/external network and application vulnerability scanning and penetration testing. Organizations can create vulnerability scanning engines and remote penetration testing boxes to satisfy these requirements; however, the cloud service provider should be notified before performing any of these tests.

Implementation of a network intrusion detection/prevention system within the cloud may be difficult for organizations, but it may be sufficient to implement host intrusion detection software on each virtual image.

Takeaway: Create virtual images to complete tasks such as vulnerability scanning and penetration testing. Investigate the ability to implement a network intrusion detection system. If this is not possible, evaluate whether host intrusion detection software is an appropriate mitigating control.

Requirement 12: Maintain a policy that addresses information security for employees and contractors.

Organizations will need to create security policies and procedures around management of resources within the cloud provider's infrastructure. Since cloud computing is somewhat new, this may be easier said than done.

Takeaway: In addition to existing information security policies, documentation needs to be written regarding appropriate use and management of resources within the organization's virtual infrastructure.

2 comments:

Anonymous said...

Very interesting post. I wanted to make you aware of a related post on the CA GRC blog:
http://blog.ca-grc.com/2009/03/expert-q-and-a-ca%e2%80%99s-rob-zanella-on-cloud-computing-and-compliance/
in which I interview the SVP of IT compliance about the challenges of compliance and cloud computing. He has some interesting insights on this topic.

Unknown said...

Good stuff. I've also been thinking about how sticky things get when you consider the international law conundrums--when you don't know where in the world your data resides, or when it resides there. Plus how do you handle e-discovery? How much of a right have I, the cloud user, to the data/logs/servers owned/maintained by the cloud provider? So... at our next conference -- CSI SX, May 17-May 19 in Las Vegas (csisx.com) -- we've got two attorneys from Proskauer-Rose LLP and the Web services evangelist from Amazon Web Services to cover all this stuff. I think it's going to prove mighty interesting.