Gartner Blog Network


Finally, PCI DSS In The Cloud Guidance

by Anton Chuvakin  |  February 12, 2013  |  9 Comments

As all of you already know, PCI Council has finally released an official “Information Supplement: PCI DSS Cloud Computing Guidelines” [PDF] aka “PCI DSS in the cloud.”


Here are some of my favorite quotes from the 52 page [sadly, a bit, wooly] mammoth of a document:

  • “The allocation of responsibility between client and provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements.” <- merchants, please ponder that one :)
  • “clear responsibilities for operation, management and reporting need to be defined for each [PCI DSS] requirement.” <- obvious, but oh-so-uncommon.
  • “The allocation of responsibility for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured.”
  • “Where the CSP maintains responsibility for PCI DSS controls, the client is still responsible for monitoring the CSP’s ongoing compliance for all applicable requirements.”
  • “Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation.”
  • “Any shared infrastructure used to house an in-scope client environment would be in scope for that client’s PCI DSS assessment.”
  • “If adequate segmentation is not in place or cannot be verified, the entire cloud environment would be in-scope for any one client’s assessment.”
  • “The more security controls the CSP is responsible for, the greater the scope of the CDE will potentially be, thereby increasing the complexity involved in defining and maintaining CDE boundaries.” <- counter-intuitive, but so true! Whoever wrote this particular line really gets it!
  • “by keeping all encryption/decryption and key-management operations isolated from the cloud, the number of PCI DSS requirements that the CSP is required to maintain may be reduced, as these requirements will instead be applicable to the client’s own environment and personnel.” <- read and think about it as well.
  • “It can be challenging to collect, correlate, and/or archive all of the logs necessary to meet applicable PCI DSS requirements [in public cloud].” <- I hereby nominate this line for The Understatement of the Year prize :)
  • “Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients.” <- this is a repeat, but it definitely bears repeating!
  • “The CSP should ensure that any service offered as being “PCI compliant” is accompanied by a clear and unambiguous explanation, supported by appropriate evidence, of which aspects of the service have been validated as compliant and which have not.”
  • “Due diligence is not simply reading the provider’s marketing material or relying on a provider’s claims of “PCI compliance” or secure operations.”
  • “End-to-end processes and data flows must be documented across both client and cloud provider networks, so that it is clearly understood where cardholder data is located and how it is traversing the infrastructure.”

Finally, if anybody cares for my opinion, the Council made a mistake by loading the document with so much stuff (BC/DR? Data classification? Evolving Security Technologies?) and thus making the clarity of “PCI in the cloud” guidance unachievable! Honestly, I don’t think anybody (much less merchants, much less smaller, cloud-happy merchants) will ever read it all the way to its end… To top it off, “Appendix D: PCI DSS Implementation Considerations” is an entire new document embedded inside. Sadly, the whole thing just bears signs of being designed by a committee full of members hating each other :)

Category: cloud, compliance, pci-dss

Tags: cloud-security, compliance, pci, pci-compliance, pci-dss

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Finally, PCI DSS In The Cloud Guidance


  1. Rich Evans says:

    One of the best no-holds-barred commentaries I have seen publicly on a matter quite obvious to many, and only further confusing the rest. Right down to your drilling into the core problem underlying the consistently failed delivery of information…lack of direction, leadership, dabble in plenty of infighting. The intent has, since its inception and then continuing through to the latest here, been lost in the minutiae.

  2. Well, this time they really DID screw up. I’ve met plenty of people who had issues with previous supplemental guidance docs, but I more or less liked most of them. This one is a clear FAIL! No clarity, lots of empty volume, etc, etc.

  3. John Clark says:

    I’m curious if you see a contradiction in guidance between the 2011 Virtualization Guidance and the Cloud Guidance. One opinion that seems to have changed is the Cloud Guidance indicates that virtual network isolation with some help from physical devices within a host can be acceptable for segmentation.

    For example – pg 14 of the Cloud Guidance:
    “Traditional network segmentation technologies consist of hardware devices such as firewalls, switches, routers, and so forth. These physical components could be used to separate VMs hosted on the same or multiple hypervisors similar to the manner in which systems could be segmented in a “physical” network”

    Pg 21 of the Virtualization Guidance:
    “Unlike separate physical systems, network-based segmentation alone cannot isolate in-scope from out-of-scope components in a virtual environment”

  4. Brian says:

    Anton,

    Do you think that this document modifies what level of risk can be transferred via tokenization? With this document placing all of the responsibility in the organization’s court rather than the MSP provider, does that transfer to tokenization vendors as well?

  5. @brian I didn’t feel that the document rebalances the responsibilities differently. Merchant ultimately “owns” PCI DSS.

  6. Brian says:

    @ Anton thanks!

  7. @john Yes, I did notice (rather, felt that something changed) in their “approved”/recommended segmentation approaches. IMHO, too early to say what QSAs will make out of it.

  8. […] Finally, PCI DSS In The Cloud Guidance – Gartner Blog Network Anton Chuvakin is a research director at Gartner’s IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities … blogs.gartner.com/…/finally-pci-dss-in-the-cloud-guidance/ […]

  9. […] council made a mistake by loading the document with so much stuff,” complained Andre Chuvakin, a Gartner research director for IT1 security and risk management. “Sadly, the whole thing just bears signs […]


