Wednesday, September 23, 2009

Cloud Computing and PCI Compliance

I get emails from various sources that relate to our MIT program. I received the newsletter below from a vendor we use and I thought it was timely since we had a class presentation on Cloud Computing.

Trustwave Newsletter

News and Analysis

On the Horizon: Cloud Computing

Cloud computing has, of late, been a popular buzzword in the IT and business communities, largely because it is an inexpensive way to increase IT resources. IDC, an analyst and research firm, predicts that spending on IT cloud services will hit $42 billion by 2012. As more businesses look to adopt cloud computing services, more questions are going to arise: not only about what kinds of services cloud computing can offer and whether it is as cost effective as purported, but also more focused questions such as those pertaining to security and compliance.

What is "cloud computing"?

Cloud computing is generally the use of hosted, Internet-accessible servers for a variety of computing needs. It can be dynamically scalable and is usually a virtualized resource. Cloud computing is primarily used in four categories: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Virtualization Technology. SaaS is a model of software deployment where an application is licensed for use as a service on demand. PaaS is when a company uses another company to host all of its applications. IaaS is a computer infrastructure delivered in a virtual environment. Virtualization Technology is the ability to transform on-premise data centers into their own clouds. Google, Microsoft, Amazon, Citrix and Salesforce.com are just a few companies offering some or all of these cloud computing services.

Cloud computing is, so far, very cheap. By "renting" computer usage from a third-party provider, companies avoid capital expenditure. Cloud computing services are typically "pay for what you use," which is ideal for organizations that may have one or two busy months (e.g., holiday season) and need a larger platform just for that time of the year. To purchase cloud computing services, all one may need is a credit card. For example, The New York Times took its archive dating from 1851 to 1922 representing more than 15 million articles, and put this fully searchable content "into the cloud" using Amazon's cloud services.

What does cloud computing mean for PCI DSS Compliance?

The cost savings a company achieves with cloud computing could potentially be offset by additional security measures that might be necessary. Debate is ongoing as to whether cloud computing services are able to meet regulatory compliance requirements. No hard rules or standards currently exist, although the Cloud Security Alliance (CSA), a non-profit organization promoting best practices for providing security assurance with cloud computing, has issued an ongoing "Security Guidance for Critical Areas of Focus in Cloud Computing." Some of CSA's best practice recommendations for compliance with payment card transactions include:

  • Classify data and systems to understand compliance requirements
  • Understand data locations, in particular the copies of data that are made and how they are controlled
  • Maintain a right to audit on demand as your regulatory mandates and business needs may change rapidly
  • Perform external risk assessments, including a Privacy Impact Assessment

However, while these recommendations may be valid, it should be noted that the Payment Card Industry Security Standards Council (PCI SSC) has not issued formal guidelines for cloud computing as it pertains to payment card applications or data.

Cloud computing in practice

Several companies offer resizable and configurable compute capacity, paid for by the hour or in multi-year terms. While cost and ease of use are attractive to many businesses, cloud computing may not automatically meet enterprise compliance requirements. Cloud computing systems are not inherently PCI DSS compliant, and storing sensitive credit card payment information on such systems can lead to compliance and other risks.

In a recent article at Data Center Knowledge, Amazon provided insight into the issue of compliance and cloud computing, reaffirming that PCI DSS compliance is dependent on how the merchant uses solutions such as cloud computing. Reaching out to customers to address compliance concerns, Amazon spokesperson Kay Kinton stated, "Under the PCI Data Security Standard, merchants regardless of their size are independently responsible for complying with PCI when they collect, process or store credit card information. When using a shared hosting service, like AWS, where the merchant controls what credit card information touches the service, the merchant is responsible for using the services in a manner that permits them to be PCI compliant, such as the proper use of encryption and key management. Therefore, it is possible for a merchant to use Amazon EC2 and Amazon S3 and meet PCI compliance standards depending on their specific implementation."

However, other cloud providers are claiming to be certified as PCI DSS compliant, or offer PCI solutions. The authenticity of these claims at this time is not certain; therefore businesses enter into cloud computing at their own risk.

Conclusion

Potential security and compliance problems with cloud computing abound. Because of the ability for a cloud service to reside anywhere in the world, it is difficult to know exactly where the data resides, or even if the cloud provider is meeting the physical security requirements of the PCI DSS. Most cloud providers do not allow onsite auditing either. Cloud computing is an evolving IT experiment, and not necessarily an enterprise-ready environment.

While being PCI DSS compliant does not automatically make a company safe from security threats, it does help businesses ensure appropriate security measures and practices are in place to prevent and deter, as much as possible, security compromises and data theft. Therefore, for the time being, it may be a best practice to not handle any credit card transactions on a cloud infrastructure.

Trustwave Accredited in MasterCard's POS Terminal Security

Trustwave has been certified to perform compliance evaluations against MasterCard's Point-of-Sale Terminal Security (PTS) program. MasterCard's PTS program applies to Point-of-Sale (POS) hardware and applications that transmit card data across an open Internet Protocol (IP) or wireless connection. Payment terminal manufacturers seeking PTS compliance validation can now engage Trustwave to perform evaluations to verify that the POS conforms to standards set forth by MasterCard.

Trustwave News

09/23/2009
Members of Trustwave's SpiderLabs to Deliver Briefings at SecTor

09/22/2009
Trustwave Accredited in MasterCard's Point of Sale Terminal Security

09/16/2009
CUPDATA Validated PCI DSS Compliant by Trustwave

Trustwave Events

PCI SSC
September 22-24
Las Vegas, NV

cPanel
October 5-7
Houston, TX
