WHEN A CUSTOMER taps a credit card at a small business, the processing almost always happens in the cloud. Since the business is ultimately responsible for the security of that transaction, it needs to conduct "cloud scoping" to identify which upstream companies are involved, and where the financial data gets stored. The issue has become so important that the Cloud Security Alliance and the PCI Security Standards Council (SSC) issued a joint alert that stressed cloud scoping to improve transparency, accountability, and security.
"Scoping cloud responsibilities assists in providing focus to assessments, procurement, and security management," says Jim Reavis, CEO of the Cloud Security Alliance. He believes organizations are doing a better job at it, but need help understanding how the cloud is defined, structured, and delivered. "Transparency on the part of the cloud providers and an informed customer are the keys," he adds.
"The focus should be on data protection," says Troy Leach, senior vice president and engagement officer of the PCI SSC. Too many organizations think bringing in a third-party cloud service provider (CSP) is the only step necessary to secure payment data. However, Reavis warns, many CSPs have dependencies on other cloud providers "that are opaque" to the customer, such as backup, authentication, and security providers supporting the CSP.
One of the difficulties in cloud scoping is getting the transparency needed to see the full chain of providers and where the data finally resides. When a customer asks their SaaS provider questions that apply only to a physical data center, that's a clue they need help with cloud scoping.
A cloud scoping exercise by channel pros on behalf of their customers will establish internal processes to make cloud security a priority, says Leach. "Limiting exposure to payment data reduces the chances of it being a target for criminals." The PCI and CSA joint statement dives deeper into this topic.
Areas of focus in a cloud scoping exercise include maximizing the use of strong cryptography and encryption key management practices, along with implementing multifactor authentication globally to protect against common credential attacks on consumers, merchants, and service providers. Ensuring that upstream providers perform routine administrative operations such as patch management, verified code updates, and configuration management is essential too.
For some companies subject to relevant compliance requirements, checking that data is stored only within appropriate geographic boundaries will be necessary. Add in inspecting the security of development operations, outlining the source of all software components in the payment solution, and confirming system resiliency for application availability and data backups, and you can see that a cloud scoping exercise requires diligence.
"The main benefit of a scoping exercise is greater clarity to where payment data may exist and who may have access to those resources," says Leach. "Proper scoping of cloud environments is a significant step in that process for organizations that utilize cloud services and associated benefits."