Scoping cloud environments: Tips and best practices
The PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) issued a joint bulletin to highlight the importance of properly scoping cloud environments.
Why cloud computing matters
The use of cloud computing services has accelerated in recent years and is projected to continue expanding. This dramatic increase in the use of cloud services makes sense given the many benefits cloud computing can provide to businesses large and small.
Cloud computing can be used to provide customers with access to the latest technologies without a costly investment in computing resources. Because of these many benefits, investment in cloud computing is projected to be an ever-increasing priority for businesses around the world. Along with this increased use has come increased concern about security.
Cloud scoping and payment environment security
At a high level, scoping involves identifying the people, processes, and technologies that interact with, or could otherwise impact the security of, payment data or systems. When cloud services are used for payments, this responsibility is typically shared between the cloud customer and the cloud service provider (CSP).
Data breach investigation reports continue to find that organizations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems. Proper scoping should be a critical and ongoing activity for organizations, so that they know where their payment data is located and that the necessary security controls are in place to protect it. Improper scoping can result in vulnerabilities going unidentified and unaddressed, which criminals can exploit. Knowing exactly where payment data is located within their systems enables organizations to develop a plan to protect that data.
“Cloud computing can be very secure when best practices are employed and all stakeholders understand their shared responsibility, which is learned through proper scoping. While companies of all sizes use the cloud, the knowledge gap is most evident with smaller businesses, which puts them at risk of suffering a security incident. We are all in this together,” said Jim Reavis, CEO, Cloud Security Alliance.
Roles and responsibilities
Organizations that outsource payment services to cloud service providers (CSPs) often rely on the CSP to securely store, process, or transmit cardholder data on their behalf, or to manage components of the entity’s payment data environment. CSPs can become an integral part of the organization’s payment data environment and directly impact the security of that environment.
For too many organizations, bringing in a third-party CSP for payment security services is seen as the only step necessary to secure payment data. Using a CSP for payment security related services does not relieve an organization of ultimate responsibility for its own security obligations, or for ensuring that its payment data and payment environment are secure. Clear policies and procedures should be established between the organization and its CSP for all applicable security requirements, along with measures to manage and report on those requirements.
Best practices
Limiting exposure to payment data reduces the chance of being a target for criminals. Some important areas of focus should be:
Data protection: Ensure that information is protected by maximizing the use of strong cryptography and key management practices, tokenization, and masking where feasible, and by employing robust data loss prevention solutions.
Authentication: Ensure that strong multi-factor authentication is pervasive, to protect against common attacks on the credentials of consumers, merchants, and service providers.
Systems management: Recent high-profile breaches have pointed to weaknesses in how responsible parties perform routine systems management functions, such as patch management, verification of code updates and configuration management.
DevOps & DevSecOps: Software supply chains are an important area of exposure to attackers, and merchants should understand the original source of all components of the payment solution.
Data governance: Given the global nature of the cloud, ensure that information stays within the appropriate jurisdictional boundaries and is accessed only by stakeholders with a legitimate need.
Resiliency: Ensure that service providers take advantage of the cloud’s nearly unlimited capacity to provide redundancy for application availability and data backups.