Retired Member

Information Security

The risks from Cyber crime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

The PCI SSC Publish Virtualisation and Cloud Advice

23 June 2011  |  5054 views  |  0

I have just been reading the new guidance provided by the PCI SSC on Virtualisation. This document has been long anticipated, having been pre-announced at the PCI SSC User Forum back in October 2010.

The document includes advice for local virtualised servers and environments as well as advice for those merchants considering a wholesale switch to cloud computing in whatever guise they believe beneficial. It covers a wide range of options and topics and the authors are to be congratulated on the output they have delivered.


The guidance comes at an opportune time with a number of articles recently highlighting security issues with regard to cloud computing environments.


What is the guidance? Well, it makes many valid points, of which perhaps the leading two may be characterised as follows:

Firstly, whenever environments become more complex they are more difficult to manage and make secure. It was only this year that the Ponemon Institute reported that security complexity was the number one obstacle which system administrators felt they faced. Clearly virtualised environments add a new layer of administration and configuration which can lead to errors, and hence to security vulnerabilities being inadvertently opened. Not only that, but because most of the technologies are still relatively new and less mature than other security solutions, this introduces the possibility of new vulnerabilities being found which may be exploited.

Secondly, and very importantly, there is no one-size-fits-all solution to configuring a virtualised environment to meet PCI DSS, or any other security standard. If people are expecting a simple tick box to follow they will be disappointed.

Certainly, from the point of view of a PCI DSS audit, virtualised environments have had to be considered more and more by the assessor. There are few large merchants who don’t take advantage of a virtualised solution in some form. Think Virtual Machines (VM), Storage Area Networks (SAN) and Network Attached Storage (NAS), even before we begin to consider virtual firewalls, virtual routers and switches, security appliances and a move to the “cloud”.

It was interesting to read the advice for cloud computing environments, as these have been in the news recently. As we know, in certain cloud environments a merchant may not know where their data is hosted, even by country, never mind by data centre, nor may they know who else is hosting data within the same virtual infrastructure. As a result, some cloud based services may be inherently unable to support the PCI DSS for a merchant. However, to resolve this conundrum the PCI SSC suggest moving the burden of proof across to the cloud based service provider, and this does seem to be the only logical place where this responsibility can be placed. PCI DSS does have a set of controls related to the management of service providers with whom cardholder data is shared, and these should be implemented before a cloud solution is selected.

One key consideration during this process should be to ensure the service provider provides the scope of any PCI DSS audit which has been undertaken, and which services have been included, so that the merchant can ensure all the PCI DSS controls with which they are required to comply are fulfilled. The merchant shouldn’t forget that this should also include integration of incident response planning.

This can be problematic in a virtualised shared environment for a number of practical and technical reasons, so gaining support for an investigation should be written into the contract to ensure the merchant’s obligations can be fulfilled.

As all boy scouts know, it’s best to Be Prepared!


Tags: Security, Risk & regulation
