With the current boom in cloud services, many companies are considering migrating all or part of their computing architecture to a Cloud Service Provider (CSP) to take advantage of the benefits this model brings to their business, among them, to name just a few, shorter deployment times for new services, improvements in performance and availability, hardware independence, virtualization, storage, and scalable performance.
However, one of the variables that can affect the decision to migrate to this model is the level of security the cloud environment will offer compared to the original environment deployed on the customer's own premises. Depending on the service provider and the model to be implemented (IaaS, PaaS, SaaS, etc.), many questions must be analyzed before proceeding: does the chosen platform guarantee the privacy of customer data? To what extent can the contracted cloud environment be adapted to compliance requirements? What will the responsibilities of the provider and the company be in the implementation and management of security controls? In the event of a security incident, who will be responsible for handling it?
And if, in addition to its own security controls, the company looking for a cloud service provider stores, processes and/or transmits payment card data, it must ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) in the cloud environment, a task that is far from easy and that requires a specific assignment of responsibilities between the client and the service provider.
To address this last point, in February 2013 the PCI SSC (Payment Card Industry Security Standards Council, the organization that develops the payment card data security standards) published the document “Information Supplement: PCI DSS Cloud Computing Guidelines”, which offers a series of practical considerations for choosing, implementing and managing a compliance environment partially or fully deployed in the cloud, covering physical, documentary, logical and administrative security controls. Under these guidelines, the CSP must be able to provide its customers with:
- PCI DSS compliance documentation for its environment (such as the Attestation of Compliance, AoC, or the relevant sections of the Report on Compliance, RoC), including the date of the review
- Documented evidence of system and service components included in the PCI DSS validation
- Documented evidence of system and service components excluded from PCI DSS validation
- A descriptive contract where the responsibilities covered by the CSP and the client are explicitly described
If the above points cannot be provided by the CSP, the associated physical and logical environment must be validated within the PCI DSS audit of the client itself, with the associated costs that this implies.
Likewise – and in order to avoid confusion from deceptive marketing strategies – it is very important to keep in mind the following basic criteria when choosing a CSP to deploy an environment that complies with PCI DSS:
1. A CSP being PCI DSS compliant does not imply that its customers are compliant by extension
2. The customers of a CSP being PCI DSS compliant does not imply that the CSP is compliant
3. A CSP and one of its customers being PCI DSS compliant does not imply that the CSP's other customers are compliant
To clarify all these concepts with a practical example, this article will focus on the deployment of infrastructure in the cloud using Amazon Web Services (AWS) and aligning the services provided by that provider with PCI DSS.
Amazon Web Services (AWS) and PCI DSS
One of the pioneers in cloud computing services is Amazon with Amazon Web Services (AWS). AWS follows a shared responsibility model for Infrastructure as a Service (IaaS) in which AWS is responsible for the security of the infrastructure that supports the service, while the customer is responsible for the security of the services and data deployed on top of that environment.
Under these premises, Amazon has certified a series of services within its PCI DSS Level 1 certification as a Service Provider, among which are:
As previously mentioned, Amazon as a CSP provides its customers with documentation establishing its level of compliance (the Attestation of Compliance, AoC) and a document assigning responsibilities. This documentation can be requested directly from Amazon through a sales representative.
Apart from the certification of the infrastructure services provided by Amazon, the customer is responsible for the following activities (among others) to ensure compliance of its own payment card data environment:
- Configuration and administration of EC2 virtual instances (guest operating system)
- Configuration of filtering rules and segmentation of the environment
- Authentication and authorization for the operating system and any service or application running on an EC2 instance
- Updating of operating systems, applications and services
- Deployment of anti-malware controls, integrity monitoring and intrusion detection/prevention
- Encryption of payment card data stored on EC2 instances
- Coordination of incident response activities
- Use and configuration of other Amazon services that are not explicitly included in the PCI DSS certification
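The second responsibility above (filtering rules and segmentation) is the one most often checked by hand. As an added example, not code from the original article or from AWS, the script below evaluates EC2 security group rules, in the shape returned by the EC2 DescribeSecurityGroups API, against the basic PCI DSS Requirement 1 expectation that only the services the cardholder data environment (CDE) deliberately exposes are reachable from untrusted networks. The security groups, their IDs and names are constructed placeholders, and the set of allowed public ports (HTTPS only) is an assumption of the example.

```python
"""Added example, not code from the original article or from AWS: evaluate
EC2 security group rules (DescribeSecurityGroups shape) against basic
PCI DSS Requirement 1 expectations for a cardholder data environment (CDE).
The groups below are constructed for the example; IDs and names are placeholders."""
import ipaddress

# Assumption for this example: the only service the CDE exposes to untrusted
# networks is HTTPS on the web tier.
ALLOWED_PUBLIC_PORTS = {443}

# Constructed sample in DescribeSecurityGroups shape (not real AWS data).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-cde-web-placeholder",
        "GroupName": "cde-web-dmz",
        "IpPermissions": [
            # HTTPS from anywhere: acceptable for the DMZ web tier
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            # SSH from anywhere: administrative access must not be world-open
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-cde-db-placeholder",
        "GroupName": "cde-db-backend",
        "IpPermissions": [
            # MySQL only from the application tier's security group: good
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-cde-app-placeholder"}]},
            # Every protocol and port from the whole corporate range: too broad
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule reachable from any address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(rule):
    """All CIDR sources of a rule (IPv4 and IPv6); group references are not CIDRs."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_security_groups(groups, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return findings as dicts with keys group, issue and detail."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = rule_sources(rule)
            if rule.get("IpProtocol") == "-1":
                # "-1" means every protocol and port: never a least-privilege rule
                findings.append({"group": sg["GroupId"], "issue": "ALL_PROTOCOLS",
                                 "detail": sources or ["security-group reference"]})
                continue
            if rule.get("IpProtocol") not in ("tcp", "udp"):
                continue  # ICMP and other protocols are out of scope here
            lo, hi = rule["FromPort"], rule["ToPort"]
            for cidr in sources:
                if not is_world_open(cidr):
                    continue
                exposed = sorted(set(range(lo, hi + 1)) - set(allowed_public_ports))
                if exposed:
                    findings.append({"group": sg["GroupId"], "issue": "WORLD_OPEN_PORT",
                                     "detail": exposed})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['issue']} {f['detail']}")
```

Run against real data, the `SAMPLE_GROUPS` list would be replaced by the `SecurityGroups` list of a DescribeSecurityGroups response; the two findings the sample produces (SSH open to the world on the web tier, and an all-protocols rule on the database tier) are exactly the kind of evidence a QSA will ask the customer, not AWS, to explain.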
Based on these responsibilities, the following sections describe how the services provided and certified by Amazon can be used to achieve compliance of the customer environment for each of the PCI DSS requirements.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
Next steps: Amazon AWS Enterprise Accelerator for PCI DSS Compliance Quick Start
In order to simplify the initial deployment and configuration of modular components within the AWS infrastructure following the guidelines of a standard or best practice, Amazon periodically publishes a series of reference guides called AWS Quick Start Reference Deployments. These guides automate the initial configuration using the AWS CloudFormation service. CloudFormation is composed of two main elements:
- Configuration files (templates) in JSON format that define how resources will be created using the AWS API
- The collection of resources created as a result of executing a template
Taking advantage of this model, in May 2016 Amazon published AWS Enterprise Accelerator - Compliance: Standardized Architecture for PCI DSS on the AWS Cloud, which deploys a basic PCI DSS environment comprising AWS IAM, a VPC with subnets for DMZ and backend, Security Groups and ACLs for EC2, load balancing with ELB and TLS policies, S3 buckets for content storage, administrative access through SSH, MySQL databases on RDS, and log management with CloudTrail, CloudWatch and AWS Config rules, all fully described in that document.
To support validation of the standard against the services provided by AWS, a checklist is provided with the PCI DSS v3.0 controls, following the PCI SSC's Prioritized Approach for PCI DSS Compliance document, together with the CloudFormation functionality that covers each control. It should be noted that at the time of writing this article the current PCI DSS version was v3.2, while the CloudFormation reference document was based on PCI DSS v3.0.
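Because the template is the single place where the customer's side of the shared responsibility model is expressed, it is also the natural place to check it before a stack is created. The following is an added example, not the article's code nor part of the AWS Quick Start: a small linter that reads a CloudFormation JSON template and reports resource properties that conflict with the PCI DSS requirements named above (stored data encryption, TLS on public listeners, and audit trail integrity). The embedded template is constructed for the example and is deliberately non-compliant in four places; the resource types and property names are the real CloudFormation ones, the logical IDs and the certificate ARN are placeholders, and the mapping of each check to a requirement number is the example's own reading of the top-level requirements.

```python
"""Added example (not the article's or AWS's code): lint a CloudFormation JSON
template for resource properties that conflict with common PCI DSS expectations.
The template below is constructed for the example; resource types and property
names are real CloudFormation names, logical IDs and ARNs are placeholders."""
import json

SAMPLE_TEMPLATE = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Constructed sample for the example (not the AWS Quick Start)",
  "Resources": {
    "CdeDatabase": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "mysql", "StorageEncrypted": false,
                     "PubliclyAccessible": false}
    },
    "CdeLogBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
          "BlockPublicPolicy": true, "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true}
      }
    },
    "CdeTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "S3BucketName": {"Ref": "CdeLogBucket"}}
    },
    "WebLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {"Listeners": [
        {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"},
        {"LoadBalancerPort": "443", "InstancePort": "443", "Protocol": "HTTPS",
         "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/placeholder"}
      ]}
    }
  }
}
'''


def truthy(value):
    """CloudFormation accepts JSON booleans or the strings "true"/"false"."""
    return value is True or str(value).lower() == "true"


def check_rds(props):
    issues = []
    if not truthy(props.get("StorageEncrypted", False)):
        issues.append("StorageEncrypted is not true (Req. 3, stored cardholder data)")
    if truthy(props.get("PubliclyAccessible", False)):
        issues.append("PubliclyAccessible is true (Req. 1, no direct public access to the CDE)")
    return issues


def check_s3(props):
    issues = []
    if "BucketEncryption" not in props:
        issues.append("no BucketEncryption block (Req. 3, stored cardholder data)")
    pab = props.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(truthy(pab.get(flag, False)) for flag in flags):
        issues.append("public access not fully blocked (Req. 1)")
    return issues


def check_cloudtrail(props):
    issues = []
    if not truthy(props.get("IsLogging", False)):
        issues.append("IsLogging is not true (Req. 10, audit trails)")
    if not truthy(props.get("EnableLogFileValidation", False)):
        issues.append("EnableLogFileValidation is not true (Req. 10, log integrity)")
    return issues


def check_elb(props):
    issues = []
    for listener in props.get("Listeners", []):
        if str(listener.get("Protocol", "")).upper() not in ("HTTPS", "SSL"):
            issues.append(f"listener on port {listener.get('LoadBalancerPort')} is not TLS (Req. 4)")
    return issues


# Resource types the linter knows about; anything else is passed through silently.
CHECKS = {
    "AWS::RDS::DBInstance": check_rds,
    "AWS::S3::Bucket": check_s3,
    "AWS::CloudTrail::Trail": check_cloudtrail,
    "AWS::ElasticLoadBalancing::LoadBalancer": check_elb,
}


def lint_template(template):
    """Return (logical_id, issue) pairs for every resource that fails a check."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is None:
            continue
        for issue in check(resource.get("Properties", {})):
            findings.append((logical_id, issue))
    return findings


def lint_json(text):
    return lint_template(json.loads(text))


if __name__ == "__main__":
    for logical_id, issue in lint_json(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {issue}")
```

The four findings on the sample (unencrypted RDS storage, an S3 bucket without server-side encryption, a trail without log file validation, and an HTTP listener on the load balancer) map onto Requirements 3, 3, 10 and 4 respectively; extending `CHECKS` with further resource types is how the checklist described above would be turned into an automated gate in front of a stack deployment.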
When, for technical or administrative reasons, the management of certain components or of the entire IT infrastructure is delegated to a third party, it is essential to ensure that the security levels that third party will apply are equal to or better than those the organization itself maintains. Additionally, if the delegated environment must comply with legal requirements or industry standards, the responsibilities of each party must be clearly stipulated in contractual terms. This is the case with Amazon cloud services (Amazon AWS) and PCI DSS compliance: although the provider (CSP) offers a large number of services for configuring the infrastructure securely, it is ultimately the customer who is responsible for the security of the data and for the configuration of the services that run on the layer provided by Amazon.
On the other hand, the complexity of deploying a solution of this kind requires deep knowledge of both the CSP platform (in this case, Amazon) and the application of PCI DSS controls. That is why the support of a QSA (Qualified Security Assessor) consultant, who can guide the organization at every stage of implementing and configuring controls to avoid inconsistencies with the standard, is recommended, if not essential.
Finally, this article has outlined the technical deployment of controls using the features provided by a CSP such as Amazon. However, many of the concepts can be extrapolated to other service providers, taking as a premise a clear description, in contractual terms, of the responsibilities of both the client and the provider.