UK businesses are increasingly flocking to cloud services to reap cost savings and greater IT agility. According to the Cloud Industry Forum, over 75 per cent of UK businesses will be using at least one cloud service by the end of 2013.
But many organisations still aren’t clear on their responsibilities for protecting their data in the cloud. Cloud users commonly assume that, by working with a third-party provider, the compliance requirements are either satisfied automatically or that responsibility shifts to the shoulders of the cloud provider.
As a result, the PCI Security Standards Council earlier this year released clarifications and clear steps to guide payment processors through their cloud adoption journey. It confirmed that cloud customers cannot shift responsibility to their cloud providers.
The revised cloud computing guidelines are for any organisation that stores, processes or transmits cardholder information in any cloud environment, including SaaS, PaaS, IaaS and hosted email. The guidance recommends shared responsibility between the cloud provider and the cloud customer to ensure that cardholder data is protected and PCI DSS compliant.
While it advocates shared responsibility, the document outlines new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also states that users need to understand and have a level of visibility into their cloud provider’s security capabilities. For example: did you know that, regardless of the security measures in the cloud provider’s arsenal, you are still responsible for ensuring your cardholder data is secure?
The new guidelines mean cloud customers must reconsider their information protection model in order to minimise PCI risks. If your business sells online, the following best practices can help you protect your cardholder information and ensure that you comply with the 2013 PCI cloud security guidelines.
- Cloud Encryption of Cardholder Data: As noted by the PCI Council, “ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment.” This can be achieved by encrypting or tokenising the sensitive fields of cardholder information transparently, in real time, before they are sent to the cloud, using format- or operations-preserving encryption and tokenisation so that the cloud application keeps working on the protected values (length, last four digits and checksum behaviour are preserved). Note that the component performing the encryption or tokenisation handles clear-text account data and therefore remains in scope for PCI DSS itself; the reduction applies to the cloud environment that only ever sees protected values.
- Customers Retain Encryption Key Control: Encryption key management remains in the hands of the cloud customer. This contrasts sharply with approaches where the cloud provider holds the keys that can decrypt cardholder information. As long as the keys are never handed to the provider for decryption, a compromise of the provider exposes only ciphertext or tokens, not usable card data.
- Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, preferably in a dedicated key manager or HSM that the cloud provider cannot access, with the usual PCI DSS key-management controls (restricted access, rotation and retirement, split knowledge for manual operations).
- Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, you may be unaware in which country the information is actually stored and whether it is accessible to foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic or international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, you ensure that the provider can only ever hand over ciphertext; disclosure of the clear-text data, even to law enforcement, requires your keys and therefore your direct involvement.
- Restrict Cardholder Data Access to a Need-to-Know Basis: By exclusively controlling the encryption keys, the data owner controls who can decrypt the information. No one at the cloud provider can recover the clear-text cardholder data.
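The tokenisation, key-separation and need-to-know points above can be seen together in the following added example, which is not code from the original article or from the PCI Council. It is a standard-library Python sketch of a customer-side token vault: the PAN is replaced by a Luhn-valid token that keeps the same length and last four digits before the order record leaves the customer's environment, the HMAC key lives in a separate `KeyManager`, and only code holding the vault can detokenise. The `KeyManager`, `TokenVault`, `build_cloud_record` and `masked_display` names, and the order record, are constructed for this illustration; in production the vault's PAN column would itself be encrypted under a key held in an HSM, which the standard library cannot show.

```python
# Added example (not from the original article): customer-side tokenisation of a
# PAN before a record leaves the customer's environment for a cloud application.
# Standard library only. The key manager and token vault are assumed to run on
# customer-controlled infrastructure, outside the cloud provider's reach.
import hashlib
import hmac
import json
import secrets


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a digit string that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


class KeyManager:
    """Holds the customer's secret keys, kept apart from the vault's data
    (the article's point: keys are stored separately from protected data)."""

    def __init__(self):
        self._keys = {}

    def generate(self, key_id: str) -> str:
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def mac(self, key_id: str, data: bytes) -> str:
        """Keyed hash used as a lookup index so the vault needs no clear-text PAN index."""
        return hmac.new(self._keys[key_id], data, hashlib.sha256).hexdigest()


class TokenVault:
    """Swaps PANs for format-preserving tokens: same length, same last four digits,
    Luhn-valid, so existing validation and 'ending in 1111' displays still work."""

    def __init__(self, keys: KeyManager, key_id: str):
        self._keys = keys
        self._key_id = key_id
        self._token_by_index = {}  # HMAC(PAN) -> token (deterministic re-tokenisation)
        self._pan_by_token = {}    # token -> PAN (in production this column is itself encrypted)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan) or not 12 <= len(pan) <= 19:
            raise ValueError("not a plausible PAN")
        index = self._keys.mac(self._key_id, pan.encode())
        if index in self._token_by_index:
            return self._token_by_index[index]
        last4 = pan[-4:]
        for _ in range(1000):
            # random body + first three of the last four; the check digit must
            # then land on the PAN's own final digit (about 1 in 10 attempts)
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = body + last4[:3]
            token = candidate + luhn_check_digit(candidate)
            if token[-4:] == last4 and token != pan and token not in self._pan_by_token:
                break
        else:
            raise RuntimeError("could not generate a token")
        self._token_by_index[index] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only code holding the vault (customer side) can recover the PAN."""
        return self._pan_by_token[token]


def build_cloud_record(vault: TokenVault, order: dict) -> dict:
    """Replace the PAN with its token before the record is sent to the cloud app."""
    record = dict(order)
    record["pan"] = vault.tokenize(order["pan"])
    return record


def masked_display(token_or_pan: str) -> str:
    """What the cloud application shows; works identically on a token or a PAN."""
    return "**** **** **** " + token_or_pan[-4:]


if __name__ == "__main__":
    keys = KeyManager()
    vault = TokenVault(keys, keys.generate("vault-key-2013"))
    # constructed test data: a well-known test PAN, not a real card
    order = {"order_id": 1001, "pan": "4111 1111 1111 1111", "amount": "42.00"}
    cloud = build_cloud_record(vault, order)
    print(json.dumps(cloud), masked_display(cloud["pan"]), luhn_valid(cloud["pan"]))
```

Because the token is Luhn-valid and keeps the last four digits, the cloud application's existing input validation and masked display continue to work without ever seeing the PAN; re-submitting the same card yields the same token, so "card seen before" logic also survives. Keeping the tokens Luhn-valid is a design choice for application compatibility; some deployments prefer tokens that deliberately fail Luhn so they can never be mistaken for real PANs.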
Security experts will agree that cyber crime will follow wherever valuable data moves to – whether on-premise or in the cloud. With new PCI and other regulatory mandates in 2013 placing security and compliance responsibility on cloud users, any business that stores or processes data in the cloud could face serious repercussions for failing to meet these tougher compliance standards.