On the heels of PCI Council’s guidance for cloud and SaaS, CipherCloud provides in-depth strategy for protecting data in the cloud
CipherCloud, the leader in cloud information protection, has announced five steps for achieving PCI DSS compliance in the cloud to complement the PCI Council’s newly released cloud computing guidelines for organisations that store, process or transmit cardholder information in any cloud environment including SaaS, PaaS, IaaS and hosted email. The Council’s 52-page guidance calls for shared responsibility between cloud providers and cloud customers, including banks, merchants, service providers and payment processors to ensure that cardholder data is protected and PCI-DSS compliant.
While the document advocates shared responsibility between cloud providers and customers, the recommendation lays out new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also specifies that customers need to understand and have a level of oversight and visibility into their cloud provider’s security functions.
In the absence of these new guidelines, cloud customers assumed that the cloud provider satisfied many of the PCI requirements and they started to rely on cloud providers to take care of most of the PCI requirements. This new guidance is an eye-opener as it clarifies that cloud customers cannot shift responsibility to their cloud providers. Cloud customers are still responsible for ensuring their cardholder data is secure.
Under the new guidelines, cloud customers who have been hesitant to go to the cloud now have clear guidance and choices: encrypt their cardholder data before sending it to cloud to minimise PCI scope, send their unencrypted cardholder data to the cloud and thus extend the PCI DSS scope to the cloud service, or refrain from sending their cardholder data to the cloud.
CipherCloud’s recommendations for safeguarding cardholder and payment information and complying with the new PCI Cloud security guidelines include:
• Cloud Encryption of Cardholder Data: As noted by the PCI Council, “ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment.” This can be achieved by applying the CipherCloud gateway to encrypt sensitive pieces of cardholder information transparently in real time before they are sent to the cloud using operations-preserving encryption and tokenisation that do not impact the usability of the applications.
• Customers Retain Encryption Key Control: With CipherCloud’s approach encryption key management remains in the hands of the cloud customers. This contrasts sharply with other approaches in which the cloud provider retains control over the keys that can decrypt cardholder information. This ensures that payment information remains secure even if a cloud provider is compromised.
• Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, and preferably not accessible by the cloud provider.
• Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, it may not be known in which country the information is actually stored and whether it’s accessible by foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic or international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, cloud customers using CipherCloudcan be assured that no information will be shared, even with law enforcement, without their direct involvement.
• Restrict Business Card Holder Data On Need-to-Know Basis: By exclusively controlling the decryption keys, the data owner can be confident that all data access is controlled by their own authorised personnel and will comply with the organisation’s internal need-to-know policies. No one at the cloud provider can access the information.
“These new PCI Cloud guidelines are very helpful,” said Pravin Kothari, founder and CEO of CipherCloud. “They provide very important clarifications to cloud customers as to their responsibility for protecting their cardholder data in the cloud, as well as defining clear steps for customers that have been hesitant to adopt the cloud on how to do so.”
CipherCloud has more than 1.2 million users and protects more than 100 million customer records around the globe. CipherCloud’s 256-bit encryption gateways protect data in the cloud and put control of the encryption keys in the hands of the customer, ensuring that organisations retain control over data in transit and at-rest in the cloud.