Tips from the payment card industry for maintaining cloud compliance

A complex IT environment demands an equally considered data compliance plan. Agent-based software and other traditional approaches to compliance grew up in a slow-moving, long-established industry, and they were designed to let their owners relax while a third party managed their information. Now that virtualized storage and public and private clouds dominate most IT strategies, the responsibility for maintaining compliance in these environments is falling back on IT teams, and no two organizations' compliance needs are alike.

The payment card industry's Cloud Special Interest Group (PCI SIG) aims to shoulder some of this responsibility by publishing guidance and recommendations that help companies comply with the PCI Data Security Standard (PCI DSS) while they use the cloud. The group released a report in 2013 describing the state of PCI DSS compliance on cloud infrastructure, and many of its takeaways still apply today. Below are three questions raised by that report that can help any company maintain compliance, PCI or otherwise, across environments:

Can your current compliance plan scale in a cloud environment?

Software agents, the traditional way to deliver antivirus protection and other host-based controls, consume memory and processing resources wherever they run. The cost of a single agent is minor, but it adds up when several agents are installed on each of many virtual machines (VMs) that share one host. Because neither the agents nor the resources they demand were designed to scale in a cloud or fully virtualized environment, they can create operational problems and raise overhead costs, and an agent that has to be installed and enrolled on every VM is easily missed when machines are cloned or spun up automatically.

Does every cloud service provider observe the same compliance standards as your internal team?

One of the cloud's greatest benefits is the freedom it grants users. Organizations can work with the cloud service providers (CSPs) of their choice and move data, applications and servers between providers at their convenience. However, not every CSP has validated PCI DSS compliance, and even when one has, that validation covers only the services and controls the CSP operates; responsibility for every remaining requirement stays with the company that owns the cardholder data, which must still demonstrate its own compliance. An organization's initial assessment of a candidate CSP should therefore examine the provider's infrastructure and processes with the same scrutiny it applies to its internal environment, and should record in writing which PCI DSS requirements the CSP covers and which remain the customer's. This is a complicated and frequently overlooked step.

Will virtual machine activity expose your data?

Simply put, security and monitoring solutions for virtual and cloud networks are still evolving. Because VMs can be activated and deactivated in moments, keeping security oversight current in such environments is difficult: a VM that was not running when the last scan or audit took place is still in scope once it is powered on, and a snapshot or clone carries whatever data its source held. Organizations therefore need to look inside the data stored on their VMs, including dormant images, and make sure sensitive data is properly managed. That way the IT team will not activate a VM and inadvertently expose PCI information, or any other piece of critical data.


Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.