PCI Compliance in the Cloud: What You Need to Know

Cloud Computing – the buzzwords of the technology sector this decade: if you’re not already doing it, you’re missing out. Articles have been written. Experts have been crowned. Events have been attended. We all agree – the cloud presents opportunities for cost savings, elasticity, and scalability.

But for companies that are bound by the Payment Card Industry Data Security Standard (PCI DSS), securing financial data in “the cloud” presents new issues.

How is the Cloud Different?

Securing brick-and-mortar businesses was one thing, securing data centers and hardware was an added level, but securing the foggy boundaries of the cloud presents a new set of challenges.

The skills and knowledge you acquired in the data center are still very relevant to the cloud world. However, the most obvious change is that physical walls are no longer available to protect your systems and data. Cloud Encryption is the answer – producing “mathematical walls” to replace the physical ones.

Are these challenges manageable?  Yes.

Should you take them on?  Yes.

Should you do it alone? Oh no…

PCI Compliance and Encryption in the Cloud: The Challenges
Six of the twelve requirements of PCI DSS touch on the need for encryption and key management in the cloud, and on the proper management of these systems. The main challenges in complying with PCI DSS while operating in public or hybrid clouds are:

  • Protection methods such as hashing and encryption (part of requirement 3)
  • Encrypting transmission over networks (requirement 4)
  • Securing systems and applications (requirement 6)
  • Restricting access to data (requirement 7)
  • Assigning unique accountability (requirement 8)
  • Tracking and monitoring access (requirement 10)

These are unequivocally big topics. But you unequivocally do not need to take them on alone. Solutions like our Virtual Private Data (VPD) combine state-of-the-art encryption with patented key management to enable organizations to comply effectively with PCI DSS in the cloud.

Protection Methods: The Solution
PCI DSS stresses the importance of protection methods such as hashing and encryption, since “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.” Our solution was designed with PCI compliance in mind and offers features such as:

  • Strong hashing (SHA-2) and encryption (AES-256) to render the PAN unreadable.
  • Key-splitting and homomorphic key encryption to protect the integrity and security of the keys.
  • Only partial keys are stored in any one location, and those parts are themselves encrypted.
  • Exact mathematical descriptions and proofs of the strength of the protocols, validated by leading cryptographic experts.
  • Support for AES-256 and for RSA public keys from 1024 to 4096 bits, and secure storage of keys of all major cryptosystems of any length.
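Two of these bullets are easy to make concrete. The Go below is an added example written for this page; it is not Porticor's code and says nothing about how VPD itself splits or stores keys. It shows a 256-bit key split into two XOR shares, so that a location holding one share holds nothing usable and both shares are needed to recover the key, and a keyed SHA-256 (HMAC) token that renders a PAN unreadable while still allowing lookups. The key, the HMAC key and the PAN are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SplitKey splits a key into two XOR shares. shareA is random and shareB is
// key XOR shareA, so either share on its own is indistinguishable from random
// bytes: a storage location holding one share holds nothing usable.
func SplitKey(key []byte) (shareA, shareB []byte, err error) {
	shareA = make([]byte, len(key))
	if _, err = rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, len(key))
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// JoinKey recombines the two shares. A missing share or a length mismatch is
// an error; a wrong share of the right length yields a wrong key rather than
// an error, so callers should validate the recovered key before using it.
func JoinKey(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) == 0 || len(shareA) != len(shareB) {
		return nil, errors.New("key shares missing or of unequal length")
	}
	key := make([]byte, len(shareA))
	for i := range shareA {
		key[i] = shareA[i] ^ shareB[i]
	}
	return key, nil
}

// HashPAN renders a PAN unreadable while keeping it searchable. The token is
// HMAC-SHA256 under a secret key, not a bare SHA-256, because the set of
// valid card numbers is small enough to enumerate against unkeyed hashes.
func HashPAN(hmacKey []byte, pan string) string {
	m := hmac.New(sha256.New, hmacKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

func main() {
	// Constructed sample values; fixed keys like these are for illustration only.
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes, the AES-256 key size
	a, b, _ := SplitKey(key)
	joined, _ := JoinKey(a, b)
	fmt.Printf("share A: %x\nshare B: %x\nrecovered key matches: %v\n", a, b, string(joined) == string(key))
	fmt.Println("PAN token:", HashPAN([]byte("constructed-hmac-key"), "4111111111111111"))
}
```

Two points the bullets leave implicit: a bare SHA-256 of a PAN does not make it unreadable, because the space of valid card numbers can be enumerated and compared against stored hashes, which is why the token is keyed and the HMAC key must be protected like an encryption key; and XOR sharing gives no error when the wrong share is supplied, only a wrong key, so the recombined key should be checked (for example by decrypting a known check value) before it is used on cardholder data.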

Encrypting Transmission: The Solution
According to the PCI standard, sensitive information must be encrypted during transmission over networks that may be accessed by malicious individuals.  Whichever solution you use, make sure that:

  • All communications within the system are always encrypted.
  • SSL/TLS is always enabled and cannot be switched off.
  • There are mechanisms for issuing certificates for SSL/TLS encryption on a per-customer per-project basis.
  • Your solution supports IPsec communications between cloud servers.

Securing Systems: The Solution

Requirement 6 emphasizes the importance of keeping systems up to date with “the most recently released, appropriate software patches” in order to eliminate security vulnerabilities that could be exploited by external attackers or insiders. Choose a solution that helps you apply the latest software patches quickly and easily.

Restricting Access: The Solution

Systems and processes must be in place to limit access on a need-to-know basis and according to job responsibilities. This requirement covers both the data itself and the management and storage of the encryption keys. Encryption is a great way to isolate data in the cloud. Of course, this depends on keeping the encryption keys safe and ensuring that no unauthorized person has access to them. The solution is quite straightforward: administrators should never be able to see the keys that are used to encrypt cardholder data. Keys should be managed by name, with the value always hidden. Since administrators do not know the keys, they are unable to decrypt the data.
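The “manage keys by name, never by value” rule is largely a matter of API shape. The Go below is an added example for this page, not Porticor's code: a small in-memory vault that creates, lists and uses AES-256-GCM keys by name and deliberately has no method that returns key bytes. It keeps whole keys in process memory for simplicity (a real deployment would store them split and encrypted, as discussed above); the key names and the sample PAN are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// KeyVault holds AES-256 keys and exposes them to callers by name only.
// There is no method that returns key bytes: an administrator can create,
// list and use keys, but never read their values.
type KeyVault struct {
	keys map[string][]byte // unexported: key material never leaves the vault
}

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string][]byte{}} }

// CreateKey generates a fresh 256-bit key under the given name.
func (kv *KeyVault) CreateKey(name string) error {
	if _, exists := kv.keys[name]; exists {
		return fmt.Errorf("key %q already exists", name)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	kv.keys[name] = key
	return nil
}

// KeyNames is the administrator's view: names, never values.
func (kv *KeyVault) KeyNames() []string {
	names := make([]string, 0, len(kv.keys))
	for n := range kv.keys {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// aead builds an AES-256-GCM instance for the named key, for a single use.
func (kv *KeyVault) aead(name string) (cipher.AEAD, error) {
	key, ok := kv.keys[name]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", name)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals cardholder data under the named key and returns
// nonce||ciphertext||tag. A fresh random nonce is generated per call.
func (kv *KeyVault) Encrypt(name string, plaintext []byte) ([]byte, error) {
	g, err := kv.aead(name)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; the GCM tag rejects a modified blob or a wrong key.
func (kv *KeyVault) Decrypt(name string, blob []byte) ([]byte, error) {
	g, err := kv.aead(name)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func main() {
	kv := NewKeyVault()
	_ = kv.CreateKey("cardholder-data")                                  // constructed key name
	ct, _ := kv.Encrypt("cardholder-data", []byte("4111111111111111")) // constructed test PAN
	pt, _ := kv.Decrypt("cardholder-data", ct)
	fmt.Println(kv.KeyNames(), len(ct), string(pt))
}
```

The point to carry into any real deployment is the shape, not this toy storage: whoever administers the vault sees `KeyNames()` and can call `Encrypt`/`Decrypt` on behalf of authorized applications, and the only way to learn a key value is to break the process boundary, which is exactly the access that requirement 7 and your access controls are there to deny.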

Assigning Accountability: The Solution

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions, so that operations on critical data and systems can be traced.

Tracking and Monitoring: The Solution

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. Your logs must be secure and stored in a way that they cannot be modified.
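Requirements 8 and 10 fit together naturally: every log entry is attributed to an individual user ID, and entries are chained with an HMAC so that any later edit, deletion or reordering of a record is detectable. The Go below is an added example for this page, not Porticor's code; the verifier key, user IDs and actions are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit record: who acted (an individual's unique ID), what
// they did, and the MAC that chains it to every earlier entry.
type Entry struct {
	UserID string
	Action string
	MAC    string // hex HMAC-SHA256 over the previous MAC, UserID and Action
}

// AuditLog is an append-only hash chain. Each MAC covers the previous MAC,
// so editing, deleting or reordering an earlier record breaks every later one.
type AuditLog struct {
	macKey  []byte  // held by the verifier, not by the systems that write entries
	Entries []Entry // exported only so the tamper checks in the test can reach it
}

func NewAuditLog(macKey []byte) *AuditLog { return &AuditLog{macKey: macKey} }

const genesis = "genesis" // previous-MAC value for the first entry

func (l *AuditLog) mac(prev, userID, action string) string {
	m := hmac.New(sha256.New, l.macKey)
	// Length-prefix each field so that "ab"+"c" and "a"+"bc" cannot collide.
	fmt.Fprintf(m, "%d:%s|%d:%s|%d:%s", len(prev), prev, len(userID), userID, len(action), action)
	return hex.EncodeToString(m.Sum(nil))
}

// Head returns the latest MAC. Anchoring it somewhere the log writer cannot
// reach (a separate system, a periodic signed digest) is what makes deletion
// of the most recent entries detectable; the chain alone cannot see truncation.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesis
	}
	return l.Entries[len(l.Entries)-1].MAC
}

// Append records an action under an individual user ID. A blank ID is
// refused: an entry nobody can be held accountable for is not an audit record.
func (l *AuditLog) Append(userID, action string) error {
	if strings.TrimSpace(userID) == "" {
		return fmt.Errorf("audit entry %q has no user ID", action)
	}
	l.Entries = append(l.Entries, Entry{UserID: userID, Action: action, MAC: l.mac(l.Head(), userID, action)})
	return nil
}

// Verify recomputes the chain and returns the index of the first entry whose
// MAC does not match, or -1 if every entry is consistent with its predecessors.
func (l *AuditLog) Verify() int {
	prev := genesis
	for i, e := range l.Entries {
		if !hmac.Equal([]byte(e.MAC), []byte(l.mac(prev, e.UserID, e.Action))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

func main() {
	l := NewAuditLog([]byte("constructed-verifier-key"))
	_ = l.Append("jdoe", "decrypted record 42 with key cardholder-data")
	_ = l.Append("asmith", "rotated key cardholder-data")
	fmt.Println("intact, first bad index:", l.Verify())
	l.Entries[0].UserID = "asmith" // constructed tampering: shift the blame
	fmt.Println("after edit, first bad index:", l.Verify())
}
```

Two caveats worth keeping in mind. The HMAC key belongs to whoever verifies the log, not to the systems producing it; if the writer holds the key, it can rewrite history and re-chain it. And a chain only proves internal consistency: dropping the newest entries leaves a perfectly valid shorter chain, which is why `Head()` should be recorded out of band (or forwarded to a separate log collector) on a schedule, so that truncation shows up as a head that no longer matches.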

PCI Compliance in the Cloud: Is it Worth the Effort?

Complying with PCI DSS is not just a legal matter – it is simply good business. There are many requirements to PCI compliance. Perhaps life would be easier without them. But these provisions protect your customers, which in turn protects you. PCI compliance does not have to be cost-prohibitive. It does not have to take a lot of time. But it absolutely does have to be done, and it unequivocally is worth the effort.

The post PCI Compliance in the Cloud: What you need to know appeared first on Porticor Cloud Security.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor, is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business), contributing to several SAP products and reaching more than 8 million users. Recently he created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
