PCI Compliance in the Cloud: What You Need to Know

Cloud computing is the buzzword of the technology sector this decade: if you’re not already doing it, you’re missing out. Articles have been written, experts have been crowned, events have been attended. We all agree that the cloud presents opportunities for cost savings, elasticity, and scalability.

But for companies bound by the Payment Card Industry Data Security Standard (PCI DSS), securing financial data in “the cloud” raises new issues.

How is the Cloud Different?

Securing a brick-and-mortar business was one thing; securing data centers and hardware added another level; but securing the foggy boundaries of the cloud presents a new set of challenges.

The skills and knowledge you acquired in the data center remain very relevant in the cloud. The most obvious change, however, is that physical walls are no longer there to protect your systems and data. Cloud Encryption is the answer: it produces “mathematical walls” to replace the physical ones.

Are these challenges manageable?  Yes.

Should you take them on?  Yes.

Should you do it alone? Oh no…

PCI Compliance and Encryption in the Cloud: The Challenges
Six of the twelve PCI DSS requirements touch on encryption and key management in the cloud and on the proper management of those systems. The main challenges in complying with PCI DSS while operating in a public or hybrid cloud are:

  • Protection methods such as hashing and encryption (part of requirement 3)
  • Encrypting transmission over networks (requirement 4)
  • Securing systems and applications (requirement 6)
  • Restricting access to data (requirement 7)
  • Assigning unique accountability (requirement 8)
  • Tracking and monitoring access (requirement 10)

These are unequivocally big topics. But you unequivocally do not need to take them on alone. Solutions like our Virtual Private Data (VPD) combine state-of-the-art encryption with patented key management to enable organizations to comply effectively with PCI DSS in the cloud.

Protection Methods: The Solution
PCI DSS stresses the importance of protection methods such as hashing and encryption because “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.” Our solution was designed with PCI compliance specifically in mind and includes features such as:

  • Strong hashing (SHA-2) and encryption (AES-256) to render the PAN (primary account number) unreadable.
  • Key-splitting and homomorphic key encryption to protect the integrity and security of the keys.
  • Only partial keys are stored in any location, and those parts are also encrypted.
  • Exact mathematical descriptions and proofs of strength of protocols, which have been validated by leading cryptographic experts.
  • Support for AES-256 and for RSA public keys from 1024 to 4096 bits, plus secure storage of keys of any length from all major cryptosystems.
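As an added example (my code, not Porticor's and not part of the original post), here is how the hashing item in that list can look in Go: the PAN is normalized, hashed with a keyed SHA-256 (HMAC) under a secret pepper that is managed like an encryption key, verified in constant time, and masked for display. The pepper, the test PAN and the function names are my assumptions; masking is a related requirement-3 control that the post itself does not name.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// NormalizePAN strips the spaces and dashes people type into card fields so
// the same card always hashes to the same value, and rejects anything that is
// not 13 to 19 digits.
func NormalizePAN(raw string) (string, error) {
	pan := strings.NewReplacer(" ", "", "-", "").Replace(raw)
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN must be 13-19 digits")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("PAN must contain digits only")
		}
	}
	return pan, nil
}

// HashPAN renders a PAN unreadable for storage with a keyed SHA-256 (HMAC).
// A bare SHA-256 of a 16-digit number can be enumerated offline, so the secret
// pepper (kept in the key manager, like an encryption key) is what makes the
// stored hash safe. Using HMAC rather than a plain hash is a design choice of
// this example.
func HashPAN(pepper []byte, rawPAN string) (string, error) {
	pan, err := NormalizePAN(rawPAN)
	if err != nil {
		return "", err
	}
	m := hmac.New(sha256.New, pepper)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil)), nil
}

// VerifyPAN checks a presented PAN against a stored hash in constant time, so
// the comparison leaks nothing about how many bytes matched.
func VerifyPAN(pepper []byte, rawPAN, storedHex string) bool {
	got, err := HashPAN(pepper, rawPAN)
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(storedHex)
	if err != nil {
		return false
	}
	gotBytes, _ := hex.DecodeString(got)
	return hmac.Equal(gotBytes, want)
}

// MaskPAN is the display form: only the last four digits survive.
func MaskPAN(rawPAN string) (string, error) {
	pan, err := NormalizePAN(rawPAN)
	if err != nil {
		return "", err
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:], nil
}

func main() {
	pepper := []byte("constructed-pepper-keep-in-key-manager") // constructed for the demo
	h, _ := HashPAN(pepper, "4111 1111 1111 1111")             // constructed test PAN
	m, _ := MaskPAN("4111 1111 1111 1111")
	fmt.Println("stored:", h, "displayed:", m, "matches:", VerifyPAN(pepper, "4111111111111111", h))
}
```

The pepper is the part that deserves the same custody as a data-encryption key: without it, the stored hashes are only as strong as the roughly 10^15 possible card numbers behind them.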

Encrypting Transmission: The Solution
According to the PCI standard, sensitive information must be encrypted during transmission over networks that may be accessed by malicious individuals.  Whichever solution you use, make sure that:

  • All communications within the system are always encrypted.
  • SSL/TLS is always enabled and cannot be switched off.
  • There are mechanisms for issuing certificates for SSL/TLS encryption on a per-customer per-project basis.
  • Your solution supports IPsec communications between cloud servers.
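An added example, not from the original post: a Go audit of a tls.Config against the checklist above, paired with a server constructor that refuses to start unless the audit is clean, so that "TLS cannot be switched off" becomes a property of the code rather than a deployment checklist item. The baseline (TLS 1.2 minimum, certificate verification on, no suite that Go itself classes as insecure) and the function names are my choices; the IPsec and per-customer certificate items are not covered here.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// HardenedTLSConfig is the baseline this example treats as acceptable:
// TLS 1.2 or newer only; verification stays on because it is never disabled.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// AuditTLSConfig returns one finding per weak setting; an empty slice means
// the configuration meets the baseline above.
func AuditTLSConfig(cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"no TLS configuration: encryption in transit is off"}
	}
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is not pinned to TLS 1.2 or newer", cfg.MinVersion))
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate verification")
	}
	// Go publishes the suites it considers broken; none of them may be enabled.
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
	}
	return findings
}

// NewHTTPSServer builds an http.Server only when its TLS settings pass the
// audit; there is no code path that yields a plaintext listener.
func NewHTTPSServer(addr string, cfg *tls.Config) (*http.Server, error) {
	if f := AuditTLSConfig(cfg); len(f) > 0 {
		return nil, fmt.Errorf("refusing to start without hardened TLS: %v", f)
	}
	return &http.Server{Addr: addr, TLSConfig: cfg}, nil
}

func main() {
	weak := &tls.Config{InsecureSkipVerify: true, CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
	fmt.Println("weak config findings:", AuditTLSConfig(weak))
	if _, err := NewHTTPSServer(":8443", HardenedTLSConfig()); err == nil {
		fmt.Println("hardened config accepted")
	}
}
```

The same audit function can be run in CI over every tls.Config a service constructs, which turns the "always enabled" requirement into a test that fails before deployment rather than a finding during assessment.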

Securing Systems: The Solution

Requirement 6 emphasizes keeping systems up to date with “the most recently released, appropriate software patches” in order to eliminate security vulnerabilities that could be exploited by outside attackers or insider threats. Choose a solution that helps you apply the latest software patches quickly and easily.

Restricting Access: The Solution

Systems and processes must be in place to limit access on a need-to-know basis and according to job responsibilities. This requirement applies both to the data itself and to the management and storage of the encryption keys. Encryption is a great way to isolate data in the cloud, but it depends, of course, on keeping the encryption keys safe and ensuring that no unauthorized person has access to them. The solution is quite straightforward: administrators should never be able to see the keys used to encrypt cardholder data. Keys should be managed by name, with the value always hidden. Since administrators do not know the keys, they cannot decrypt the data.
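The following Go key service is an added example rather than Porticor's VPD or any code from the post; it illustrates both the key-splitting items in the Protection Methods list above and the rule just stated, that keys are handled by name with the value hidden. Each AES-256 key is generated inside the service, split into two XOR shares held in two stores (constructed stand-ins for two storage locations), and reassembled only inside an unexported method, so the public surface offers key names and encrypt/decrypt operations but no call that returns a key. The names, the store layout and the AES-GCM framing are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService keeps each data key as two XOR shares in two separate stores and
// addresses keys by name only. The assembled key is used inside the service
// and never returned, so an administrator can list keys but cannot read one.
type KeyService struct {
	storeA, storeB map[string][]byte // constructed stand-ins for two locations
}

func NewKeyService() *KeyService {
	return &KeyService{storeA: map[string][]byte{}, storeB: map[string][]byte{}}
}

// Create generates a fresh AES-256 key and stores only its two shares:
// a is random and b = key XOR a, so neither share alone reveals the key.
func (ks *KeyService) Create(name string) error {
	key, a, b := make([]byte, 32), make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	if _, err := rand.Read(a); err != nil {
		return err
	}
	for i := range key {
		b[i] = key[i] ^ a[i]
	}
	ks.storeA[name], ks.storeB[name] = a, b
	return nil
}

// Names is the only view an administrator gets: key names, never values.
func (ks *KeyService) Names() []string {
	names := make([]string, 0, len(ks.storeA))
	for n := range ks.storeA {
		names = append(names, n)
	}
	return names
}

// gcm reassembles the named key and wraps it in AES-256-GCM; it is unexported,
// so nothing outside the service can obtain the key bytes.
func (ks *KeyService) gcm(name string) (cipher.AEAD, error) {
	a, okA := ks.storeA[name]
	b, okB := ks.storeB[name]
	if !okA || !okB {
		return nil, errors.New("unknown key name: " + name)
	}
	key := make([]byte, 32)
	for i := range key {
		key[i] = a[i] ^ b[i]
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals pt under the named key as nonce||ciphertext||tag; aad binds
// the result to its context (such as a record id) without encrypting it.
func (ks *KeyService) Encrypt(name string, pt, aad []byte) ([]byte, error) {
	g, err := ks.gcm(name)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}

// Decrypt reverses Encrypt and fails if ciphertext, tag or aad were altered.
func (ks *KeyService) Decrypt(name string, sealed, aad []byte) ([]byte, error) {
	g, err := ks.gcm(name)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	ks := NewKeyService()
	if err := ks.Create("pan-key-2024"); err != nil {
		panic(err)
	}
	ct, _ := ks.Encrypt("pan-key-2024", []byte("4111111111111111"), []byte("record-42")) // constructed test PAN
	pt, _ := ks.Decrypt("pan-key-2024", ct, []byte("record-42"))
	fmt.Printf("keys visible to an admin: %v; decrypted: %s\n", ks.Names(), pt)
}
```

In a deployment the two stores would sit with different custodians, so that a copy of either one (or of a backup of it) is worthless on its own, which is the point of the "only partial keys are stored in any location" item above.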

Assigning Accountability: The Solution

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions, so that operations on critical data and systems can be traced.

Tracking and Monitoring: The Solution

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. Your logs must be secured and stored so that they cannot be modified.
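An added example, not part of the original post: a Go audit log in which every entry carries the unique user ID from the previous section and a keyed SHA-256 (HMAC) that chains it to the entry before it, so that editing, deleting or reordering a record is detected on verification. The record layout, the field names and the constructed sample entries are my assumptions; the MAC key would live with the log service, not on the systems being logged.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one audit record: who (the unique user ID of requirement 8) did
// what, to which resource, when. MAC chains the entry to the one before it.
type Entry struct {
	Seq      int
	UserID   string
	Action   string
	Resource string
	At       string // RFC 3339 timestamp supplied by the caller
	MAC      string // hex HMAC-SHA-256 over this entry and the previous MAC
}

// AuditLog is append-only by construction: callers get Append and Verify,
// and Entries hands out copies.
type AuditLog struct {
	key     []byte // held by the log service, not by the systems it records
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// mac covers every field plus the previous MAC; %q quoting keeps the fields
// unambiguous even if a value contains separators.
func (l *AuditLog) mac(e Entry, prev string) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%d%q%q%q%q%q", e.Seq, e.UserID, e.Action, e.Resource, e.At, prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an action. Because each MAC includes the previous MAC,
// changing, deleting or reordering any earlier entry invalidates every later one.
func (l *AuditLog) Append(userID, action, resource, at string) error {
	if userID == "" {
		return errors.New("refusing unattributed entry: every action needs a unique user ID")
	}
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	e := Entry{Seq: len(l.entries), UserID: userID, Action: action, Resource: resource, At: at}
	e.MAC = l.mac(e, prev)
	l.entries = append(l.entries, e)
	return nil
}

// Verify walks the chain and returns the sequence number of the first entry
// that fails, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || !hmac.Equal([]byte(e.MAC), []byte(l.mac(e, prev))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// Entries returns a copy so callers cannot alter the chain in place.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

func main() {
	l := NewAuditLog([]byte("constructed-log-key")) // constructed; a real key comes from the key manager
	_ = l.Append("u-1001", "decrypt", "card/42", "2024-01-01T00:00:00Z")
	_ = l.Append("u-1002", "export", "card/42", "2024-01-01T00:00:01Z")
	fmt.Println("intact:", l.Verify() == -1)
	l.entries[0].UserID = "u-1002" // someone rewrites who performed the first action
	fmt.Println("first bad entry after tampering:", l.Verify())
}
```

A chained MAC detects modification of a log the attacker can write to; it does not prevent the log from being truncated at the end, so the newest MAC should also be shipped periodically to a store the logged systems cannot reach.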

PCI Compliance in the Cloud: Is it Worth the Effort?

Complying with PCI DSS is not just about legality; it is simply good business. PCI compliance has many requirements, and perhaps life would be easier without them. But these provisions protect your customers, which in turn protects you. PCI compliance does not have to be cost-prohibitive, and it does not have to take a lot of time. But it absolutely does have to be done, and it unequivocally is worth the effort.

The post PCI Compliance in the Cloud: What you need to know appeared first on Porticor Cloud Security.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor, is a pioneer of cloud computing. He built SaaS clouds for medium and small enterprises at SAP (CTO Small Business), contributing to several SAP products and reaching more than 8 million users. More recently he created a consumer cloud at G.ho.st, a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people, and a variety of cloud-based applications. He is now CEO of Porticor, a leader in virtual privacy and cloud security.
