PCI Compliance in the Cloud: What You Need to Know

Cloud Computing – the buzzwords of the technology sector this decade: if you’re not already doing it, you’re missing out. Articles have been written. Experts have been crowned. Events have been attended. We all agree – the cloud presents opportunities for cost savings, elasticity, and scalability.

But for companies bound by the Payment Card Industry Data Security Standard (PCI DSS), securing financial data in “the cloud” presents new issues.

How is the Cloud Different?

Securing brick-and-mortar businesses was one thing, and securing data centers and hardware added another layer, but securing the foggy boundaries of the cloud presents a new set of challenges.

The skills and knowledge you acquired in the data center are still very relevant to the cloud world. However, the most obvious change is that physical walls are no longer available to protect your systems and data. Cloud Encryption is the answer – producing “mathematical walls” to replace the physical ones.

Are these challenges manageable?  Yes.

Should you take them on?  Yes.

Should you do it alone? Oh no…

PCI Compliance and Encryption in the Cloud: The Challenges
Six of the twelve requirements of PCI DSS touch on the need for encryption and key management in the cloud, and on proper management of these systems.  The main challenges in complying with PCI and operating in public or hybrid clouds are:

  • Protection methods such as hashing and encryption (part of requirement 3)
  • Encrypting transmission over networks (requirement 4)
  • Securing systems and applications (requirement 6)
  • Restricting access to data (requirement 7)
  • Assigning unique accountability (requirement 8)
  • Tracking and monitoring access (requirement 10)

These are unequivocally big topics. But you unequivocally do not need to take them on alone. Solutions like our Virtual Private Data (VPD) combine state-of-the-art encryption with patented key management to enable organizations to comply effectively with PCI DSS in the cloud.

Protection Methods: The Solution
PCI DSS stresses the importance of protection methods such as hashing and encryption, since “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.” Our solution was designed with PCI compliance specifically in mind, and includes features such as:

  • Strong hashing (SHA-2) and encryption (AES-256) to render the primary account number (PAN) unreadable.
  • Key splitting and homomorphic key encryption to protect the integrity and security of the keys.
  • Only partial keys are stored in any one location, and those parts are themselves encrypted.
  • Exact mathematical descriptions and proofs of the strength of the protocols, validated by leading cryptographic experts.
  • Support for AES-256 and RSA public keys from 1024 to 4096 bits, and secure storage of keys of any length for all major cryptosystems.

Encrypting Transmission: The Solution
According to the PCI standard, sensitive information must be encrypted during transmission over networks that may be accessed by malicious individuals.  Whichever solution you use, make sure that:

  • All communications within the system are always encrypted.
  • SSL/TLS is always enabled and cannot be switched off.
  • There are mechanisms for issuing certificates for SSL/TLS encryption on a per-customer per-project basis.
  • Your solution supports IPsec communications between cloud servers.
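The checklist above is easy to state and easy to regress on in code: the usual way TLS gets “switched off” in practice is a client that stops verifying the peer after a certificate error. The following is an added example, not code from the original post or from Porticor, showing a client-side audit of a Python `ssl.SSLContext` against the first two bullets (encryption always on, verification that cannot be disabled). The finding strings are this example's own wording; per-customer certificate issuance and IPsec between servers are outside what a single process can demonstrate offline.

```python
import ssl

# Added example: audit a Python ssl.SSLContext for the client-side settings that
# correspond to "TLS is always on and verification is never switched off".


def hardened_client_context() -> ssl.SSLContext:
    """A context that verifies the peer, checks the hostname and refuses pre-1.2 TLS."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 and all SSL
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression leaks plaintext (CRIME)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context that appears when a certificate error is 'fixed' by
    turning verification off: the connection is still encrypted, but to anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passes."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

Running `audit_context` over every context a service constructs (for instance from a unit test that imports the application's TLS factory) turns the “cannot be switched off” bullet into a failing build rather than a policy statement.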

Securing Systems: The Solution

Requirement six emphasizes keeping systems up to date with “the most recently released, appropriate software patches” in order to eliminate security vulnerabilities that could be exploited by external attackers or insider threats. Choose a solution that lets you apply the latest software patches quickly and easily.

Restricting Access: The Solution

Systems and processes must be in place to limit access based on need to know and according to job responsibilities. This requirement covers both the data itself and the management and storage of the encryption keys. Encryption is a great way to isolate data in the cloud. It depends, of course, on keeping the encryption keys safe and ensuring that no unauthorized person has access to them. The solution to this is quite straightforward: administrators should never be able to see the keys used to encrypt cardholder data. Keys should be managed by name, with the value always hidden. Since administrators do not know the keys, they cannot decrypt the data.
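Two of the ideas above, “only partial keys are stored in any one location” from the Protection Methods list and “keys managed by name, value always hidden” from this section, fit in one small illustration. The code below is an added example and is not Porticor's VPD or its patented homomorphic key encryption: it stands in a simple 2-of-2 XOR split (each share alone is uniformly random) for the key-splitting, stores the shares in two separate “locations” modelled as dictionaries, and exposes an administrator view that lists names and fingerprints only. For the PAN itself it uses a keyed SHA-256 (HMAC) rather than a bare hash, because a PAN has so little entropy that an unkeyed hash can be brute-forced from the card-number space; later PCI DSS versions require keyed hashes for that reason. The store name, key name and the Visa test number `4111111111111111` are constructed inputs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example: a key store that never keeps a whole key in one place and never
# shows key material to an administrator. Illustrative only; not Porticor's code.

KEY_BYTES = 32  # 256-bit keys, matching the AES-256 / SHA-256 strength cited in the post


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: share_a is random, share_b = key XOR share_a.
    Either share alone is indistinguishable from random bytes."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def join_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares into the original key."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


@dataclass
class SplitKeyStore:
    # Two independent locations (for instance customer-side and provider-side storage),
    # modelled here as dicts. Reading only one of them reveals nothing about any key.
    location_a: dict[str, bytes] = field(default_factory=dict)
    location_b: dict[str, bytes] = field(default_factory=dict)
    fingerprints: dict[str, str] = field(default_factory=dict)

    def create_key(self, name: str) -> None:
        key = secrets.token_bytes(KEY_BYTES)
        share_a, share_b = split_key(key)
        self.location_a[name] = share_a
        self.location_b[name] = share_b
        # A fingerprint lets operators identify, audit and rotate a key without seeing it.
        self.fingerprints[name] = hashlib.sha256(key).hexdigest()[:16]

    def admin_view(self) -> list[dict[str, str]]:
        """Everything an administrator gets: names and fingerprints, never key bytes."""
        return [{"name": n, "fingerprint": f} for n, f in sorted(self.fingerprints.items())]

    def _use_key(self, name: str) -> bytes:
        # The whole key exists only transiently, inside the cryptographic operation.
        return join_key(self.location_a[name], self.location_b[name])

    def hash_pan(self, name: str, pan: str) -> str:
        """Keyed SHA-256 over a PAN; without the named key the stored digest
        cannot be reversed or enumerated from the small PAN space."""
        return hmac.new(self._use_key(name), pan.encode(), hashlib.sha256).hexdigest()

    def pan_matches(self, name: str, pan: str, stored_digest: str) -> bool:
        """Constant-time comparison of a candidate PAN against a stored digest."""
        return hmac.compare_digest(self.hash_pan(name, pan), stored_digest)


if __name__ == "__main__":
    store = SplitKeyStore()
    store.create_key("cardholder-db-2017")          # constructed key name
    print("admin sees:", store.admin_view())
    digest = store.hash_pan("cardholder-db-2017", "4111111111111111")  # constructed test PAN
    print("stored digest:", digest)
    print("match:", store.pan_matches("cardholder-db-2017", "4111111111111111", digest))
```

The access-control point is the shape of the API: `admin_view` is the only method an operator role would be granted, and nothing returns a share or a joined key to a caller; the data-path method `hash_pan` consumes the key internally and returns only a digest.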

Assigning Accountability: The Solution

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions, so that operations on critical data and systems can be traced.

Tracking and Monitoring: The Solution

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. Your logs must be secure and stored in a way that they cannot be modified.
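Requirement 8's unique IDs and requirement 10's unmodifiable logs work together: an audit record is only worth protecting if it names exactly who acted. As an added example, not code from the original post or from Porticor, the block below keeps an append-only audit log in which every entry carries the actor's unique user ID and commits to the previous entry's seal, with each seal an HMAC-SHA256 under a log key. Editing, reordering or deleting an entry breaks the chain at that position, so a verifier can name the first bad record. The log key, user IDs, targets and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import json

# Added example: a hash-chained, HMAC-sealed audit log. In a real deployment the
# log key lives in a separate, write-protected store (ideally a different
# administrative domain from the log writers); here it is a constructed constant.
LOG_KEY = b"example-log-key-not-for-production"
GENESIS = "0" * 64  # the "previous seal" of the very first entry


def _canonical(body: dict) -> bytes:
    """Stable serialization so the seal does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list[dict], user_id: str, action: str, target: str, ts: str) -> dict:
    """Append one record. user_id is the unique ID of the accountable person
    (req. 8); prev links the record to the one before it (req. 10)."""
    prev = log[-1]["seal"] if log else GENESIS
    body = {"ts": ts, "user_id": user_id, "action": action, "target": target, "prev": prev}
    seal = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = {**body, "seal": seal}
    log.append(entry)
    return entry


def verify_log(log: list[dict]) -> tuple[bool, int]:
    """Walk the chain. Returns (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "seal"}
        if body.get("prev") != prev:          # a record was removed or reordered
            return False, i
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["seal"]):  # a field was altered
            return False, i
        prev = entry["seal"]
    return True, -1


def build_sample_log() -> list[dict]:
    """Constructed sample activity for the example; not real data."""
    log: list[dict] = []
    append_entry(log, "u-1042", "decrypt", "cardholder-db/key-2017", "2017-10-01T09:00:00Z")
    append_entry(log, "u-2077", "read", "cardholder-db/table:cards", "2017-10-01T09:01:30Z")
    append_entry(log, "u-1042", "rotate-key", "cardholder-db/key-2017", "2017-10-01T09:05:00Z")
    return log


def tampered_copy(log: list[dict]) -> list[dict]:
    """Someone rewriting history: the card-table read is attributed to another user."""
    copy = [dict(e) for e in log]
    copy[1]["user_id"] = "u-0000"
    return copy


def deleted_copy(log: list[dict]) -> list[dict]:
    """The card-table read is simply removed from the log."""
    copy = [dict(e) for e in log]
    del copy[1]
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("original:", verify_log(log))
    print("edited:  ", verify_log(tampered_copy(log)))
    print("deleted: ", verify_log(deleted_copy(log)))
```

A chain like this makes modification detectable, not impossible: it has to be paired with storage the writers cannot rewrite (write-once media, a separate log account, or a provider's immutable log service) and with periodic verification, so that a break in the chain is noticed while the original copy can still be recovered.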

PCI Compliance in the Cloud: Is it Worth the Effort?

Complying with PCI DSS is not just a legal matter – it is simply good business. There are many requirements to PCI compliance. Perhaps life would be easier without them. But these provisions protect your customers, which in turn protects you. PCI compliance does not have to be cost-prohibitive. It does not have to take a lot of time. But it absolutely does have to be done, and it unequivocally is worth the effort.

The post PCI Compliance in the Cloud: What you need to know appeared first on Porticor Cloud Security.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
