We’re in the process of making sense of the new guidance from the PCI Virtualization Special Interest Group (SIG). According to the guidance, cloud providers are obligated to “provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.” Our question is, what constitutes sufficient evidence, and is it sufficient according to us, the customer, or sufficient according to their interpretation of PCI DSS? Basically, we’d like to know how to approach the conversation about this guidance with our cloud provider.
The new guidance on PCI virtualization requirements, put forth recently by the PCI DSS council, is an excellent document that provides a wealth of information, but it also poses challenges for organizations. Among the key points to note: each "guest operating system" within a virtualized environment is considered a system component in its own right, which can, and will, dramatically increase the scope of PCI DSS requirements for any organization using virtualization. Additionally, dormant virtual machines can pose significant threats and must be addressed.
With that said, the phrase "sufficient evidence" means you need to validate against the interpretations of PCI compliance; after all, this is the framework you ultimately need to comply with. Sufficient evidence for you as an organization may mean a completely different answer and deliverable than what PCI is requiring, so always strive to meet the "sufficient evidence" clause for PCI first and foremost, with no exceptions.
For example, when PCI requires (and ultimately asks you to validate) that your data is logically separated from the provider's other clients using the same cloud systems, your "sufficient evidence" may be a signed Master Service Agreement (MSA) and Statement of Work (SOW) with the provider stating this, which may in fact be acceptable to you. For PCI, those documents alone will not suffice; you will have to push further to gain credible evidence that the requirement is met.
Another example would be Requirement 7 and access rights, particularly role-based access control (RBAC). Your cloud provider may state that only a select few individuals within the provider's organization will have access to your environment, but what evidence can the provider offer to validate this? An email stating this? How about another MSA or SOW? I think not. Once again, you need to push much further and deeper for assurances of PCI compliance, and in this case, it may mean the ability to audit the provider's access control (i.e., authentication and authorization activities).
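One concrete form that audit can take is reconciling a provider-supplied access export against the roster of named individuals and roles the provider has agreed to. The script below is an added example, not part of the original column and not any provider's tooling; the roster, the role-to-action matrix and the CSV access export are all constructed sample data, and the column layout of the export (timestamp, user, role, action, target) is an assumption about what a provider could hand over.

```python
"""Reconcile a cloud provider's access records against an approved RBAC roster.

Added example (not from the original column). All inputs are constructed:
the provider is assumed to export who touched the tenant environment
(timestamp, user, role, action, target), while the customer keeps an approved
roster of named individuals and the single role each may hold.
"""
from collections import namedtuple
import csv
import io

# Constructed sample: roster agreed with the provider and kept by the customer's PCI team.
APPROVED_ROSTER = {
    "alice@provider.example": "hypervisor-admin",
    "bob@provider.example": "storage-admin",
    "carol@provider.example": "read-only-auditor",
}

# Hypothetical RBAC matrix: actions each role is permitted to perform on the tenant environment.
ROLE_PERMISSIONS = {
    "hypervisor-admin": {"vm.start", "vm.stop", "vm.console", "vm.snapshot"},
    "storage-admin": {"volume.attach", "volume.detach", "volume.snapshot"},
    "read-only-auditor": {"vm.list", "log.read"},
}

# Constructed sample: provider-supplied access export (CSV with header row).
PROVIDER_ACCESS_EXPORT = """\
timestamp,user,role,action,target
2011-09-01T08:02:11Z,alice@provider.example,hypervisor-admin,vm.console,tenant-42/vm-07
2011-09-01T08:15:40Z,bob@provider.example,storage-admin,volume.attach,tenant-42/vol-03
2011-09-01T09:01:05Z,dave@provider.example,hypervisor-admin,vm.console,tenant-42/vm-07
2011-09-01T09:30:22Z,carol@provider.example,hypervisor-admin,vm.snapshot,tenant-42/vm-02
2011-09-01T10:12:00Z,bob@provider.example,storage-admin,vm.console,tenant-42/vm-07
2011-09-01T11:45:19Z,carol@provider.example,read-only-auditor,log.read,tenant-42
"""

Finding = namedtuple("Finding", "timestamp user reason")


def reconcile(access_export, roster=APPROVED_ROSTER, permissions=ROLE_PERMISSIONS):
    """Return one Finding per access record that does not match the approved roster.

    Three deviations are flagged: a user who is not on the roster at all, a
    rostered user acting under a role other than the approved one, and an
    action that falls outside the permissions of the role actually used.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(access_export)):
        user, role, action = row["user"], row["role"], row["action"]
        approved_role = roster.get(user)
        if approved_role is None:
            findings.append(Finding(row["timestamp"], user, "user not on approved roster"))
            continue
        if role != approved_role:
            findings.append(Finding(row["timestamp"], user,
                                    f"acted as {role}, approved only for {approved_role}"))
            continue
        if action not in permissions.get(role, set()):
            findings.append(Finding(row["timestamp"], user,
                                    f"action {action} outside role {role}"))
    return findings


def summarize(findings):
    """Count findings per user, the shape of table an assessor usually wants to see."""
    counts = {}
    for finding in findings:
        counts[finding.user] = counts.get(finding.user, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in reconcile(PROVIDER_ACCESS_EXPORT):
        print(f"{finding.timestamp} {finding.user}: {finding.reason}")
```

On the sample export this flags three records: an unrostered user, a rostered user acting under a different role than agreed, and an approved role performing an action outside its permissions. Each finding is a specific question to put to the provider, which is far stronger evidence for Requirement 7 than a contractual statement that access is restricted.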
Thus, you can quickly see that your notion of "sufficient evidence" will often not be enough to meet the rigors of PCI compliance. As I've stated many times, PCI compliance is not black and white; rather, it is subjective and qualitative in nature. You have to work through each of the 12 requirements, along with Appendix A, to find credible information and documentation that will support your compliance needs, especially in today's growing cloud environment.
This was first published in September 2011