
Cloud computing providers and PCI virtualization requirements

Find out how enterprises should approach cloud computing providers following the debut of the PCI virtualization requirements.

We’re in the process of making sense of the new guidance from the PCI Virtualization Special Interest Group (SIG). According to the guidance, cloud providers are obligated to “provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.” Our question is, what constitutes sufficient evidence, and is it sufficient according to us, the customer, or sufficient according to their interpretation of PCI DSS? Basically, we’d like to know how to approach the conversation about this guidance with our cloud provider.

The new guidance on PCI virtualization requirements, put forth recently by the PCI DSS council, is an excellent document that provides a wealth of information, but it also poses challenges for organizations. Key points to note are that each "guest operating system" within a virtualized environment is considered a system component in its own right, which can, and will, dramatically increase the scope of PCI DSS requirements for any organization using virtualization. Additionally, dormant virtual machines can expose significant threats and must be dealt with.

With that said, the phrase "sufficient evidence" means you need to validate against the interpretations of PCI compliance; after all, this is the framework you ultimately need to comply with. Sufficient evidence for you as an organization may mean a completely different answer and deliverable than what PCI is requiring, so always strive to meet the "sufficient evidence" clause for PCI first and foremost, with no exceptions.

For example, when PCI requires (and ultimately requires validation) that your data is logically separated from the provider's other clients using the same cloud systems, your "sufficient evidence" may be a signed Master Service Agreement (MSA) and Statement of Work (SOW) with the provider stating this, and that may in fact be acceptable to you. For PCI, those documents alone will not suffice; you will have to push further to gain credible evidence that this requirement is met.

Another example would be Requirement 7 and access rights, particularly role-based access control (RBAC). Your cloud provider may state that only a select few individuals within its organization will have access to your environment, but what evidence can the provider offer to validate this? An email stating this? How about another MSA or SOW? I think not. Once again, you need to push much further and deeper for assurances of PCI compliance, and in this case it may mean the ability to audit the provider's access control (i.e., its authentication and authorization activities).

Thus, you can quickly see that your notion of "sufficient evidence" will often not be enough to meet the rigors of PCI compliance. As I've stated many times, PCI compliance is not black and white, rather, it is subjective and qualitative in nature. You have to work through each of the 12 requirements, along with Appendix A, to find credible information and documentation that will support your compliance needs, especially in today's growing cloud environment.

This was last published in September 2011
