The Importance of Properly Scoping Cloud Environments

PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) recently released a joint industry threat bulletin highlighting the importance of properly scoping cloud environments. In this blog, the PCI SSC and CSA share guidance and best practices for properly scoping cloud environments.

Why are you issuing this industry threat bulletin and what is it about?

Troy Leach: There’s a few trends that influenced this campaign. First, our Special Interest Groups have repeatedly elected to address cloud-related topics for several years in a row. Add to that the global growth in use of cloud services where early implementation has seen common mistakes made for basic security and awareness of scoping. We felt, as a leader in payment security, and all the collective guidance that exists between us and our colleagues from the Cloud Security Alliance (CSA), that it was important to raise awareness and emphasize the critical importance of properly scoping cloud environments.

Jim Reavis: CSA works every day on cloud security issues and our industry is well aware of the many cyber threats aimed at cloud environments, which is fast becoming the dominant IT system. Those threats will continue to grow as more and more organizations, large and small utilize cloud services. We welcome the opportunity to work with the PCI SSC on the key topic of properly scoping cloud environments.

What is cloud and why does it matter?

Jim Reavis: A common understanding of what cloud computing actually is helps facilitate conversations about how to best manage risks and assure optimized security. Definitions range from the notional “running your programs on someone else’s computer” to the more formal “on demand network access to a shared pool of rapidly provisioned compute resources” that emanates from NIST’s original definition of cloud authored in 2009 and revised in 2011.

Troy Leach: The use of cloud computing services has accelerated in recent years and is projected to continue expanding in the future. It is estimated that 48% of corporate data is stored on the cloud and 90% of companies in the world now use this technology. This dramatic increase in use of cloud services makes sense given the many benefits cloud computing can provide to businesses large and small. Cloud computing can be an efficient and economic way to scale businesses and their related payment acceptance. Because of these many benefits, investment in cloud computing is projected to be an ever-increasing priority for businesses around the world, especially for Late Adopters or those expanding the services cloud technology can provide. That makes security of the cloud more important than ever.

What businesses are at risk of these possible cloud threats?

Jim Reavis: Businesses large and small use cloud computing services which means everyone who uses cloud services could be at risk of an attack. Too many small businesses that use a cloud service provider (CSP), think they are immune from any attacks. That is simply not the case.

Speaking of using a cloud service provider (CSP), what are some things organizations should know when engaging with a CSP?

Troy Leach: A CSP should be viewed as a partner in protecting payment data rather than the common assumption that all responsibility has been completely outsourced. The use of a CSP for payment security related services does not relieve an organization of the ultimate responsibility for its own security obligations, or for ensuring that its payment data and payment environment are secure.

Much of this misunderstanding comes from simply not including payment data security as part of the conversation and how requirements, such as those in PCI DSS, will be met.

Some guidance for selecting and working with a CSP include:

Third-Party Service Provider Due Diligence: When selecting a CSP, organizations should vet CSP candidates through careful due diligence prior to establishing a relationship and explicit understanding of which entity will assume management and oversight of security. This will assist organizations in reviewing and selecting CSPs with the skills and experience appropriate for the engagement.

Service Correlation to PCI DSS Requirements: Organizations should understand how the services provided by CSPs correspond to the applicable PCI DSS requirements. This will assist an organization in determining the potential security impact of utilizing CSPs on the organization’s payment data environment. This information can also be used to determine and understand which of the payment security requirements will apply to and be satisfied by the CSP, and which will apply to and be met by the organization.

Note: Regardless of how specific responsibilities may be allocated between an organization and a CSP, ultimate responsibility for payment data security rests with the organization. Engaging a CSP does NOT relieve an organization of their security obligations. This responsibility cannot be outsourced.

Written Agreements and Policies and Procedures: Organizations should consider detailed written agreements such as contracts, services agreements, and responsibility matrices to promote consistency and mutual understanding between the organization and its CSP(s) concerning their respective responsibilities and obligations with respect to PCI DSS requirements.

Monitor Third-Party Service Provider Compliance Status: Organizations should be aware of the CSP’s PCI DSS compliance status as a Service Provider compared to their own obligation to adhere to PCI DSS requirements for their own payment acceptance practices. A CSP demonstrating they have met PCI DSS for their own card environment does not necessarily equate to the services they offer have been evaluated against the PCI DSS requirements.

Having this conversation with the CSP will provide an organization assurance and awareness about whether the CSP complies with the applicable requirements for the services provided. If the CSP offers a variety of services, this knowledge will assist the entity in determining which CSP services will be in scope for the entity’s PCI DSS assessment.

What are some actions organizations can take that would help to reduce risks and be considered best practices when in comes to cloud security?

Jim Reavis: Limiting exposure to payment data reduces the chance of being a target for criminals. In addition, consider the following best practices:

• Data protection: Assure that information is protected by maximizing use of strong cryptography and key management practices, tokenization, and masking where feasible and employing robust data loss prevention solutions. Best practices call for protection of data in three states: Data in Transit (network encryption), Data at Rest (storage encryption) and Data in Use (masking, tokenization, and emerging encryption technologies). Data loss prevention solutions detect, log, and potentially block unauthorized access to sensitive data.
• Authentication: Assure that strong multi-factor authentication is pervasive to protect against common attacks against the credentials of consumers, merchants, and service providers. Strong authentication should be based upon industry standards, such as FIDO (Fast IDentity Online), SAML, OpenID and OAuth. Payment CSPs may vary in what they consider their scope of responsibilities for strong authentication. Is it optional or mandatory for users? Is it compatible with the pervasive authentication features available to consumers, such as mobile device biometrics? Does the strong authentication solution provide a frictionless consumer experience, or does it require significant user configuration?
• Systems management: Recent high-profile breaches have pointed to weaknesses in how responsible parties perform routine systems management functions, such as patch management, verification of code updates and configuration management. Most of these responsibilities should be undertaken by the payment CSP, however some components may be the responsibility of the infrastructure CSP.
• DevOps & DevSecOps: These terms describe emerging best practices for frameworks used for developing software in the cloud that is designed, coded, and tested to be as secure and defect-free as possible. DevOps processes will define both original code developed by the CSP as well as APIs and third-party modules that are incorporated into the finished software product. Merchants should determine if the CSP has a documented DevOps software development lifecycle and can provide evidence of what code it developed and what third party technology is included in the payment solution. Software supply chains are important areas of exposure for malicious attackers and merchants should understand the original source of all components of the payment solution.
• Data governance: With global nature of cloud, assure that information stays within the appropriate jurisdiction boundaries and is accessed by stakeholders with legitimate needs. This relates back to understanding the payment CSP’s selection of cloud infrastructure and how it is configured to use different datacenters in selected geographical regions.
• Resiliency: Assure that service providers take advantage of cloud’s nearly unlimited capabilities to provide redundancy for application availability and data backups. From a scoping perspective, the merchant should examine the payment CSP’s selection of cloud infrastructure. Is the system using multiple, redundant data centers? Is the data replicated between multiple data centers? Is the appropriate level of data tiering in place, including offline backups and archiving, to protect against data destruction attacks such as ransomware? Does the application automatically failover if a single datacenter has network or system availability issues?

Are there additional resources, where I can get more information on the topic of cloud security?

Jim Reavis: The CSA has many resources on our webpage that can be of help including our Cloud Controls Matrix, Certificate of Cloud Auditing Knowledge and information on our STAR (Security, Trust, Assurance and Risk) Program. That information can be found at:

• Certificate of Cloud Security Knowledge CCSK
• Top Threats to Cloud Computing: Egregious Eleven Deep Dive
• Security Guidance for Critical Areas of Focus in Cloud Computing
• Cloud Controls Matrix
• Certificate of Cloud Auditing Knowledge
• CSA (STAR) Security, Trust, Assurance and Risk Program

Troy Leach: The PCI SSC has produced several documents that can help provide greater understanding about cloud security as it relates to payment security. Our current Special Interest Group is working on the issue of “Best Practices for Container Orchestration”. The goal of the SIG is to provide guidance for companies on how to enhance security when using container orchestration tools. This guidance will include an overview of container orchestration tools as well as a breakdown of payment industry considerations, and use-case contextualized best practices. The guidance is due out later this year. PCI SSC documents that would be a helpful understanding cloud security include:

• PCI SSC Cloud Computing Guidelines
• Guidance for PCI DSS Scoping and Network Segmentation
• Information Supplement: Third-Party Security Assurance
• PCI Perspectives | Cloud Security (pcisecuritystandards.org)
• Qualified Security Assessors (pcisecuritystandards.org)
• PCI SSC Announces 2021 Special Interest Group Election Results (pcisecuritystandards.org)

Learn More About the Importance of Properly Scoping Cloud Environments