Virtualization Technology News and Information
Two Top Cybersecurity Organizations Issue Joint Bulletin on the Importance of Cloud Scoping

The PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) issued a joint bulletin to highlight the importance of properly scoping cloud environments. The full bulletin can be viewed here.

Why Cloud Matters
The use of cloud computing services has accelerated in recent years and is projected to continue expanding in the future. This dramatic increase in use of cloud services makes sense given the many benefits cloud computing can provide to businesses large and small. Cloud computing can be used to provide customers with access to the latest technologies without a costly investment in computing resources. Because of these many benefits, investment in cloud computing is projected to be an ever-increasing priority for businesses around the world. Along with this increased use has come increased concern about security.

The Importance of Cloud Scoping to Payment Environment Security
At a high level, scoping involves identifying the people, processes, and technologies that interact with, or could otherwise affect the security of, payment data or systems. When cloud services are used for payments, this responsibility is typically shared between the cloud customer and the cloud service provider (CSP).

Data breach investigation reports continue to find that organizations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems. Proper scoping should be a critical and ongoing activity for organizations to ensure they are aware of where their payment data is located and that the necessary security controls are in place to protect that data. Improper scoping can result in vulnerabilities being unidentified and unaddressed, which criminals can exploit. Knowing exactly where payment data is located within your systems will empower organizations to develop a game plan to protect that data.

Understanding Roles and Responsibilities
Organizations that outsource payment services to CSPs often rely on the CSP to securely store, process, or transmit cardholder data on their behalf, or to manage components of the entity's payment data environment. CSPs can thus become an integral part of the organization's payment data environment and directly affect the security of that environment.

Too many organizations see bringing in a third-party CSP for payment security services as the only step needed to secure payment data. Using a CSP for payment-security-related services does not relieve an organization of ultimate responsibility for its own security obligations, or for ensuring that its payment data and payment environment are secure. Clear policies and procedures should be established between the organization and its CSP for all applicable security requirements, along with measures to manage and report on those requirements.

Best Practices
Limiting exposure to payment data reduces the chance of becoming a target for criminals. Some important areas of best-practice focus are:

  • Data protection: Ensure that information is protected by maximizing the use of strong cryptography and key management practices, tokenization, and masking where feasible, and by employing robust data loss prevention solutions.
  • Authentication: Ensure that strong multi-factor authentication is pervasive, to protect against common attacks on the credentials of consumers, merchants, and service providers.
  • Systems management: Recent high-profile breaches have pointed to weaknesses in how responsible parties perform routine systems management functions, such as patch management, verification of code updates, and configuration management.
  • DevOps & DevSecOps: Software supply chains are important areas of exposure to malicious attackers, and merchants should understand the original source of all components of the payment solution.
  • Data governance: Given the global nature of the cloud, ensure that information stays within the appropriate jurisdictional boundaries and is accessed only by stakeholders with legitimate needs.
  • Resiliency: Ensure that service providers take advantage of the cloud's nearly unlimited capacity to provide redundancy for application availability and data backups.

"The importance of scoping payment environments and then properly securing payment data and authentication credentials within cloud environments continues to be a common request from stakeholders," said Troy Leach, Senior Vice President, Market Intelligence and Industry Engagement, PCI Security Standards Council (PCI SSC). "Based on these requests on scoping and related industry trends, we wanted to raise awareness of this important issue with our friends and colleagues from the Cloud Security Alliance (CSA) to highlight existing material that provides a wealth of guidance."

"The bulletin we are jointly issuing today should be read by those who care about data security in cloud environments," remarked Jim Reavis, CEO of the Cloud Security Alliance (CSA). "By understanding cloud and the various roles, responsibilities and best practices related to cloud security, organizations can be better prepared to guard against cyber-attacks."
Published Thursday, August 05, 2021 12:06 PM by David Marshall