Compliance and regulatory concerns are often raised when it comes to cloud computing, and many of the more interesting applications organisations would like to deploy to the cloud are precisely those governed by some form of regulatory standard. Let's look in more detail at one of these.
PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International) to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
So, is it possible to create a PCI DSS compliant application that can be deployed to EC2?
For an application or system to become PCI DSS compliant requires an end-to-end system design (or a review, if the system already exists) and implementation. AWS customers attaining PCI compliance (certification) would have to ensure they met all of the prescribed requirements, through the use of encryption and so on, much as other customers have done with HIPAA applications. The AWS design allows customers with varying security and compliance requirements to build to those standards in a customised way.
There are different levels of PCI compliance. The lower levels involve quite a straightforward configuration, but still require additional things such as third-party external vulnerability scanning (the DSS calls for these scans quarterly, from an Approved Scanning Vendor, with an annual penetration test on top). You can find an example here of the PCI scan report that is done on a quarterly basis for the Amazon platform. This isn't meant to be a replacement for the customer's own scan requirement: customers undergoing PCI certification should have a dedicated scan that covers their complete solution, thereby certifying the entire capability and not just the Amazon infrastructure.
The principles, and the requirements that accompany them, around which the specific elements of the DSS are organized, are:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Many of these requirements can't be met by a datacenter provider alone, but in Amazon's case they will be able to provide a SAS 70 Type II audit statement in July that will supply much of the infrastructure information needed for PCI DSS certification. The control objectives the Amazon audit will address are:
Control Objective 1: Security Organization: Management sets a clear information security policy. The policy is communicated throughout the organization to users.
Control Objective 2: Amazon Employee Lifecycle: Controls provide reasonable assurance that procedures have been established so that Amazon employee accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis to reduce the risk of unauthorized or inappropriate access.
Control Objective 3: Logical Security: Controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted.
Control Objective 4: Access to Customer Data: Controls provide reasonable assurance that access to customer data is managed by the customer and appropriately segregated from other customers.
Control Objective 5: Secure Data Handling: Controls provide reasonable assurance that data handling between the customer's point of initiation and the Amazon storage location is secured and mapped accurately.
Control Objective 6: Physical Security: Controls provide reasonable assurance that physical access to Amazon's operations building and the data centers is restricted to authorized personnel.
Control Objective 7: Environmental Safeguards: Controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster on the computer and data center facilities.
Control Objective 8: Change Management: Controls provide reasonable assurance that changes (including emergency, non-routine and configuration changes) to existing IT resources are logged, authorized, tested, approved and documented.
Control Objective 9: Data Integrity, Availability and Redundancy: Controls provide reasonable assurance that data integrity is maintained through all phases, including transmission, storage and processing, and that the data lifecycle is managed by customers.
Control Objective 10: Incident Handling: Controls provide reasonable assurance that system problems are properly recorded, analyzed and resolved in a timely manner.
Many thanks to Carl from Amazon for his help with this information.
Update: Since this post was published Amazon updated their PCI DSS FAQ. You can find that here.