As more and more organizations turn to cloud computing to reduce their costs and increase their operational efficiency and agility, it’s natural for cloud security to become ever more top of mind. CISOs must balance their compliance responsibilities against the benefits of the cloud. Luckily, a well-planned cloud security implementation can enable businesses to take full advantage of the cloud while maintaining PCI compliance. Let’s look at some PCI DSS 3.0 requirements and how cloud security can help.
Requirement 3.4: “Render PAN unreadable anywhere it is stored”
The protection of sensitive cardholder data like PANs is critical to maintaining PCI compliance. These days, with cloud computing drastically increasing the number of places where data might be stored, that can seem challenging. In a cloud environment, data might be duplicated, moved around, or stored in multiple places without the original owner’s knowledge.
Fortunately, it’s easier to ensure the continuous protection of PANs than you might think. An automated, policy-based cloud security strategy that granularly applies your choice of strong encryption and tokenization to data before it even leaves your perimeter will keep PANs safe no matter where they’re stored. Add enterprise-exclusive access to and control of encryption keys to render PANs unreadable by anyone except authorized parties. Additionally, that tight control of your encryption keys helps satisfy Requirement 3.5.1, which mandates that organizations “restrict access to cryptographic keys to the fewest number of custodians necessary,” and 3.5.3, which requires organizations to “store cryptographic keys in the fewest possible locations.”
Requirement 4.2: “Never send unprotected PANs by end-user messaging technologies”
Cloud computing and the mobility trend go hand-in-hand. One of the key benefits of the cloud is the accessibility of data and services from anywhere, at any time, and often using any device—desktop, laptop, tablet, or mobile. But with so many vectors for the transmission of potentially sensitive data, how can organizations ensure that data is protected no matter where it originates?
Working in conjunction with clear DLP and BYOD device registration policies, data-focused cloud security and mobile device management solutions can address this problem. Look for a solution that can identify and encrypt sensitive information on the fly so that it is always protected, no matter who’s sending it, or over what platform. In many cases, these solutions cause little to no noticeable latency or disruption to the end user experience and can greatly beef up your overall data security posture.
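To make the two controls above concrete, here is an added example (not code from the original post and not any vendor's product) that ties together the Requirement 3.4 point about tokenizing PANs before they leave the perimeter and the Requirement 4.2 point about identifying sensitive data in messages on the fly. It scans a message for candidate card numbers, keeps only those that pass the Luhn checksum (so a 16-digit order number is left alone), and replaces each real PAN with a random token from an in-memory vault. The `TokenVault` class, `protect_message`, and the sample message are constructed for this illustration; the dictionary store stands in for the encrypted, access-controlled vault a production tokenization service would use.

```python
import hashlib
import hmac
import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The Luhn check below filters out most non-card digit runs that match this shape.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Yield (start, end, digits) for each Luhn-valid PAN found in text."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            yield m.start(), m.end(), digits


class TokenVault:
    """Constructed, in-memory stand-in for a tokenization service.

    Only the vault (inside the PCI perimeter) can map a token back to a PAN.
    The same PAN always maps to the same token via an HMAC lookup index, so
    downstream systems can still correlate records without ever seeing the PAN.
    A production vault would encrypt the token->PAN store at rest with keys held
    by the few custodians Requirement 3.5.1 allows; that layer is omitted here.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_index = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}     # token -> PAN (the only place the PAN lives)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(8)   # random; carries no PAN bits
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Authorized-only path back to the PAN; raises KeyError on unknown tokens."""
        return self._pan_by_token[token]


def protect_message(text: str, vault: TokenVault):
    """Replace every Luhn-valid PAN in text with its token before the message
    leaves the perimeter. Returns (protected_text, number_of_pans_replaced)."""
    pieces, last, replaced = [], 0, 0
    for start, end, digits in find_pans(text):
        pieces.append(text[last:start])
        pieces.append(vault.tokenize(digits))
        last = end
        replaced += 1
    pieces.append(text[last:])
    return "".join(pieces), replaced


if __name__ == "__main__":
    # Constructed sample: one Luhn-valid test-format PAN and one 16-digit
    # order number that must be left untouched.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    msg = "Card 4111 1111 1111 1111 approved; order 1234 5678 9012 3456 ships Friday."
    protected, n = protect_message(msg, vault)
    print(n, protected)
```

The HMAC index is what lets the same card produce the same token across messages without storing a reversible copy of the PAN in the lookup table; the random token itself reveals nothing. Detokenization is deliberately a separate method so that access to it can be restricted to the small set of systems and people that genuinely need the PAN back.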
Requirement 5.1: “Deploy anti-virus software on all systems commonly affected by malicious software”
PCI DSS 3.0 Requirement 5 focuses generally on the deployment, maintenance, and timely updating of antivirus and malware protection software, which continues to be critical to data security. Malicious software poses a continuing threat to the integrity of systems and the security of data: hackers are growing more sophisticated as defenses evolve, and keeping abreast of current threats can mean the difference between prevention and disaster.
Antivirus and malware protection should be a critical component of your cloud security strategy. In addition to installing antivirus software on all your endpoints, look for a cloud-integrated antivirus and malware detection solution to detect malicious software as it enters, exits, and even travels through the cloud so that potentially infected content can be quarantined before it affects anything else. Additionally, keep your antivirus solution updated and document all activity to satisfy Requirement 5.2, which mandates that organizations maintain their antivirus mechanisms by keeping them current, performing periodic scans, and generating audit logs.
These are just three of the ways that a thoughtful cloud security implementation can help maintain PCI compliance. What are some other benefits cloud security can offer to compliance-minded CISOs? Let us know your thoughts in the comments.