PCI DSS Compliance in a Cloud Computing Environment. Part 2

Cloud computing

Cloud computing recently became a popular topic and has been adopted by many enterprises. The National Institute of Standards and Technology (NIST) has defined cloud computing as follows:  “Cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [1]

1. Overview and history

According to Hamdaqa [2] cloud computing is based on two basic paradigms: virtualization, which abstracts the physical architecture and allows use of it as a software and atomic computing, which enables self-management of distributed systems

The basis of cloud computing is a notion of time sharing, [3] developed in the 1950s and allowed shared use of mainframes CPU time through terminal connection.

Later, the availability of cheap computers and high-bandwidth networks, coupled with development hardware virtualization technologies, resulted in the rapid growth of cloud computing [4], [5], [6].

2. Service and deployment models

Cloud service providers (CSPs) offer services, which could be divided into three main categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). There are also four types of cloud deployment models: Private Cloud, Public Cloud, Hybrid Cloud and Community Cloud. [7], [1] (Figure 1)


Figure 1- NIST Visual Model of Cloud Computing Definition [8]

Companies before making a decision on each type of cloud should weigh all benefits and limitations of each type in terms of cost and security, among others.

3. Challenges

Dillon, Wu, and Chang [9] identify the following challenges related to the adoption of cloud computing:

– Security

– Costing Model

– Charging Model

– Service Level Agreement

– What to migrate

However, the authors only briefly discuss each of these areas and focus mainly on the results of survey [10], not paying attention to such sensitive aspects of cloud computing as legal, privacy, compliance, governance, etc.

Zhang, Qi, Lu Cheng, and Boutaba [7] also present only a brief overview of cloud computing technology and discuss core research challenges. The paper does not develop new models or concepts, but instead only analyses current developments and trends.

Although the researchers touch on security issues in general, they focus mainly on basic issues with confidentiality, integrity and availability, failing to address and explore important problems such as compliance in depth.


[1]       Mell, and Grance (2011) “The NIST definition of cloud computing”. NIST special publication 800-145

[2]       Hamdaqa (2012). “Cloud Computing Uncovered: A Research Landscape”. Elsevier Press. p. 312. ISBN 0-12-396535-7

[3]       Strachey (1959). “Time Sharing in Large Fast Computers”. Proceedings of the International Conference on Information processing, UNESCO p. 336–341

[4]       “Cloud Computing: Clash of the clouds”. The Economist. (2009). http://www.economist.com/node/14637206?story_id=14637206

[5]        “Gartner Says Cloud Computing Will Be As Influential As E-business”. Gartner. http://www.gartner.com/newsroom/id/707508

[6]       Gruman (2008). “What cloud computing really means”.InfoWorld. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031

[7]       Zhang, Cheng, Boutaba. (2010) “Cloud computing: state-of-the-art and research challenges.” Journal of Internet Services and Applications 1, p. 7-18.

[8]       NIST Visual Model of Cloud Computing Definition

[9]       Dillon, Wu, Chang (2010) “Cloud Computing: Issues and Challenges” 24th IEEE International Conference on Advanced Information Networking and Applications

[10]    IDC Survey (2009) http://blogs.idc.com/ie/?p=730