Cloud Computing Security – A brief overview of Threats, Vulnerabilities, and Countermeasures

Threats

In 2013 the Cloud Security Alliance released a report, which identifies and describes 9 significant threats to Cloud computing [3]. This report was conducted through a survey of experts and intends to help companies in their Risk assessment. The Cloud Security Alliance (CSA) is one of the first nonprofit organizations that have tried to set up standards for best practices for secure cloud computing. They further try to offer guidance and security education.

The identified threats are listed in accordance to their severity:

1. Data Breaches: Data breaches occur when sensitive information of a company falls into the hands of its competitors and cloud computing introduces new ways of attack [1,3].

2. Data Loss: Data Loss can happen in several ways and is a terrifying thought for businesses. Accidental deletions by the CSP or physical catastrophes are examples of possible ways of loosing data in the cloud. Another example is if the consumer encrypts the data before uploading it to the cloud but then looses the encryption key [1, 3].

3. Account or Service Traffic Hijacking: There are different ways an account can be hijacked such as social engineering. If an attacker is able to get access to an account he can access, for example, sensitive data, manipulate it, and also redirect transactions [3, 9].

4. Insecure APIs: Services provided by CSPs can be accessed through APIs and therefore the security of the cloud depends also highly on the security of these APIs.  Weak credentials, insufficient authorization checks and insufficient input-data validation are some problems that can arise with APIs [3, 9].

5. Denial of Service (DoS): Cloud System Resources are being overused by an attacker, which prevent users from being able to access their data or applications [1, 3].

6. Malicious insiders: This threat refers to the fraud, damage or theft of information and misuse of IT resources caused from inside the CSP [3, 9].

7. Abuse of Nefarious Use:  CSP are known to have weak registration processes and therefore can give easy access to attackers. Possible impacts include decoding and cracking of passwords and executing malicious commands [1, 3].

8. Insufficient due diligence: Some companies do not have the right resources and understanding of the cloud environment to correctly evaluate the risk associated with responsibilities. Some implications can be contractual issues and operational and architectural issues [3].

9. Shared Technology Vulnerabilities: This threat can occur in all service models and refers to the fact that a single vulnerability could compromise the entire provides cloud [3].

Vulnerabilities in the Cloud

Vulnerability is the second factor companies have to consider when assessing the risk of migrating data to the cloud. Even though many types of vulnerabilities exist, when identifying them it is important to make sure they are cloud specific.

What makes a Vulnerability cloud specific?

According to the research conducted in [5] there are several criteria, which can be met by a vulnerability to make it cloud specific.

  • Virtualization, service- oriented architecture and cryptography are examples of core technologies of cloud computing. A Vulnerability is cloud specific if it is frequent and fundamental to these core technologies.
  • Elasticity, resource pooling and pay-as-you go mode are example on the other hand of cloud characteristics [4]. A Vulnerability is cloud specific if its root cause is in one of those characteristics.
  • Another criteria that makes a vulnerability cloud specific is if it hard to implement existing security controls to cloud innovations.
  • The last criteria they mention is that it has to be frequent in established state-of-the-art cloud services

Knowing what makes a vulnerability cloud specific one can then identify vulnerabilities in the cloud. The paper [1] has identified in total 7 major vulnerabilities of cloud computing:

1 Session Riding and Hijacking: This vulnerability is related to web applications weaknesses. Session Hijacking is unauthorized access is gained through a valid session key [8]. Session riding on the other hand is when the attacker sends commands to a web application by tricking the user open an email or to visit a malicious website [1].

2. Reliability and Availability of Service: This vulnerability takes into consideration that cloud computing is not perfect. More and more service are built on top of cloud computing infrastructures. In case of a failure a large amount of Internet based services and applications may stop working. The paper [1] give the example of an event in 2008 when Amazon’s Web Service cloud storage infrastructure went down for several hours. This caused data loss and access issues.

3. Insecure Cryptography: One of the fundamental problems in cryptography is the random generation of numbers. If numbers used in cryptographic algorithm are not truly random flaws can be found easily. The Virtual machines used on the cloud do not have enough sources of entropy and are therefore susceptible to attacks [1].

4. Data Protection and Portability: This vulnerability addresses the questions of what happens with the sensitive data in case of contract termination or in case the CSP goes out of business [1].

5. Virtual Machine Escape: This vulnerability refers to the possibility of breaking out of a virtual machine and interacting with the host operating system. Given that many virtual machine can exist in the same location increases the attack surface for the attacker [1].

6 Vendor Lock-in: The vulnerability lies in companies being dependent on the CSP they have initially chosen. Inconsistencies between CSPs and lack of standards make it hard for companies to switch providers [1].

7. Internet Dependency: Cloud Computing is very much dependent on the Internet. Users usually access services through web browsers. Some critical operation such as Healthcare systems needs to be up and running 24 hours. The question arises in situations where the Internet is not reliable [1].

Countermeasures

 Having identified the risks of cloud computing it is then possible to assess which data or applications should be migrated and how much security is needed. Further, it is possible to come up with countermeasures or safeguards to mitigate these risks. Countermeasures may come in various forms such as policies, procedures, software configurations, and hardware devices [4].

For the threats and vulnerabilities mentioned in this report there exist countermeasures that can help mitigate the risk. Papers such as [6], [3], and [9] give possible solutions to these risks. Some of them are for example Identity and access management guidance for the threat of account or service hijacking [6]. The CSA has issued a report to provide a list of best practices such as separation of duties and identity management [2]. For the threat of data leakage for example the main countermeasure is encryption [8, 6].

Even though there are many countermeasures that have been identified a good practice for companies is to have a good Service Level agreement (SLA) with the CSP. SLAs are the only legal agreement between client and service provider and should cover aspects such as security policies and their implantation and also should discuss legal issues in case of misuse of services [7]. The CSA further has come up with a framework that can assist in looking at the aspects of Governance, Risk and Compliance (GRC) in a company’s IT policy when adopting a new solution. Their framework assists in assessing Clouds provided by CSPs against established best practices and standards.

We have looked at Threats and Vulnerabilities and come to conclude that there are still several issues to cloud computing that need to be solved. Therefore, it is only understandable that companies still view cloud computing skeptical and do not adopt it as an option without consideration. Companies themselves should ensure through service level agreements that they get the security they need. Further we are able to see through organizations such as the Cloud Security Alliance that there are efforts in trying to create standards and help companies in choosing the right provider.

References

[1]       Bamiah, Mervat Adib, and Sarfraz Nawaz Brohi. “Seven Deadly Threats and Vulnerabilities in Cloud Computing.” International Journal of Advanced Engineering Sciences and Technologies (IJAEST) (2011).

[2]       Brunette, Glenn, and Rich Mogull. “Security guidance for critical areas of focus in cloud computing v2. 1.” Cloud Security Alliance (2009): 1-76.

[3]       Cloud Security Alliance, “The Notorious Nine Cloud Computing Top Threats in 2013”, Cloud Security Alliance, 2013, [Online]

[4]       Dahbur, Kamal, Bassil Mohammad, and Ahmad Bisher Tarakji. “A survey of risks, threats and vulnerabilities in cloud computing.” In Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, p. 12. ACM, 2011.

[5]       Grobauer, Bernd, Tobias Walloschek, and Elmar Stocker. “Understanding cloud computing vulnerabilities.” Security & Privacy, IEEE 9, no. 2 (2011): 50-57.

[6]       Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. “An analysis of security issues for cloud computing.” Journal of Internet Services and Applications 4, no. 1 (2013): 5.

[7]       Kandukuri, Balachandra Reddy, V. Ramakrishna Paturi, and Atanu Rakshit. “Cloud security issues.” In Services Computing, 2009. SCC’09. IEEE International Conference on, pp. 517-520. IEEE, 2009.

[8]       Munir, Kashif, and Sellapan Palaniappan. “Secure Cloud Architecture.” Advanced Computing: An International Journal (ACIJ), 4 (1), 9-22. (2013).

[9]       Yu, Ting-ting, and Ying-Guo Zhu. “Research on Cloud Computing and Security.” In Distributed Computing and Applications to Business, Engineering & Science (DCABES), 2012 11th International Symposium on, pp. 314-316. IEEE, 2012.

Privacy

Defining privacy is a difficult task.

No definition of privacy is possible, because privacy issues are  fundamentally matters of values, interests, and power – Alan Westin as  reported in Gellman (1997, p.194)
Privacy, however, is a concept in disarray. Nobody can articulate what it  means – Daniel Solove (2009,p.1)
It is not possible to give a unique, unitary definition of privacy that covers  all the diverse privacy interests  – Judith W. DeCew (1997, p.61)
Privacy is a value so complex, so entangled in competing and  contradictory dimensions, so engorged with various and distinct meanings,  that I sometimes despair whether it can be usefully addressed at all  – Robert C. Post (2001, p.2087)

I want to share with you several videos on privacy.

  • Short documentary: Why Privacy Matters
  • A mock up of ordering pizza by phone to show how peoples behaviour can be tracked.
  • A training video produced by the UK Information Commisioner’s Office on Data Protection Act, – Lights are on

Finally, Javvad explores the difference between security and privacy:

Governance, Risk and Compliance in the Cloud research project

cloudaudit_logocai_logo_clipped

ccm-logoctp-logo

A major UK-based telecommunications company proposed to conduct a joint research  with MSc Information Security students at UCL.

The use of cloud computing as a way of providing and consuming on-demand, pay-as-you-consume ICT service has revolutionised the industry.  Services like Amazon EC2 have seen a huge increase in its revenue. However, currently it is the Small and Medium Enterprises (SMEs) that are leading the way in the use of these public Infrastructure as a Service (IaaS) offerings. 

The company envisages that as these services become more mature and secure, they will be adopted and used by more “traditional” enterprises like the finance, health and government sector.

Governance, Risk and Compliance (GRC) plays a very important role in the IT policies of these institutions and as such, for any solution to be adopted by them, these aspects of the IT policies will have to be considered.  Several initiatives have been started to address this issue. The Cloud Security Alliance’s  GRC Stack is one of the most mature and accepted initiative in this area. It consists of four main stacks – Cloud Controls Matrix, Consensus Assessments Initiative, Cloud Audit and Cloud Trust Protocol.

It was very interesting to participate in the series of workshops to investigate how  this framework would impact and be used by the company. This helped me to learn a lot about the telecoms industry and the way they are adopting cloud technologies in a secure way.

Risk management and compliance tools

Citicus

Citicus MOCA – iPhone/iPad tool that enables you to complete a criticality assessment in minutes, anywhere, anytime, using a highly-respected technique that has been successfully applied to many thousands of assessments over the last decade.  In essence, this highlights the maximum credible loss to your organisation if the worst happens to an asset (e.g. theft, fire, flood, malfunction).

Control Systems Security Program (CSSP) – free tool that provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

If you struggle to comply with HIPAA, the NIST HIPAA Security Toolkit Application can help you better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess implementations in operational environment.

Information security e-learning

The Internet gives us unlimited opportunities to educate ourselves. Here I want to share with you some free resources, which can help you understand information security concepts better.

1. For those of you who want to familiarize yourself with ISO 27001 standard  I recommend free e-learning course

“The purpose of this course is to enable information security practitioners to successfully implement an ISO 27001 compatible information security management system in their respective organizations. This course is made freely available to interested candidates and is modeled on ISO 27001 Lead Implementer courses.” (c) ISQ

2. Designing and Executing Information Security Strategies course provides you with opportunities to integrate and apply your information security knowledge. Following the case-study approach, you will be introduced to current, real-world cases developed and presented by the practitioner community. You will design and execute information assurance strategies to solve these cases. A term-long capstone project leads you through an actual consulting engagement with a local organisation  adding experience to your resume before you even complete the program.

3. Stanford University provides free online cryptography courses.

Basic

“This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.” (c) Dan Boneh

Advanced

“The course begins with constructions for digital signatures and their applications.   We will then discuss protocols for user authentication and zero-knowledge protocols.    Next we will turn to privacy applications of cryptography supporting anonymous credentials and private database lookup.  We will conclude with more advanced topics including multi-party computation and elliptic curve cryptography” (c) Dan Boneh

4. One-hour seminar by Xeno Kovah (Mitre) on rootkits highlights the few weaknesses in detection methodologies and many weaknesses in tools

5. Using buffer overflows

– Understanding the Stack – The beginning of this video explain Intel x86 function-call conventions when C code is compile

– Buffer Overflow Exploitation Megaprimer for Linux video series

6. Series of videos introducing wireless networking and the application of penetration testing tools to WLANs

PCI DSS Compliance in a Cloud Computing Environment. Part 3

According to the statistical survey [1] security is one of the main concerns for enterprises when making the decision to outsource their applications and infrastructure to the cloud computing environment

The inability to clearly identify where the sensitive data is stored and how it is processed is a major concern of many companies.

The problem becomes more serious when the enterprise processes cards payments and has to comply with regulatory requirements, such as PCI DSS. A need for compliance of the infrastructure with regulatory requirements plays an important role when having to decide whether to move applications or infrastructure to the cloud.

This chapter will identify specific requirements for PCI DSS compliance in a cloud computing environment and will look at research done in the field of continuous auditing.

1. PCI DSS compliance and virtualization

Virtualization, which serves as a foundation for cloud computing, introduces new unique types of risks that must be taken into consideration when deciding on adopting cloud computing in cardholder data environment. [2]

To address these concerns and to achieve PCI DSS compliance in such environment, PCI Security Standards Council issued “PCI DSS Virtualization Guidelines,” providing an example of how scope and responsibility may differ by type of cloud service (Figure 1) [2]

cloud{responsibility

Figure 1 – Area of responsibility by type of cloud service [2]

In their supplement guidance PCI Security Standards Council also focuses on following risks [2]:

– Vulnerabilities in the Physical Environment Apply in a Virtual Environment

– Hypervisor Creates New Attack Surface

– Increased Complexity of Virtualized Systems and Networks

– More Than One Function per Physical System

– Mixing Virtual machines of Different Trust Levels

– Lack of Separation of Duties

– Dormant Virtual Machines

– Virtual machines Images and Snapshots

– Immaturity of Monitoring Solutions

– Information Leakage between Virtual Network Segments

– Information Leakage between Virtual Components

For each risk they provide a set of recommendations, specifically covering compliance aspects of the cloud computing environment.

2. Continuous compliance monitoring in cloud computing environment

Ensuring the compliance of outsourced business processes to regulatory requirements is one of the key problems in the deployment of cloud computing environment [3],  [4]

Some research has been done in the field of developing models to automate the process of continuous auditing in order to ensure adherence to regulatory requirements.

Building on Speeter’s research [5], Chieu, Viswanathan, and Gupta in their work [6], push the concept further and not only provide solutions on gathering information on network and server configuration, but also provide a tool to automate this process and use collected evidence for assurance purposes.

The researchers acknowledge all possible benefits of cloud computing, but mention that “the steps of validating the configuration and security of the target workload for compliance and assuring its quality may be complex and very time consuming.” Emphasizing the difficulties of the validation process when performed manually, the authors present the design of an automation system (Figure 2) to carry out the validation of configuration on target cloud services for compliance [6].

cloud_scheme_app

Figure 2 – Architecture of the automation system for service activation [6]

The authors describe in detail how to use the presented system to collect and verify all collected evidences and ensure adherence with the regulatory requirements in the cloud computing environment. This development makes a large practical contribution, and supports various operating systems and middleware stacks. It also was deployed in shared private enterprise cloud (IBM SmartCloud Enterprise Plus [7]. However, authors acknowledge that the developed system “lacks the flexibility to support the diverse private cloud environments in which different back-end tools may have to be integrated.” [6] Allowing such flexibility may result in wider adoption and use for practical purposes, such as automation of PCI DSS compliance checks.

Acknowledging the contribution of Breaux and Antón’s research [8] Accorsi and Sato claim that there is still no sufficient research results to support creation of a uniform way of expressing the compliance requirements [9]. Moreover, in their paper, the researchers emphasize the absence of tools for automating certification procedures, and that the “multitude of regulations and contractual rules increases the complexity of checking compliance” [9].

The authors analyze some regulatory requirements and develop nine common categories. They then focus on workflows and create Petri net [10], [11], [12], [13] representation of these categories. They use the developed model to check the compliance of a given business process in relation to a given requirements. In case of non-compliance, the developed model gathers necessary evidence and points out to the problem.

Unlike Sadiq, Governatori, Namiri [14], who focus only on a single legislation, Accorsi and Sato present their categorization using several different legislations, which may be beneficial for cloud service providers who need to comply simultaneously with many different regulations. However, in their research, the authors analyze mainly business process design issues and only several legislations, ignoring, for example, PCI DSS and, more importantly, many requirements which may be specific for this legislation.

Hizver and Chiueh in their paper [15] tackle another side of automated compliance monitoring – discovering credit card flow, which is a pre-requisite to the implementation of PCI DSS.

Their research has valuable practical application, because in order to comply with PCI DSS requirements, merchants must understand how credit card data flows in their information technology infrastructure and must document it. This may result in problems with out-of-date and difficult to maintain documentation of this flow when infrastructure changes.

To avoid manual effort, the authors develop a tool that can discover payment card data flow from distributed systems in an automated manner. The foundation of the tool is virtual machine introspection technology [16].

Researchers present and thoroughly analyze the developed tool and show evidence that it can fulfill its purpose, despite the fact that communications between distributed systems are encrypted.

Conclusion

Existing issues with compliance monitoring prevent companies from outsourcing their application and infrastructure to a third party cloud computing environment [17] and slow down the process of realization of the cloud computing potential [19].

Although some positive results are achieved in the field of identifying problems with cloud computing and compliance, more research should be done in the field of automation of continuous monitoring for PCI DSS requirements in a cloud computing environment. Models should be developed and tested to allow companies to ensure their adherence with requirements not only of application, but also of external environment, especially if outsourced to third parties.

References

[1]       IDC Survey (2009) http://blogs.idc.com/ie/?p=730

[2]       PCI DSS Virtualization Guidelines (2011) https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf

[3]       ENISA (2009)” Cloud computing—benefits, risks and recommendations for information security”. European Network Information and Security Agency

[4]       Cloud Security Alliance (2013)” Top threats to cloud computing”

http://www.cloudsecurityalliance.org/

[5]       Speeter, Framba, Duncan, Talla, Bullis, (2006) “Configuration management system and method of discovering configuration data”, US Patent Pub. No. 20060179116

[6]       Chieu, Viswanathan, Gupta (2012) “Automation System for Validation of Configuration and Security Compliance in Managed Cloud Services”

[7]       IBM SmartCloud, http://www.ibm.com/cloud-computing/us/en/

[8]       Breaux, Antón (2008) “Analyzing regulatory rules for privacy and security requirements”. IEEE Trans Software Eng 34(1) p.5–20

[9]       Accorsi, Sato (2011) “Automated Certification for Compliant Cloud-based Business Processes” DOI 10.1007/s12599-011-0155-7

[10]    Murata (1989) “Petri nets: properties, analysis and applications”. Proc IEEE 77(4 :p.541–580

[11]    van der Aalst (1998) “The application of Petri nets to workflow management”. Journal of Circuits, Systems, and Computers 8(1): p.21–66

[12]    Katt, Zhang Hafner (2009)” Towards a usage control policy specification with Petri nets”. Springer LNCS 5871: p.905–912

[13]    Huang, Kirchner (2009)” Component- based security policy design with colored Petri nets”. Springer LNCS 5700: p.21–42

[14]    Sadiq, Governatori, Namiri (2007) “Modeling control objectives for business process compliance. Business process management”. Springer LNCS 4714: p.149–164

[15]    Hizver, Chiueh (2011) “Automated Discovery of Credit Card Data Flow for PCI DSS Compliance”,  30th IEEE International Symposium on Reliable Distributed Systems

[16]    Garfinkel, Rosenblum (2003) “A virtual machine introspection based architecture for intrusion detection,” Proc. Network and Distributed Systems Security Symposium,, p. 191-206.

[17]    Chow, Golle , Jakobsson  Staddon, Masuoka, Molina (2009) “Controlling data in the cloud: outsourcing computation without outsourcing control”. In: Proc ACM workshop on cloud computing security. ACM, New York, pp 85–90

[18]    Etro (2009) “The economic impact of cloud computing on business creation, employment and output in Europe”. Review of Business and Economics 54(2):p.179–218

PCI DSS Compliance in a Cloud Computing Environment. Part 2

Cloud computing

Cloud computing recently became a popular topic and has been adopted by many enterprises. The National Institute of Standards and Technology (NIST) has defined cloud computing as follows:  “Cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [1]

1. Overview and history

According to Hamdaqa [2] cloud computing is based on two basic paradigms: virtualization, which abstracts the physical architecture and allows use of it as a software and atomic computing, which enables self-management of distributed systems

The basis of cloud computing is a notion of time sharing, [3] developed in the 1950s and allowed shared use of mainframes CPU time through terminal connection.

Later, the availability of cheap computers and high-bandwidth networks, coupled with development hardware virtualization technologies, resulted in the rapid growth of cloud computing [4], [5], [6].

2. Service and deployment models

Cloud service providers (CSPs) offer services, which could be divided into three main categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). There are also four types of cloud deployment models: Private Cloud, Public Cloud, Hybrid Cloud and Community Cloud. [7], [1] (Figure 1)

NIST_cloud

Figure 1- NIST Visual Model of Cloud Computing Definition [8]

Companies before making a decision on each type of cloud should weigh all benefits and limitations of each type in terms of cost and security, among others.

3. Challenges

Dillon, Wu, and Chang [9] identify the following challenges related to the adoption of cloud computing:

– Security

– Costing Model

– Charging Model

– Service Level Agreement

– What to migrate

However, the authors only briefly discuss each of these areas and focus mainly on the results of survey [10], not paying attention to such sensitive aspects of cloud computing as legal, privacy, compliance, governance, etc.

Zhang, Qi, Lu Cheng, and Boutaba [7] also present only a brief overview of cloud computing technology and discuss core research challenges. The paper does not develop new models or concepts, but instead only analyses current developments and trends.

Although the researchers touch on security issues in general, they focus mainly on basic issues with confidentiality, integrity and availability, failing to address and explore important problems such as compliance in depth.

References

[1]       Mell, and Grance (2011) “The NIST definition of cloud computing”. NIST special publication 800-145

[2]       Hamdaqa (2012). “Cloud Computing Uncovered: A Research Landscape”. Elsevier Press. p. 312. ISBN 0-12-396535-7

[3]       Strachey (1959). “Time Sharing in Large Fast Computers”. Proceedings of the International Conference on Information processing, UNESCO p. 336–341

[4]       “Cloud Computing: Clash of the clouds”. The Economist. (2009). http://www.economist.com/node/14637206?story_id=14637206

[5]        “Gartner Says Cloud Computing Will Be As Influential As E-business”. Gartner. http://www.gartner.com/newsroom/id/707508

[6]       Gruman (2008). “What cloud computing really means”.InfoWorld. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031

[7]       Zhang, Cheng, Boutaba. (2010) “Cloud computing: state-of-the-art and research challenges.” Journal of Internet Services and Applications 1, p. 7-18.

[8]       NIST Visual Model of Cloud Computing Definition

[9]       Dillon, Wu, Chang (2010) “Cloud Computing: Issues and Challenges” 24th IEEE International Conference on Advanced Information Networking and Applications

[10]    IDC Survey (2009) http://blogs.idc.com/ie/?p=730

PCI DSS Compliance in a Cloud Computing Environment. Part 1

The main purpose of this article series is to survey the research that have been done in areas of PCI DSS compliance and recent developments of cloud computing. It gives an overview of basics of cloud computing, PCI DSS and specific compliance issues when dealing with outsourcing applications and infrastructure to third parties.

Nowadays many companies changed the way they doing business with the development of cloud computing. An ability to outsource application or entire infrastructure to the third parties allows businesses to take advantage of rapid and highly scalable deployment of services with little or no information technology expertise. Unfortunately, many enterprises are slow to adopt cloud computing because of information security compliance issues. Companies are skeptical about moving their sensitive information outside their own control perimeter, and see their main obstacle as an inability to check whether outsourced infrastructure and applications are in conflict with existing rules and regulations, such as PCI DSS.

The Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) is a standard that organizations must follow if their business involves processing, storing, and transmitting cardholder data. The main purpose of this standard is to provide requirements to ensure security of payment card data

1. Overview and history

PCI DSS was developed by PCI Security Standards Council, an open global forum formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. [1].

Historically, the companies in this forum developed their own programs, but because they shared similar goals they decided to align their requirements and created PCI DSS.

The birth of PCI DSS created many discussions in the industry.

For example, PCI Council General Manager Bob Russo thinks that PCI DSS gives stakeholders “the opportunity and flexibility to work with Qualified Security Assessors (QSA) to determine appropriate security controls within their environment that meet the intent of the PCI standards.” [2]

Furthermore, Bruce Schneier says that, “Regulation – SOX, HIPAA, GLBA, the credit-card industry’s PCI, the various disclosure laws, the European Data Protection Act, whatever – has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services.” [3]

2. PCI DSS requirements compliance

PCI DSS consists of on six high-level objectives and twelve requirements (Table 1) [4]

Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor supplied defaults for system passwords and other security parameters
Protect card holder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program 5. Use and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures 7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain and information security policy 12. Maintain a policy that addresses information security for all personnel.

Table 1 – PCI DSS Requirements and Security Assessment Procedures [4]

Compliance with PCI DSS requirements is enforced through contract agreements and may include fines and higher processing fees. To ensure compliance of services providers and merchants with PCI DSS requirements, special assessments are carried out. Such assessments usually utilize a sampling methodology to demonstrate compliance in target systems.

However, assessment procedure depends on the level of the merchant (it may require the completion of a Self-Assessment Questionnaire or on-site assessment) (Table 2) [5]

Category Criteria Requirements
Level 1 Any merchant that has suffered a hack or an attack that resulted in an account data compromise
Any merchant having more than six million total combined MasterCard and Maestro transactions annually
Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
Annual Onsite Assessment
Quarterly Network Scan
Level 2 Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually Annual Self-Assessment
Onsite Assessment at Merchant Discretion
Quarterly Network Scan
Level 3 Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually Annual Self-Assessment
Quarterly Network Scan
Level 4 All other merchants Annual Self-Assessment
Quarterly Network Scan

Table 2 – Merchant Level and Validation Requirements (MasterCard version) [5]

PCI DSS requirements assessment procedure depends on merchant’s annual number of transactions and past breach history.

3. Implementing the PCI DSS

Companies face many challenges and difficulties when implementing PCI DSS requirements. According to Michael Jones, CIO of Michaels’ Stores, PCI DSS requirements “are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve ‘Requirements’ for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation.” [6]

Rees identifies the following challenges of PCI DSS compliance [7]:

– Understanding scope

– Understanding of card data flow

– Organizational

– Technological

– Third party management

Bonner, O’ Raw and Curran in their paper [8] present a good analysis of application adherence with PCI DSS requirements. Researchers address such issues as maintaining legacy systems and their difficulties to implement PCI DSS requirements properly. They discuss several existing solutions such as using web services to “wrap” older legacy systems [9]. However, in their opinion, neither of these approaches directly addresses the problem of PCI DSS compliance.

The authors developed a prototype (Figure 1) and showed how to implement controls to achieve PCI DSS compliance in the application.

 system

Figure 1 -. Experimental System Overview [8]

The researchers thoroughly describe their prototype, present some experiments, and tackle the problems of masking payment card data and cryptographic key management while storing such data.

However, in their research they focus solely on adherence with requirements of developed application, completely ignoring environment in which this piece of software operates.

Despite the fact that this paper contributes to the field of secure software development, and emphasizes some application PCI DSS compliance issues, one should remember that environment plays an important role in achieving compliance for business overall

References

[1]       PCI Security Standards Council  https://www.pcisecuritystandards.org/

[2]       Russo (2009). “Letter to NRF”. PCI Council. https://www.pcisecuritystandards.org/pdfs/statement090615_letter_to_nrf.pdf

[3]       Schneier (2008) “Bruce Schneier reflects on a decade of security trends”. http://www.schneier.com/news-049.html

[4]       PCI DSS Requirements and Security Assessment Procedures, Version 2.0 p. 5

[5]       Merchant Level and Validation Requirements (MasterCard version) http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html

[6]       Jones (2009). “Testimony of Michael Jones before the emerging threats cybersecurity and science and technology subcommittee “. Congress of the United States.

Click to access 20090331142012-77196.pdf

[7]       Rees (2010) “Computer Fraud & Security” Volume 2010, Issue 12, p. 14–116

[8]       Bonner, O’ Raw, Curran (2011) “Implementing the Payment Card Industry (PCI) Data Security Standard (DSS)”.

[9]       Steed (1996) “Encapsulating Legacy Software for Use in Client/Server Systems”. Proceedings of the Third Working Conference on Reverse Engineering. Monterey, CA: p.104-119