The Payment Card Industry (PCI) Security Standards Council has finally released an updated set of security guidelines for merchants, this one addressing the use of cloud services.
When the PCI requirements were first unveiled, cloud service providers (CSPs) weren't on anyone's radar. The guidelines were written for merchant data centers, but as those data repositories started migrating to the cloud, things became more complex – and less clear. The PCI council was forced to adapt and clarify its guidelines so that merchants know where their responsibility for data security ends and the cloud provider's begins. (Sound familiar?) Included in the newly clarified guidance are answers to questions about encryption, system configuration and access control, just to name a few.
This issue for PCI is the same one facing solution providers working with CSPs – understanding and delineating who is really responsible for data security. The channel has been bickering back and forth, and now this PCI announcement follows on the heels of last month's HIPAA clarifications, which focus on cloud and healthcare privacy. It appears we're working slowly toward some formal legal standing on this issue.
From the PCI DSS Cloud Computing Guidelines, released February 2013:
A strategy for shared governance and communication should be established between client and CSP (Cloud Service Provider) to enable clear communication of all aspects of the relationship from operational performance to security risk management and issue resolution. Reporting and monitoring mechanisms should be made available to client organizations to provide assurance that effective governance is applied by the CSP.
The HIPAA mandate includes similar language, stressing that CSPs handling healthcare data on behalf of clients must undergo HIPAA audits and have policies and procedures in accordance with the HIPAA security guidelines.
For the channel, having major security standards bodies and government agencies start to establish rules around the responsibility of CSPs (and solution providers) for safeguarding data and communicating with customers is a double-edged sword. On one hand, it starts to answer the questions that have been swirling around for some time. On the other hand, it may mean some vendor partnerships start to crumble if a CSP isn't willing to invest the resources needed to comply with such standards. The challenge for now is simply staying aware of these standards, and opening conversations with your vendors about their intentions.