The cloud may be nebulous, but the security of your valuable data assets should be clearly defined.
We’re all seeing a continued movement of services in to the cloud, especially in the Infrastructure-as-a-Service (IaaS) arena. The security issues around cloud computing seem, to us at least, to be similar to the traditional issues – hardening, secure access, patching, vulnerability management, protecting data assets and so on.
The difference in the cloud is the speed and ease with which new server instances can be provisioned, and the level of expertise needed to do so.
If you fail to securely configure and manage your template images (AMIs, in Amazon-speak), expect these failures to be propagated throughout your infrastructure; rapidly, and by people who have no idea why this could be a problem. Look out too, for a new take on an old problem. If you own physical storage media, you can physically destroy it. What about cloud storage? How can you be sure that your data has been removed when your virtual servers are no longer needed?
The PCI compliance impact here is obvious – security failures at the template level will:
- Extend the scope of your CDE
- Expose the business to increased risk of data loss (be it card data or any other valuable data)
- Increase the costs of remediation as the number of insecure or non-compliant images proliferate
As has always been the case in security, prevention is better (and cheaper) than cure.
Cloud IaaS providers need to provide appropriate tools, documentation and training in these areas. Consumers need to translate existing security processes, roles and know-how and apply these to the cloud environment. At a high level, this needs to include:
- Definition of secure/compliant base images
- Fit-for-purpose hardening of instances based upon those images
- Ongoing maintenance of active instances
- Maintaining an inventory of active instances
- Secure and verifiable removal of instances when no longer needed
In many ways, the cloud is new, powerful and provides consumers with unprecedented levels of control and flexibility. It may hide physical detail from the consumer, but it is still real infrastructure; quick and easy to deploy, with the same underlying security concerns that we had before.
Check our our short video presentation, “Penetration Testing & The Cloud”:
Sample PCI DSS Penetration Testing Policy
Sample PCI Penetration Testing Procedures