CipherCloud has issued a PCI Council guidance on cloud security that outlines shared responsibility for security between the provider and the customer. It also lays out new responsibilities for the customer.
Cloud information protection solution vendor CipherCloud released a guidance on cloud security based on requirements set out by PCI Council. The guidance, which lays responsibility for cloud security on both the part of the cloud provider and the customer, details the five steps necessary to achieve PCI DSS compliance in the cloud.
That's an easier breakdown when compared to the 52-page cloud security guidance issued by PCI Council, but of course, that's what CipherCloud has been aiming to do with cloud-based encryption and security -- make it simple. In the last several months, CipherCloud has been beefing up its team and its financial backing to continue to expand its security offerings, which are mostly focused around encryption in the cloud.
With the launch of its five-step program to good cloud security, the company also laid out new responsibilities of the customer to protect their cardholder data. According to CipherCloud, customers "need to understand and have a level of oversight and visibility into their cloud provider's security functions." That means there's no more sitting on the sidelines and expecting that cloud providers are doing all the work to keep data secure.
The five steps outlined by CipherCloud are:
- Ensuring cloud encryption of cardholder data. Naturally, CipherCloud recommends using its own gateway to encrypt sensitive pieces of cardholder information in real time before it's sent to the cloud.
- Giving customers control over encryption keys. CipherCloud noted that customers should retain encryption key control, placing responsibility directly in their hands. According to the company, this is in sharp contrast to other approaches in which the cloud provider retains control. CipherCloud says that's a big "no-no." If it's put in the hands of the customer, then they remain secure even if the cloud provider is compromised.
- Manage keys appropriately. Just as a gun owner should store firearms in a different place than the ammunition, so too should customers store and manage encrypted data independently. Additionally, it shouldn't be accessible by the cloud provider.
- Customers should have full sovereignty and legal compliance. Cloud operations are dynamic, so it's important to know where and how data is being stored. Storing some data in foreign countries is a breach of regulatory requirements. Some nations also reserve the right to examine data as they see fit. If it's encrypted, though, chances are that data is safe even if there is a breach, whether by hackers or law enforcement.
- Restrict business cardholder data to a need-to-know basis. One of the first steps to maintaining security is to ensure only people who need access to information or data in an organization have access to it. Unauthorized personnel at the end-customer, as well as the cloud provider itself, should not have access to this data.
"These new PCI Cloud guidelines are very helpful," said Pravin Kothari, founder and CEO of CipherCloud. "They provide very important clarifications to cloud customers as to their responsibility for protecting their cardholder data in the cloud, as well as defining clear steps for customers that have been hesitant to adopt the cloud on how to do so."