Accountability and responsibility for managing the various PCI DSS controls need to be clearly understood and agreed upon by both the customer and the cloud vendor. Specific roles may differ on a case-by-case basis depending upon a number of variables, including:
The cloud service models (IaaS, PaaS, SaaS) and deployment models (public, private, community, hybrid) selected by the customer
The reason the customer is using the cloud vendor and the range of PCI DSS requirements it is deploying in the cloud
The services and system components that the cloud vendor has validated within its own operations.
When payment card data is stored, processed or transmitted in the cloud, PCI DSS compliance will include validation of both the cloud vendor's infrastructure and the customer's use of it.
Before adopting a cloud service, customers should first verify that the cloud vendor has validated PCI DSS compliance, by asking questions such as:
When was the cloud vendor first validated for compliance? When was its most recent validation?
Which specific services provided by the cloud vendor were included in the validation, and which were not?
Which specific elements (facilities, components) of the cloud service were included in the validation, and which were not?
How does the cloud vendor ensure that customers cannot introduce non-compliant elements or bypass existing controls?
A cloud vendor claiming to have completed an independent PCI DSS assessment should be able to provide a customer an Attestation of Compliance and Report on Compliance that should include details regarding the specific services, components and facilities included in the assessment.
Just because the cloud service is PCI DSS-compliant doesn't automatically mean that the customer is compliant. The customer must still ensure that it's using the service in a compliant manner.
The final recommendations in the conclusion of the guidelines:
-DOCUMENT everything with your provider in written agreements - for example, SLAs/Terms of Service contracts, etc.
-REQUEST written assurances that security controls will be in place and maintained.
-REVIEW the service and written agreements periodically to identify if anything has changed.
Essentially say it all -- get it in writing, and continuously monitor compliance. For those who want to gain these skills, and learn more about cloud computing risk mitigation via contract negotiation and vendor management, the next session of my seminar Contracting for Cloud Computing Services will be held March 25-26, 2013, in Los Angeles. I look forward to seeing you there.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.