PCI DSS cloud computing guidelines strike discord among would-be adopters

IntroAlthough some experts think a recent report on cloud computing security compliance helps clarify how data can safely live in the cloud, others say it could confuse or even scare off cloud computing adopters. The report on PCI DSS cloud computing security, written by the Payment Card Industry (PCI) Security Standards Council, could influence adopters already stymied by confusion about compliance. "Cloud computing is a form of distributed computing that has yet to be standardized," the report states in its executive summary. One expert said the report sets a dark tone from the start. "There is no standard yet, and you're basically led to believe that going to the cloud is fraught with danger," said Chris Steffen, principal technical architect at Kroll Factual Data and a Microsoft MVP on cloud and datacenter management. The report also suggests that keeping credit card holder data out of the cloud completely is the most effective way to keep a cloud environment out of scope. These statements could have some inexperienced cloud computing clients and their auditors running scared, Steffen said, and might lead auditors to hatch up draconian interpretations. "If you want a truly secure computer, take it off the network, encrypt everything, make sure you have quadruple-factor authentication to get into the thing, and then you're still only as secure as the person using it," Steffen said. Users need to balance usability with reason when it comes to computer security, he added. The report offers matrices for delineating responsibility for elements of the PCI Data Security Standard (DSS) between cloud computing clients and cloud service providers. Even so, there still are ambiguities that will create confusion, said Carl Brooks, an analyst at Boston-based 451 Research. For instance, Requirement 9 under PCI DSS requires that clients restrict physical access to cardholder data, "a basic PCI requirement since dinosaur times," Brooks said. The guidance simply states that the cloud service provider manages this requirement, but it depends on the particular CSP as well as the distribution of data across different locations. "What does that actually, practically mean?" Brooks questioned. "Who is getting sued and/or arrested when cardholder data gets loose?"