In a lot of ways, 2013 has been a pivotal year for PCI compliance in the cloud. As recently as a few years ago, answers to compliance questions for cloud environments were more than a little murky, typically regressing into endless debates on how to define “cloud” in the first place. Compared to where we were as an industry then, 2013 has ushered in the age of enlightenment.
In February, the PCI Council finally published guidance for ensuring compliance in several types of cloud environments. At nearly 50 pages it’s more of a self-published novella than a clarification, but it’s a major milestone nevertheless. The biggest question – “Can you be PCI compliant in the cloud?” – has been answered. Yes, you can.
Businesses unwilling to wait for the PCI Council to catch up with the real world have been finding their own way for years, of course, but now the uncertainty of picking just the right QSA, or a cloud provider that understands security, has been greatly reduced. Take a random walk through a set of cloud providers – Rackspace, Peak 10 and Amazon, for instance – and you find a lot of PCI resources that provide common-sense answers, and in some cases a set of services that handles most of the heavy lifting.
Things are notably better, but ask anyone going beyond merely replicating their legacy data center deployment in the cloud and you won’t hear about an “age of enlightenment” for PCI compliance. A more accurate assessment of our current state is that we are just past the point where the topic draws deer-in-the-headlights looks.
What will be the next pressure point? Heady topics like auto-scaling, deployment automation and usage-based billing. Security has been largely exempt from dealing with these issues, in no small part because uncertainty about compliance in the cloud provided convenient cover, but expect the ability to deal with elastic environments to become a major issue in 2014.
The challenge here is much more technological than a matter of governance, and it’s exactly the area where security people will have a difficult time meeting business demands. After all, computing, storage and networking have been disrupted to the core by “software-defined” movements, while the security industry has escaped largely unscathed. What happens when your newly PCI-compliant cloud deployment auto-scales to meet surging customer demand, leaving your security infrastructure in the dust?
We’ll be discussing cloud, security, compliance and more at Cloud Connect in Chicago on October 21-23rd.
Misha Govshteyn is the Vice President of Emerging Products at Alert Logic and will be a featured speaker during the Cloud Security and Risk Summit at Cloud Connect Chicago.