On Jan. 1, the second version of the PCI Data Security Standard takes effect. Interpretation of the version currently in force, 1.2.1, has prompted implementers to keep distinct functions on physically separate systems, each with its own random access memory, CPUs, and storage, thus imposing a tangible separation of parts. PCI didn't require this, because the first regulation was written before the notion of virtualization became prevalent. But the auditors of PCI, who pass your system as PCI-compliant, chose to interpret the regulation as requiring physical separation.
As of Jan. 1, segregation in the form of separate virtual machines may be a legitimate implementation of a credit card transaction system.
"It recognizes virtualization as a valid technology," said Chris Richter, VP of security products and services at Savvis, a managed service and cloud services provider. "Under PCI 2.0, functions may be virtualized and run on the same shared host," he said in an interview Wednesday.
This is not the same as saying PCI 2.0 gives the go-ahead to credit card data moving into the cloud. Recognizing virtualization as a widespread and necessary technology was a big step forward in the regulation, and of course it would seem to follow that many virtualized workloads using transactions can be moved to the cloud and run there. But PCI 2.0 says nothing about operations in the public cloud. It doesn't even say anything about private clouds or hybrid clouds. It remains silent on the subject.
Knowing the conservative nature of the regulation, I said last May, as my book, Management Strategies For The Cloud Revolution, came out, that transactions could be made safe in the cloud, but changes in the compliance regulations would have to occur before they'd take place there. For that reason, I find it interesting that the PCI Security Standards Council has taken its first step in making the changes necessary, even if they fall short in this iteration.
At the same time, several well-informed members of the council's technical body, the special interest group on virtualization, have published a white paper, "PCI-Compliant Cloud Reference Architecture." This is a bold move and ahead of even where the 2.0 regulation allows most implementers to go.
Even after Jan. 1, there will be no clouds capable of conducting PCI-compliant transactions, changed regulation or no. As noted before, the 2.0 regulation recognizes virtualization, but not the cloud, and keeps some of the established notions that the application tier must be physically separate from the database tier, which must be separate from the web tier. If you're running your workload in the public cloud, such as Amazon's EC2 (operating in the web tier), you have three strikes against you before you adjust to the new regulation.
So how can a subgroup of members of the PCI special interest group bring out a proposed PCI-compliant cloud reference architecture? Well, says Richter, one of its members, it wanted to illustrate how virtual machines could be used and separation achieved within the intent and purpose of the present regulation. If you set up firewalls and security measures between your servers in the cloud, it's conceivable you're meeting the regulation, if someday the qualified security assessors (QSAs) -- the auditors who determine PCI compliance -- choose to interpret the regulation that way.
Richter acknowledges more changes in the wording of the regulation are likely to be necessary before QSAs will be willing to risk their reputations and livelihoods in giving their stamp of approval to the use of credit card data in the cloud. But the shift in direction is clear. The first step down a necessary path has been taken.
The white paper, by the way, was written not only by a cloud service provider but also by contributors from Cisco, VMware, HyTrust, and QSA firm Coalfire. It makes for interesting reading. Richter emphasizes that the council's special interest group has not issued the paper; its authors, however, all happen to be members of the SIG. Likewise, the PCI Security Standards Council has not ratified the paper. It's meant as an early roadmap, a pointer, into what until now has been a featureless no-man's land: cloud computing as a shared facility where secure transactions may take place.
We are three years away from another revision to the PCI standard. Don't expect to see the words "PCI-compliant" and "cloud" in a council-sanctioned document before 2013. But that day is coming.