For many organizations considering a move to the cloud for business-critical operations, PCI DSS compliance is a major concern. Cloud computing offers a number of competitive advantages that simply can’t be denied. But businesses must make sure their cloud data protection strategies ensure compliance. Luckily, a simple solution exists to solve many common cloud data security issues that impact PCI DSS compliance. Here are three of those issues, and how to solve them.
1. Data protection anywhere in the cloud
PCI DSS 3.0’s Requirement 3.4 stipulates that PAN be rendered unreadable “anywhere it is stored” through measures like strong cryptography. Cloud computing can make that a challenge. Backup and disaster recovery processes at cloud service providers (CSPs) often result in the duplication of data, and copies may be moved around within and across data centers and geographic regions.
The solution: Choose a cloud data protection solution that catches and encrypts all sensitive information on the fly, at the point of transmission, in accordance with your organization’s security and compliance policies. By acting as a gateway through which all protected information must pass before it heads to the cloud, CipherCloud’s cloud information protection platform does just that. This way, your data will remain protected no matter how many copies are made or where they go.
2. Data protection in unstructured formats
Cloud computing platforms help to unify your operations and create new avenues for collaboration and communication. As your employees chat and trade information in the cloud, however, are they running the risk of violating PCI DSS? Requirement 4.2 forbids sending unprotected PANs through “end-user messaging technologies” such as instant messaging. Unfortunately, the unstructured formats of instant messages and emails can make protecting the data within them a challenge without the right solution.
The solution: Choose a cloud data protection solution that integrates with your CSP’s services and applications to ensure that all protected data is detected and encrypted before it’s shared. CipherCloud’s cloud information protection platform works within Salesforce Chatter, Gmail, and other popular cloud environments to detect and protect PANs and other sensitive data on the fly, even in unstructured formats like instant messages. That way, business can continue as usual without endangering PCI DSS compliance.
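To make the gateway behaviour described in items 1 and 2 concrete, here is an added example (not CipherCloud's code or a description of its product) that scans an unstructured message for PAN candidates, confirms each with a Luhn check so that order or phone numbers are left alone, and replaces confirmed PANs with a keyed-hash token (one of the methods Requirement 3.4 accepts for rendering PAN unreadable) under a key the organization holds itself. The key, the message text and the `tok_` token format are constructed assumptions for the example.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(digits: str, key: bytes) -> str:
    """Render a PAN unreadable as a keyed-hash token, keeping the last four
    digits for business matching (PCI DSS permits showing last four)."""
    tag = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
    return f"tok_{tag}_{digits[-4:]}"


def protect_message(text: str, key: bytes) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in free text with a token.

    Returns the protected text and the number of PANs replaced. Digit runs
    that fail the Luhn check (order numbers, phone numbers) are left as-is.
    """
    replaced = 0

    def _replace(match: re.Match) -> str:
        nonlocal replaced
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        replaced += 1
        return tokenize_pan(digits, key)

    return PAN_CANDIDATE.sub(_replace, text), replaced


# Constructed sample: an order number (13 digits, Luhn-invalid) next to the
# well-known test PAN 4111 1111 1111 1111 (Luhn-valid), under a customer key.
CUSTOMER_KEY = b"customer-held-key-never-shared-with-csp"  # constructed
SAMPLE_MESSAGE = "Order 1234567890123 was paid with card 4111 1111 1111 1111, thanks"

if __name__ == "__main__":
    print(protect_message(SAMPLE_MESSAGE, CUSTOMER_KEY))
```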
3. Encryption key control
As you can see, encryption should form a large part of your PCI DSS compliance toolkit. But with encryption comes the need for encryption keys, and not all cloud encryption solutions are created equal. Some give the CSP or the encryption service provider access to your company’s keys. The greater the number of people with access to your encryption keys, the greater the chance that you’ll run afoul of Requirement 3.5, which makes organizations responsible for protecting encryption keys “against disclosure and misuse.”
The solution: Choose a cloud data protection solution that gives your company exclusive access to, and control of, your encryption keys. Your CSPs shouldn’t have them. Neither should your encryption providers. The fewer the people with access to your encryption keys and the more control you can exercise over those keys, the safer you’ll be. CipherCloud has long believed that enterprises should retain full control over their encryption keys for maximum cloud data security.
When it comes to PCI DSS compliance, what cloud data security issues do you worry about? Tell us in the comments.