Cloud Tenant PCI-DSS Dilemma

There is a dilemma for all tenants of a public or private cloud: Scope. Tenants want everything to be in scope. Cloud Service Providers (CSP) want to limit scope to the bare minimum. What does it mean for a Cloud to be ‘PCI Compliant’, and why is this a requirement for some tenants? The real issue is, what is in scope for PCI-DSS while your data is in the cloud, and how can you as the tenant meet those requirements? Remember, in the cloud, scope becomes a huge issue and a dilemma for the tenant, mainly because they may not know the scope of the cloud provider’s audit and may never find it out. So what is this scope issue and can it be fixed?

There are a growing number of cloud services that will fall under the jurisdiction of PCI-DSS, from public cloud customer-facing web sites with order forms to cloud-based storage where those records, workloads, and other personal identifiable information (PII) is stored. So yes, PCI-DSS must include Data Protection (Virtualization Backup) as well as Cloud Computing and your local virtual or private cloud environment. PCI-DSS spans the entire spectrum of hybrid cloud security. Currently, others have claimed the following:

• IaaS: The CSP is responsible for everything below the hypervisor including its own management processes, but the tenant is responsible for everything above the hardware.
• SaaS: The CSP is responsible for everything through the app but not the tenant’s data.
• PaaS: The CSP is responsible for the ‘stack’ but not the final application and not the tenant’s data.
• Recovery as a Service (RaaS): The CSP is only responsible for its portal and the underlying disk infrastructure, and the tenant is responsible for the data.

There is a common thread throughout all these: the CSP is NOT responsible for customer data. But PCI-DSS is all about protecting the data, which implies that the tenant is responsible for all data needs.

The PCI-DSS Dilemma

The real issue here is, how is the PII data protected at rest, but also in motion? This implies that the CSP’s hardware, which the data travels through (physical switches, storage fabrics, compute nodes), also comes into scope. But this is an area that the tenant cannot normally audit to ensure PCI-DSS is followed.
Yet, the CSP has done an audit, and it can be referenced. But this is misleading as the scope of that audit is the CSP’s own handling of PII, and the tenant workloads are not necessarily considered PII (unless the cloud provider signs up to treat such data as PII).  Given this, the scope of the CSP audit is much different than where the tenants data resides, runs, and moves around the environment.
However, we need to also consider End User Computing devices, which are used to access PII every day. Do these devices, and the wireless networks to which they are connected, fall into scope as well? What happens if these devices also connect to foreign (as in not approved) clouds?  Do those connections now come into scope? PII traveling through AT&T or Verizon from my iPad would be encrypted, but you would have to prove such encryption if this was the modus operandi for the end users.

Concluding Thoughts

There are some interesting concepts around PCI-DSS audits that pertain to cloud services that include data protection, which makes me wonder if the audits for CSPs are scoped properly. I think not; I think PCI-DSS has to rule on this, but should treat all data in a cloud as being PII unless otherwise told. This way, we can properly rely on CSP audits of underlying levels. But I also think the new clouds for data protection are wide open and generally out of scope for current PCI-DSS audits; they should not be. What are your thoughts?