2Do Ask, Do Tell
3Know Your Data
Not all data is meant for the cloud. “Ideally, you should limit the exposure and scope of where payment card data resides and moves in your systems and confine that data accordingly to the most heavily protected element of your network, with all the PCI DSS controls in place,” advises Bob Russo, general manager of the PCI Security Standards Council. “If you put payment data into the cloud – you are opening up that entire cloud to the scope of a PCI QSA assessment.”
4Minimize the Scope of the Project
5Use Secure Images
6Segregate Systems and Networks
“Ensure that your firewall, IPS and IDS protect each of your virtual machines separately,” advises Todd Thiemann, senior director of data center security at Trend Micro. “Especially in a public cloud environment, the other virtual machines running on the same physical hardware should be considered hostile, and the firewall at the cloud provider’s perimeter cannot help you here.” Deploying your own host-based firewall/IDS/IPS also offers portability if you decide later to change cloud service providers, he says.
7User Management and Provisioning
Companies need to secure and manage privileged administrative users in both virtualized and cloud environments because excessive entitlements can be a serious weakness. This is usually complicated by virtual server sprawl and the use of public cloud services, says Matthew Gardiner, director of security and compliance for CA. User rights should be restricted by a least-privileges approach.
8Monitor Your Environment
With the ability to dynamically activate and deactivate cloud systems, logging and monitoring becomes critical. Make sure a strong correlated log monitoring solution is in place to monitor your systems. Better yet, take advantage of the innate benefits of cloud computing and go with a provider that can provide this service within your cloud.
9Logging and Auditing
Virtualization vendors have tools to help organizations meet this requirement. Companies should ensure all audit trails have tight access controls that are maintained for virtual infrastructure components such as management utilities and the host. Audit trails should be secured so they cannot be altered.