Thursday, August 20, 2009

A PCI-Compliant Cloud? Not at Amazon

A report pointing out that Amazon Web Services does not comply with PCI DSS (the industry standard for the security of online credit card transactions).

Amazon explains the matter on its own site, stating that, strictly speaking, PCI Level 1 is not achievable on its platform, but Level 2 can be implemented.

Amazon is not alone: many cloud computing vendors do not support security standards such as PCI. Only a few enterprise-oriented hosting providers such as Terremark and Savvis have announced support, and since there are many security standards besides PCI, covering all of them is difficult in practice.

There's an ongoing debate about the ability of cloud computing services to meet enterprise regulatory compliance requirements, including the Payment Card Industry Data Security Standard (PCI DSS) standard that is essential for e-commerce. Martin McKeay at the Network Security Blog recently highlighted the admission by one of the most popular cloud services, Amazon Web Services, that it does not support the highest levels of PCI compliance.

"From a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant," an Amazon representative told a customer in an exchange that was posted on an AWS web forum. A key issue is that PCI auditors are unable to inspect Amazon's data centers. (Read on for additional information from Amazon on this issue).

McKeay's post has prompted a fresh round of discussion of cloud computing's ability to support PCI DSS, even as recent data breaches have raised questions about the value of PCI compliance.

"PCI compliance doesn't automatically make a site safe," writes Lori McVittie of F5 Networks. "Lack of PCI compliance doesn't make EC2 unsafe, either. It means it isn't compliant with the policies designated by the PCI council for handling credit card transactions and sensitive data. And, if we look past the hand-waving, we'll find that Amazon admits you can't build a PCI Level 1 compliant application using EC2 and S3, but you can build a PCI Level 2 compliant application."

Amazon's admission may not make it unsafe, but the way in which it was revealed is a reminder of why confusion persists about support for key compliance standards by some cloud services. Amazon's ability to support PCI for its cloud computing customers has been questioned before, and was typically met with a vague statement about Amazon's "commitment to provide a secure, world-class cloud computing environment." This time the question was posed in a forum thread. Amazon didn't respond directly on the thread, but the customer posted an email response.

UPDATE: Amazon spokesperson Kay Kinton has followed up with some comments and perspective on this discussion. "It's important to recognize that PCI compliance is dependent on how a particular merchant uses a hosted solution like AWS and should not be linked to the overall security of AWS' services," Kinton writes. "Under the PCI Data Security Standard, merchants regardless of their size are independently responsible for complying with PCI when they collect, process or store credit card information. When using a shared hosting service, like AWS, where the merchant controls what credit card information touches the service, the merchant is responsible for using the services in a manner that permits them to be PCI compliant, such as the proper use of encryption and key management. Therefore, it is possible for a merchant to use Amazon EC2 and Amazon S3 and meet PCI compliance standards depending on their specific implementation.

"For customers who don't have the expertise, time or otherwise don't want responsibility of managing a fully compliant payments application, the customer can use our web service for payments, the Amazon Flexible Payments (Amazon FPS), or use solutions offered by Amazon Payments (such as Checkout by Amazon)," Kinton adds. "While these solutions address the specific needs for some customers, it does not mean that it is the only means of using Amazon Web Services in a completely compliant manner."

Amazon is an important player in cloud computing, but its capabilities aren't representative of all cloud services. As we've previously noted, several providers say they have achieved certifications for customers using cloud platforms. These include Terremark Worldwide (TMRK) which describes its Enterprise Cloud platform as "certified as PCI DSS Compliant," and Savvis Inc. (SVVS), which offers a version of its just-in-time utility computing platform that is customized for online retailers and includes PCI solutions. For further reading, see Cloud Computing and PCI Security, a review of the topic by Michael Dahn of the PCI Blog. Dahn compares the current debate to earlier concerns about compliance in a virtualized environment.

Meanwhile, security publications have noted a recent incident in which a PCI-compliant provider, web host Network Solutions, suffered an intrusion and data breach that compromised more than 4,300 customer sites and approximately 573,928 individuals' credit card information.