Thursday, March 5, 2009

And so begins everyone's claim for Cloud Compliance

Today's blog entry at the Mosso Blog claims:

Cloud Sites, Mosso|The Rackspace Cloud’s Flagship offering, is officially the very first cloud hosting solution to enable an Internet merchant to pass PCI Compliance scans for both McAfee’s PCI scans and McAfee Secure Site scans.

While I am all for helping companies meet compliance with whatever technology they are trying to implement, there are some facts here that seem a little skewed.

1) They only passed the ASV scan: a scan of the external-facing IP addresses, as required by requirement 11.2.b. This is great, but it is not PCI DSS compliance; it is in fact only one very small piece of it.
11.2.b Verify that external scanning is occurring on a quarterly basis in accordance with the PCI Security Scanning Procedures, by inspecting output from the four most recent quarters of external vulnerability scans to verify that: Four quarterly scans occurred in the most recent 12-month period; and The results of each scan satisfy the PCI Security Scanning Procedures (for example, no urgent, critical, or high vulnerabilities); The scans were completed by an Approved Scanning Vendor (ASV) qualified by PCI SSC.
2) They aren't processing credit cards themselves. They call an Authorize.net API (over SSL) and let the card data flow through to someone else's non-cloud network. Their marketing material shows the API. It sure is neat, but again we are only talking about one piece of PCI DSS compliance. I am happy that you are not storing credit cards.

3) I don't believe they would be able to PASS an onsite assessment for a RoC (Report on Compliance), but since it looks like they are only a Level 3 merchant, a SAQ is all they need to fill out.

So why don't I believe they could pass?

Until someone can present a clear picture of the demarcation point between the application, virtualization and physical layers, and of the controls offering protection between those layers, no QSA will be able to say they are compliant. I have had discussions just about the idea of a demarc point between Dom0 and DomU. We haven't even begun to drill into the other layers.

So in this case the merchant's argument might be that they are using a shared hosting provider (language borrowed from multiple posts in the SPSP forum):

Shared hosting refers to a hosting service where many hosted servers reside in a data center connected to the Internet. In shared hosting, the provider is generally responsible for managing servers, installing server software, security updates, technical support, and other aspects of the service.

PCI compliance is the responsibility of the organization that owns the data. In a shared hosting environment where it is truly shared hosting and the client can upload whatever they want, the client is responsible for ensuring they are using a hosting provider that meets their needs. Simply having merchants that house data in a hosting environment does not impose the requirements upon the hosting provider. There are two basic paths here: 1) the merchants need to ensure they are using a hosting provider that complies with the PCI DSS, or 2) the merchants need to ensure they can manage their own systems in accordance with the PCI DSS.

I haven't met a shared hosting provider yet who is willing to accept the liability of PCI DSS compliance in the cloud. This isn't to say that they aren't all working towards it. So this leaves the merchant responsible for managing their own system, and we fall back to my Dom0/DomU comment and the current problem of providing enough evidence of compliance.

Most QSAs are struggling with the idea of virtualization in general: they either get stuck on the "one primary function per server" rule (requirement 2.2.1) or their view of virtualization is based on their own use of VMware or Parallels. QSAs are going to have to either take deep dives into architecture or they are going to fail companies all over the place.

Finally, as I said at CloudCamp last weekend: if you want to be compliant in the cloud today, encrypt everything you store in the cloud with strong encryption and keep the keys out of the provider's environment. Then what sits in the cloud is only random bits, and a breach of that storage does not expose the data.
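As an added example of what "only random bits" means in practice (this is not code from the original post, nor from Mosso or Rackspace), the Go program below seals a record with AES-256-GCM under a key that is generated and held locally, binds the storage object name as associated data, and shows that the resulting blob neither contains the plaintext nor survives tampering or being copied to a different object name. The key handling, object name and sample record are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyLen is 32 bytes for AES-256. In a real deployment the key lives in a
// secret store outside the cloud provider; only the opaque blob produced by
// EncryptForCloud is ever uploaded. (Assumption for this example.)
const keyLen = 32

// NewDataKey generates a fresh 256-bit key from the OS CSPRNG, locally.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForCloud seals plaintext with AES-256-GCM. objectName is bound as
// associated data, so a blob copied to another object name fails to open.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func EncryptForCloud(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return append(nonce, sealed...), nil
}

// DecryptFromCloud reverses EncryptForCloud. Any change to the nonce,
// ciphertext, tag or object name makes the authentication check fail.
func DecryptFromCloud(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

// LeaksPlaintext reports whether the stored blob still contains the record
// verbatim, i.e. what someone holding only the cloud storage would see.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real cardholder data.
	record := []byte("order=1001;last4=1111;customer=example")
	blob, err := EncryptForCloud(key, record, "orders/1001.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext visible: %v\n", len(blob), LeaksPlaintext(blob, record))

	blob[len(blob)-1] ^= 0x01 // simulate a bit flipped in the provider's storage
	if _, err := DecryptFromCloud(key, blob, "orders/1001.json"); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The point of the design is that the provider only ever holds nonce, ciphertext and tag; without the key those bytes are useless, and with the tag any modification by the provider (or an intruder on the provider's side) is detected rather than silently decrypted. Two caveats a practitioner should keep in mind: the guarantee collapses if the key is stored alongside the data, and random 96-bit GCM nonces should not be used for more than a few billion objects under one key, so a high-volume system needs per-object data keys wrapped by a master key.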

40 comments:

Lucas said...

Merchants are those with merchant accounts for accepting credit card payments. In the context here, Rackspace is not a merchant.

The PCI_HowTo.pdf that they have recommends the use of Authorize.Net with the SIM API. Using the SIM API, card data never touches the merchant's systems. The customer is directed to a hosted checkout page on Authorize.Net and the results come back to the merchant site with any cardholder data masked. If the SIM API is used, the merchant can use SAQ A to meet Visa CISP validation requirements. For due diligence, they just need to ensure that Authorize.Net is PCI DSS compliant in their contracts.

But the problem here is that it’s recommended.

If the merchant web site uses a payment processing procedure where their site touches cardholder data, they are in scope of PCI DSS. At this point, Rackspace potentially can be considered a Service Provider or what Visa calls a Third Party Agent (TPA). It is ultimately the merchant's responsibility to be compliant with the PCI DSS for ALL REQUIREMENTS. They can do this directly with things they can control, including the web application security of all software they run (e.g. shopping cart software). Anything outside of their control, such as server OS maintenance and physical security of the server, needs to be included in the merchant's contract with Rackspace. Getting a copy of Rackspace's SAQ or ROC (Report on Compliance) is not enough! If card data from a merchant's processing web site gets compromised because Rackspace gets compromised, the merchant will get the fines due to the chain of contractual liability. It won't matter if Rackspace was validated. It is up to the merchant to be able to turn around and sue to recover damages from Rackspace at that point.
