Cloud Computing and PCI Compliance

Here is a topic that is starting to gain traction with a lot of organizations.  However, it is a solution that is fraught with danger, particularly when it comes to PCI compliance.

First, we need to define cloud computing.  Cloud computing is essentially similar to grid computing in that it leverages the computing power of multiple CPUs to execute applications.  As usual, what goes around comes around.  If cloud computing sounds familiar, the best analogy I can give is the old mainframe.  Only instead of a single system with multiple CPUs, we are using virtualization technology and one or more instances of Windows, Linux, UNIX, etc.

Where the cloud computing model starts to go awry is in how it is implemented.  In order to keep costs low, cloud computing environments typically run one copy of an application in a single environment, serving multiple organizations as separate instances.  In this scenario, multiple organizations will be using an application like Oracle Financials, but each organization is running as its own instance on the same virtual machine.  To make matters worse, their data are being stored in the same Oracle database instance but, obviously, in different tables.

A lot of you are now saying, so what?  The “so what” is the lack of segregation between organizations.  If your organization is using Oracle Financials as a PCI in-scope application and other organizations are running their applications on the same logical system, then your application and theirs are all in scope.  Do you think those other organizations are going to be willing to let your auditors examine their organization and applications?  Probably not.

Okay, so we will require our application to be logically separated from those of other organizations.  While you can do that, you are now looking at the ASP (application service provider) model of computing, and you are not going to get the cost advantage of cloud computing.
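As an added illustration (this is not code from the original post; the tenant names "acme" and "globex" and the transaction rows are constructed sample data, not real cardholder data), the following Python script contrasts the two models described above. In the shared-instance model, one table holds every organization's records and segregation is nothing more than a WHERE clause in the application: every co-tenant is on the same logical system, and one code path that forgets the filter returns another organization's rows. In the logically separated model, each tenant has its own database, so the same careless query can only ever reach that tenant's own data.

```python
import sqlite3

# Constructed sample data (not real cardholder data): transactions for two tenants
# that, in the shared-instance model, live in one table of one database.
SHARED_ROWS = [
    ("acme",   "2009-10-01", "4242", 120.00),
    ("acme",   "2009-10-02", "1111", 45.50),
    ("globex", "2009-10-01", "9999", 300.00),
]


def build_shared_db():
    """Shared-instance model: one database, one table, tenants told apart only by tenant_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE card_transactions "
        "(tenant_id TEXT, txn_date TEXT, pan_last4 TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO card_transactions VALUES (?, ?, ?, ?)", SHARED_ROWS)
    return conn


def co_tenants(conn):
    """Every organization whose data sits on the same logical system; in the
    shared-instance model all of them land in PCI scope together."""
    cur = conn.execute("SELECT DISTINCT tenant_id FROM card_transactions ORDER BY tenant_id")
    return [row[0] for row in cur.fetchall()]


def shared_read(conn, tenant, scope_by_tenant=True):
    """What one tenant's application instance reads from the shared table.
    Segregation here is only a WHERE clause; drop it and every tenant's rows come back."""
    if scope_by_tenant:
        cur = conn.execute(
            "SELECT tenant_id, pan_last4, amount FROM card_transactions WHERE tenant_id = ?",
            (tenant,),
        )
    else:
        cur = conn.execute("SELECT tenant_id, pan_last4, amount FROM card_transactions")
    return cur.fetchall()


def other_tenants_exposed(rows, tenant):
    """Tenants other than `tenant` whose rows appear in a result set."""
    return sorted({row[0] for row in rows} - {tenant})


def build_separated_dbs():
    """Logically separated model: one database per tenant. A connection opened for
    one tenant has no table holding anyone else's data, so no query can reach it."""
    dbs = {}
    for tenant in sorted({row[0] for row in SHARED_ROWS}):
        conn = sqlite3.connect(":memory:")
        conn.execute(
            "CREATE TABLE card_transactions (txn_date TEXT, pan_last4 TEXT, amount REAL)"
        )
        conn.executemany(
            "INSERT INTO card_transactions VALUES (?, ?, ?)",
            [row[1:] for row in SHARED_ROWS if row[0] == tenant],
        )
        dbs[tenant] = conn
    return dbs


def separated_read(dbs, tenant):
    """The same 'forgot the tenant filter' query against a separated database:
    it can only ever return that tenant's own rows."""
    cur = dbs[tenant].execute("SELECT pan_last4, amount FROM card_transactions")
    return cur.fetchall()


if __name__ == "__main__":
    shared = build_shared_db()
    print("co-tenants sharing the in-scope system:", co_tenants(shared))
    print("acme, scoped query, other tenants exposed:",
          other_tenants_exposed(shared_read(shared, "acme"), "acme"))
    print("acme, filter forgotten, other tenants exposed:",
          other_tenants_exposed(shared_read(shared, "acme", scope_by_tenant=False), "acme"))
    separated = build_separated_dbs()
    print("acme, separated DB, rows visible:", len(separated_read(separated, "acme")))
```

The design point for an assessor is the difference between the two `*_read` functions: in the shared model the control that keeps one organization away from another's cardholder data lives in application code that every co-tenant's instance shares, which is exactly why those co-tenants cannot be excluded from scope; in the separated model the boundary is the database itself.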

As a side note, the media have recently reported a number of cases where one of the organizations in the cloud was conducting something illegal, and law enforcement raided the data center and seized all of the cloud computers involved, as well as the disk and tape storage, as evidence.  Organizations that were not involved were effectively put out of business, as their systems were now evidence.  In a number of these cases, the organizations attempted to get their portion of the systems released and were rebuffed by the courts.  So, keep this in mind when you start looking at cloud computing.


October 2009