Cloud Computing and PCI Compliance

Here is a topic that is starting to gain traction with a lot of organizations.  However, it is a solution that is fraught with danger, particularly when it comes to PCI compliance.

First, we need to define cloud computing.  Cloud computing is essentially similar to grid computing in that it leverages the computing power of multiple CPUs to execute applications.  As usual, what goes around comes around.  If cloud computing sounds familiar, the best analogy I can give is the old mainframe.  Only instead of a single system with multiple CPUs, we are using virtualization technology and one or more instances of Windows, Linux, UNIX, etc.

Where the cloud computing model starts to go awry is in how it is implemented.  In order to keep costs low, cloud computing environments typically run one copy of an application in a single environment, with each customer served as a separate instance of that one copy.  In this scenario, multiple organizations will be using an application like Oracle Financials, but each organization is running as its own instance on the same virtual machine.  To make matters worse, their data are being stored in the same Oracle database instance, just in different tables.

A lot of you are now saying, “So what?”  The “so what” is the lack of segregation between organizations.  If your organization is using Oracle Financials as a PCI in-scope application and other organizations are running their applications on the same logical system, then your application and theirs are all in scope.  Do you think those other organizations are going to cooperate and let your auditors examine their organization and applications?  Probably not.

Okay, so we will require our application to be logically separated from the other organizations.  While you can do that, you are now looking at the ASP model of computing, and you are not going to get the cost advantage of cloud computing.

As a side note, the media have recently reported on a number of cases where one of the organizations in the cloud was conducting something illegal, and law enforcement raided the data center and took all of the cloud computers involved, as well as the disk and tape storage, as evidence.  Organizations that were not involved were effectively put out of business because their systems were now evidence.  In a number of these cases, the organizations attempted to get their portion of the systems released and were rebuffed by the courts.  So, keep this in mind when you start looking at cloud computing.


October 2009