Magazine article American Banker

Cloud Computing Security Rules Put Responsibility on Users

Article excerpt

Byline: Penny Crosman

The PCI Security Standards Council, the payment card security standards forum based in Wakefield, Mass., has published guidelines for protecting sensitive data in the cloud. Although the advice was written to protect card information, the same principles could be applied to any data stored remotely.

The PCI Data Security Standard Cloud Computing Guidelines are detailed and spell out who -- client or cloud service provider -- has responsibility for which security controls under each service model. For instance, installing and maintaining a firewall to protect cardholder data (PCI DSS Requirement 1) would be a shared responsibility between client and provider under infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) configurations, because the client still configures and operates part of the network and host stack. But for software-as-a-service (SaaS), in which the cloud provider hosts and operates the application delivered over the web, the firewall would be the sole responsibility of the provider, the PCI Council has decided. Even where a control is assigned to the provider, the client remains accountable for confirming that it is in place, typically through the provider's own PCI DSS validation and the contract or service agreement.

An overarching theme of the guidelines is that users of cloud services should not assume their cloud providers will take care of security for them. "Cloud security is a shared responsibility between the cloud service provider and its clients," the report states.

"As they should, the rules put some onus on the cloud service provider and some on the client," observes Anton Chuvakin, research director at Gartner. "In general, a client has more responsibilities and the document reflects that correctly."

Many companies adopting cloud services have relied on their cloud providers to take care of PCI compliance, notes Pravin Kothari, CEO and founder of CipherCloud, a San Jose company that provides encryption for cloud computing arrangements. "This guidance is an eye opener for these people, because it clearly says that clients cannot blame cloud providers. The client is still responsible for ensuring the cardholder data is secure."

PCI DSS rules in general are intended to protect cardholder data from theft or illegal use; encrypting stored and transmitted cardholder data is one of the standard's central requirements, alongside controls such as network protection, access restriction, and logging and monitoring. …
