
PCI compliance in the cloud: The responsibility of data security


Cloud computing provides organizations with a way to reinvent their IT systems, replacing legacy hardware with services that scale according to business needs. Nowadays, the cloud acts as a differentiator between the best and the worst businesses, and every day it becomes more critical to take advantage of hosted infrastructure and software. While the benefits of the cloud are too numerous to count, there is a downside to public services: organizations forfeit a level of control over data security.

For some, the lack of control doesn't matter, but to retailers, banks, financial services and many other firms in related sectors, cloud data security is a major concern. After all, any organization that deals with payment card data must comply with the Payment Card Industry's Data Security Standards. In brief, the PCI Security Standards Council stated that protecting sensitive, personally identifiable information and payment card data is a shared responsibility between cloud service providers and their customers, and this is especially true in hybrid environments - one of the most popular types of cloud deployment models.


Where's the data and who's protecting it?
Leveraging the cloud and adhering to PCI DSS at the same time is a difficult thing to master, as there are many considerations to worry about in regard to responsibility and management. Many cloud services are not compliant with PCI regulations, but once a compliant CSP is found, organizations must determine the scope of each other's responsibilities. Businesses will need to ask vendors for detailed information on data security and how it is conducted in their hosted environments. For example: Is a CSP's encryption strong enough? What kind of systems is it using? How will intrusions be detected?

Furthermore, ComputerWeekly explained that PCI DSS 3.1 - the newest set of guidelines - requires organizations to map all of their data and the route that it takes through internal systems. The source highlighted the difficulty of mapping data in an era when information is generated every second, asserting that data must travel through firewalls, to mobile networks, into the cloud, between systems and so on. There is just too much data to protect throughout its lifecycle, and when it's traveling to hosted data centers, that sensitive information will be at its most vulnerable. It's up to data owners to ensure that everything is secure regardless of its location.

The solution
The PCI SSC recommended avoiding the cloud when it comes to payment card data, suggesting that organizations simply not rely on cloud services for backup, storage or computing if the information involved could lead to a data breach. However, this is just not possible for some businesses nowadays.

The best solution to payment card data security lies in encryption. PCI DSS requires this practice, but organizations should go beyond those standards and choose a tool such as CloudMask. Simply put, even with shared responsibility, CSPs should not be trusted with personally identifiable information. CloudMask will encrypt payment card data before it is stored in the cloud, ensuring that vendors cannot access this information, even if they wanted to. This solution is easy to work with when mapping data as well, since CloudMask will guarantee that all data is encrypted while at rest and in transit.

Protection Under Breach

With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.


Watch our video and demo at www.vimeo.com/cloudmask