The objective of this post is to think over how the Guideline published byPCI Security Standards Council to clarify the compliance with PCI-DSS when using cloud computing services (" title="pdf del guideline" href="https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf" target="_blank">pdf) affect the ICT services security rating.

First, we would like to remember that actual security rating methodology includes special levels in confidentiality dimension to show compliance with PCI DSS. Those levels can be distinguished by the an asterisk (*), it means, services with a rating C*-- or higher are suitable to store, process or transmit cardholder data according to PCI DSS.

Once said this, we highlight the contributions that rating makes to those that, using cloud services, needs to comply with PCI DSS:

  • The guideline indicates the importance to identify all providers that participate in the service provision because it is essential to clarify the scope. Leet security methodology makes the rating of a service depends on all the providers in the supply chain. Therefore, a service with an 'X' rating implies that all the providers involved have, at least, that level.
  • Also related with the scope, the guideline highlight the need for the provider to clearly define what has been included in its compliance assessment. In this case, the methodology we propose obligues to make this check before calculating the rating, so the user can trust that if a service has a rating enough to manage cardholder data, all the relevant components have been evaluated.
  • One of the main principles of the document is the clear delimitation of responsibilities between user and provider. This aspect is essential in any cloud service so, for this reason, it is also included in the rating guide, making that rated services clarify that information as SLAs.
  • Finally, the guide also highlight the need for the vendor to provide mechanisms for the user to check ongoing compliance with PCI DSS. Related to this issue, the agreement between the rating agency and the provider, obligues the vendor to notify any incident that has o could affect the service rating (and hence its compliance with PCI DSS); in short, the agency is responsible of continuous monitoring on behalf of the client.
As summary, we have shown how the security rating of a provider provides mechanisms to the cloud computing users to ease them being compliant with PCI DSS.

You can follow us on twitter.com/leet_security

6 de marzo de 2013