CipherCloud Unveils Steps to Achieve PCI Cloud Data Security Standard
CipherCloud Unveils Steps to Achieve PCI Cloud Data Security Standard
On the heels of PCI Council's guidance for cloud and SaaS,CipherCloud provides
in-depth strategy for protecting data in the cloud
SAN JOSE, Calif., Feb. 9, 2013 (GLOBE NEWSWIRE) -- Today, CipherCloud, the
leader in cloud information protection, announced five steps for achieving PCI
DSS compliance in the cloud to complement the PCI Council's newly released
cloud computing guidelines for organizations that store, process or transmit
cardholder information in any cloud environment including SaaS, PaaS, IaaS and
hosted email. The Council's 52-page guidance calls for shared responsibility
between cloud providers and cloud customers, including banks, merchants,
service providers, and payment processors to ensure that cardholder data is
protected and PCI-DSS compliant.
While the document advocates shared responsibility between cloud providers and
customers, the recommendation lays out new security responsibilities for cloud
customers to protect their cardholder data according to applicable PCI DSS
requirements. It also specifies that customers need to understand and have a
level of oversight and visibility into their cloud provider's security
functions.
In the absence of these new guidelines, cloud customers assumed that the cloud
provider satisfied many of the PCI requirements and they started to rely on
cloud providers to take care of most of the PCI requirements. This new
guidance is an eye-opener as it clarifies that cloud customers cannot shift
responsibility to their cloud providers. Cloud customers are still responsible
for ensuring their cardholder data is secure.
Under the new guidelines, cloud customers who have been hesitant to go to the
cloud now have clear guidance and choices: encrypt their cardholder data
before sending it to cloud to minimize PCI scope, send their unencrypted
cardholder data to the cloud and thus extend the PCI DSS scope to the cloud
service, or refrain from sending their cardholder data to the cloud.
CipherCloud's recommendations for safeguarding cardholder and payment
information and complying with the new PCI Cloud security guidelines include:
-- Cloud Encryption of Cardholder Data: As noted by the PCI Council, "ensuring
that clear-text account data is never accessible in the cloud may also assist
to reduce the number of PCI DSS requirements applicable to the cloud
environment." This can be achieved by applying the CipherCloud gateway to
encrypt sensitive pieces of cardholder information transparently in real time
before they are sent to the cloud using operations-preserving encryption and
tokenization that do not impact the usability of the applications.
-- Customers Retain Encryption Key Control: With CipherCloud's approach
encryption key management remains in the hands of the cloud customers. This
contrasts sharply with other approaches in which the cloud provider retains
control over the keys that can decrypt cardholder information. This ensures
that payment information remains secure even if a cloud provider is
compromised.
-- Key Management: The keys need to be stored and managed independently from
the encrypted data. At a minimum they should be maintained in a completely
separate network segment, and preferably not accessible by the cloud provider.
-- Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of
cloud operations, it may not be known in which country the information is
actually stored and whether it's accessible by foreign authorities and system
administrators. This may result in concerns over data ownership and potential
conflicts between domestic or international jurisdictional and regulatory
requirements. By encrypting the data before sending it to the cloud, cloud
customers using CipherCloud can be assured that no information will be shared,
even with law enforcement, without their direct involvement.
-- Restrict Business Card Holder Data On Need-to-Know Basis: By exclusively
controlling the decryption keys, the data owner can be confident that all data
access is controlled by their own authorized personnel and will comply with
the organization's internal need-to-know policies. No one at the cloud
provider can access the information.
"These new PCI Cloud guidelines are very helpful," said Pravin Kothari,
founder and CEO of CipherCloud. "They provide very important clarifications to
cloud customers as to their responsibility for protecting their cardholder
data in the cloud, as well as defining clear steps for customers that have
been hesitant to adopt the cloud on how to do so."
CipherCloud has more than 1.2 million users and protects more than 100 million
customer records around the globe. CipherCloud's 256-bit encryption gateways
protect data in the cloud and put control of the encryption keys in the hands
of the customer, ensuring that organizations retain control over data in
transit and at-rest in the cloud.
About CipherCloud
CipherCloud, the leader in cloud information protection, provides cloud
encryption and tokenization gateways to enable organizations to securely adopt
cloud applications by eliminating concerns about data privacy, residency,
security, and regulatory compliance. CipherCloud's ground breaking gateway
encrypts sensitive information in real time, before it's sent to the cloud,
using operations-preserving encryption and tokenization technology without
impacting usability or the application in any way.
The CipherCloud product portfolio supports popular cloud applications
out-of-the-box such as Salesforce, Force.com, Chatter, Google Gmail, Microsoft
Office 365, and Amazon AWS. Additionally, CipherCloud Connect AnyApp and
Database Gateway enable organizations to extend data protection to hundreds of
third-party cloud and private cloud applications and databases.
CipherCloud is backed by premier venture capital firms including Andreessen
Horowitz, Index Ventures, and T-Venture, the venture capital arm of Deutsche
Telekom. For more information, visit www.ciphercloud.com and follow us on
Twitter @ciphercloud.
CONTACT: Deb Montner
Montner & Associates, Tech PR
203-226-9290
dmontner AT montner.com
dmontner@montner.com
CipherCloud
Sponsored Links
Advertisement
Advertisements
Sponsored Links
Advertisement
Rate this Page