Compliance is the most significant issue confronting organizations looking at a move into the cloud, and there is good reason for the hesitation it engenders. Some regulations and standards are simply incompatible with the shared virtualization and shared hosting environments that make up most cloud infrastructures. An organization can address most of these concerns with a hybrid infrastructure: the regulated components stay on dedicated systems, and everything else runs in the cloud.
I personally run into the most questions around PCI compliance in the cloud. The question is, "Can you be PCI-compliant in the cloud?" While I don't have any authority to certify anyone as PCI-compliant, I can offer up a number of recommended architectures that can support PCI compliance for pure-cloud infrastructures.
The best way to make PCI compliance work is not to handle credit card data at all. The best way not to handle credit card data is to leverage a cloud-based billing system like Zuora or Aria to process your credit card data for you. These systems provide API-based mechanisms for executing transactions and will also host your credit card entry page for you as an iframe or a redirect. When they host the page, the card number travels from the customer's browser straight to the provider; your own systems receive only an opaque token and display fields such as the card brand and last four digits, so you never touch cardholder data with any of your own technology.
A large number of organizations executing transactions on the Internet are PCI merchant level 4, the lowest transaction-volume tier, which validates through a self-assessment questionnaire rather than an on-site assessment. (The levels are set by annual transaction volume; what you store determines how much of your environment is in scope, not which level you are.) The key for these merchants is to avoid storing credit card data. If you are executing one-time transactions, you can accomplish this objective by submitting transactions via web services directly to a credit card processing gateway without storing that data anywhere locally, not even in logs or error reports. This processing can be done inside the cloud or outside the cloud.
The challenges begin when you need to store credit card data, for example for recurring billing. Again, a cloud provider of billing systems like Zuora or Aria will help you manage secure storage of credit cards in the cloud without forcing you to develop your own credit card storage systems. They will store the credit card data and manage any recurring transactions for you; you keep only the token that references the stored card.
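The token-only architecture described above depends on raw card numbers never reaching your own code, even by accident (a customer pasting a card number into a "notes" field, a front-end change that posts the number to your server instead of the provider's iframe). The following is an added example, not code from the original page or from any billing provider: a server-side guard that accepts a payment request only if it carries a provider token, scans every string in the request for Luhn-valid card-number patterns, and rejects the request with a masked (first six, last four) reference rather than logging the full number. The field names (payment_token, brand, last4, amount_cents) and the sample requests are assumptions constructed for the example.

```python
"""Guard that keeps raw card numbers (PANs) out of an application that is
supposed to handle payment-provider tokens only.

Added example. Assumes the provider's hosted payment page returns an opaque
token plus display-only fields (brand, last4); those field names are
assumptions, not any real provider's API.
"""
import json
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run, so 20-digit order ids and similar are not candidates.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit strings in text that look like card numbers and pass Luhn.
    A 13-digit timestamp has roughly a 1-in-10 chance of passing Luhn, so
    treat hits as 'investigate', not proof; rejecting the request is still
    the safe default for a system that must never hold cardholder data."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """First six and last four digits only: the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardholderDataError(ValueError):
    """Raised when a request would bring cardholder data into this system."""


def _strings_in(obj):
    """Yield every string (and numeric value, as text) in a parsed JSON body."""
    if isinstance(obj, bool):
        return
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (int, float)):
        yield str(obj)
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings_in(k)
            yield from _strings_in(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _strings_in(v)


def accept_payment_request(body: bytes) -> dict:
    """Parse a JSON payment request and return only what we are allowed to keep.

    Rejects the request if any field contains a PAN, or if no provider token
    is present. The error message carries masked numbers only, so it is safe
    to write to an application log."""
    payload = json.loads(body)
    pans = [p for s in _strings_in(payload) for p in find_pans(s)]
    if pans:
        raise CardholderDataError(
            "raw card number(s) received: " + ", ".join(mask(p) for p in pans))
    token = payload.get("payment_token")
    if not isinstance(token, str) or not token:
        raise CardholderDataError("payment_token missing")
    last4 = str(payload.get("last4", ""))
    if last4 and not (last4.isdigit() and len(last4) == 4):
        raise CardholderDataError("last4 must be exactly four digits")
    # Only the token, display fields and amount are retained or forwarded to
    # the gateway; nothing here is cardholder data under PCI DSS.
    return {
        "payment_token": token,
        "brand": payload.get("brand"),
        "last4": last4,
        "amount_cents": int(payload["amount_cents"]),
    }


if __name__ == "__main__":
    # Constructed sample requests: one clean, one smuggling a test card number.
    print(accept_payment_request(
        b'{"payment_token":"tok_abc","brand":"visa","last4":"1111","amount_cents":1999}'))
    try:
        accept_payment_request(
            b'{"payment_token":"tok_abc","amount_cents":1999,"notes":"card 4111 1111 1111 1111"}')
    except CardholderDataError as e:
        print("rejected:", e)
```

Run this guard at the edge of every service that can receive customer input, not just the checkout handler, and alert on hits: a steady stream of rejected requests usually means a front-end change has started posting card numbers to you instead of to the provider, which is exactly the scope creep the hosted-page design is meant to prevent.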
Where the cloud will fail you is a scenario in which you elect to store credit card data yourself. In that situation every system that stores, processes, or transmits the data is in scope for the full PCI DSS, including the requirements for protecting stored cardholder data, and you will have to demonstrate to your acquirer or assessor that the hosting environment meets them. That is probably not attainable on shared, virtualized servers like those that make up the Amazon cloud unless the provider has itself been assessed as a PCI DSS service provider and gives you a written breakdown of which controls it covers and which remain yours. Your systems storing credit card data would therefore need to be on servers outside the cloud or in dedicated virtualized environments like those offered by Rackspace and GoGrid.
However you approach credit card management, you also need to make sure you are taking appropriate precautions for your front-end systems, some of which tools like enStratus automate for you, including:
- Appropriate use of encryption, in transit and at rest
- Host intrusion detection
- Keeping credentials outside of the cloud
- Securing your web applications