"the auditors are different in their understanding of the guidelines" -
that's the tricky bit. PCI DSS is more of a guidance than a rigid and
defined set of rules. True, there are rules but many are open to
interpretation. There have been many arguments over whether or not shared
infrastructure can be truly segmented and this extends not only to
hypervisors but also to networking technologies such as VLANs and MPLS
where multiple organisations share a common medium. The PCI Council have
tried to address some of these issues with what they call 'information
supplements' but they're still not 100% prescriptive.

There is also the concept of a 'compensating control' where, should you
not be able to satisfy a requirement, you may be able to put other
controls in place which satisfy the intent of the original control. This
is not a good way to do it but could help as a last resort.

If you are acting as a service provider, you should probably work with a
QSA to put together your AOC and to document as much as possible so that
should a client's QSA come calling, you have everything in place to hand
over.

Basically, there's little to stop Cloudstack being part of an in-scope
cardholder data environment but how you do it may be. As has already been
mentioned, there's no silver bullet to certify a technology as compliant,
only the company can be compliant and this is ultimately the end customer,
not the service provider.

-----Original Message-----
From: Chip Childers [mailto:[email protected]]
Sent: 24 April 2014 14:57
To: [email protected]
Subject: Re: Cloudstack with PCI compliance

CloudStack itself can never be PCI *compliant*...  only a company can be.
CloudStack can certainly be part of the technical architecture for an IT
environment (or service provider environment) that is being audited for
overall organizational compliance.

A service provider that offers a CloudStack-based cloud is also,
similarly, unable to really offer "compliance" for their customers.
They are only able to fulfill certain aspects of the required set of
controls, and support their customers during the PCI audit process *of
their customers*.

There really isn't a silver bullet here...  you have to have your own
answers for how the required controls are implemented (and for many, there
is an infinite number of possible implementation designs).

As for the docs for a "cloud" environment, check out:
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

Keep in mind that it will absolutely depend on how things are being
audited.  Is the "CloudStack Cloud" external to the org trying for
compliance?  If so, the doc above would be the right choice for where to
start.  Is the CloudStack environment controlled by the org attempting
compliance?  If so, it's likely a combination of the Cloud Guidelines and
the Virtualization supplemental info.

Your best bet is to work with someone that knows the PCI process, and gets
how the controls are typically evaluated by the various auditors.
I've been through this before, and I can tell you that even the auditors
are different in their understanding of the guidelines.

-chip

On Thu, Apr 24, 2014 at 08:49:30AM -0400, Tim Mackey wrote:
> The real problem is in defining what is "in-scope" and "out-of-scope",
> and avoiding "mixed-mode".  This document (
> https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf
> ) provides a pretty good read of the suggested rules of the
> road for virtualization, but I'm not aware of a similar doc covering
> cloud.  Things like network topologies can mess stuff up quite
> quickly, and it's probably best to involve the customer's PCI QSA in
> the design.  A couple months back I was asked to comment on a pure
> XenServer environment for mixed-mode operations and the
> customer-accepted solution required both VLANs and OVS policy definition to
> secure cardholder data and meet the QSA goals.  Read that as "it's
> quite complicated and prone to opinions rather than hard standards"
>
> -tim
>
>
> On Thu, Apr 24, 2014 at 8:34 AM, Sebastien Goasguen
> <[email protected]> wrote:
>
> >
> > On Apr 22, 2014, at 5:52 AM, Uwe Kastens <[email protected]>
> > wrote:
> >
> > > Hi there,
> > >
> > >
> > > That would be interesting for me as well
> > >
> > > Kind Regards
> > >
> > > Uwe
> > >
> > >
> > >
> > > 2014-04-21 19:31 GMT+02:00 Upendra Moturi <[email protected]>:
> > >
> > >> Hello Team,
> > >>
> > >> Has anyone worked on making CloudStack PCI compliant?
> > >> Can you please point me to some documentation?
> > >>
> >
> > Haven't worked on it and over my head, but that's a big question. I
> > actually asked a friend on twitter :) The answer was interesting
> > "CloudStack can facilitate PCI compliance but not *be* PCI
> > compliant"
> >
> > -sebastien
> >
> >
