Portable Security: Moving From Brick and Mortar to the Cloud
Cloud computing has radically changed the way that companies do business. Small companies can leverage economies of scale that would otherwise be unavailable to them. Larger companies can introduce operational efficiencies across geographically dispersed networks and architectures. Employees can access important files regardless of their location, which enables collaboration among offices and employees that are not in the same place. Companies of both sizes can take advantage of virtually unlimited storage capacity.
The electronic payments industry, like many other verticals, quickly realized that the cloud could be beneficial: relatively small investments could return increasingly large profits. Companies began offering what is often referred to as “cloud payments.” These SaaS gateways allow companies to add payment processing capabilities without hosting anything internally, which lets smaller merchants get up and running quickly and lets larger merchants realize operational efficiencies that might not otherwise be available. A cloud payment provider can connect to multiple processors to ensure uptime and connectivity, while the merchant need only connect to the cloud provider.
Moving to the cloud, though, may lead some to question the relative security of that solution compared with old-fashioned payment systems firmly planted on solid ground. Payment security is a requirement regardless of where the transaction originates. Whether the payment takes place at a register or through the “cloud,” the mandate to protect the data does not change. At the end of the day, all card payments are subject to the Payment Card Industry Data Security Standard (PCI DSS). Whether responsibility for that compliance falls to the merchant or to the service provider depends on how the payment system is implemented, but the transaction itself must still be protected. Unfortunately, organizations often believe that different acceptance methods do not require the same level of security. This has become especially apparent in the realm of mobile payments.
The fact is that companies are moving from traditional network environments to mobile computing and cloud computing. The temptation is to create a separate security policy for each of these environments. Layering a separate policy on each environment can make security more difficult, because experience has shown that added complexity tends to increase vulnerabilities. So how do companies take advantage of the multiple options available to them without scrimping on security? The answer lies in developing portable security policies.
The phrase “portable security policies” in this instance does not refer to policies for portable devices, but rather to policies that can be implemented across computing environments. Whether that environment consists of traditional network components or resides in the cloud, the same security policies follow. From a pure policy perspective that sounds fairly reasonable. From a technology perspective it can be difficult to achieve, because portable security requires that policies be technology neutral: they must state what is protected and to what standard, not which product does the protecting. That is what makes maintaining security across heterogeneous platforms so difficult.
The question, then, is this: if we are moving computing (and particularly payments) to the cloud, what factors should the decision process include from a security perspective?
What security and privacy policies does the merchant have in place today, and what are those of the prospective cloud provider? Explicitly understanding how the merchant would protect the data if it were stored in its own environment sets the criteria for selecting a cloud provider that can support those policies. Merchants should also make sure they clearly understand the security and privacy policies of the prospective provider; nothing should be assumed about what the provider’s policies actually mean in practice.
Some cloud providers are only that: cloud providers. They offer storage or computing capacity and rely on their customers to secure their own data. In this instance, merchants should be prepared to create and implement a detailed cloud security plan and to work with vendors that can support cloud computing environments. This matters not only for maintaining security but also for calculating an accurate return on investment: if a merchant has to invest heavily in security infrastructure just to move into the cloud, that cost may outweigh the benefit.
This question is particularly important if the merchant plans to store or transmit any sensitive data through the cloud environment. Personally Identifiable Information (PII), Protected Health Information (PHI) and cardholder data in the cloud must be protected, and it must be determined where liability resides, with the data owner or with the entity storing the data. In the payment card industry, using a compliant, validated and registered service provider can reduce a merchant’s exposure, but it does not transfer responsibility: PCI DSS still requires the merchant to confirm the provider’s compliance status and to hold a written agreement that spells out which requirements each party handles, and liability for a breach is ultimately governed by the merchant’s contracts with the provider and its acquirer. Merchants should therefore settle this question before contracts are signed. For PII and PHI, responsibility may be set out in legislation, but it is still important to discuss it with the potential cloud provider.
In payments the idea of cloud computing is not necessarily new, though the terminology is; merchants have been outsourcing their payment functions for years. More recently, with the advent of point-to-point encryption (P2PE) and tokenization, merchants have come to appreciate the security advantages of “cloud” payments: card data can be encrypted at the point of capture and replaced with a token, so that it never sits in the merchant’s own systems in usable form. More often than not, though, the cloud is associated with mobile payments, and opinions vary widely on the security of the cloud with respect to payments. Forbes Magazine published an article in February 2012 entitled “Mobile Payments: Life is More Secure in the Cloud.” Two months later, in April, the same magazine published an article called “Mobile Payments: Why the Cloud Life is More Insecure.” The second article was written as a response to the first, but the point remains: two experts in mobile and digital wallets have radically different views on how secure the cloud is for mobile payments.
This has certainly been said before (I know it has been said by this author ad nauseam), but it bears repeating: new technologies must always be evaluated not just on the business benefits they may provide, but also with an eye toward the impact that the new technology can have on compliance and security postures. Cloud computing and cloud payments certainly can bring tremendous advantages, but these must be weighed against the new vulnerabilities they may introduce. If a move to the cloud is being considered, a visit to the Cloud Security Alliance (CSA) may be worthwhile. The CSA is a not-for-profit industry alliance whose mission is to promote best practices for securing cloud environments.
It is also important to do your due diligence when using a cloud payment provider. Ensuring that the provider is PCI DSS validated and registered as a service provider with the card brands can save an organization a great deal of trouble with respect to compliance. The important thing to remember is that while these new technologies may be convenient, they should always support your compliance, security and privacy posture. If they add liability to your position, the costs of the cloud may outweigh the benefits.
Dr. Heather Mark, PhD is the Senior Vice President for Market Strategy at ProPay, Inc. ProPay is a leading provider of complete, end-to-end payment security solutions. Dr. Mark can be reached at firstname.lastname@example.org.