It looks like it’s been a busy couple of weeks for the Council! We saw their release of the eCommerce guidelines, which had some good nuggets while missing the key point of understanding the contracting process for scoping. Now we have the release of the Cloud Guidance, the latest SIG to conclude and publish a report. Read this post, then check out StorefrontBacktalk’s post, then go download the document.

King Cloud, by akakumo


First, let’s highlight the good stuff. There are some great charts that attempt to give examples of how responsibilities might be allocated depending on your setup. Go through these as a benchmark, but instead of taking their defaults as gospel, validate them with your CSP using Appendix C. They reference NIST SP800-144 quite a bit, which is great. We know there is solid guidance in that SP, so having them build from that foundation is not a bad thing. There is also an extensive reference list at the bottom of the document for additional reading, with some GREAT nuggets in it. Appendix D is also great, as it supplies discovery questions for those trying to understand where they sit.

Now for the not-so-good. First off, the SIG’s guidance in section 4.5 to essentially avoid the cloud is short-sighted and foolish. It’s reminiscent of Digital being stuck in the mini and IBM believing that Big Iron is the only platform to use. Readers of this document inherently know that it wouldn’t apply to them if they didn’t use cloud services, so it’s simply a waste of space. What would have been helpful is better guidance, with examples of how companies are doing it well.

Secondly, the whole concept of a shared infrastructure was only addressed by way of “LOOK OUT!” The community needs better guidance on how to deal with multi-tenancy as a reality of how businesses operate and grow.

The Storm is Coming, by innoxiuss


Along those lines, the document suggests dedicated infrastructure as a solution to this problem. We are in a day and age when we can build controls into the underlying infrastructure and show it to be compliant, such that a mixed-mode type of operation can work just fine in the face of PCI DSS. The mere fact that they suggest standing up separate infrastructure as a way to leverage cloud demonstrates their lack of understanding of why companies deploy cloud infrastructure in the first place.

Finally, they didn’t even mention SCAP, which is a promising technology that companies and assessors could use in real time to determine the compliance status of a set of services supplied by a CSP. If the CSP actually has the controls in place, it should have no issue exposing SCAP to you for this purpose.

Ultimately, much like the eCommerce guidance, it is simply a guidance document that has some beneficial tools mixed with neutered advice on how to make things operate in the real world. It’s worth a read, but certainly talk with your QSA and CSP on how you can leverage these technologies and comply with PCI DSS.

This post originally appeared on BrandenWilliams.com.