Why Outsiders Cannot Get Into Enterprise Class Data Center
One of our customers once noticed that the data center has a rather strict access procedure: he could not walk up to his rented servers without first confirming his identity and being accompanied by operations engineers.
However, this is not our own invention. These are the rules for data center providers certified for compliance with the Payment Card Industry Data Security Standard (PCI DSS). It may seem that securing bank transactions has nothing to do with commercial data center services, but it actually does.
What is PCI DSS and why comply?
Some time ago, the world's largest payment service providers, including Visa and MasterCard, joined efforts to develop a standard for everyone who processes bank card transactions. In order to elaborate common industry requirements, the companies established the Payment Card Industry Security Standards Council. The first regulations were issued as early as 2004.
Although industry-specific at first sight, the standard applies not only to financial institutions but also to cloud providers, since it is designed to ensure security compliance and end user protection. The standard comprises 12 sections covering all stages, from permit-based data center access to the processing of transactions and the storage of transaction history.
If a company accepts Visa and MasterCard payments, say, in its online store and opts for the cloud, it should check whether the provider's data center meets all the PCI DSS requirements, and if it does not, refrain from such cooperation.
How to get certified?
The certificate is valid for one year only and is granted after an inspection by an accredited auditor, who has to be engaged again once the term expires.
The audit duration depends heavily on how many times the provider has already undergone PCI DSS certification. It now takes our company 1-2 weeks on average to pass the audit, since we prepare for it on a regular basis and adhere to all the requirements, while our first certification required a lot of effort and lasted several months.
PCI DSS covers technical and organizational issues related not only to the cloud and the data center, but also to the company as a whole. That is why our cross-functional team included technical experts in information security, cloud and data center specialists, representatives of the Internal Automation Department, and others. The first audit was a challenge not only because it was our first experience, but also because the data center underlies our proprietary cloud, which is built on open source products.
In the case of data centers and the cloud, our company is in charge of design, development and operation, and therefore these three areas are under audit. PCI DSS consultants conduct interviews, check documents, and inspect the operation of systems and processes. One of the key certification stages is penetration testing, in which white hat hackers try to break into the virtual environment by imitating the actions of cyber criminals. We carry out such pen testing in our cloud regularly, in compliance with PCI DSS rules.
As already said, it now takes us five to seven days to pass the PCI DSS audit, as we check all documentation beforehand and then only update it slightly. However, during the year we try to identify inefficient processes, external factors and new threats, e.g. Meltdown and Spectre (vulnerabilities in microprocessors), which can cause security issues.
Are customers to comply with the standard?
We could say, "No, they are not", and it would be a relief for some people, but this would not be true. The same requirements apply to both the hosting platform and the client's virtual infrastructure. For instance, the standard requires payment details to be encrypted when transferred over public networks, and this can be done on the client side only. The firewall requirements for the two sides are different and imply different responsibilities.
Although the standard is clear and logical, making a company's existing infrastructure compliant may be a challenge, since not all of the bottlenecks are visible at first sight. In order to achieve adequate results, the areas of responsibility should be clearly defined for both the provider and the client.
The good news is that it is somewhat easier to pass the procedure together with the provider. If its data center is already PCI DSS certified, it means that the provider has already taken all the necessary technical and organizational measures. In practice, this speeds up and simplifies the security audit for clients, since some of the documents are already prepared.
The certification is mutually beneficial. The provider can demonstrate its maturity and gain an additional competitive advantage, while the client gains access to the service provider's expertise. This benefit is not so obvious, but the cloud and the data in it are subject to increasingly stringent regulations year over year. To make sense of the recommendations and legal requirements independently, a company needs the expertise and the relevant specialists on staff.
This is all because clouds and data centers are closely tied to security matters that concern not only personal data (including even the phone numbers collected by dispatch services or feedback forms on websites), but also more serious categories, e.g. payment system details.