Expert opinion

Why Outsiders Cannot Get Into Enterprise Class Data Center


Pavel Goryunov

One of our customers once remarked that the data center has a rather strict access procedure: he could not simply walk up to his rented servers, but had to confirm his identity and be accompanied by operations engineers.

However, this is not our own invention. These are the rules for data center providers certified for compliance with the Payment Card Industry Data Security Standard (PCI DSS). It may seem that securing bank transactions is irrelevant to commercial data center services. But actually, it does matter.

What is PCI DSS and why comply?

Some time ago, the world's largest payment service providers, including Visa and MasterCard, joined efforts to develop a standard for all those who process bank card transactions. In order to elaborate common industry requirements, the companies established the Payment Card Industry Security Standards Council. The first version of the standard was issued back in 2004.

Although industry-specific at first sight, the standard applies not only to financial institutions, but also to cloud providers, since it is designed to ensure security compliance and end user protection. The standard is comprised of 12 sections covering all stages, from permit-based data center access to the processing of transactions and the storing of transaction history.

If a company accepts Visa and MasterCard payments, say, in its online store and opts for the cloud, it should check whether the provider's data center meets all the PCI DSS requirements, and if it does not, refrain from such cooperation.

How to get certified?

The certificate is valid for one year only and is granted after inspection by an accredited auditor who has to be engaged again once the term expires.

The audit duration depends heavily on how many times the provider has undergone PCI DSS certification. It now takes our company 1-2 weeks on average to pass the audit, since we prepare for it on a regular basis and adhere to all the requirements, while our first certification required a lot of effort and lasted several months.

PCI DSS covers technical and organizational issues related not only to the cloud and data center, but also to the company as a whole. That is why our team for the audit was a diverse one: technical experts in information security, cloud and data center specialists, representatives of the Internal Automation Department, and others. The exercise was a challenge not only because it was our first experience, but also because the data center underlies our proprietary cloud, which is built on Open Source products.

In the case of data centers and the cloud, our company is in charge of design, development and operation, and therefore all three areas are under audit. PCI DSS consultants conduct interviews, check documents, and inspect the operation of systems and processes. One of the key certification stages is penetration testing, when white hat hackers try to break into the virtual environment by imitating cyber criminals' actions. We carry out such pen testing in our cloud regularly, in compliance with PCI DSS rules.

As already said, it now takes us five to seven days to pass the PCI DSS audit, as we check all documentation beforehand and then just update it a little. However, during the year we try to identify inefficient processes, external factors and new threats, e.g. Meltdown and Spectre (vulnerabilities in microprocessors), which can cause security issues.

Are customers to comply with the standard?

We could say, "No, they are not", and it would be a relief for some people, but this would not be true. The same requirements apply both to the hosting platform and to the client's virtual infrastructure. For instance, the standard requires payment details to be encrypted when transferred over public networks, and this can be done on the client side only. The firewall requirements for the two sides are different and imply different responsibilities.

Although the standard is clear and logical, making the company's existing infrastructure compliant may be a challenge, since not all of the bottlenecks are visible at first sight. In order to achieve adequate results, the areas of responsibility should be clearly defined for both the provider and the client.

The good news is that it is somewhat easier to pass the procedure together with the provider. If its data center is already PCI DSS certified, the provider has already taken all the necessary technical and organizational measures. In practice, this speeds up and simplifies the security audit for clients, since some of the documents are already prepared.

The certification is mutually beneficial. The provider can demonstrate its maturity and gain an additional competitive advantage, while the client can draw on the service provider's expertise. This benefit is not so obvious, but the cloud and the data in it are subject to increasingly stringent regulations year over year. To make sense of the recommendations and legal requirements independently, a company needs expertise and the relevant specialists on staff.

This is all because clouds and data centers are closely tied to security matters that concern not only personal data (including even a phone number collected by a dispatch service or a feedback form on a website), but also more sensitive categories, e.g. payment system details.
