Confidentiality: Typically, we handle confidentiality through technologies such as encryption and access control. We can still encrypt, but imagine what happens to a large data set. It has to be sent, or assembled, in the Cloud, remain there in an encrypted form, and be transferred back to us for processing.
Once the data is at our location, we have to decrypt it, perform the operations needed, then re-encrypt and resend to the Cloud. Doable – yes. The performance tax here is huge. While today’s routers and servers no longer have their performance brought down to 1/6th by encryption (a loss of 84%), we still pay a heavy price.
Figure 4: Lifecycle of Encrypted Data
Let us state once more: having the data unencrypted at any point in the storage or transfer process exposes it to unauthorized disclosure. Unauthorized exposure, of course, runs counter to any sound security or compliance requirement, such as PCI or HIPAA. Even Amazon, with an inherent interest in providing such services, announced that its Cloud is neither PCI compliant nor intended for such work:
Thank you for contacting Amazon Web Services. Our payment system is PCI compliant and it is an “alternative payment processing service” meaning your users re-direct to our platform to conduct the payment event using their credit cards or bank accounts. The benefit for you is that we handle all the sensitive customer data so you don’t have to. If you haven’t looked at it, I highly suggest you check out the features and functions of our Flexible Payment Service and our Payment Widgets ( http://aws.amazon.com/fps).
As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. This seems like a risk that could challenge your business; as a best practice, I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time.
Consider the following example: suppose you have a volume of transactions bearing credit-card data that you must preserve for a period of one year, and assume that the data is in SQL form. If so, the steps needed would include:
Exporting the relevant tables
Encrypting these files with suitable encryption
Uploading the encrypted files to your cloud “bucket”
Storing the data in the cloud, in an encrypted form
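The export-encrypt-upload steps above, as an added example that is not part of the original article: the exported table is encrypted on premises with AES-256-GCM (via the `cryptography` library, an assumption) under a key that never leaves the local side, and the table name and retention date ride along as authenticated, unencrypted metadata so the stored object can be audited in the bucket without the key. The sample CSV export and the `ENC1` container layout are constructed for this example.

```python
# Added example: client-side encryption of an exported SQL table before upload.
# Assumes the `cryptography` package is installed (AESGCM is its AEAD API).
import json
import os
import struct
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample: what a "transactions" table export might look like.
SAMPLE_EXPORT = (b"txn_id,amount,card_token,ts\n"
                 b"1001,49.95,tok_4f1a,2024-01-03\n"
                 b"1002,12.00,tok_9c2b,2024-01-04\n")

MAGIC = b"ENC1"  # constructed container tag for this example


def new_local_key():
    """Generate the 256-bit data key locally; it is never written into the blob."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_export(plaintext, key, table, retain_until):
    """Return MAGIC | header_len | header_json | nonce | ciphertext+tag.
    The header is bound to the ciphertext as AAD: readable without the key,
    but any change to it (or to the ciphertext) fails decryption."""
    header = json.dumps({"alg": "AES-256-GCM", "table": table,
                         "retain_until": retain_until}, sort_keys=True).encode()
    nonce = os.urandom(12)  # fresh 96-bit nonce per object, as GCM requires
    ct = AESGCM(key).encrypt(nonce, plaintext, header)
    return MAGIC + struct.pack(">I", len(header)) + header + nonce + ct


def inspect_header(blob):
    """What the cloud side (or an auditor) can see with no key at all."""
    if blob[:4] != MAGIC:
        raise ValueError("not an ENC1 container")
    (hlen,) = struct.unpack(">I", blob[4:8])
    return json.loads(blob[8:8 + hlen])


def decrypt_export(blob, key):
    """Back on premises: verify and decrypt. Raises InvalidTag on any tampering."""
    (hlen,) = struct.unpack(">I", blob[4:8])
    header = blob[8:8 + hlen]
    nonce = blob[8 + hlen:20 + hlen]
    ct = blob[20 + hlen:]
    plaintext = AESGCM(key).decrypt(nonce, ct, header)
    return json.loads(header), plaintext


if __name__ == "__main__":
    k = new_local_key()
    obj = encrypt_export(SAMPLE_EXPORT, k, "transactions", "2025-01-01")
    print(inspect_header(obj))          # metadata visible in the bucket
    print(decrypt_export(obj, k)[1] == SAMPLE_EXPORT)
```

The bytes written to the bucket are `obj`; the plaintext export and `k` stay on the local side, which is the property the compliance discussion above hinges on.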