by Ariel Silverstone

Clearing the Cloud Part II | A Ray of Sunshine On A Cloudy Day || Cloud Computing Security (2)

Opinion
Jan 13, 2010
Security

Continuing with my article of last month, let's continue discussing Controls in Cloud Security:

Losing one control typically mandates an increase in the other controls. Here, we have another set of problems. Let us explore the remaining controls:

  • Confidentiality: Typically, we handle confidentiality through the use of technologies such as encryption and access control. We can still encrypt, but imagine what happens to a large data set. It has to be sent to, or assembled in, the Cloud, remain there in an encrypted form, and be transferred back to us for processing.

    Once the data is at our location, we have to decrypt it, perform the operations needed, then re-encrypt it and resend it to the Cloud. Doable, yes, but the performance tax here is huge. While today’s routers and servers no longer have their performance brought down to 1/6th by encryption (a loss of 84%), we still pay a heavy price.

Figure 4: Lifecycle of Encrypted Data


Let us state once more: Having the data unencrypted at any point in the storage or transfer process exposes it to unauthorized disclosure. Unauthorized exposure, of course, is the opposite of what any good security or compliance requirement, such as PCI or HIPAA, demands. Even Amazon, with its inherent interest in providing such services, announced that their Cloud is not PCI compliant nor intended for such work:

Hi,

Thank you for contacting Amazon Web Services. Our payment system is PCI compliant and it is an “alternative payment processing service” meaning your users re-direct to our platform to conduct the payment event using their credit cards or bank accounts. The benefit for you is that we handle all the sensitive customer data so you don’t have to. If you haven’t looked at it, I highly suggest you check out the features and functions of our Flexible Payment Service and our Payment Widgets (https://aws.amazon.com/fps).

As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. This seems like a risk that could challenge your business; as a best practice, I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time.

Regards,

Cindy S.

Amazon Web Services

Figure 5: From here

Figure 6: Encryption in Cloud Case Study

Try the following as an example: Suppose you have a volume of credit-card-bearing transactions that you must preserve for a period of one year. And let’s assume that the data is in SQL form. If so, the steps needed would include:

  1. Exporting the relevant tables
  2. Encrypting these files with suitable encryption
  3. Uploading the encrypted files to your cloud “bucket”
  4. Storing the data in the cloud, in an encrypted form
  5. Downloading it, while encrypted
  6. Decrypting the data
  7. Importing the data, and finally
  8. Processing it
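
The eight steps above as an added example, not code from the original article: a local directory stands in for the cloud bucket, and the table, token values and file names are constructed. It assumes OpenSSL 1.1.1 or later on the PATH, and it goes one step beyond the list by adding a MAC over the ciphertext that is checked before decryption, since `openssl enc` alone gives confidentiality but no integrity.

```python
import hashlib, hmac, os, secrets, sqlite3, subprocess, tempfile

def _enc(args, data, passfile):
    # The passphrase is read from a 0600 file so it never appears in argv.
    cmd = ["openssl", "enc", "-aes-256-cbc", "-pbkdf2", "-pass", "file:" + passfile]
    return subprocess.run(cmd + args, input=data, capture_output=True, check=True).stdout

def seal(plaintext, passfile, mac_key):
    """Step 2: encrypt, then MAC the ciphertext (openssl enc adds no integrity check)."""
    ct = _enc(["-salt"], plaintext, passfile)
    return hmac.new(mac_key, ct, hashlib.sha256).digest() + ct

def unseal(blob, passfile, mac_key):
    """Step 6: verify the MAC before decrypting anything that came back from the bucket."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("stored object failed its integrity check")
    return _enc(["-d"], ct, passfile)

def round_trip(tamper=False):
    """Run steps 1-8; return (sum computed in step 8, plaintext visible in bucket?)."""
    with tempfile.TemporaryDirectory() as work:
        bucket = os.path.join(work, "bucket")          # local directory standing in for the bucket
        os.mkdir(bucket)
        passfile = os.path.join(work, "enc.pass")      # both keys stay on the local side
        with os.fdopen(os.open(passfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "w") as f:
            f.write(secrets.token_hex(32))
        mac_key = secrets.token_bytes(32)
        src = sqlite3.connect(":memory:")              # constructed sample rows, no real card data
        src.execute("CREATE TABLE txn (id INTEGER PRIMARY KEY, card_token TEXT, cents INTEGER)")
        src.executemany("INSERT INTO txn VALUES (?, ?, ?)", [(1, "tok_sample_a", 1999), (2, "tok_sample_b", 4500)])
        src.commit()
        dump = "\n".join(src.iterdump()).encode()      # 1. export the relevant tables
        blob = seal(dump, passfile, mac_key)           # 2. encrypt (plaintext never hits disk)
        # tamper=True simulates one byte of the stored object being modified in the bucket
        stored = blob[:40] + bytes([blob[40] ^ 1]) + blob[41:] if tamper else blob
        obj = os.path.join(bucket, "txn.sql.enc")
        with open(obj, "wb") as f:                     # 3-4. upload and store, encrypted
            f.write(stored)
        with open(obj, "rb") as f:                     # 5. download, still encrypted
            fetched = f.read()
        sql = unseal(fetched, passfile, mac_key).decode()   # 6. decrypt
        dst = sqlite3.connect(":memory:")
        dst.executescript(sql)                         # 7. import
        total = dst.execute("SELECT SUM(cents) FROM txn").fetchone()[0]   # 8. process
        return total, b"tok_sample_a" in stored

if __name__ == "__main__":
    print(round_trip())
```

Only the object written under `bucket` would leave the local side; the passphrase file and the MAC key never do, which is the key-management duty the Amazon reply above places on the customer.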

 Come visit me at www.arielsilverstone.com!