Read time: 04 minutes 22 seconds

Customers and Cloud Service Provider (CSP) share the responsibility of security and compliance. Thus, the organization would have the freedom to have architect their security and compliance needs, according to the services they utilize from the CSP and the services they intend to achieve. CSP has the responsibility to provide services securely and to provide physical security of the cloud. If, however, a customer opts for Software-as-a-service, then the CSP provides standard compliance. Still, the organization has to check if it meets its regulations and compliance levels to strive to achieve. All Cloud services (such ad different forms of databases) are not created equal. Policies and procedures should be agreed upon between CSP and client for all security requirements and operations responsibility.

Let’s dive into particular compliance and regulations maintained within the industry.

PCI DSS on Cloud

Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards formed in 2004 to secure credit and debit card transactions against data theft and fraud. PCI DSS is a set of compliance, which is a requirement for any business.

Let’s suppose payment card data is stored, processed, or transmitted to a cloud environment. In that case, PCI DSS will apply to that environment and will involve validation of CSP’s infrastructure and the client’s usage of that environment.

PCI DSS Requirement Responsibility assignment for management of controls
IaaS PaaS SaaS
Install and maintain a firewall configuration to protect cardholder data Client and CSP Client and CSP CSP
Do not use vendor-supplied default for system passwords and other security parameters Client and CSP Client and CSP CSP
Protect stored cardholder data Client and CSP Client and CSP CSP
Encrypt transmission of cardholder data across an open, public network Client Client and CSP CSP
Use and regularly update anti-virus software or programs Client Client and CSP CSP
Develop and maintain secure systems and applications Client and CSP Client and CSP Client and CSP
Restrict access to cardholder data by business need to know Client and CSP Client and CSP Client and CSP
Assign a unique ID to each person with computer access Client and CSP Client and CSP Client and CSP
Restrict physical access to cardholder data CSP CSP CSP
Track and monitor all access to network resources and cardholder data Client and CSP Client and CSP CSP
Regularly test security systems and processes Client and CSP Client and CSP CSP
Maintain a policy that addresses information security for all personnel Client and CSP Client and CSP Client and CSP

GDPR

General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015.GDPR applies to all companies, which collect and process EU resident’s data. Non-EU companies would need to appoint a GDPR representative and be held liable for all fines and sanctions. Critical Requirements of GDPR are:

  1. Lawful, fair, and transparent processing

  2. Limitation of purpose, data, and storage

    Collect only necessary information and discard any personal information after processing is complete

  3. Data subject rights

    A customer can ask what data an organization has on them and the intended use of the data.

  4. Consent

    Organizations must ask for the consent of the customer if personal data is processed beyond legitimate purposes. The customer can also remove consent anytime they wish.

  5. Personal data breaches

    Based on the severity and regulatory, the customer must be informed within 72 hours of identifying the breach.

  6. Privacy by Design

    Organizations should incorporate organizational and technical mechanisms to protect personal data in the design of new systems and processes

  7. Data Protection Impact Assessment

    Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.

  8. Data transfers

    Organizations have to ensure personal data is protected and GDPR requirements are respected, even if a third party does it

  9. Data Protection Officer

    When there is significant personal data processing in an organization, the organization should assign a Data Protection Officer.

  10. Awareness and training

    Organizations must create awareness among employees about crucial GDPR requirements

To achieve GDPR on the cloud, we need to take these additional steps

  • Organizations should know the location where the data is stored and processed by CSP
  • Organizations should know which CSP and cloud apps meet their security standards. Organizations should take adequate security measures to protect personal data from loss, alteration, and unauthorized processing.
  • Organizations should have a data processing agreement with CSP and cloud apps they shall be using.
  • Organizations should only collect necessary data that it would need and should limit the processing of personal data any further.
  • Organizations should ensure that data processing agreement is respected, and personal data is not used for other purposes by CSP or cloud apps.
  • Organizations should be able to erase data at will from all data sources in CSP.

Conclusion

Regulations and Compliances depend on the country organizations operate in. It is essential to research CSP and the regulations and compliance they are following. You can find more information about the CSPs on their respective websites:

If an organization fails to abide by the set of regulations applicable in the country or region. In that case, they may face fines and may lose the ability to operate in that country.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Payment Card Industry Data Security Standards (PCI DSS) are a set of security standards formed in 2004 to secure credit and debit card transactions against data theft and fraud. PCI DSS is a set of compliance methods, which are a requirement for any business.

Let’s suppose payment card data is stored, processed, or transmitted to a cloud environment. In that case, PCI DSS will apply to that environment and will involve validation of the CSP’s infrastructure, and the client’s usage of that environment.

PCI DSS Requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied default for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across an open, public network
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Table of Contents

Today more than ever, organizations have a need for high level security of their data and the keys that protect that data. The lifecycle of cryptographic keys also requires a high degree of management, thus automation of key lifecycle management is ideal for the majority of companies. This is where Hardware Security Modules, or HSMs, come in. HSMs provide a dedicated, secure, tamper-resistant environment to protect cryptographic keys and data, and to automate the lifecycle of those same keys. But what is an HSM, and how does an HSM work?

What is an HSM?

A Hardware Security Module is a specialized, highly trusted physical device which performs all major cryptographic operations, including encryption, decryption, authentication, key management, key exchange, and more. HSMs are specialized security devices, with the sole objective of hiding and protecting cryptographic materials. They have a robust OS and restricted network access protected via a firewall. HSMs are also tamper-resistant and tamper-evident devices. One of the reasons HSMs are so secure is because they have strictly controlled access, and are virtually impossible to compromise.

For these reasons and more, HSMs are considered the Root of Trust in many organizations. The Root of Trust is a source in a cryptographic system that can be relied upon at all times. The strict security measures used within an HSM allow it to be the perfect Root of Trust in any organization’s security infrastructure. Hardware Security Modules can generate, rotate, and protect keys, and those keys generated by the HSM are always random. HSMs contain a piece of hardware that makes it possible for its computer to generate truly random keys, as opposed to a regular computer which cannot create a truly random key. HSMs are also generally kept off the organization’s computer network, to further defend against breach. This means an attacker would need physical access to the HSM to even view the protected data.

Types of HSMs

There are two main types of Hardware Security Module:

  1. General Purpose: General Purpose HSMs can utilize the most common encryption algorithms, such as PKCS#11, CAPI, CNG, and more, and are primarily used with Public Key Infrastructures, cryptowallets, and other basic sensitive data.
  2. Payment and Transaction: The other type of HSM is a payment and transaction HSM. These types of HSM are created with the protection of payment card information and other types of sensitive transaction information in mind. These types of Hardware Security Module are narrower in the types of organizations they can work within, but they are ideal to help comply with Payment Card Industry Data Security Standards (PCI DSS).

Compliance

As HSMs are used so often for security, many standards and regulations have been put in place to ensure Hardware Security Modules are properly protecting sensitive data. The first of these regulations is the Federal Information Processing Standard (FIPS) 140-2. This a standard that validates the effectiveness of hardware performing cryptographic operations. FIPS 140-2 is a federal standard in both the USA and Canada, is recognized around the world in both the public and private sectors, and has 4 different levels of compliance.

  • Level 1, the lowest level, focuses on ensuring the device has basic security methods, such as one cryptographic algorithm, and it allows the use of a general purpose model with any operating system. The requirements for FIPS 140-2 level 1 are extremely limited, just enough to provide some amount of security for sensitive data.

  • Level 2 builds off of level 1 by also requiring a tamper-evident device, role-based authentication, and an operating system that is Common Criteria EAL2 approved.

  • Level 3 requires everything that level 2 does along with tamper-resistance, tamper-response, and identity-based authentication. Private keys can only be imported or exported in their encrypted form, and a logical separation of interfaces where critical security parameters leave and enter the system. FIPS 140-2 level 3 is the most commonly sought compliance level, as it ensures the strength of the device, while not being as restrictive as FIPS 140-2 .

  • Level 4 is the most restrictive FIPS level, advanced intrusion protection hardware and is designed for products operating in physically unprotected environments.
    Another standard used to test the security of HSMs is Common Criteria (ISO/IEC 15408). Common Criteria is a certification standard for IT products and system security. It is recognized all around the world, and come in 7 levels. Like FIPS 140-2, level 1 is the lowest level, and level 7 is the highest level.

The final standard is the Payment Card Industry PTS HSM Security Requirements. This is a more in-depth standard, focusing on the management, shipment, creation, usage, and destruction of HSMs used with sensitive financial data and transactions.

Advantages to HSMs

Hardware Security Modules have a number of benefits including:

  • Meeting security standards and regulations
  • High levels of trust and authentication
  • Tamper-resistant, tamper-evident, and tamper-proof systems to provide extremely secure physical systems
  • Providing the highest level of security for sensitive data and cryptographic keys on the market
  • Quick and efficient automated lifecycle tasks for cryptographic keys
  • Storage of cryptokeys in one place, as opposed to several different locations

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk