Amazon and PCI DSS Level 1 Compliance

Although I have panned Gartner for hyping Amazon standards in the past, congratulations might be in order for Amazon’s recent PCI DSS certification announcement.

Maybe.

Amazon has a PCI DSS Level 1 Compliance FAQ that has been written in an odd way — to convince us of several key points.

They say they did not have to get certified, but they did it anyway. Good for them.

AWS, as a service provider, does not directly manage cardholder environment (and therefore, unlike merchants, does not require certification). AWS provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification, having confidence that their underlying technology infrastructure is compliant.

Got that? AWS is “unlike merchants”. They did not get certified beyond a minimum level of infrastructure that you would have to certify yourself, which also theoretically makes them far less cloud-ish. Cloud-esque? Cloud-y? They are just a service provider. The ball of responsibility (to establish a secure cardholder environment) will be thrown by Amazon into your court the moment you say PCI-me. In other words, you say hot potato, and they say… “have confidence in your potato”.

The bottom line appears to be that you are going to do the same work you would have done before, even as an Amazon customer, but now they want you to feel that you can do it with confidence because they have allowed a QSA to certify them. This could have value (e.g. less paperwork, reduced audit time), but where does this confidence really come from?

Maybe you want to read their report. AWS’ compliance validation was completed and submitted on November 30, 2010, but it is not yet public, let alone approved by the Security Standards Council (SSC). That’s a tough start.

…customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification…. All merchants must manage their own PCI certification. For the portion of the PCI cardholder environment deployed in AWS, your QSA can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements that don’t deal with the technology infrastructure, including how you manage the cardholder environment that you host with AWS.

Perhaps you only wanted to use Amazon infrastructure as a service (IaaS), but that raises the question of why you would go to Amazon instead of a competitor that specializes in infrastructure.

Amazon says in their FAQ over and over that you can rely on them. What it really seems to mean is that if you need PCI they will downgrade you to an infrastructure-only customer (i.e. uncloud-able) rather than treat you like a full platform or even software customer.

With that in mind, it is hard not to notice that Amazon infrastructure customers must accept a certain exception.

They will not give you physical access to assess their security.

Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?

No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.

I get confidence from the word extensive. Another good word is thorough. Exhaustive? Comprehensive? But I digress… customers of Amazon do not get to verify the work performed by the Amazon QSA, and do not get to review the physical security of its data centers (at least not directly).

Requirement 9.1 of PCI DSS 2.0 says “Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.” Perhaps it will soon add “…unless you have a service provider who has been certified, in which case you should just rely on them.”

There will be no merchant verification of the existence of physical security controls at Amazon. The one option offered is to rely on the work of their QSA, but we have to keep in mind that their QSA’s review was limited in nature because AWS positions itself to be only a service provider for PCI customers.

All that being said, on the one hand I can see why infrastructure providers ask for sympathy. They argue that it is exhausting to have every customer come on-site to demand access and time for compliance reviews. It may be a burden with thousands of customers. On the other hand, if their controls were working properly the reviews would require very few resources on their part. In fact, I have spent many hours in on-site audits helping providers see things that their auditors did not catch. Some were appreciative, because one customer ends up paying for an assessment that benefits all of their customers. The burden becomes proportional to how well security is managed; those that complain and refuse access most likely have the most to worry about.

Amazon’s position thus sounds a lot like a restaurant that tells customers they are not allowed to see or ask anything about the kitchen because a food inspector has that role. Does that give you confidence?

Maybe it’s just me, but I find it hard under those terms to give congratulations to the chef.

Update: The McKeay blog has a prior official statement from Amazon in August of 2009:

We are excited to hear about your interest in moving to EC2. We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.

That is a reference to PCI DSS 2.0 Requirement 12.8.2, which says that a service provider must acknowledge responsibility for cardholder data security.

12.8.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.
