By Application Security | February 27, 2013 11:00 AM EST | Reads: 7,821

This month the Cloud SIG of the PCI Security Standards Council released supplemental guidelines covering cloud computing. We're happy to see APIs included as a recognized attack surface. As this document makes clear, responsibility for compliance for cloud-hosted data and services is shared between the client and the provider. API providers moving to the cloud should pay close attention to this document: Section 6.5.5 covers Security of Interfaces and APIs, while Appendix D covers implementation considerations that include API-related topics. For cloud-hosted systems, an API gateway can simplify implementation, protect PII and PAN data in motion, and give the assessor a single enforcement point and audit trail for these areas.
The last paragraph of Section 6.5.5 reads:
APIs and other public interfaces should be designed to prevent both accidental misuse and malicious attempts to bypass security policy. Strong authentication and access controls, strong cryptography, and real-time monitoring are examples of controls that should be in place to protect these interfaces.
While Appendix D: PCI DSS Implementation Considerations asks:
- Are API interfaces standardized?
- Are APIs configured to enforce strong cryptography and authentication?
- How are APIs and web services protected from vulnerabilities?
- Are standardized interfaces and coding languages used?
- How is user authentication applied at different levels?
Using a service gateway can ensure that access controls, PII and PAN encryption, and monitoring are consistently applied and enforced for all APIs. This in turn reduces the likelihood that a single poorly-coded or overlooked API will compromise the entire system. A centralized point that turns away malicious input such as SQL injection or cross-site scripting (XSS) attempts adds a layer of vulnerability protection, although it is defense in depth rather than a substitute for parameterized queries and output encoding in the services themselves. The same control point also provides data leak protection for data leaving the enterprise. The use of a gateway also allows the API provider to construct a consistent façade with standardized interfaces for all exposed APIs and web services.
Another area where a gateway can help with PCI DSS compliance is in containing audit scope via tokenization. One of the design considerations for protecting cardholder data asks:
Where are the “known” data storage locations?
Using a gateway that supports tokenization can limit PCI scope to the gateway and its token vault, the only components that ever hold or can recover the PAN. The gateway can then be hosted on a higher-tier hosting platform (e.g. a Virtual Private Cloud) while logic servers that never receive cardholder data are hosted on a more cost-effective, multi-tenant platform. A common model here is to tokenize PAN data as it enters the datacenter, minimizing scope impact, which can be done using proxy tokenization in the API gateway: the gateway swaps the PAN for an opaque token before forwarding the request, and only swaps it back when it calls out to the payment processor. This usage model is ideal for ecommerce retailers that accept credit card data over an HTML form post or other HTTP interface.
For help assessing tokenization options, we have made available a Buyer's Guide: Tokenization for PCI DSS. For the broader view covering other security gateway usage models, we are also sharing the Buyer's Guide: Gateway Security. Finally, we'd refer readers to the Cloud Builders program's Cloud Security Reference Architecture for some ready-made blueprints and cloud software management platforms.
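As an added illustration of the proxy-tokenization stage described above (example code written for this page, not the author's product or the PCI SSC's material): the gateway scans each posted form field for a Luhn-valid PAN, replaces it with a random vault token before the request goes on to the logic tier, and only maps the token back when it talks to the payment processor. The in-memory `TokenVault`, the `tok_` token format, the field names and the sample form post are all assumptions for illustration; a real vault would encrypt PANs at rest inside the PCI-scoped zone.

```python
"""
Proxy tokenization at an API gateway (added example, not the page's own
code). Luhn-valid PANs in incoming form fields are swapped for opaque
tokens; only the gateway-local vault can reverse the mapping. The dict
vault, token format and field names are assumptions for illustration.
"""
import re
import secrets
from typing import Dict, List, Tuple

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (mod-10)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Gateway-local token <-> PAN mapping. In production this store is
    encrypted and lives inside the PCI-scoped zone; the dicts are a stand-in."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Reuse an existing token so repeat customers can be matched
        # downstream without the logic tier ever seeing the PAN.
        if pan in self._by_pan:
            return self._by_pan[pan]
        # Random token: no mathematical relation to the PAN, so it cannot be
        # reversed without the vault. The last four digits stay in the clear
        # because receipts and support tooling need them (assumed policy).
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the gateway calls this, when forwarding to the payment processor."""
        return self._by_token[token]


def _swap(match, field: str, vault: TokenVault, rewritten: List[str]) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if not luhn_valid(digits):
        return match.group(0)      # e.g. an order number: leave it untouched
    rewritten.append(field)
    return vault.tokenize(digits)


def tokenize_form(form: Dict[str, str], vault: TokenVault) -> Tuple[Dict[str, str], List[str]]:
    """Replace every Luhn-valid PAN in the form with a vault token.
    Returns the sanitized form and the names of the fields that were rewritten."""
    out: Dict[str, str] = {}
    rewritten: List[str] = []
    for name, value in form.items():
        out[name] = PAN_CANDIDATE.sub(lambda m, n=name: _swap(m, n, vault, rewritten), value)
    return out, rewritten


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample checkout post; 4111... is a well-known test PAN.
    posted = {
        "name": "A. Customer",
        "card": "4111 1111 1111 1111",
        "order_ref": "4111111111111112",   # 16 digits but fails Luhn
        "note": "please ship fast",
    }
    safe, fields = tokenize_form(posted, vault)
    print("forwarded to logic tier:", safe, "rewrote:", fields)
    # The PAN reappears only here, on the gateway's call to the processor.
    print("processor call uses:", vault.detokenize(safe["card"]))
```

Two points the code makes that the paragraph does not: a 16-digit value that fails the Luhn check (an order reference, for instance) is passed through unchanged, so the gateway does not mangle legitimate fields; and because the token is random rather than derived from the PAN, a logic server holding only tokens has nothing to recover, which is what keeps it out of scope.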
The post New PCI DSS Cloud Computing Guidelines – Are you compliant? appeared first on the author's blog.
Copyright © 2013 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.