PCI Security Standards Council and the Cloud Security Alliance issue guidance on scoping cloud environments

The PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) on Thursday released a joint bulletin explaining why security pros need to focus more on properly scoping cloud environments.


According to the joint bulletin, data breach investigation reports continue to find that companies hit with payment data compromises are unaware that cardholder data was present on the compromised systems. The PCI SSC and CSA say proper scoping can ensure that companies are aware of the location of their data and that the necessary security controls are in place to protect that data. Improper scoping can leave vulnerabilities unidentified and unaddressed, which hackers can exploit.

Properly scoping cloud environments has become an essential component of both holistic data governance and security in the cloud, said James Beecham, co-founder and CTO of ALTR. With more data moving to the cloud, Beecham said organizations need to look at where threats originate. An overwhelmingly large number of these threats are now credentialed access threats as a result of the popularity of multi-cloud environments, which can leave gaps in access management that create vulnerability.

“A more common approach to cloud data governance and security is enabling multi-factor authentication and having strong passwords that are rotated and changed frequently,” Beecham said. “Ideally these steps limit exposure and reduce the risk of cyberattacks. But this isn’t enough on its own. Approaching cloud data governance and security requires organizations to take full responsibility for both data and the people using it. They must have the ability to monitor, understand and know how data gets consumed. This is usually missing from cloud governance best practices — and it’s essential that organizations add it to their strategy.”