Are cloud payments secure?
“Cloud Payments” aren’t a new trend. The drive to improve the customer payments experience, combined with a need for more mobile payment options, has meant payment systems have been moving steadily to the cloud. One of the latest trends in this move is the migration of banking and payment processing systems to private clouds. Private clouds are dedicated clouds that are managed by cloud providers and not shared with others. This movement has helped coin the term “payment as a service”.
Given the nature of payment data and the critical need to secure it from a data breach, this raises the question: is payment data transferred in the cloud secure? As with many security issues, the right answer is that it depends on the implementation and sustained management of a robust security plan, in conjunction with global best practice and security standards.
In general, it is recognised that cloud security is better than that of on-premise deployments. This is due to what is commonly known as “intelligence of the crowd”. Cloud providers, being specialists, can manage known security threats. However, they are still prone to many security issues, including people, process and technology related failures that can be both intentional and accidental.
According to the Cloud Security Alliance, the top threats to cloud computing are:
- Data loss or leakage
- Account or service hijacking
- Insecure interface
- Denial of service
- Malicious insider
- Data breaches
- Abuse of cloud services
- Insufficient due diligence
- Insecure virtual machine (VM) migration
Therefore, it is crucial to manage these threats for secure cloud deployments. However, cloud deployments mean dependency on a third party for your security needs. This kind of dependency has resulted in what Amazon Web Services (AWS) calls the “shared responsibility model”. Shared responsibility splits security into two parts, “security of the cloud” and “security in the cloud”. Security of the cloud is the responsibility of the cloud providers. Security in the cloud is the responsibility of the payment systems.
Both of these need to be extremely secure for the overall security of the system. Here we look at both these aspects in detail.
Security of the Cloud:
Security of the cloud covers all of the infrastructure, such as hardware, routers, switches and DNS; the software provided by the cloud; the operating systems and middleware that are part of the cloud; and the physical security of the cloud farms.
These are a few critical things your cloud provider should have or be able to provide.
- Compliance: The cloud should be certified for payment processing standards such as PCI DSS, ISO 27018 (protecting PII) and Australian Prudential Regulation Authority (APRA) Standards (prudential standards for financial services institutions).
- Infrastructure Security: Internet-based attacks such as DNS poisoning and denial of service should be handled smoothly, and there should be no outage as a result of these.
- People and Process: The cloud provider’s organisation should be certified for enterprise-wide security such as ISO 27001. They should conduct regular audits and scans, and have a robust incident management system in place. Employees and other personnel should be well trained, and allocated responsibilities for securing data should a breach occur.
- Physical Security: The infrastructure should be managed securely with stringent access control, 24/7 monitoring and other industry best practices.
- Application Security: All the software that supports the cloud should be written under a stringent SDLC (secure development life cycle) environment.
- Data Security: The cloud provider should support data security for both data at rest and data in transit. This includes sophisticated tokenisation for payment data.
- Security Infrastructure: They should provide robust security software that payment systems can use for their applications. This includes, among others, firewalls, IAM, log management, backups, Certifying Authorities and support for forensics.
Security in the Cloud:
First and foremost, when moving payment systems to the cloud, the cloud service providers must provide robust “security of the cloud” measures. Payment processors also need to follow a similar security plan to the cloud providers. Amongst these measures, there are a few additional responsibilities. They include:
- Configuring the security infrastructure such as firewalls and IAM.
- Application (software) security for all code related to payment systems, including mobile and web clients.
- Customer data management (for both data at rest and data in motion scenarios)
- Keeping data secure can be achieved by:
  - Tokenisation of all critical data.
  - Data masking at all touchpoints.
  - Strong encryption.
  - PCI DSS and compliance after strong encryption (level 1 preferably).
  - Compliance in line with local legislation and APRA standards.
- Educating end users or customers about account takeover.
Misconfigurations are a primary cause of many hacks. Therefore, the utmost care needs to be taken when configuring the security infrastructure of the cloud for your application. Administrators need to be well trained, and security policies should be in place to address access control and segregation of duties.
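A configuration review of this kind can be automated. The following is an added example, not code from the original article: it audits a constructed firewall rule set and IAM grant table for internet-wide exposure, wildcard permissions and segregation-of-duties conflicts. The schema, permission names and identities are hypothetical and do not follow any provider's format.

```python
import ipaddress

# Constructed sample configuration (hypothetical schema, for illustration only).
FIREWALL_RULES = [
    {"name": "web-https", "source": "0.0.0.0/0", "port": 443},
    {"name": "db-admin", "source": "0.0.0.0/0", "port": 5432},
    {"name": "ssh-bastion", "source": "10.0.5.0/24", "port": 22},
]
IAM_GRANTS = {
    "alice": ["payments:deploy", "payments:approve-deploy"],
    "bob": ["payments:read-logs"],
    "ci-bot": ["*"],
}
PUBLIC_PORTS = {443}  # the only port this example allows to face the internet
# Permission pairs that one identity must never hold together.
CONFLICTING = [("payments:deploy", "payments:approve-deploy")]


def audit_firewall(rules, public_ports=PUBLIC_PORTS):
    """Flag rules that accept traffic from any address on a non-public port."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["source"])
        # A prefix length of 0 (0.0.0.0/0 or ::/0) matches every address.
        if net.prefixlen == 0 and rule["port"] not in public_ports:
            findings.append(f"{rule['name']}: port {rule['port']} open to any address")
    return findings


def audit_iam(grants, conflicting=CONFLICTING):
    """Flag wildcard permissions and segregation-of-duties violations."""
    findings = []
    for identity, perms in sorted(grants.items()):
        if any(p == "*" or p.endswith(":*") for p in perms):
            findings.append(f"{identity}: wildcard permission")
        for first, second in conflicting:
            if first in perms and second in perms:
                findings.append(f"{identity}: holds both {first} and {second}")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(FIREWALL_RULES) + audit_iam(IAM_GRANTS):
        print("FINDING", finding)
```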
Application security is the core of payment systems security and needs to be addressed with the highest priority. Setting up a secure SDLC, training developers in secure coding and running regular application scans are critical for a secure payment application.
Customer data management is the crux of this discussion, and the complete responsibility for it lies with the payment systems vendor. It is very important to invest in robust tokenisation, security compliance, strong encryption, and masking systems, as they will protect the data.
If you follow the measures mentioned above, the consensus amongst experts is that data security is much better in cloud deployments compared to on-premise deployments. Cloud providers such as AWS, Google and Microsoft spend billions to keep the clouds secure, which cannot be matched by an individual organisation. On top of this, cloud models provide faster reach to market, lower maintenance overhead and ease of use to end customers when combined properly with service level PCI DSS compliance. And this represents a compelling service proposition.
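To show how tokenisation and masking differ in practice, here is an added example that is not part of the original article. `TokenVault`, `mask` and `luhn_valid` are hypothetical names, and the vault is an in-memory stand-in: a production vault would encrypt the stored card numbers and sit behind strict access control.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Check the Luhn checksum used by payment card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Masking: hide everything except the last four digits for display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Tokenisation: swap a card number for a random token with no
    mathematical relationship to it. In-memory for illustration only."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenise(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:  # same card always maps to the same token
            return self._by_pan[pan]
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the payment processing path should be allowed to call this."""
        return self._by_token[token]

    def display(self, token: str) -> str:
        """What a support screen or receipt would show."""
        return mask(self._by_token[token])
```

Systems outside the vault store and pass around only the token, so a breach of those systems exposes no card numbers.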