Is a Private Cloud a Solution to PCI?

October 14th, 2010

Enterprises at the early stages of cloud adoption are deploying private clouds and internal cloudlets, which can be thought of as local access points and logical divisions of their own larger infrastructure. Private clouds are characterized by scalability through virtualization, but the actual physical infrastructure is kept local to the enterprise. This provides scalability and capital cost reduction without the loss of control normally associated with moving data and processing to the cloud.

In this architecture, a gateway can be used to create an internal virtual application perimeter between the existing enterprise information systems and the enterprise’s own internal cloud. This type of architecture also works as a precursor and testing ground for a hybrid cloud deployment, where the actual physical resources live off-site from the enterprise. In this environment, the gateway can be used to enforce the attribute-based access control, authentication and data protection policies required for PCI DSS and other compliance standards.

Firewalls could serve as gateways, but they lack the sophisticated logging, identity management, accounting and reporting that will be required to meet the demands of PCI DSS and other standards. This gateway “product” is quickly evolving at several major vendors and may become the stepping stone for larger and more pervasive cloud deployments in the future. As PCI compliance becomes more complex and as those standards evolve, the “gateway” appliance approach seems to have credible merit.

Let Daniel L. Ruggles and the team at PM Kinetics, LLC help you navigate the complexities of IT Governance, Cloud Computing, Sourcing & Capital Planning, Vendor Management, IT Security, and Infrastructure planning & execution.  For more information on our technical consultancy services, contact or call PM Kinetics today at (678) 528-7399.