Also "SaaS" Can Become "PaaS" If You're Not Careful


The PCI Security Standards Council finally released its PCI DSS Cloud Computing Guidelines this month, and the Guidelines are not kind to Platform as a Service (PaaS) solutions, or to Software as a Service (SaaS) solutions that behave like PaaS.  In the document, the Council stuck to the usual definitions of IaaS (Infrastructure as a Service), PaaS and SaaS, but it opened its dreaded "in scope" umbrella widest over PaaS.


The following chart, adapted from the Guidelines, uses three colors to indicate whether it is the client's responsibility, the cloud service provider's responsibility, or both parties' responsibility to prove compliance to each of the twelve PCI DSS requirements.


Shared responsibility for PCI DSS compliance (i.e., "Both") extends across 11 of the 12 possible requirements for PaaS, 9 of 12 for IaaS and 4 of 12 for SaaS.


PaaS solutions are particularly thorny from a security auditor's perspective because both the CSP and client contribute code, scripts or workflows that govern the movement and processing of data.   For example, a PaaS solution could have a base SaaS application that handles contact information plus a PaaS layer (e.g., Web services) that allows clients to integrate into their backend systems.


IaaS solutions have several shared areas of responsibility, but the lines of delineation between client and cloud service provider are clear from a security auditor's perspective.  For example, requirement #1 (firewall) could be broken up into a "Do you have a secure firewall?" question posed to the CSP, and a "Do you have a secure set of firewall rules?" question posed to the client.


SaaS solutions have the fewest shared areas of responsibility, but almost any degree of integration, such as centralized authentication or automated data transfer, threatens to convert a SaaS solution into a PaaS solution in the eyes of a security auditor.  In fact, the Guidelines include special discussion of "Hybrid Clouds" and other common deployment models that blur the lines between SaaS and PaaS.


Addressing PCI DSS Concerns with SolarWinds Technology


SolarWinds® software, including Log & Event Manager, Firewall Security Manager, DameWare® Remote Support, and Serv-U® Managed File Transfer (MFT), is frequently deployed on top of IaaS to provide PCI DSS-compliant solutions.  SolarWinds software is also often used to power, monitor or manage industry- and workflow-specific SaaS solutions from leading vendors and on-premises installations around the world. Additional information about how SolarWinds helps organizations of all sizes achieve PCI DSS compliance can be found below.