How to reap the benefits of Office 365 and stay PCI compliant

There can be no doubt that cloud technologies present organisations with a range of opportunities for competitive advantage. Improved collaboration and operational flexibility are two of the most popular examples.

However, companies still perceive there to be gaps when it comes to cloud data security. Such issues are especially important for those organisations that need to demonstrate compliance.

Let’s take a business running Microsoft Office 365 that has to prove its credit card transactions are secure. Office 365 does have a range of service-level security capabilities, such as network protection from physical intervention or malware infections. Nevertheless, its capabilities do not extend to providing sufficient visibility into activities and security controls to enable organisations to prove compliance with the PCI DSS standard.

In fact, Microsoft’s terms officially state that it does not take responsibility for making Office 365 PCI compliant. Microsoft’s PCI DSS Level 1 compliance claim applies only to its own ordering, billing and payment systems. It warns users that, “Office 365 services are not suitable for processing, transmitting, or storing PCI-governed data” and “customers should not use the Office 365 service to transmit or store [cardholder] data for their own use.”

More broadly, Gartner’s 'Clouds Are Secure: Are You Using Them Securely?' report predicts that, through 2020, almost 95 per cent of cloud security failures will be the customer’s fault. In other words, organisations that don’t have a proper strategy for cloud computing can easily fail to ensure data security, increasing their risk of compliance incidents and data loss. Little wonder that, from surveys I have seen, 65 per cent of companies are concerned about cloud security and 40 per cent are concerned about the loss of physical control over data in the cloud.

To be compliant in a cloud environment, organisations must be able to track effective permissions, spot overexposed data and identify any users with excessive privileges. Beyond visibility into any attempt at data tampering by external parties, the organisation must also be able to see changes made by its own employees. One of the most significant threats posed by insiders is malicious or unintentional file sharing. At the same time, it’s important to strike a balance between data protection and data access, lest users try to circumvent security measures by finding more convenient ways to share files.

If you regularly deal with sensitive, tightly regulated data, you could be forgiven for thinking cloud technologies are simply off limits. The good news is that it’s possible to minimise potential threats with just a few simple steps. These steps allow you to continue with Office 365, regardless of its security limitations, and still be PCI compliant. The key is to make sure Office 365 is outside the scope of your cardholder data environment (CDE).

Here are my top three tips for reaping the benefits of Office 365 while also ensuring data security:

1. Choose your data storage location wisely

Data security depends heavily on knowing where your data resides and how it is used. Although Microsoft has begun to disclose information about the country where data is stored and when it is transferred in Office 365, it still states: "The requirements of providing the services may mean that some data is moved to or accessed by Microsoft personnel or subcontractors outside the primary storage region. For instance, to address latency, routing data may need to be copied to different data centres in different regions. In addition, personnel who have the most technical expertise to troubleshoot specific service issues may be located in locations other than the primary location, and they may require access to systems or data for purposed [sic] of resolving an issue."

This statement means that there’s no 100 per cent guarantee that the data remains at a certain location all the time, which can be an issue for passing PCI DSS audits, since you might be asked to show exactly how your data is used. This being the case, the best way to reap the benefits of cloud technologies while meeting security requirements is to adopt a hybrid cloud strategy: storing and using cardholder data internally rather than in the cloud allows you to maintain proper control over who attempts to access it.

2. Know where your sensitive data is

The PCI DSS standard demands secure transmission of cardholder data. This means ensuring that files and emails don’t contain cardholder data. Although Office 365 offers a set of data loss prevention tools, this might not be sufficient for preventing cardholder data from being occasionally processed or transferred outside the PCI-controlled environment.

To ensure proper control over your email system and file storage, it’s best to adopt additional solutions that can detect sensitive data in the content of emails, attachments and other files.

3. Enable visibility into sensitive data

PCI DSS Requirement 10 says that logging is required for every access event. Since cloud solutions increase the risk that your data may be accessed without your notice, it is impossible to prove to auditors that you know about every attempt to access your sensitive data. Therefore, again, storing cardholder data on premises might be a preferable option, because you have more flexibility in terms of security solutions.

For instance, some on-premises solutions provide user behaviour analytics (UBA) that analyse who did what, when and where across your IT infrastructure, helping to detect anomalies before a breach occurs. This technology can give you complete visibility across the entire IT infrastructure for PCI compliance, and notify you of any malicious changes that might cause a data leak.

In summary, if you are eager to take advantage of the many benefits of Office 365 or other cloud technologies, don’t let security and compliance concerns stand in your way. Rather, keep exploring your options and workarounds, as there are plenty of solutions that will help you strengthen security, streamline compliance and optimise your expenses.

Alex Vovk is CEO and co-founder of Netwrix