CloudStack itself can never be PCI *compliant*...  only a company can
be.  CloudStack can certainly be part of the technical architecture for
an IT environment (or service provider environment) that is being
audited for overall organizational compliance.

A service provider that offers a CloudStack-based cloud is also,
similarly, unable to really offer "compliance" for their customers.
They are only able to fulfill certain aspects of the required set of
controls, and support their customers during the PCI audit process *of
their customers*.

There really isn't a silver bullet here...  you have to have your own
answers for how the required controls are implemented (and for many,
there is an infinite number of possible implementation designs).

As for the docs for a "cloud" environment, check out:
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

Keep in mind that it will absolutely depend on how things are being
audited.  Is the "CloudStack Cloud" external to the org trying for
compliance?  If so, the doc above would be the right choice for where to
start.  Is the CloudStack environment controlled by the org attempting
compliance?  If so, it's likely a combination of the Cloud Guidelines
and the Virtualization supplemental info.

Your best bet is to work with someone that knows the PCI process, and
gets how the controls are typically evaluated by the various auditors.
I've been through this before, and I can tell you that even the auditors
are different in their understanding of the guidelines.

-chip

On Thu, Apr 24, 2014 at 08:49:30AM -0400, Tim Mackey wrote:
> The real problem is in defining what is "in-scope" and "out-of-scope", and
> avoiding "mixed-mode".  This document (
> https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf)
> provides a pretty good read of the suggested rules of the road for
> virtualization, but I'm not aware of a similar doc covering cloud.  Things
> like network topologies can mess stuff up quite quickly, and it's probably
> best to involve the customer's PCI QSA in the design.  A couple months back
> I was asked to comment on a pure XenServer environment for mixed-mode
> operations and the customer-accepted solution required both VLANs and OVS
> policy definition to secure cardholder data and meet the QSA goals.  Read
> that as "it's quite complicated and prone to opinions rather than hard
> standards".
> 
> -tim
> 
> 
> On Thu, Apr 24, 2014 at 8:34 AM, Sebastien Goasguen <run...@gmail.com>wrote:
> 
> >
> > On Apr 22, 2014, at 5:52 AM, Uwe Kastens <kiste...@googlemail.com> wrote:
> >
> > > Hi there,
> > >
> > >
> > > That would be interesting for me as well
> > >
> > > Kind Regards
> > >
> > > Uwe
> > >
> > >
> > >
> > > 2014-04-21 19:31 GMT+02:00 Upendra Moturi <upendra.mot...@sungardas.com
> > >:
> > >
> > >> Hello Team,
> > >>
> > >> Has anyone worked on making CloudStack PCI compliant?
> > >> Can you please point me to some documentation?
> > >>
> >
> > Haven't worked on it and over my head, but that's a big question. I
> > actually asked a friend on twitter :)
> > The answer was interesting "CloudStack can facilitate PCI compliance but
> > not *be* PCI compliant"
> >
> > -sebastien
> >
> >