The PCI Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) on Thursday released a joint bulletin that explains the reasons why security pros need to focus more on properly scoping cloud environments.

PCI SSC and the CSA define scoping as the “identification of people, processes, and technologies that interact with or could otherwise impact the security of payment data or systems. When using cloud security for payments, this responsibility typically gets shared between the customer and the cloud service provider.”

According to the joint bulletin, data breach investigation reports continue to find that companies hit with payment data compromises are unaware that cardholder data was present on the compromised systems. They say proper scoping can ensure that companies are aware of the location of their data and that the necessary security controls are in place to protect that data. Improper scoping can result in vulnerabilities being unidentified and unaddressed, which hackers can exploit.

The PCI SSC has been relatively slow to offer guidance for PCI merchants wanting to use cloud platforms, but it’s great to get some much-needed clarity, said Mark Kedgley, CTO of New Net Technologies, now a part of Netwrix.

“Defining the responsibilities shared by the cloud service provider, payment processor, and merchant has presented a complex problem, although standard security best practices apply no matter what an IT environment looks like,” Kedgley said.

Properly scoping cloud environments has become an essential component to both holistic data governance and security in the cloud, said James Beecham, co-founder and CTO of ALTR. With more data moving to the cloud, Beecham said organizations need to look at where threats are originating from. Overwhelmingly, a large number of these threats are now credentialed access threats as a result of the popularity of multi-cloud environments, which can leave gaps in access management that create vulnerability.

“A more common approach to cloud data governance and security is enabling multi-factor authentication and having strong passwords that are rotated and changed frequently,” Beecham said. “Ideally these steps limit exposure and reduce the risk of cyberattacks. But this isn’t enough on its own. Approaching cloud data governance and security requires organizations to take full responsibility for both data and the people using it. They must have the ability to monitor, understand and know how data gets consumed. This is usually missing from cloud governance best practices – and it’s essential that organizations add it to their strategy.”

John Morgan, CEO at Confluera, added that scoping and assessing risk in the cloud has become a must, and they are happy to see this level of attention being called out. Cloud environments are getting more complex – so complex that if an attacker wants in, Morgan said they will get in with the right amount of motivation, even with common best practices implemented.

“Scoping to create a solid plan, and using preventative security is a great start, but ultimately complexity has gotten to the point where we must assume a breach will occur and have the tools in place to detect and stop it fast before it does any damage, Morgan said. “It’s crucial that cloud scoping includes a plan to have a detection and response solution purpose-built for the cloud to stop cyberattacks.”

In light of so much news around supply chain attacks and accidental data exposures, organizations need to get better about patching vulnerabilities and knowing where their “crown jewels” are, said Sean Nikkel, threat intelligence analyst with Digital Shadows. This means addressing the access people and services have as well as tracking potential third-party exposures, Nikkel said.

“The holistic approach that PCI-CSA discusses needs to be fully considered if you’re hosting critical data in the cloud,” Nikkel said. “If there are gaps from not fully implementing some of these controls, organizations need to figure out how to address the gaps or reconsider putting that kind of information in the cloud. Every bad guy with an internet connection will try to get into the castle walls, from criminals to nation-states, so the odds are stacked against the blue teams out there. In the same vein, organizations with data in the cloud shouldn’t also shoot themselves in the foot by not using all of the tools and best practices available to them.”