
Is SQL Azure PCI-DSS Compliant?

If I were to use separate Windows Server that was PCI-DSS compliant, would I still be compliant if I had a SQL Azure hosting the backend? This is assuming that I'm compliant at the application layer, and that I'm only storing permitted values (like no CVV), etc.

AWS is now PCI DSS 2.0 Level 1 compliant, so the assumption that Level 1 is not achievable by a cloud vendor is not correct:

http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/

In addition, Rackspace has also achieved PCI Level 1 compliance:

http://www.rackspace.co.uk/rackspace-home/media-centre/news/article/article/rackspace-enhances-security-with-pci-accreditation/

It is true that Microsoft has not yet achieved PCI compliance for Windows Azure.

It is likely that they are actively working on addressing any limitations in Windows Azure so that they will also be able to provide this service to their customers and remain competitive, but as of today they have not yet achieved PCI compliance.

Microsoft writes in the Azure FAQ:

At commercial launch, Windows Azure will not have specific audit or security certifications. You can expect to see us pursue key certifications, such as the ISO27001, in the near future. The Windows Azure Platform and Windows Azure apply the rigorous security practices incorporated in the Security Development Lifecycle (SDL) process. SDL introduces security and privacy early and throughout the development process. The Windows Azure Platform and Windows Azure also benefit from the security capabilities afforded by the Microsoft Global Foundation Services' (GFS) infrastructure. The GFS assurances are validated by external auditors on a regular basis and include a comprehensive security program that covers the entire delivery stack.

Microsoft makes no claim regarding PCI standards for 3rd party hosting. There are ways to develop cloud based applications to use 3rd party PCI data processors that may keep the cloud application itself out of scope.

http://www.microsoft.com/windowsazure/faq/default.aspx

Choose "Licensing and Service Level Agreements" in the drop down, then find the last paragraph "What industry audit and security certifications cover the Windows Azure Platform? Specifically, call out position on SAS70, ISO 27001, and PCI?"

Just an update on this question.

As it stands currently, Windows Azure is indeed PCI DSS Level 1 compliant. See the following Windows Azure Trust Centre article for more information: Windows Azure Trust Center - Compliance

Not sure of PCI-DSS Compliance status in Azure, but I will note that Azure and EC2S3 are not the same animals. Azure is a completely hosted infrastructure which exposes services and endpoints to offer application writers the ability to sit on a fully managed and monitored (including typical security constructs in place for the on-premise Server product) platform, and extend these services to the resident applications.

Considering the amount of time that Microsoft has spent with the PCI folks (from Vista on), I would be highly surprised if a PCI-DSS compliant application didn't maintain its level of certification when extended to Windows Azure.

Hope this helps. The purpose wasn't to bash EC2S3, it was more to fill in the blanks on Azure.

Mr. Helper :-)

With PCI DSS it is important to remember that it is not just about storing, it's "store, process, or transmit." If any of this happens in or through the cloud then the cloud becomes part of your cardholder data environment, thus in scope for PCI compliance. Since it's a cloud that you don't control, there would be no way to verify compliance.

No verification, no compliance. Sorry.

Amazon announced PCI DSS Level 1 compliance on Dec 07, 2010. My answer below is now incorrect.

See http://www.mckeay.net/2009/08/14/cannot-achieve-pci-compliance-with-amazon-ec2s3/. Amazon says you can't achieve PCI-DSS level 1 compliance on their infrastructure. The important lines are -

It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.

I haven't read Azure's documentation, but I am pretty sure they don't allow on-site auditing. Given that, the same conclusions would apply to Microsoft Azure as well.

Looks like AWS and Rackspace both have achieved some level of compliance (http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/, http://www.rackspace.co.uk/rackspace-home/media-centre/news/article/article/rackspace-enhances-security-with-pci-accreditation/), but Global Foundation Services (the infrastructure behind Microsoft Windows/SQL Azure, CDN, etc) has not (http://www.globalfoundationservices.com/security/). I would not be surprised to see that GFS achieves some accreditation in the near future, however.
