PCI and the Cloud
Dave Shackleford, CTO, IANS
Andrew Hay, Chief Evangelist, CloudPassage
8/29/2012
Hashtag - #PCIcloud
Copyright © 2012 IANS. All rights reserved. 2
Who We Are
Dave Shackleford, SVP of Research & CTO at IANS
Andrew Hay, Chief Evangelist at CloudPassage, Inc.
Interact with us on Twitter using the #PCIcloud hashtag
Introduction
• There are lots of questions about PCI in cloud environments…but few answers to date
How will compliance be affected with various cloud configurations?
What should we look for in PCI-compliant providers?
How can I satisfy the security and control requirements?
Can I even be PCI compliant in the cloud?
What does a ‘PCI Compliant’ cloud even mean?
What am I responsible for in Private/Public/Hybrid clouds?
Will my existing technical controls work in cloud?
It’s Not All Doom and Gloom
• Yes, you can be PCI compliant in the cloud!
• You will likely need some different tools and processes
• Not all providers are created equal!
• There is no “silver bullet” – but the responsibility is still yours
Survey Results: Compliance & Standards
• What standards or regulatory compliance mandates apply to your cloud project(s)?
GLBA 5.3%
FISMA 5.3%
COPPA 5.3%
Cloud Audit 5.3%
CIPA 5.3%
CoBIT 15.8%
ISO 31.6%
SOX 36.8%
HIPAA 42.1%
PCI DSS 84.2%
A Little About Cloud Types
[Diagram: four environments (Legacy Datacenter / Colo, Private Cloud / Hybrid Staging, US Public Cloud Provider, EU Public Cloud Provider), each hosting a mix of load balancers, app servers, auth servers and DBs]
Survey Results - Environments
• Which of the following cloud hosting environments are leveraged by your project(s)?
A private Platform-as-a-Service (PaaS) 16.7%
A private cloud hosted in your own data center 27.8%
A public, multi-tenant Platform-as-a-Service (PaaS) 33.3%
A public, multi-tenant cloud provider 38.9%
A private cloud hosted and/or operated by an external provider 44.4%
Who is responsible for Security?
[Diagram: AWS Shared Responsibility Model. Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer responsibility: Virtual Machine, Operating System, App Framework, App Code, Data.]
“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
General Notes on Cloud Service Providers (CSPs)
• Compliance concerns will vary depending on whether CSP is SaaS, PaaS, IaaS
• CSPs should be on the card brands’ “approved list”
• PCI compliance should be in contract
What Else to Look For: CSPs
• Evidence of audit and attestation – combination of “PCI Compliance” and perhaps SSAE 16
• Cloud SLAs and contract provisions
• Who is responsible for what? This should be clear!
• You cannot outsource your compliance status!
• But you CAN take steps to secure the requirements under your control
Requirement Areas 1-3
PCI DSS Requirement / Cloud Concerns and Comments
1: Install/maintain firewall configs
1. Data flow is important
2. Host-based firewalls may make the most sense
3. Hardware and some network may be up to the CSP
2: Vendor defaults
1. Virtualization templates can help (once they are secured properly)
2. CSP audit data may be needed
3. Always check for inappropriate settings
3: Protect stored data
1. Options will depend on data storage type
2. Cloud storage platforms may have their own options
Protect the perimeter, internal, and wireless networks.
Secure payment card applications.
Protect stored cardholder data.
Requirement Areas 4-6
PCI DSS Requirement / Cloud Concerns and Comments
4: Encrypt data in transit
1. VPN connections to/from cloud environment
2. Leverage SSL connections
5: Use and update anti-malware
1. Ensure anti-malware is built into templates for deployment
6: Develop/maintain secure systems and apps
1. Build security into apps and VM templates in the cloud
2. Be wary of provisioning and “cloud bursting”
Secure payment card applications.
Monitor and control access to your systems.
Protect stored cardholder data.
Requirement Areas 7-9
PCI DSS Requirement / Cloud Concerns and Comments
7: Restrict access to Cardholder Data (CHD) by “Need to Know”
1. Leverage any role-based controls (e.g. Amazon IAM and others)
2. Build controls into cloud systems and manage normally (if possible)
8: Use unique IDs for accessing PCI systems
1. Proper configuration management and role/group management are required
9: Restrict physical access
1. This is entirely on the CSP – similar to a hosting environment
Monitor and control access to your systems.
Requirement Areas 10-12
PCI DSS Requirement / Cloud Concerns and Comments
10: Track and monitor access to CHD
1. Will your CSP provide any logs? If so, which ones?
2. Send your own logs to a central log server in the cloud or elsewhere
11: Test PCI systems and processes
1. Test your cloud assets – this may require a different coordination level with the CSP
2. Ask for CSP test reports if relevant
12: Maintain information security policies
1. Update any/all policies that may have ties to the new cloud-based assets.
Monitor and control access to your systems.
Finalize remaining compliance efforts, and ensure all controls are in place.
Survey Results: Audit
• How many times has your cloud project been audited for adherence to the compliance standards above?
Never
Once
More than three times
(shares shown on the chart, in extracted order: 66.7%, 9.5%, 23.8%)
Survey Results: Controls
• What cloud security technologies did your auditors expect you to have deployed?
Firewalls & Access control 78.6%
SIEM/LM 71.4%
WAF 71.4%
Multi-factor authentication 64.3%
Database encryption 57.1%
Network encryption 57.1%
NIDS 57.1%
Patch management 57.1%
Disk encryption 42.9%
HIDS 35.7%
Configuration monitoring 35.7%
FIM 35.7%
Code scanning 35.7%
Survey Results: Who Audited?
• Who performed your cloud compliance audit (big four, small firm, QSA)?
A large accounting firm (e.g. one of the “big four”)
A large technology integrator or technical consulting firm
A smaller firm specializing in information security technology
A smaller firm specializing in general risk management, governance and compliance
Internal/self audit
(shares shown on the chart, in extracted order: 6.7%, 6.7%, 6.7%, 13.3%, 66.7%)
How Do I Secure Servers in the Cloud?
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
Dynamic firewall & access control
Server account visibility & control
Server compromise & intrusion alerting
Server forensics and security analysis
Configuration and package security
Integration & automation capabilities
Mapping Compliance to the Cloud
Firewalling Without Network Control
Traditional Datacenter (DC) Firewalling
[Diagram: dmz and core zones, each behind a Firewall, containing load balancers, app servers, an auth server and DBs; host www-4 carries an alert marker]
Moving to the Cloud
[Diagram sequence: the firewalled dmz/core datacenter layout (load balancers, app servers, auth server, DBs) is moved step by step into a public cloud, ending with a load balancer, two app servers and a DB master in the public cloud carrying alert markers]
Dynamic Cloud Firewalling
[Diagram sequence: in the public cloud each host (load balancers, app servers, DB master, DB slave) carries its own firewall (FW); an app server with a new IP is added and later removed, and the per-host firewalls are updated each time]
Lessons to Learn
Whatever firewall options you have, use them
Make sure your firewall rules are updated quickly and automatically
Plan for the future, because you will be multi-cloud
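The per-host firewalling shown in the slides, as an added example (not from the webinar or CloudPassage's product): rules for each host are derived from a role-to-role policy and the current inventory, so that launching or retiring a server produces exactly the rule changes an agent must push. Host names, addresses, roles and ports are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Host = Tuple[str, str]       # (ip, role)
Rule = Tuple[str, str, int]  # (action, source CIDR, destination TCP port)

# Role-to-role policy: (source role, destination role) -> allowed port.
# Anything not listed is denied, so a host of unknown role gets no access.
POLICY: Dict[Tuple[str, str], int] = {
    ("internet", "load_balancer"): 443,
    ("load_balancer", "app_server"): 8443,
    ("app_server", "db_master"): 5432,
    ("db_master", "db_slave"): 5432,  # replication traffic only
}

# Constructed inventory: hypothetical host names and private addresses.
INVENTORY: Dict[str, Host] = {
    "lb-1": ("10.0.1.10", "load_balancer"),
    "app-1": ("10.0.2.11", "app_server"),
    "app-2": ("10.0.2.12", "app_server"),
    "db-master": ("10.0.3.20", "db_master"),
    "db-slave": ("10.0.3.21", "db_slave"),
}

def rules_for(host: str, inventory: Dict[str, Host]) -> List[Rule]:
    """Inbound rule set for one host, derived only from roles and current IPs."""
    _, role = inventory[host]
    rules: List[Rule] = []
    for (src_role, dst_role), port in POLICY.items():
        if dst_role != role:
            continue
        if src_role == "internet":
            rules.append(("ACCEPT", "0.0.0.0/0", port))
            continue
        for _, (peer_ip, peer_role) in sorted(inventory.items()):
            if peer_role == src_role:
                cidr = f"{ipaddress.ip_address(peer_ip)}/32"  # also validates the IP
                rules.append(("ACCEPT", cidr, port))
    rules.append(("DROP", "0.0.0.0/0", 0))  # default deny for everything else
    return rules

def rule_diff(old: List[Rule], new: List[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """(added, removed): what an agent must push after an inventory change."""
    return set(new) - set(old), set(old) - set(new)

def with_host(inventory: Dict[str, Host], name: str, ip: str, role: str) -> Dict[str, Host]:
    """Inventory after a host launches (e.g. an autoscaled app server)."""
    return {**inventory, name: (ip, role)}

def render_iptables(rules: List[Rule]) -> List[str]:
    """Render the rule set as iptables commands for the INPUT chain."""
    return [f"iptables -A INPUT -s {src} -j DROP" if action == "DROP"
            else f"iptables -A INPUT -p tcp -s {src} --dport {port} -j ACCEPT"
            for action, src, port in rules]

if __name__ == "__main__":
    before = rules_for("db-master", INVENTORY)
    after = rules_for("db-master", with_host(INVENTORY, "app-3", "10.0.2.13", "app_server"))
    print("rules to add on db-master:", rule_diff(before, after)[0])
```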
Securing Highly Dynamic Servers
Traditional DC Operations Model
private datacenter
Capacity is mostly static
Servers are long-lived
Security risk on servers is mitigated by network defenses
[Diagram: long-lived servers www-1 to www-4 in the private datacenter, each with an alert marker]
Cloud Operations Model
public cloud
Capacity is highly dynamic
Servers are short lived
Gold Master updates are rolled out incrementally
[Diagram sequence: www servers in the public cloud are launched from a Gold Master image and replaced as they are retired, with alert markers appearing on individual instances]
What does server security mean in this environment?
Ensuring Cloud Server Integrity
Scan for misconfigurations due to deployment or debugging issues
Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
Monitor business code for unintended or malicious changes
Automate management and monitoring of these critical operational security points
[Diagram sequence: www-1 to www-4 instances gain ? and ! markers as each concern above is introduced]
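Two of the integrity checks above (drift of business code away from the Gold Master, and debug settings left behind by deployment) as an added example, not from the webinar or CloudPassage's product: a SHA-256 manifest is taken from the gold image and a running instance is compared against it. The file tree, file names and the two debug-setting strings are constructed for the demo.

```python
import hashlib, os, tempfile
from pathlib import Path
from typing import Dict, List

# Debug-only settings that must never reach a PCI host (constructed examples).
DEBUG_SETTINGS = ("DEBUG = True", "display_errors = On")

def rel(path: Path, root: Path) -> str:
    return str(path.relative_to(root)).replace(os.sep, "/")

def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root (taken from the gold master)."""
    return {rel(p, root): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a running instance against the gold-master manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
    }

def find_debug_settings(root: Path) -> Dict[str, List[str]]:
    """Files on the instance that still carry a debug-only setting."""
    hits: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = [s for s in DEBUG_SETTINGS if s in p.read_text(errors="ignore")]
            if found:
                hits[rel(p, root)] = found
    return hits

def write_tree(root: Path, files: Dict[str, str]) -> None:
    """Write a constructed file tree standing in for a real server image."""
    for name, text in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(text)

GOLD = {"app/checkout.py": "def charge(card):\n    ...\n",
        "app/settings.py": "DEBUG = False\n",
        "etc/php.ini": "display_errors = Off\n"}

def demo() -> dict:
    """Gold master versus an instance that drifted after deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, inst = Path(tmp, "gold"), Path(tmp, "instance")
        write_tree(gold, GOLD)
        manifest = build_manifest(gold)
        drifted = dict(GOLD)
        drifted["app/checkout.py"] += "# edited on the live host\n"  # business code changed
        drifted["app/settings.py"] = "DEBUG = True\n"                # debug flag left on
        drifted["app/debug.log"] = "trace\n"                         # file not in the image
        del drifted["etc/php.ini"]                                   # file missing
        write_tree(inst, drifted)
        report = verify(inst, manifest)
        report["debug_settings"] = find_debug_settings(inst)
        return report
```

In practice the manifest is produced once per Gold Master build and shipped with the image, and verify() runs on a schedule on every instance so that drift is caught on short-lived servers before they are retired.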
Lessons to Learn
Embrace the flexibility of the cloud; re-think operations
Secure your server integrity by keeping images up-to-date and monitor closely for changes
Know what areas of security you are responsible for and automate them heavily
Best Practices
• Read and understand what your provider does, and what you are responsible for, with regards to PCI
• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
• Start with public cloud, PCI everywhere else is relatively easy!
• Focus on securing the tenets of PCI that you can control
Thank You & Questions
Dave Shackleford
CTO, IANS
Andrew Hay
Chief Evangelist, CloudPassage
Follow us on Twitter: twitter.com/ians_security, twitter.com/cloudpassage
www.cloudpassage.com/pci-kit