PCI and the Cloud
Join the discussion with Andrew Hay, Chief Evangelist of CloudPassage and Dave Shackleford, Senior Vice President, Research and Chief Technology Officer of IANS.

In this presentation, we will discuss:

- How compliance is affected by using private, hybrid, and public cloud environments
- What to consider when researching providers who offer "PCI-compliant" clouds
- Recommendations for improving compliance and security posture in the cloud


Published in: Technology
  • Many organizations are looking to outsource systems, applications, and data into the cloud. Some of these may fall under the helm of PCI compliance. There are lots of questions about this, but few answers to date: How will compliance be affected with various cloud configurations? What should we look for in PCI-compliant providers? How can security be improved for cloud infrastructure? We’ll explore all these topics.
  • Can you be PCI compliant in the cloud? Absolutely. It depends on the model and your architecture. You will likely need some different tools and processes. Not all providers are created equal! Be sure to check claims of compliance very carefully. Look for any additional audit data, as well. There is no “silver bullet” – the responsibility is still yours.
  • Compliance concerns will vary depending on whether the CSP is SaaS, PaaS, or IaaS. Responsibility and control levels differ. CSPs should be on the card brands’ “approved list” if at all possible. PCI compliance should be in the contract. Delineate which parts of the “stack” you are responsible for.
  • PCI and the Cloud

    1. PCI and the Cloud
       Dave Shackleford, CTO, IANS. Andrew Hay, Chief Evangelist, CloudPassage. Hashtag: #PCIcloud. 8/29/2012
    2. Who We Are
       Dave Shackleford, SVP of Research & CTO at IANS. Andrew Hay, Chief Evangelist at CloudPassage, Inc. Interact with us on Twitter using the #PCIcloud hashtag.
       Copyright © 2012 IANS. All rights reserved.
    3. Introduction
       • There are lots of questions about PCI in cloud environments…but few answers to date:
         - How will compliance be affected with various cloud configurations?
         - What should we look for in PCI-compliant providers?
         - How can I satisfy the security and control requirements?
         - What does a ‘PCI Compliant’ cloud even mean?
         - Can I even be PCI compliant in the cloud?
         - What am I responsible for in Private/Public/Hybrid clouds?
         - Will my existing technical controls work in cloud?
    4. It’s Not All Doom and Gloom
       • Yes, you can be PCI compliant in the cloud!
       • You will likely need some different tools and processes
       • Not all providers are created equal!
       • There is no “silver bullet” – but the responsibility is still yours
    5. Survey Results: Compliance & Standards
       • What standards or regulatory compliance mandates apply to your cloud project(s)?
         - PCI DSS 84.2%
         - HIPAA 42.1%
         - SOX 36.8%
         - ISO 31.6%
         - CoBIT 15.8%
         - CIPA 5.3%
         - Cloud Audit 5.3%
         - COPPA 5.3%
         - FISMA 5.3%
         - GLBA 5.3%
    6. A Little About Cloud Types
       [Diagram: a US public cloud provider and an EU public cloud provider, each hosting app servers, DB, auth server and load balancer, alongside a legacy datacenter / colo and a private cloud / hybrid staging environment.]
    7. Survey Results - Environments
       • Which of the following cloud hosting environments are leveraged by your project(s)?
         - A private cloud hosted and/or operated by an external provider 44.4%
         - A public, multi-tenant cloud provider 38.9%
         - A public, multi-tenant Platform-as-a-Service (PaaS) 33.3%
         - A private cloud hosted in your own data center 27.8%
         - A private Platform-as-a-Service (PaaS) 16.7%
    8. Who is responsible for Security? AWS Shared Responsibility Model
       “…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
       “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
       Source: Amazon Web Services: Overview of Security Processes
       [Diagram of the stack: Customer responsibility covers Data, App Code, App Framework, Operating System and Virtual Machine; Provider responsibility covers Hypervisor, Compute & Storage, Shared Network and Physical Facilities.]
    9. General Notes on Cloud Service Providers (CSPs)
       • Compliance concerns will vary depending on whether the CSP is SaaS, PaaS, or IaaS
       • CSPs should be on the card brands’ “approved list”
       • PCI compliance should be in the contract
    10. What Else to Look For: CSPs
       • Evidence of audit and attestation – a combination of “PCI Compliance” and perhaps SSAE 16
       • Cloud SLAs and contract provisions
       • Who is responsible for what? This should be clear!
       • You cannot outsource your compliance status!
       • But you CAN take steps to secure the requirements under your control
    11. Requirement Areas 1-3 (PCI DSS Requirement / Cloud Concerns and Comments)
       • 1: Install/maintain firewall configs (Protect the perimeter, internal, and wireless networks.)
         1. Data flow is important
         2. Host-based firewalls may make the most sense
         3. Hardware and some network may be up to the CSP
       • 2: Vendor defaults (Secure payment card applications.)
         1. Virtualization templates can help (once they are secured properly)
         2. CSP audit data may be needed
         3. Always check for inappropriate settings
       • 3: Protect stored data (Protect stored cardholder data.)
         1. Options will depend on data storage type
         2. Cloud storage platforms may have their own options
    12. Requirement Areas 4-6 (PCI DSS Requirement / Cloud Concerns and Comments)
       • 4: Encrypt data in transit (Protect stored cardholder data.)
         1. VPN connections to/from the cloud environment
         2. Leverage SSL connections
       • 5: Use and update anti-malware (Monitor and control access to your systems.)
         1. Ensure anti-malware is built into templates for deployment
       • 6: Develop/maintain secure systems and apps (Secure payment card applications.)
         1. Build security into apps and VM templates in the cloud
         2. Be wary of provisioning and “cloud bursting”
    13. Requirement Areas 7-9 (PCI DSS Requirement / Cloud Concerns and Comments)
       • 7: Restrict access to Cardholder Data (CHD) by “Need to Know” (Monitor and control access to your systems.)
         1. Leverage any role-based controls (e.g. Amazon IAM and others)
         2. Build controls into cloud systems and manage normally (if possible)
       • 8: Use unique IDs for accessing PCI systems (Monitor and control access to your systems.)
         1. Proper configuration management and role/group management are required
       • 9: Restrict physical access (Monitor and control access to your systems.)
         1. This is entirely on the CSP – similar to a hosting environment
    14. Requirement Areas 10-12 (PCI DSS Requirement / Cloud Concerns and Comments)
       • 10: Track and monitor access to CHD (Monitor and control access to your systems.)
         1. Will your CSP provide any logs? If so, which ones?
         2. Send your own logs to a central log server in the cloud or elsewhere
       • 11: Test PCI systems and processes (Monitor and control access to your systems.)
         1. Test your cloud assets – this may require a different coordination level with the CSP
         2. Ask for CSP test reports if relevant
       • 12: Maintain information security policies (Finalize remaining compliance efforts, and ensure all controls are in place.)
         1. Update any/all policies that may have ties to the new cloud-based assets.
    15. Survey Results: Audit
       • How many times has your cloud project been audited for adherence to the compliance standards above?
         - Never 23.8%
         - Once 9.5%
         - More than three times 66.7%
    16. Survey Results: Controls
       • What cloud security technologies did your auditors expect you to have deployed?
         - Firewalls & access control 78.6%
         - SIEM/LM 71.4%
         - WAF 71.4%
         - Multi-factor authentication 64.3%
         - Database encryption 57.1%
         - Network encryption 57.1%
         - NIDS 57.1%
         - Patch management 57.1%
         - Disk encryption 42.9%
         - HIDS 35.7%
         - Configuration monitoring 35.7%
         - FIM 35.7%
         - Code scanning 35.7%
    17. Survey Results: Who Audited?
       • Who performed your cloud compliance audit (big four, small firm, QSA)?
         [Pie chart; the shares shown were 66.7%, 13.3%, 6.7%, 6.7% and 6.7%. The extraction does not preserve which share belongs to which category.]
         - A large accounting firm (e.g. one of the “Big Four”)
         - A large technology integrator or technical consulting firm
         - A smaller firm specializing in information security technology
         - A smaller firm specializing in general risk management, governance and compliance
         - Internal/self audit
    18. How Do I Secure Servers in the Cloud?
       Servers in hybrid and public clouds must be self-defending with highly automated controls like…
         - Dynamic firewall & access control
         - Server compromise & intrusion alerting
         - Configuration and package security
         - Server forensics and security analysis
         - Server account visibility & control
         - Integration & automation capabilities
    19. Mapping Compliance to the Cloud
    20. Firewalling Without Network Control
    21. Traditional Datacenter (DC) Firewalling
       [Diagram: Auth Server and DB servers in the core tier behind a core firewall; load balancers and app servers (www-4 flagged) in the dmz tier behind a dmz firewall.]
    22. Moving to the Cloud
       [Diagram: the same tiers (Auth Server, DBs, load balancers, app servers) with core and dmz firewalls.]
    23. Moving to the Cloud
       [Diagram: the same tiers relocated into a public cloud.]
    24. Moving to the Cloud
       [Diagram: the same tiers in a public cloud, now with no core or dmz firewall available.]
    25. Moving to the Cloud
       [Diagram: load balancer, app servers and DB master in a public cloud, each flagged as exposed without a network firewall.]
    26. Dynamic Cloud Firewalling
       [Diagram: load balancer, app servers and DB master in a public cloud, each with its own host firewall (FW).]
    27. Dynamic Cloud Firewalling
       [Diagram: a second load balancer, a third app server and a DB slave are added, each with its own host firewall.]
    28. Dynamic Cloud Firewalling
       [Diagram: a new app server IP is added and the host firewalls are updated to allow it.]
    29. Dynamic Cloud Firewalling
       [Diagram: an app server is removed and its IP is dropped from the host firewall rules.]
    30. Lessons to Learn
       • Whatever firewall options you have, use them
       • Make sure your firewall rules are updated quickly and automatically
       • Plan for the future, because you will be multi-cloud
    31. Securing Highly Dynamic Servers
    32. Traditional DC Operations Model
       [Diagram: www-1 to www-4 in a private datacenter.]
       • Capacity is mostly static
       • Servers are long-lived
       • Security risk on servers is mitigated by network defenses
    33. Cloud Operations Model
       [Diagram: www instances cloned from a Gold Master.]
       • Capacity is highly dynamic
    34. Cloud Operations Model
       [Diagram: www instances in a public cloud, cloned from a Gold Master, one instance terminated.]
       • Capacity is highly dynamic
       • Servers are short lived
    35. Cloud Operations Model
       [Diagram: several www instances terminated.]
       • Capacity is highly dynamic
       • Servers are short lived
    36. Cloud Operations Model
       [Diagram: new www instances cloned from an updated Gold Master while older ones are retired.]
       • Capacity is highly dynamic
       • Servers are short lived
       • Gold Master updates are rolled out incrementally
    37. Cloud Operations Model
       [Diagram: mixed generations of www instances.]
       What does server security mean in this environment?
       • Capacity is highly dynamic
       • Servers are short lived
       • Gold Master updates are rolled out incrementally
    38. Ensuring Cloud Server Integrity
       [Diagram: www instances with several flagged.]
    39. Ensuring Cloud Server Integrity
       • Scan for misconfigurations due to deployment or debugging issues
    40. Ensuring Cloud Server Integrity
       • Scan for misconfigurations due to deployment or debugging issues
       • Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
    41. Ensuring Cloud Server Integrity
       • Scan for misconfigurations due to deployment or debugging issues
       • Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
       • Monitor business code for unintended or malicious changes
    42. Ensuring Cloud Server Integrity
       • Scan for misconfigurations due to deployment or debugging issues
       • Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
       • Monitor business code for unintended or malicious changes
       • Automate management and monitoring of these critical operational security points
    43. Lessons to Learn
       • Embrace the flexibility of the cloud; re-think operations
       • Secure your server integrity by keeping images up-to-date and monitor closely for changes
       • Know what areas of security you are responsible for and automate them heavily
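The integrity checks on slides 38-43 (compare each short-lived instance against the gold master it was cloned from, and scan for debugging leftovers) as an added example; this is not code from the deck or from CloudPassage. The image, file paths, contents and check patterns are constructed stand-ins for a real filesystem walk.

```python
"""Gold-master integrity and misconfiguration checks for a cloud server.

Added example (not from the IANS/CloudPassage deck): hashes the files of a
"gold master" image into a baseline, compares a running instance against it
(modified, added, removed, permission drift) and runs a few misconfiguration
checks for debugging leftovers. Paths, contents and checks are constructed;
a real agent would walk the filesystem and ship results to a central log.
"""
import hashlib
import re

# Constructed gold-master image: path -> (unix mode, content bytes).
GOLD_MASTER = {
    "/srv/app/checkout.py": (0o644, b"def charge(card, amount):\n"
                                    b"    return gateway.charge(card, amount)\n"),
    "/srv/app/settings.ini": (0o640, b"[app]\ndebug = false\n"),
    "/etc/ssh/sshd_config": (0o600, b"PermitRootLogin no\nPasswordAuthentication no\n"),
}

# Constructed checks: (path, pattern that indicates a problem, description).
MISCONFIG_CHECKS = [
    ("/srv/app/settings.ini", re.compile(rb"^\s*debug\s*=\s*true\s*$", re.M | re.I),
     "debug mode left enabled"),
    ("/etc/ssh/sshd_config", re.compile(rb"^\s*PermitRootLogin\s+yes", re.M),
     "root login over SSH enabled"),
]


def baseline(image):
    """path -> (mode, sha256 hex) captured from the trusted gold master."""
    return {p: (mode, hashlib.sha256(data).hexdigest()) for p, (mode, data) in image.items()}


def check_integrity(base, instance):
    """Compare a running instance (same path -> (mode, bytes) shape) to the baseline."""
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for path, (mode, data) in instance.items():
        if path not in base:
            report["added"].append(path)
            continue
        base_mode, base_hash = base[path]
        if hashlib.sha256(data).hexdigest() != base_hash:
            report["modified"].append(path)
        if mode != base_mode:
            report["mode_changed"].append(path)
    report["removed"] = list(set(base) - set(instance))
    return {k: sorted(v) for k, v in report.items()}


def check_misconfig(instance):
    """Findings for debugging leftovers and world-writable files."""
    findings = []
    for path, pattern, why in MISCONFIG_CHECKS:
        if path in instance and pattern.search(instance[path][1]):
            findings.append((path, why))
    for path, (mode, _data) in instance.items():
        if mode & 0o002:                      # other-writable bit set
            findings.append((path, "world-writable"))
    return sorted(findings)


if __name__ == "__main__":
    base = baseline(GOLD_MASTER)
    running = dict(GOLD_MASTER)
    running["/srv/app/settings.ini"] = (0o640, b"[app]\ndebug = true\n")  # debugging leftover
    running["/srv/app/debug_dump.log"] = (0o666, b"trace output\n")      # added, world-writable
    print(check_integrity(base, running))
    print(check_misconfig(running))
```

Because every instance is cloned from the same gold master, the baseline is computed once per image version rather than per server, which is what makes this check cheap enough to automate across a fleet that churns.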
    44. Best Practices
       • Read and understand what your provider does, and what you are responsible for, with regards to PCI
       • When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
       • Start with public cloud; PCI everywhere else is relatively easy!
       • Focus on securing the tenets of PCI that you can control
    45. Thank You & Questions
       Dave Shackleford, CTO, IANS – dshackleford@iansresearch.com
       Andrew Hay, Chief Evangelist, CloudPassage – andrew@cloudpassage.com
       Follow us on Twitter: twitter.com/ians_security, twitter.com/cloudpassage
       www.cloudpassage.com/pci-kit