#PCICloud
What You Need To Know About The New PCI Cloud Guidelines
Dave Shackleford, CTO, IANS
Chris Brenton, Director of Security, CloudPassage, Inc.
Session Agenda
• Can PCI DSS compliance be achieved in public cloud?
• Scope and responsibility example
• Checklist for PCI DSS compliance
• Suggestions for limiting PCI scope
• Breakdown of the shared responsibility model
• Securing and assessing data in a CSP environment
• Incident Response
• Questions
Helpful PCI Cloud Guidance?
PCI DSS = 75 pages of compliance goodness
PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to:
• Public cloud
• Private cloud
• Hybrid cloud
• IaaS
• PaaS
• SaaS
• Nested providers
• and more!
The Big Question
• Can PCI DSS compliance be achieved in public cloud?
  – Yes, and folks are doing it
• The easy way
  – Work with a PCI DSS certified CSP
  – Perform a gap analysis against the CSP's "PCI scope and responsibility" documentation
    • Their scope should include any nested providers
  – Make sure you fill in all the gaps
• The hard way
  – Work with a CSP that has not achieved PCI compliance
  – Your auditor must scope and review their environment
  – You essentially must certify the CSP while footing the bill
Scope & Responsibility Example - CSP
PCI #: 9.1
PCI DSS Requirement: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Testing Procedure: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.
Customer Responsibility: FUBAR Cloud Services maintains the physical security for all in-scope services.
Scope & Responsibility Example - Client
PCI #: 1.3.1
PCI DSS Requirement: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Testing Procedure: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Customer Responsibility: FUBAR customers are responsible for implementing perimeter firewalls through the FUBAR GUI interface for their in-scope services. FUBAR customers are responsible for developing appropriate firewall rules for their DMZ and internal network.
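The customer side of 1.3.1 is something you can check mechanically once the rules are exported from the provider's console. The following Go program is an added example, not code from the slides, the PCI guidance or the fictional FUBAR provider: it audits a constructed set of ingress rules against a list of authorized publicly accessible services and flags every rule that admits traffic from outside the organisation's own ranges to anything else. The rule layout, the internal range 10.0.0.0/8 and the sample rules are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one inbound (ingress) firewall or security-group rule as a customer
// would enter it through the provider's GUI/API. Constructed for this example.
type Rule struct {
	Host   string // system component the rule protects
	Proto  string // "tcp" or "udp"
	Port   int
	Source string // source CIDR; "0.0.0.0/0" is the whole Internet
}

// Service identifies an authorized, publicly accessible service (req. 1.3.1).
type Service struct {
	Host, Proto string
	Port        int
}

// Finding pairs a violating rule with the reason it was flagged.
type Finding struct {
	Rule   Rule
	Reason string
}

// Audit flags every rule that admits traffic from outside the organisation's
// own address ranges to a (host, proto, port) that is not on the authorized
// public-service list. Rules whose source lies entirely inside an internal
// range are back-end/admin flows and are not 1.3.1 findings (they are still
// governed by the other requirement 1 controls).
func Audit(rules []Rule, authorized map[Service]bool, internal []string) ([]Finding, error) {
	var nets []*net.IPNet
	for _, cidr := range internal {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("internal range %q: %w", cidr, err)
		}
		nets = append(nets, n)
	}
	var findings []Finding
	for _, r := range rules {
		_, src, err := net.ParseCIDR(r.Source)
		if err != nil {
			return nil, fmt.Errorf("rule for %s: %w", r.Host, err)
		}
		if isInside(src, nets) {
			continue
		}
		if !authorized[Service{Host: r.Host, Proto: r.Proto, Port: r.Port}] {
			findings = append(findings, Finding{r, fmt.Sprintf(
				"%s %s/%d reachable from %s but not an authorized public service",
				r.Host, r.Proto, r.Port, r.Source)})
		}
	}
	return findings, nil
}

// isInside reports whether src is wholly contained in one of the ranges:
// its network address is in the range and its prefix is at least as long.
func isInside(src *net.IPNet, ranges []*net.IPNet) bool {
	srcLen, _ := src.Mask.Size()
	for _, r := range ranges {
		rLen, _ := r.Mask.Size()
		if r.Contains(src.IP) && srcLen >= rLen {
			return true
		}
	}
	return false
}

// Constructed sample policy and rule set.
var (
	internalRanges = []string{"10.0.0.0/8"}
	publicServices = map[Service]bool{
		{Host: "web-dmz", Proto: "tcp", Port: 443}: true,
	}
	sampleRules = []Rule{
		{"web-dmz", "tcp", 443, "0.0.0.0/0"},   // authorized: HTTPS storefront
		{"web-dmz", "tcp", 22, "0.0.0.0/0"},    // SSH open to the Internet
		{"web-dmz", "tcp", 22, "10.0.0.0/8"},   // SSH from the internal admin range
		{"pci-db", "tcp", 3306, "0.0.0.0/0"},   // database exposed directly
		{"pci-db", "tcp", 3306, "10.1.0.0/24"}, // database from the app subnet
		{"app", "tcp", 8080, "203.0.113.0/24"}, // partner range, not on the list
	}
)

func main() {
	findings, err := Audit(sampleRules, publicServices, internalRanges)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("FAIL:", f.Reason)
	}
}
```

The partner-range rule is flagged as well as the two 0.0.0.0/0 ones: 1.3.1 is about all inbound traffic to components that are not authorized public services, not only traffic from the whole Internet, so the check treats every source outside your own ranges the same way.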
A Basic Checklist
✓ Understand the flow of credit card info
  – What processes/services handle it?
  – What communications exchange it?
  – What drives/partitions store it?
✓ Understand what SaaS services will have admin control
  – Can be in scope if controlling servers handling credit card info
✓ Flow diagrams are your friend; leverage them
✓ Delineate portions that are internal vs. external
✓ For internal portions, you need to address all 12 PCI DSS requirements
✓ For external portions
  – Understand the CSP's scope and responsibility documentation
  – Fill in the gaps as required
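Once the flow diagram exists, the checklist's scoping rules can be applied mechanically. The Go program below is an added example, not from the slides or the PCI guidance: it records a constructed inventory as a graph of "carries cardholder data" and "has admin control over" edges, derives the in-scope set (including a SaaS service that administers an in-scope server, and whatever administers that SaaS), and splits the result into the internal portion (all 12 requirements are yours) and the external portion (read the CSP's scope and responsibility documentation and fill the gaps). Treating only CHD and admin edges as scope-expanding is a simplification of the standard's connected-to rules and is an assumption of this example; the component names are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Edge is one relationship from the flow diagram. Kind is "chd" when
// cardholder data crosses the edge (From transmits to To), "admin" when From
// has administrative control over To (for example a SaaS configuration
// service that can push changes to a server), or "other". Constructed model.
type Edge struct {
	From, To, Kind string
}

// Inventory is the flow-diagram data the checklist asks you to collect.
type Inventory struct {
	Stores   []string        // components whose drives/partitions hold CHD
	Edges    []Edge          // communications and control relationships
	External map[string]bool // true when the component runs at a CSP
}

// Scope applies the checklist rules:
//  1. a component that stores CHD is in scope;
//  2. both ends of a communication that carries CHD are in scope;
//  3. a component with admin control over an in-scope component is in scope,
//     iterated to a fixed point so an admin of an admin is caught too.
// "other" edges do not pull a component into scope in this model (assumption).
func Scope(inv Inventory) map[string]bool {
	in := map[string]bool{}
	for _, s := range inv.Stores {
		in[s] = true
	}
	for _, e := range inv.Edges {
		if e.Kind == "chd" {
			in[e.From], in[e.To] = true, true
		}
	}
	for changed := true; changed; {
		changed = false
		for _, e := range inv.Edges {
			if e.Kind == "admin" && in[e.To] && !in[e.From] {
				in[e.From] = true
				changed = true
			}
		}
	}
	return in
}

// Split separates the in-scope set into internal components (all 12
// requirements apply to you) and external ones (check the CSP's scope and
// responsibility documentation, then fill the gaps). Both lists are sorted.
func Split(inv Inventory, in map[string]bool) (internal, external []string) {
	for c := range in {
		if inv.External[c] {
			external = append(external, c)
		} else {
			internal = append(internal, c)
		}
	}
	sort.Strings(internal)
	sort.Strings(external)
	return internal, external
}

// sample is a constructed inventory for a small card-accepting web shop.
var sample = Inventory{
	Stores: []string{"pci-db"},
	Edges: []Edge{
		{"web-dmz", "app", "chd"},            // PAN submitted through the site
		{"app", "pci-db", "chd"},             // stored for recurring billing
		{"app", "gateway.example", "chd"},    // authorization request to the processor
		{"saas-config", "app", "admin"},      // SaaS pushes configuration to app
		{"admin-ws", "saas-config", "admin"}, // workstation holding the SaaS admin login
		{"wiki", "app", "other"},             // links to the shop, carries no CHD
	},
	External: map[string]bool{"gateway.example": true, "saas-config": true},
}

func main() {
	internal, external := Split(sample, Scope(sample))
	fmt.Println("internal (all 12 requirements):", internal)
	fmt.Println("external (CSP responsibility docs + gaps):", external)
}
```

The fixed-point loop is what catches the second checklist bullet: saas-config is pulled in because it administers app, and admin-ws is pulled in because it administers saas-config, while the wiki stays out because its only edge carries no cardholder data and no control.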
Section 6.5
• Does not directly address PCI requirements
• Has lots of good info on how/why cloud is an evolving tech
• Caveats for legacy security tools
• Example: Introspection
  – Expands the functionality of the hypervisor
  – Provides visibility of VM memory, disk & network via API
  – In private virtualization, leveraged for implementing security
  – Problematic in public cloud
    • Expands the attack surface of the hypervisor
    • Leaves no forensic trail on the VM itself
    • Can be a serious issue in public IaaS
      – Provider manages the hypervisor
      – Client manages their unique VMs
Limiting PCI Scope
The new guidance offers the following suggestions for limiting PCI scope:
– Don't store, process or transmit payment card data in the cloud
– Implement a dedicated physical infrastructure
– Minimize reliance on third-party CSPs for protecting payment card data
– Ensure that clear-text account data is never accessible in the cloud
Who is responsible for Security?
AWS Shared Responsibility Model
"…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software..."
"it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management."
Source: Amazon Web Services: Overview of Security Processes
[Figure: layered stack. Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine. Provider responsibility: Hypervisor, Compute & Storage, Network, Physical Facilities.]
Data Security
• Securing and assessing data in a CSP environment can be very challenging
• The data may be in:
  – Multiple physical locations
  – Multiple countries
  – Multiple data formats
• Data security processes within a CSP environment need to be closely evaluated
Data Acquisition, Storage, Lifecycle
• Data flows need to be developed and constructed for all client and CSP networks
• All data "capture" points need to be identified and protected
  – Memory and VM snapshots included, as are hypervisor access methods
• Data lifecycle is critical to identify and clarify
  – Data should be protected at all stages in and out of the CSP environment, and disposed of properly
Data Classification and Encryption
• CSPs should meet data classification requirements for clients before migration to the cloud
  – Cardholder data, credentials, and crypto keys are examples
• All sensitive data should use data-level encryption
  – Crypto keys should be stored separately from the data they protect
  – All key custodians should be defined and listed, in both client and CSP environments
  – Unique keys should be in place for each client
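The three encryption bullets translate into a concrete envelope-encryption design. The following Go program is an added example (not code from the slides, CloudPassage or any CSP) using only the standard library: a key custodian that lives outside the data path and holds one unique key-encryption key (KEK) per client, a fresh data key per record wrapped under that KEK, and the client id bound into both AES-GCM layers as additional authenticated data. The custodian is an in-memory stand-in for a KMS or HSM, and the client ids and the test PAN are constructed; both are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KeyCustodian stands in for a key store outside the data path (a separate
// service, HSM or KMS: an assumption here). It holds one unique KEK per client.
type KeyCustodian map[string][]byte

// KEK looks a key up and never creates one, so an unknown client id is an error.
func (kc KeyCustodian) KEK(client string) ([]byte, error) {
	if key, ok := kc[client]; ok {
		return key, nil
	}
	return nil, fmt.Errorf("no KEK for client %q", client)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // nothing sensible to do without entropy
	}
	return b
}

// Envelope is what the data store keeps: a per-record data key (DEK) wrapped
// under the client's KEK, plus the record encrypted under the DEK. Both layers
// bind the client id as AES-GCM additional authenticated data, so the same
// blob presented under another client id fails to open.
type Envelope struct {
	Client     string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=client)
	Ciphertext []byte // nonce || AES-GCM(DEK, record, aad=client)
}

// aead builds AES-256-GCM; keys here are always 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open verifies the tag (which covers aad) before returning any plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob shorter than nonce")
}

// Encrypt builds the envelope for one record belonging to client.
func Encrypt(kc KeyCustodian, client string, record []byte) (Envelope, error) {
	kek, err := kc.KEK(client)
	if err != nil {
		return Envelope{}, err
	}
	dek, aad := randBytes(32), []byte(client) // fresh data key per record
	return Envelope{Client: client, WrappedDEK: seal(kek, dek, aad), Ciphertext: seal(dek, record, aad)}, nil
}

// Decrypt unwraps the DEK with the client's KEK, then opens the record.
func Decrypt(kc KeyCustodian, env Envelope) ([]byte, error) {
	kek, err := kc.KEK(env.Client)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, env.WrappedDEK, []byte(env.Client))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", env.Client, err)
	}
	return open(dek, env.Ciphertext, []byte(env.Client))
}

func main() {
	kc := KeyCustodian{"merchant-a": randBytes(32), "merchant-b": randBytes(32)}
	env, _ := Encrypt(kc, "merchant-a", []byte("4111111111111111")) // constructed test PAN
	pan, err := Decrypt(kc, env)
	env.Client = "merchant-b" // the same envelope replayed under another client
	_, replay := Decrypt(kc, env)
	fmt.Println(string(pan), err, "| cross-client:", replay)
}
```

In production the custodian role is a KMS or HSM that performs the wrap and unwrap itself, so application hosts in the CSP never hold a KEK; the per-client KEK is what makes the "unique keys for each client" bullet real, and the AAD binding is why the replay under merchant-b in main fails authentication instead of silently decrypting with the wrong key.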
Data Decommissioning and Disposal
• Clearly define data disposal techniques within the CSP
• Document "Termination of Service" procedures
• Ensure that all data is deleted permanently when agreements have been terminated, even if encrypted
Incident Response
• Clients need to discuss data breach notification with CSPs
  – Clients may also need to notify CSPs about data breaches in their environments, to mitigate risk to other clients
• Definitions of what constitutes a breach should be agreed on before doing business
Incident Response Continued
• Notification processes and timelines should be in SLAs
• Discuss the potential for client data to be captured by 3rd parties during a breach investigation
• The PCI guidance acknowledges that incident response and detection may be almost impossible if a VM has been decommissioned or removed!
Questions?
Dave Shackleford, CTO, IANS, @IANS_Security
Chris Brenton, Director of Security, CloudPassage, @CloudPassage