1. PCI-DSS Compliant Cloud - Design & Architecture Best Practices
Session ID: SEC2484
Track: Cloud Infrastructure: Security and Compliance
Moderator: Hemma Prafullchandra, HyTrust
Panelists:
• Allan MacPhee, Trend Micro
• Tom McAndrew, Coalfire
• Davi Ottenheimer, VMware
• Ken Owens, Savvis
2. PCI DSS 2.0 & Virtualization Information Supplement
PCI DSS 2.0 (released 10/2010) clarified that CDE system components can be physical or virtual.
The Virtualization Guidance Information Supplement (released 6/2011) provides an overview of the classes of virtualization applicable to the payment chain, the key risks and challenges, scoping, a set of recommendations on how best to virtualize the CDE, and finally a set of testing procedures for specific PCI DSS requirements that need further consideration when virtualization is used.
Brief discussion of mixed mode and use of cloud computing: take a risk-based approach and work with your QSA/card brand to determine what is adequate.
3. The NIST Cloud Definition Framework
Deployment Models: Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
4. PCI Info Supp Recommendations
1. Hypervisor is ALWAYS in scope if it hosts a guest VM that is in scope
• PCI controls apply to the hypervisor and the virtual management components
2. One function per server
• VMs are treated in a manner consistent with their physical counterparts
3. Separation of duties
• Enforce least privilege where possible with RBAC
• Audit administrative operations
4. Mixing VMs of different trust levels
• Conservative approach: all VMs (CDE and non-CDE) on the shared hypervisor are in scope
• Work with your QSA on de-scoping options and best practices
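Recommendations 1 and 4 are scoping rules, and they can be checked mechanically against an inventory rather than by hand. The script below is an added example and is not part of the panel slides: it derives the in-scope hypervisors, management components and VMs from a constructed inventory, applying the hypervisor rule and, optionally, the conservative co-location rule. The inventory, the management map and all host and VM names are assumptions made for illustration.

```python
"""Derive PCI DSS scope from a virtualization inventory.

Added example; it is not part of the panel slides. It mechanises two of the
Information Supplement recommendations:
  1. a hypervisor, and the management components that administer it, is in
     scope if any VM it hosts is in scope;
  4. under the conservative approach to mixed trust levels, every VM on an
     in-scope hypervisor is also in scope.
The inventory and management map below are constructed for illustration and
all names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    host: str   # hypervisor the VM runs on
    cde: bool   # True if the VM stores, processes or transmits cardholder data


@dataclass
class Scope:
    hypervisors: set = field(default_factory=set)
    management: set = field(default_factory=set)
    vms: set = field(default_factory=set)
    # non-CDE VMs that share an in-scope hypervisor: in scope under the
    # conservative approach, otherwise the list to take to the QSA
    co_located: set = field(default_factory=set)


def compute_scope(vms, management_for_host, conservative=True):
    """Return the in-scope components for the given inventory.

    management_for_host maps a hypervisor name to the management components
    (management console, virtual switches, backup server, ...) that administer it.
    """
    scope = Scope()
    for vm in vms:
        if vm.cde:
            scope.vms.add(vm.name)
            scope.hypervisors.add(vm.host)            # recommendation 1
    for host in scope.hypervisors:
        scope.management.update(management_for_host.get(host, ()))
    for vm in vms:
        if not vm.cde and vm.host in scope.hypervisors:
            scope.co_located.add(vm.name)
            if conservative:
                scope.vms.add(vm.name)                # recommendation 4
    return scope


# Constructed inventory: two payment VMs, a wiki sharing a host with one of
# them, and a build agent on a host that runs no CDE workload.
INVENTORY = [
    VM("web-pay-01", host="esx-01", cde=True),
    VM("db-pay-01", host="esx-02", cde=True),
    VM("wiki", host="esx-01", cde=False),
    VM("build-agent", host="esx-03", cde=False),
]
MANAGEMENT = {
    "esx-01": {"vcenter-01", "vswitch-dmz"},
    "esx-02": {"vcenter-01"},
    "esx-03": {"vcenter-01"},
}

if __name__ == "__main__":
    scope = compute_scope(INVENTORY, MANAGEMENT)
    print("in-scope hypervisors    :", sorted(scope.hypervisors))
    print("in-scope management     :", sorted(scope.management))
    print("in-scope VMs            :", sorted(scope.vms))
    print("pulled in by co-location:", sorted(scope.co_located))
```

In this inventory esx-03 stays out of scope, but vcenter-01 is in scope and also manages esx-03. The script deliberately does not decide whether a management plane shared between in-scope and out-of-scope hosts is acceptable segmentation; that is the kind of boundary the slides say to take to the QSA.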
5. PCI Info Supp Recommendations
5. Dormant VMs and VM snapshots
• New and unique to virtualized environments; treat them in the same manner as data backups
• Recognize that VMs being brought back online may be vulnerable (missing patches, stale AV pattern files, etc.)
6. Immaturity of monitoring solutions
• Traditional monitoring tools need to be supplemented with “virtualization-aware” tools that provide greater visibility into virtualization activity
7. Information leakage
• Increased risk of information leakage between logical network segments and components that share a hypervisor, virtual switch or storage
• Traffic between VMs on the same host never crosses a physical interface, so segmentation must be verified with “virtualization-aware” tools that see inter-VM activity, not only with the physical network controls
6. PCI Info Supp Recommendations
8. Defense in depth
• The dynamic nature and mobility of VMs require virtualization-specific security tools and approaches
• Ideally, VMs are self-defending regardless of state or location
9. VM & Hypervisor Hardening
• Harden hypervisors based on vendor best practices
• Apply hypervisor and guest VM patches regularly (e.g. within 30 days)
• Use integrity monitoring software to detect unauthorized changes
• Collect and review log files diligently
10. Cloud Computing
• Cloud providers must provide customers with proof of what was included in the scope of their PCI DSS assessment and what was not in scope
• The customer is responsible for ensuring that security controls not covered by the cloud provider are in place and managed appropriately
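Recommendation 5 (dormant VMs and snapshots come back with the patch level they had when they stopped) and recommendation 9 (patch within a window such as 30 days) combine into one check: what patch level a VM can actually present once it is started or reverted, and whether that is inside the window. The script below is an added example and is not part of the panel slides; its VM records, dates and field names are constructed for illustration.

```python
"""Flag VMs whose effective patch level falls outside the patch window.

Added example; it is not part of the panel slides. It encodes two points from
the recommendations: a dormant VM, or a VM reverted to a snapshot, comes back
with the patch level it had when it stopped (recommendation 5), and guest and
hypervisor patches should be applied within a window such as 30 days
(recommendation 9). The records, dates and field names are constructed for
illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VMRecord:
    name: str
    powered_on: bool
    last_patched: date                  # last recorded guest patch run
    powered_off_since: Optional[date]   # None while the VM is running
    oldest_snapshot: Optional[date]     # oldest snapshot still retained, if any


def effective_patch_date(vm: VMRecord) -> date:
    """The patch level the VM can actually present once it is (re)started.

    A running VM is as patched as its last patch run. A dormant VM cannot have
    been patched after it was powered off, so a later 'last patched' date in
    the record is not trusted. A retained snapshot can be reverted to, which
    rolls the guest back to the snapshot's patch level, so the oldest snapshot
    bounds the effective level as well.
    """
    effective = vm.last_patched
    if not vm.powered_on and vm.powered_off_since is not None:
        effective = min(effective, vm.powered_off_since)
    if vm.oldest_snapshot is not None:
        effective = min(effective, vm.oldest_snapshot)
    return effective


def stale_vms(vms, today: date, window_days: int = 30) -> dict:
    """Map each VM outside the window to the number of days it is overdue."""
    overdue = {}
    for vm in vms:
        age_days = (today - effective_patch_date(vm)).days
        if age_days > window_days:
            overdue[vm.name] = age_days - window_days
    return overdue


# Constructed inventory, evaluated on a fixed date so the result is repeatable.
TODAY = date(2011, 10, 1)
INVENTORY = [
    # running, patched 11 days ago: fine
    VMRecord("pay-app-01", True, date(2011, 9, 20), None, None),
    # running and patched, but a 92-day-old snapshot is still retained
    VMRecord("pay-app-02", True, date(2011, 9, 20), None, date(2011, 7, 1)),
    # dormant since August; the CMDB claims a September patch it cannot have received
    VMRecord("pay-db-standby", False, date(2011, 9, 25), date(2011, 8, 1), None),
    # dormant for two weeks, patched exactly 30 days ago: still inside the window
    VMRecord("batch-old", False, date(2011, 9, 1), date(2011, 9, 15), None),
]

if __name__ == "__main__":
    for name, days in sorted(stale_vms(INVENTORY, TODAY).items()):
        print(f"{name}: {days} day(s) past the 30-day window")
```

The point of the snapshot rule is that a VM which looks fully patched today can be rolled back to July with one click; treating the oldest retained snapshot as part of the VM's patch state is what makes the check consistent with handling snapshots like backups.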
8. Panelists
Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
Allan MacPhee, Senior Product Manager, Trend Micro
Davi Ottenheimer, Security & Compliance Architect/Consultant, VMware
Tom McAndrew, Vice President of Professional Services, Coalfire
9. Why are you here?
How many of you are governed by PCI?
How many of you are already using virtualization/private cloud for
PCI CDE?
How many of you are planning to use public cloud?
Anybody passed a PCI assessment with use of cloud (or partial
use of cloud)?
• What type of cloud?
• Which vendor?
• Who was the assessor?
10. Discussion
What are the characteristics of a cloud that make PCI compliance
difficult?
Can a shared cloud environment even be PCI compliant?
What does it mean when your cloud provider tells you that they
are PCI certified?
• What areas should your cloud provider be responsible for?
• What are the key questions you should ask your cloud provider to understand
the scope of PCI certification achieved?
• How does a merchant figure out what the shared responsibility split is in
detail?
If my environment is already PCI compliant and I want to
just extend a single tier to a public cloud, what should I be
concerned about?
11. Discussion
What is the best way to involve my QSA in these discussions?
What resources can I use to help me plan for and use cloud
computing for my CDE?
• Policy, People, Process, Technology
12. Key Guidance
PCI Compliance in Virtualized environments (on-premise)
Virtualization increases the risk and complexity of PCI compliance; engage your QSA early to streamline the audit process
Look beyond traditional security vendors for solutions that address virtualization-specific requirements (hypervisor/VM controls)
View virtualization as an opportunity to improve your current processes (reporting, monitoring, inter-VM controls, etc.) and to achieve objectives that you always wanted in physical environments but could not afford or were prevented from by legacy infrastructure
Embrace virtualization with a virtualization-by-default approach and build compliance into the default mode of operation
13. Key Guidance
PCI Compliance in the Cloud
Compliance is possible, but it takes the right cloud provider
Compliance is a shared responsibility; there is no magic bullet
• Understand the details and scope of your cloud provider's PCI certification
• Work with your QSA to create a strategy for addressing the remaining required PCI controls
Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics
Create a strategy for cloud compliance
• Start with virtualized on-premise and dedicated hosting environments
• Evolve and apply these controls to cloud environments