SlideShare a Scribd company logo

PCI-DSS Compliant Cloud - Design & Architecture Best Practices

H
HyTrust
TechnologyBusiness
1 of 15
Download to read offline
PCI-DSS Compliant Cloud - Design & Architecture Best Practices Session ID: SEC2484 Track: Cloud Infrastructure: Security and Compliance Moderator: Hemma Prafullchandra, HyTrust Panelists: Allan MacPhee, Trend Micro •  Tom McAndrew, Coalfire •  Davi Ottenheimer, VMware •  Ken Owens, Savvis 1
PCI DSS 2.0 & Virtualization Information Supplement   DSS 2.0 (released 10/2010) clarified that CDE system components can be physical or virtual   Virtualization Guidance Information Supplement (released 6/2011) provides an overview of different classes of virtualization as applicable to payment chain, key risks and challenges, scoping, set of recommendations of how best to virtualize CDE, and finally a set of testing procedures for specific PCI DSS requirements that need further considerations given use of virtualization   Brief discussion on mixed mode and use of cloud computing: take risk based approach and work with your QSA/card brand to determine what is adequate 2
The NIST Cloud Definition Framework Hybrid Clouds Deployment Models Software as a Service (SaaS) Service Platform as a Service (PaaS) Models Infrastructure as a Service (IaaS) On Demand Self-Service Essential Broad Network Access Rapid Elasticity Characteristics Resource Pooling Measured Service Massive Scale Resilient Computing Common Homogeneity Geographic Distribution Characteristics Virtualization Service Orientation Low Cost Software Advanced Security 3
PCI Info Supp Recommendations 1.  Hypervisor is ALWAYS in-scope if it hosts a guest-VM that is in- scope •  PCI controls apply to hypervisor and virtual management components 2.  One function per server •  VMs treated in a manner consistent with their physical counterparts 3.  Separation of duty •  Enforce least privilege where possible with RBAC •  Audit administrative operations 4.  Mixing VM’s of different trust levels •  Conservative approach: all VMs (CDE and non-CDE) are in scope •  Work with your QSA on de-scoping options and best practices 4
PCI Info Supp Recommendations 5.  Dormant VMs and VM snapshots •  New and unique to virtualized environments, treat in same manner as data backups •  Recognize that VMs being brought back online may be vulnerable (missing patches, stale AV pattern files, etc.) 6.  Immaturity of monitoring solutions •  Traditional monitoring tools need to be supplemented with “virtualization- aware” tools that provide greater visibility into virtualization activity 7.  Information leakage •  Increased risk of information leakage between logical network segments and components require “virtualization-aware” tools that provide greater visibility into virtualization activity 5
PCI Info Supp Recommendations 8.  Defense in depth •  Dynamic nature and mobility of VMs require virtualization specific security tools and approaches •  Ideally, VMs are self-defending regardless of state or location 9.  VM & Hypervisor Hardening •  Harden hypervisors based upon vendor best practices •  Apply hypervisor & guest VM patches regularly (e.g. within 30 days) •  Use integrity monitoring software to detect unauthorized changes •  Collect and review log files diligently 10.  Cloud Computing •  Cloud providers must provide customers with proof of what was included in the scope of their PCI DSS assessment and what was not in scope •  The ‘customer’ is responsible to ensure security controls not covered by the cloud provider are in place and managed appropriately 6
Scoping & Responsibility 7
Panelists Ken Owens Allan MacPhee Vice President of Security & Senior Product Manager, Virtualization Technologies, Trend Micro Savvis Davi Ottenheimer Tom McAndrew Security & Compliance Architect/ Vice President of Professional Consultant, Services, Coalfire VMware 8
Why are you here?   How many of you are governed by PCI?   How many of you are already using virtualization/private cloud for PCI CDE?   How many of you are planning to use public cloud?   Anybody passed a PCI assessment with use of cloud (or partial use of cloud)? •  What type of cloud? •  Which vendor? •  Who was the assessor? 9
Discussion   What are the characteristics of a cloud that make PCI compliance difficult?   Can a shared cloud environment even be PCI compliant?   What does it mean when your cloud provider tells you that they are PCI certified? •  What areas should your cloud provider be responsible for? •  What are the key questions you should ask your cloud provider to understand the scope of PCI certification achieved? •  How does a merchant figure out what the shared responsibility split is in detail?   If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about? 10
Discussion   What is the best way to involve my QSA in these discussions?   What resources can I use to help me plan for and use cloud computing for my CDE? •  Policy, People, Process, Technology 11
Key Guidance PCI Compliance in Virtualized environments (on-premise)   Virtualization increases the risk and complexity of PCI compliance, engage your QSA early to streamline the audit process   Look beyond traditional security vendors for solutions that address virtualization specific requirements (hypervisor/VM controls)   View virtualization as an opportunity to improve your current processes – i.e. reporting, monitoring, inter-VM controls, etc. and achieve objectives that you always wanted in physical environments but could not afford or were restricted by legacy infrastructure   Embrace virtualization with a virtualization by default approach and build compliance into the default mode of operation 12
Key Guidance PCI Compliance in the Cloud   Compliance is possible, but it takes the right cloud provider   Compliance is a shared responsibility, there is no magic bullet •  Understand the details & scope of your cloud provider’s PCI certification •  Work with your QSA to create a strategy for addressing the remaining required PCI controls   Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics   Create a strategy for Cloud compliance •  Start with virtualized on premise and dedicated hosting environments •  Evolve and apply these controls to cloud environments 13
Useful Resources   www.pcisecuritystandards.org   www.coalfiresystems.com   www.hytrust.com/pci   www.savvis.net   http://us.trendmicro.com/us/solutions/enterprise/security-solutions/compliance/   http://www.vmware.com/solutions/datacenter/cloud-security-compliance/unified- framework.html Just Published: PCI-compliant Cloud Reference Architecture 14
Thank You 15

Recommended

How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditSecurityMetrics
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantOlivia Grey
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 

Recommended

How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditSecurityMetrics
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantOlivia Grey
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providersCalyptix Security
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guideMohammad Makchudul Alam (Arif)
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualKimberly Simon MBA
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 
PA-DSS
PA-DSSPA-DSS
PA-DSSChristian Heinrich
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarAriel Ben-Harosh
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGhimalya sharma
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 

More Related Content

What's hot

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarAriel Ben-Harosh
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGhimalya sharma
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 

What's hot (20)

PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder data
 
PA-DSS
PA-DSSPA-DSS
PA-DSS
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 

Viewers also liked

VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Windows azure learning poster
Windows azure learning posterWindows azure learning poster
Windows azure learning posterMahmoud Moussa
 
Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2David Linthicum
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
 
Cloud Design Pattern part1
Cloud Design Pattern part1Cloud Design Pattern part1
Cloud Design Pattern part1Masashi Narumoto
 
Linthicum next generation-iaa s-paas-and-database-as-a-service
Linthicum next generation-iaa s-paas-and-database-as-a-serviceLinthicum next generation-iaa s-paas-and-database-as-a-service
Linthicum next generation-iaa s-paas-and-database-as-a-serviceDavid Linthicum
 
Cloud Design Pattern part2
Cloud Design Pattern part2Cloud Design Pattern part2
Cloud Design Pattern part2Masashi Narumoto
 
人類とデプロイの歴史(ネタなのでご容赦)
人類とデプロイの歴史(ネタなのでご容赦)人類とデプロイの歴史(ネタなのでご容赦)
人類とデプロイの歴史(ネタなのでご容赦)Keiichi Hashimoto
 
Servcie Fabric and Cloud Design Pattern
Servcie Fabric and Cloud Design PatternServcie Fabric and Cloud Design Pattern
Servcie Fabric and Cloud Design PatternTakekazu Omi
 
CMPE282_009994036_PROJECT_REPORT
CMPE282_009994036_PROJECT_REPORTCMPE282_009994036_PROJECT_REPORT
CMPE282_009994036_PROJECT_REPORTSandyarathi Das
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
Ten^H^H^H Many Cloud App Design Patterns
Ten^H^H^H Many Cloud App Design PatternsTen^H^H^H Many Cloud App Design Patterns
Ten^H^H^H Many Cloud App Design PatternsShlomo Swidler
 
Microservices and Azure App Services
Microservices and Azure App ServicesMicroservices and Azure App Services
Microservices and Azure App ServicesDamir Dobric
 
Distributed Design and Architecture of Cloud Foundry
Distributed Design and Architecture of Cloud FoundryDistributed Design and Architecture of Cloud Foundry
Distributed Design and Architecture of Cloud FoundryDerek Collison
 
Towards the Cloud: Architecture Patterns and VDI Story
Towards the Cloud: Architecture Patterns and VDI StoryTowards the Cloud: Architecture Patterns and VDI Story
Towards the Cloud: Architecture Patterns and VDI StoryIT Expert Club
 

Viewers also liked (20)

VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
 
Windows azure learning poster
Windows azure learning posterWindows azure learning poster
Windows azure learning poster
 
Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2
 
Cloud architecture
Cloud architectureCloud architecture
Cloud architecture
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & Gatekeeper
 
Cloud Design Pattern part1
Cloud Design Pattern part1Cloud Design Pattern part1
Cloud Design Pattern part1
 
Linthicum next generation-iaa s-paas-and-database-as-a-service
Linthicum next generation-iaa s-paas-and-database-as-a-serviceLinthicum next generation-iaa s-paas-and-database-as-a-service
Linthicum next generation-iaa s-paas-and-database-as-a-service
 
Cloud Design Pattern part2
Cloud Design Pattern part2Cloud Design Pattern part2
Cloud Design Pattern part2
 
人類とデプロイの歴史(ネタなのでご容赦)
人類とデプロイの歴史(ネタなのでご容赦)人類とデプロイの歴史(ネタなのでご容赦)
人類とデプロイの歴史(ネタなのでご容赦)
 
Servcie Fabric and Cloud Design Pattern
Servcie Fabric and Cloud Design PatternServcie Fabric and Cloud Design Pattern
Servcie Fabric and Cloud Design Pattern
 
Tax DSS
Tax DSSTax DSS
Tax DSS
 
CMPE282_009994036_PROJECT_REPORT
CMPE282_009994036_PROJECT_REPORTCMPE282_009994036_PROJECT_REPORT
CMPE282_009994036_PROJECT_REPORT
 
Forecast 2014: Cloud-Aware Applications
Forecast 2014: Cloud-Aware Applications Forecast 2014: Cloud-Aware Applications
Forecast 2014: Cloud-Aware Applications
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
MicroServices on Azure
MicroServices on AzureMicroServices on Azure
MicroServices on Azure
 
Ten^H^H^H Many Cloud App Design Patterns
Ten^H^H^H Many Cloud App Design PatternsTen^H^H^H Many Cloud App Design Patterns
Ten^H^H^H Many Cloud App Design Patterns
 
Microservices and Azure App Services
Microservices and Azure App ServicesMicroservices and Azure App Services
Microservices and Azure App Services
 
Distributed Design and Architecture of Cloud Foundry
Distributed Design and Architecture of Cloud FoundryDistributed Design and Architecture of Cloud Foundry
Distributed Design and Architecture of Cloud Foundry
 
Towards the Cloud: Architecture Patterns and VDI Story
Towards the Cloud: Architecture Patterns and VDI StoryTowards the Cloud: Architecture Patterns and VDI Story
Towards the Cloud: Architecture Patterns and VDI Story
 

Similar to PCI-DSS Compliant Cloud - Design & Architecture Best Practices

PCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference ArchitecturePCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference ArchitectureHyTrust
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesCloudPassage
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...Khazret Sapenov
 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...IndicThreads
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureInnoTech
 
Security for v mware
Security for v mwareSecurity for v mware
Security for v mwareReadWrite
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...IndicThreads
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...IndicThreads
 
ShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxBabatundeAbioye2
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02abhisheknayak29
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisationanupriti
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloudAjay Rathi
 
Isaca 2011 trends in virtual security v1.0
Isaca 2011 trends in virtual security v1.0Isaca 2011 trends in virtual security v1.0
Isaca 2011 trends in virtual security v1.0kimwisniewski
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
 

Similar to PCI-DSS Compliant Cloud - Design & Architecture Best Practices (20)

PCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference ArchitecturePCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference Architecture
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud Guidelines
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and Secure
 
Security for v mware
Security for v mwareSecurity for v mware
Security for v mware
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
 
ShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxShareResponsibilityModel.pptx
ShareResponsibilityModel.pptx
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisation
 
Private cloud day session 5 a solution for private cloud security
Private cloud day session 5 a solution for private cloud securityPrivate cloud day session 5 a solution for private cloud security
Private cloud day session 5 a solution for private cloud security
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
 
Isaca 2011 trends in virtual security v1.0
Isaca 2011 trends in virtual security v1.0Isaca 2011 trends in virtual security v1.0
Isaca 2011 trends in virtual security v1.0
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
Logicalis Cloud Briefing
Logicalis Cloud BriefingLogicalis Cloud Briefing
Logicalis Cloud Briefing
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 

More from HyTrust

Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointHyTrust
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...HyTrust
 
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:HyTrust
 
S24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.veS24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.veHyTrust
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business ValueHyTrust
 
IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011HyTrust
 
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...HyTrust
 
Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance MandatesSecure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance MandatesHyTrust
 
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies HyTrust
 
HyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data CenterHyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data CenterHyTrust
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 

More from HyTrust (11)

Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
 
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:
 
S24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.veS24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.ve
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
 
IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011
 
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must...
 
Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance MandatesSecure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
 
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
 
HyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data CenterHyTrust-FISMA Compliance in the Virtual Data Center
HyTrust-FISMA Compliance in the Virtual Data Center
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure
 

Recently uploaded

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Recently uploaded (20)

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

PCI-DSS Compliant Cloud - Design & Architecture Best Practices

  • 1. PCI-DSS Compliant Cloud - Design & Architecture Best Practices Session ID: SEC2484 Track: Cloud Infrastructure: Security and Compliance Moderator: Hemma Prafullchandra, HyTrust Panelists: Allan MacPhee, Trend Micro •  Tom McAndrew, Coalfire •  Davi Ottenheimer, VMware •  Ken Owens, Savvis 1
  • 2. PCI DSS 2.0 & Virtualization Information Supplement   DSS 2.0 (released 10/2010) clarified that CDE system components can be physical or virtual   Virtualization Guidance Information Supplement (released 6/2011) provides an overview of different classes of virtualization as applicable to payment chain, key risks and challenges, scoping, set of recommendations of how best to virtualize CDE, and finally a set of testing procedures for specific PCI DSS requirements that need further considerations given use of virtualization   Brief discussion on mixed mode and use of cloud computing: take risk based approach and work with your QSA/card brand to determine what is adequate 2
  • 3. The NIST Cloud Definition Framework Hybrid Clouds Deployment Models Software as a Service (SaaS) Service Platform as a Service (PaaS) Models Infrastructure as a Service (IaaS) On Demand Self-Service Essential Broad Network Access Rapid Elasticity Characteristics Resource Pooling Measured Service Massive Scale Resilient Computing Common Homogeneity Geographic Distribution Characteristics Virtualization Service Orientation Low Cost Software Advanced Security 3
  • 4. PCI Info Supp Recommendations 1.  Hypervisor is ALWAYS in-scope if it hosts a guest-VM that is in- scope •  PCI controls apply to hypervisor and virtual management components 2.  One function per server •  VMs treated in a manner consistent with their physical counterparts 3.  Separation of duty •  Enforce least privilege where possible with RBAC •  Audit administrative operations 4.  Mixing VM’s of different trust levels •  Conservative approach: all VMs (CDE and non-CDE) are in scope •  Work with your QSA on de-scoping options and best practices 4
  • 5. PCI Info Supp Recommendations 5.  Dormant VMs and VM snapshots •  New and unique to virtualized environments, treat in same manner as data backups •  Recognize that VMs being brought back online may be vulnerable (missing patches, stale AV pattern files, etc.) 6.  Immaturity of monitoring solutions •  Traditional monitoring tools need to be supplemented with “virtualization- aware” tools that provide greater visibility into virtualization activity 7.  Information leakage •  Increased risk of information leakage between logical network segments and components require “virtualization-aware” tools that provide greater visibility into virtualization activity 5
  • 6. PCI Info Supp Recommendations 8.  Defense in depth •  Dynamic nature and mobility of VMs require virtualization specific security tools and approaches •  Ideally, VMs are self-defending regardless of state or location 9.  VM & Hypervisor Hardening •  Harden hypervisors based upon vendor best practices •  Apply hypervisor & guest VM patches regularly (e.g. within 30 days) •  Use integrity monitoring software to detect unauthorized changes •  Collect and review log files diligently 10.  Cloud Computing •  Cloud providers must provide customers with proof of what was included in the scope of their PCI DSS assessment and what was not in scope •  The ‘customer’ is responsible to ensure security controls not covered by the cloud provider are in place and managed appropriately 6
  • 8. Panelists Ken Owens Allan MacPhee Vice President of Security & Senior Product Manager, Virtualization Technologies, Trend Micro Savvis Davi Ottenheimer Tom McAndrew Security & Compliance Architect/ Vice President of Professional Consultant, Services, Coalfire VMware 8
  • 9. Why are you here?   How many of you are governed by PCI?   How many of you are already using virtualization/private cloud for PCI CDE?   How many of you are planning to use public cloud?   Anybody passed a PCI assessment with use of cloud (or partial use of cloud)? •  What type of cloud? •  Which vendor? •  Who was the assessor? 9
  • 10. Discussion   What are the characteristics of a cloud that make PCI compliance difficult?   Can a shared cloud environment even be PCI compliant?   What does it mean when your cloud provider tells you that they are PCI certified? •  What areas should your cloud provider be responsible for? •  What are the key questions you should ask your cloud provider to understand the scope of PCI certification achieved? •  How does a merchant figure out what the shared responsibility split is in detail?   If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about? 10
  • 11. Discussion   What is the best way to involve my QSA in these discussions?   What resources can I use to help me plan for and use cloud computing for my CDE? •  Policy, People, Process, Technology 11
  • 12. Key Guidance PCI Compliance in Virtualized environments (on-premise)   Virtualization increases the risk and complexity of PCI compliance, engage your QSA early to streamline the audit process   Look beyond traditional security vendors for solutions that address virtualization specific requirements (hypervisor/VM controls)   View virtualization as an opportunity to improve your current processes – i.e. reporting, monitoring, inter-VM controls, etc. and achieve objectives that you always wanted in physical environments but could not afford or were restricted by legacy infrastructure   Embrace virtualization with a virtualization by default approach and build compliance into the default mode of operation 12
  • 13. Key Guidance PCI Compliance in the Cloud   Compliance is possible, but it takes the right cloud provider   Compliance is a shared responsibility, there is no magic bullet •  Understand the details & scope of your cloud provider’s PCI certification •  Work with your QSA to create a strategy for addressing the remaining required PCI controls   Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics   Create a strategy for Cloud compliance •  Start with virtualized on premise and dedicated hosting environments •  Evolve and apply these controls to cloud environments 13
  • 14. Useful Resources   www.pcisecuritystandards.org   www.coalfiresystems.com   www.hytrust.com/pci   www.savvis.net   http://us.trendmicro.com/us/solutions/enterprise/security-solutions/compliance/   http://www.vmware.com/solutions/datacenter/cloud-security-compliance/unified- framework.html Just Published: PCI-compliant Cloud Reference Architecture 14