Your SlideShare is downloading. ×
  • Like
PCI Compliance and the Cloud
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

PCI Compliance and the Cloud



Published in Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. PCI Compliance and the Cloud By: Jim Bibles, Qualys Inc. NYM ISSA – PCI and Beyond New York, NY April 21, 2010
  • 2. Agenda
    • What is the Cloud?
    • How is the Cloud the Same?
    • How is the Cloud Different?
    • Vetting Solutions
    • PCI Challenges
    • Potential Payment Solutions
    • One Security Program, Many Applications
    • Q& A
  • 3. What is the Cloud? Definition: “ The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” – NIST Information Technology Laboratory
  • 4. What is the Cloud?
    • Five Essential Characteristics:
    • On-demand, self-service – Ability to unilaterally provision computing capabilities
    • Broad network access – Available over the network and accessed through standard mechanisms that promote heterogonous thin or thick client platforms
    • Resource pooling – Resources are pooled to serve multiple consumers using a multi tenant model (location independence)
    • Rapid elasticity – capabilities can be rapidly and elastically provisioned
    • Measured service – Resource usage can be monitored, controlled and reported
  • 5. What is the Cloud?
    • Thee Service Models
    • Software As A Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security provided by cloud vendor
    • Platform as a Service (PaaS) - Developers build and manage their own custom applications on top of platform provided by the cloud vendor . Application and data security managed by cloud customer.
    • Infrastructure as a Service (IaaS) - Cloud vendor provides storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software which can include operating systems and applications. Cloud vendor protects infrastructure, but operating systems, applications, and content is managed and secured by the cloud consumer .
      • Key Takeaway - The lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for.
  • 6. What is the Cloud?
    • Four Deployment Models
    • Public: Made available to the general public or large industry group and is owned by an organization selling cloud services.
    • Private: Operated solely for a single or group of organizations isolated among peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
    • Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
    • Hybrid : Composed of two or more clouds (Private, Community, or Public) that remain unique, but are bound together standardized or proprietary technology that enables data and application portability (cloud bursting for load balancing between clouds).
  • 7. What is the Cloud?
  • 8. How is the Cloud the Same?
    • You still need to do the basics:
    • Map Network
      • Include data flows
    • Classify Information Assets (data and systems)
      • Public
      • Internal
      • Confidential (PCI Data)
      • Top Secret
    • Secure Data Based on Classification
    • Be Able to Demonstrate Compliance with PCI DSS
      • ROC/ SAQ
      • ASV Scan
  • 9. How is the Cloud Different?
    • Shifts many day-to-day security activities to the cloud vendors (depending on service model):
        • SaaS
        • PaaS
        • IaaS
    • Requires a more robust vendor management program:
        • Enforcement of Service Level Agreements
        • Regular Reporting on Security Posture
        • Site Inspections/Audits
  • 10. Vetting the Cloud Solutions
  • 11. Vetting the Cloud Solutions
  • 12. PCI Challenges
    • Audit / investigations
    • Need for isolation management
    • Multi-tenancy
    • Logging challenges
    • Data ownership issues
    • Quality of service guarantees
    • Enforcement of data classification, retention, and destruction policies
  • 13. Potential Payment Solutions
    • Fully Hosted Payment Solution
      • Must use HTTP redirect instead of transmitting data via API
    • Virtual Terminal
      • Low Cost
      • Significantly reduces scope and risk
    • Tokenization
      • Reduces risk, does not eliminate it
    • End-To-End Encryption
      • Significantly reduces scope and risk
  • 14. One Security Program, Many Applications
    • Based on Globally Accepted Security Standards:
    • ISO 27001
    • ISO 27002
    • Meets Multiple Compliance Frameworks:
    • PCI DSS
    • HIPPA
    • GLBA
    • SOX
  • 15. Remember
      • “ You can delegate authority, but you can never delegate responsibility for delegating a task to someone else. If you picked the right man, fine, but if you picked the wrong man, the responsibility is yours -- not his.”  
      • Richard E Krafve
  • 16. Q&A Thank You