PCI Compliance and the Cloud


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

PCI Compliance and the Cloud

  1. 1. PCI Compliance and the Cloud By: Jim Bibles, Qualys Inc. NYM ISSA – PCI and Beyond New York, NY April 21, 2010
  2. 2. Agenda <ul><li>What is the Cloud? </li></ul><ul><li>How is the Cloud the Same? </li></ul><ul><li>How is the Cloud Different? </li></ul><ul><li>Vetting Solutions </li></ul><ul><li>PCI Challenges </li></ul><ul><li>Potential Payment Solutions </li></ul><ul><li>One Security Program, Many Applications </li></ul><ul><li>Q& A </li></ul>
  3. 3. What is the Cloud? Definition: “ The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” – NIST Information Technology Laboratory
  4. 4. What is the Cloud? <ul><li>Five Essential Characteristics: </li></ul><ul><li>On-demand, self-service – Ability to unilaterally provision computing capabilities </li></ul><ul><li>Broad network access – Available over the network and accessed through standard mechanisms that promote heterogonous thin or thick client platforms </li></ul><ul><li>Resource pooling – Resources are pooled to serve multiple consumers using a multi tenant model (location independence) </li></ul><ul><li>Rapid elasticity – capabilities can be rapidly and elastically provisioned </li></ul><ul><li>Measured service – Resource usage can be monitored, controlled and reported </li></ul>
  5. 5. What is the Cloud? <ul><li>Thee Service Models </li></ul><ul><li>Software As A Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security provided by cloud vendor </li></ul><ul><li>Platform as a Service (PaaS) - Developers build and manage their own custom applications on top of platform provided by the cloud vendor . Application and data security managed by cloud customer. </li></ul><ul><li>Infrastructure as a Service (IaaS) - Cloud vendor provides storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software which can include operating systems and applications. Cloud vendor protects infrastructure, but operating systems, applications, and content is managed and secured by the cloud consumer . </li></ul><ul><ul><li>Key Takeaway - The lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for. </li></ul></ul>
  6. 6. What is the Cloud? <ul><li>Four Deployment Models </li></ul><ul><li>Public: Made available to the general public or large industry group and is owned by an organization selling cloud services. </li></ul><ul><li>Private: Operated solely for a single or group of organizations isolated among peers. May be managed by the organization or a third party and may exist on-premise or off-premise. </li></ul><ul><li>Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise. </li></ul><ul><li>Hybrid : Composed of two or more clouds (Private, Community, or Public) that remain unique, but are bound together standardized or proprietary technology that enables data and application portability (cloud bursting for load balancing between clouds). </li></ul>
  7. 7. What is the Cloud?
  8. 8. How is the Cloud the Same? <ul><li>You still need to do the basics: </li></ul><ul><li>Map Network </li></ul><ul><ul><li>Include data flows </li></ul></ul><ul><li>Classify Information Assets (data and systems) </li></ul><ul><ul><li>Public </li></ul></ul><ul><ul><li>Internal </li></ul></ul><ul><ul><li>Confidential (PCI Data) </li></ul></ul><ul><ul><li>Top Secret </li></ul></ul><ul><li>Secure Data Based on Classification </li></ul><ul><li>Be Able to Demonstrate Compliance with PCI DSS </li></ul><ul><ul><li>ROC/ SAQ </li></ul></ul><ul><ul><li>ASV Scan </li></ul></ul>
  9. 9. How is the Cloud Different? <ul><li>Shifts many day-to-day security activities to the cloud vendors (depending on service model): </li></ul><ul><ul><ul><li>SaaS </li></ul></ul></ul><ul><ul><ul><li>PaaS </li></ul></ul></ul><ul><ul><ul><li>IaaS </li></ul></ul></ul><ul><li>Requires a more robust vendor management program: </li></ul><ul><ul><ul><li>Enforcement of Service Level Agreements </li></ul></ul></ul><ul><ul><ul><li>Regular Reporting on Security Posture </li></ul></ul></ul><ul><ul><ul><li>Site Inspections/Audits </li></ul></ul></ul>
  10. 10. Vetting the Cloud Solutions
  11. 11. Vetting the Cloud Solutions
  12. 12. PCI Challenges <ul><li>Audit / investigations </li></ul><ul><li>Need for isolation management </li></ul><ul><li>Multi-tenancy </li></ul><ul><li>Logging challenges </li></ul><ul><li>Data ownership issues </li></ul><ul><li>Quality of service guarantees </li></ul><ul><li>Enforcement of data classification, retention, and destruction policies </li></ul>
  13. 13. Potential Payment Solutions <ul><li>Fully Hosted Payment Solution </li></ul><ul><ul><li>Must use HTTP redirect instead of transmitting data via API </li></ul></ul><ul><li>Virtual Terminal </li></ul><ul><ul><li>Low Cost </li></ul></ul><ul><ul><li>Significantly reduces scope and risk </li></ul></ul><ul><li>Tokenization </li></ul><ul><ul><li>Reduces risk, does not eliminate it </li></ul></ul><ul><li>End-To-End Encryption </li></ul><ul><ul><li>Significantly reduces scope and risk </li></ul></ul>
  14. 14. One Security Program, Many Applications <ul><li>Based on Globally Accepted Security Standards: </li></ul><ul><li>ISO 27001 </li></ul><ul><li>ISO 27002 </li></ul><ul><li>Meets Multiple Compliance Frameworks: </li></ul><ul><li>PCI DSS </li></ul><ul><li>HIPPA </li></ul><ul><li>GLBA </li></ul><ul><li>SOX </li></ul>
  15. 15. Remember <ul><ul><li>“ You can delegate authority, but you can never delegate responsibility for delegating a task to someone else. If you picked the right man, fine, but if you picked the wrong man, the responsibility is yours -- not his.”   </li></ul></ul><ul><ul><li>Richard E Krafve </li></ul></ul>
  16. 16. Q&A Thank You