Compliance & Privacy in the Cloud
    Presentation Transcript

    • There Is No Spoon: Compliance & Privacy in the Cloud
      Michael Dahn, MSIA, CISSP
      Friday, November 20, 2009
    • Which Cloud do you mean?
      • Compliance Cloud
      • Technical Cloud
    • Compliance Cloud
      CA, MA, MN, FL, ...
    • Technical Cloud
      • SPI Model: Software, Platform, Infrastructure
        ✓ *aaS (Something* as a Service)
    • What is Compliance?
    • Compliance vs Validation
      • Compliance is a state of being; like auto insurance, you need to have it continuously
      • Validation is proof of compliance you do annually
    • Compliance vs Security
      “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
      Myth 4 - PCI Will Make Us Secure: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
      Compliant until you're compromised...
    • the “Singularity”
      • “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron
      • If someone dies wearing a seat belt, does that make them useless?
    • Risk & Transference
      • #1 Question everyone has: Liability?
      • “You can outsource the work, but you cannot outsource the responsibility”
      • Cloud-sourcing does not transfer risk
    • There is No Spoon
      • Can any firewall be used to segment a network?
        ✓ No! Only a properly configured firewall
      • Can any Cloud be used and achieve compliance?
        ✓ Maybe... if considerations are made
      • Think beyond technology, checklists, and compliance. Think Risk.
    • Problem List
    • Problems: PCI DSS
      • Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server”
        ✓ Virtualization?
        ✓ Cloud?
        ✓ WAF in the cloud?
      • Requirement 11.2 - ASV Scans
    • Problems: Service Level Agreement
      • Uptime/Availability? Yes’ish
      • Security? No.
      • Compliance? No.
      • Assurance of data integrity? No.
    • Problems: Image Sprawl
      12% month-over-month growth of Amazon Machine Images (AMI) in 2008
      • First rule of fight club? Find your data!
      • Second rule of fight club? Find your data (no really)!
      • Always “ask twice” - how it works? fails?
      • Now assume everything moves
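The "find your data" point above is where a scoping exercise usually starts: before an image can be judged in or out of PCI scope, someone has to look for cardholder data on it. The following Python script is an added example, not code from the deck or from Michael Dahn. It walks an extracted image filesystem (a constructed temporary directory here), pulls out 13-19 digit candidate numbers, keeps only those that pass the Luhn check, and reports masked matches per file. The candidate regex, the sample files, and the paths inside the sample image are assumptions made for the example, not PCI SSC definitions.

```python
import os
import re
import tempfile

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so long numeric IDs are skipped).
# Assumed pattern for this example, not a PCI SSC definition.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, the usual PCI DSS display mask."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text: regex candidates that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_tree(root: str) -> list:
    """Walk an extracted image filesystem; return (relative path, masked PAN) pairs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")   # tolerate binary content
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for masked in find_pans(text):
                findings.append((rel, masked))
    return sorted(findings)


def build_sample_image(root: str) -> None:
    """Create constructed files that stand in for an unpacked AMI (example data only)."""
    files = {
        "var/log/app.log": "2009-11-20 auth ok card=4111 1111 1111 1111 amt=19.99\n",
        "home/deploy/notes.txt": "order 1234567890123 shipped; ticket 20091120\n",
        "tmp/export.csv": "name,pan\nconstructed,5500000000000004\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo() -> list:
    """Scan a constructed image and return what a scoping report would list."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, masked in demo():
        print(f"{path}: {masked}")
```

The order number in notes.txt is 13 digits long but fails Luhn, so it is not reported; the two Luhn-valid numbers in the log file and the CSV export are. In a real sweep the same scan runs against every image and snapshot in the account inventory, which is the only way to answer "where is my data" once images multiply at the rate the slide quotes.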
    • Problems: Audit Logging
      • Goals:
        ✓ Alert on suspicious activity? Yes
        ✓ Facilitate a forensic investigation? Maybe
      • Are the logs backed up?
      • Are they accessible 12-18 months later?
        ✓ What if the server is no longer there?
    • Problems: Forensic Issues
      • During peak retail months systems are scaled up and then down
      • Fraud patterns have lead time of 12-18 mo.
      • How do you forensically examine a ‘ghost’ server?
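The two slides above ask whether logs survive the server and whether a "ghost" server can still be examined 12-18 months later. The Python below is an added example, not code from the deck: it models an off-host, append-only log archive with a SHA-256 hash chain, shows that lines from a terminated instance are still queryable, that an archived line edited after the fact is detected, and that a 14-month-old record is still inside an assumed 18-month retention window. The archive class, the instance id, the retention constant, the alert markers and the log lines are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed retention window: the deck says fraud patterns surface 12-18 months
# out, so this example keeps the upper bound (a constructed value).
RETENTION_DAYS = 18 * 30
GENESIS = "0" * 64

# Constructed markers a simple alert rule might look for; not from the deck.
SUSPICIOUS = ("/etc/shadow", "Failed password")


class OffHostLogArchive:
    """In-memory stand-in for an append-only log store that lives outside the
    instance (object storage or a log service in practice). Every record
    carries the hash of the previous one, so later edits are detectable."""

    FIELDS = ("instance_id", "ts", "line", "prev")

    def __init__(self):
        self.records = []

    @classmethod
    def _digest(cls, rec):
        body = json.dumps({k: rec[k] for k in cls.FIELDS}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, instance_id, ts, line):
        """Ship one log line off-host and chain it to the previous record."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"instance_id": instance_id, "ts": ts.isoformat(), "line": line, "prev": prev}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        return rec["hash"]

    def verify_chain(self):
        """Recompute every digest and link; False if any record was altered."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def lines_for(self, instance_id):
        """Lines are served from the archive, so they outlive the instance."""
        return [r["line"] for r in self.records if r["instance_id"] == instance_id]


def within_retention(ts, now):
    """True while a record is still inside the assumed retention window."""
    return now - ts <= timedelta(days=RETENTION_DAYS)


def suspicious(line):
    """Goal 1 from the slide: flag lines worth alerting on."""
    return any(marker in line for marker in SUSPICIOUS)


def demo():
    archive = OffHostLogArchive()
    t0 = datetime(2009, 11, 20, tzinfo=timezone.utc)    # constructed base time
    instance = "i-0example"                              # constructed instance id
    # Constructed lines from a short-lived peak-season instance.
    for minutes, line in [
        (0, "sshd: Accepted publickey for deploy from 10.0.1.5"),
        (5, "app: order 8841 authorized"),
        (9, "sudo: deploy : COMMAND=/bin/cat /etc/shadow"),
    ]:
        archive.append(instance, t0 + timedelta(minutes=minutes), line)
    alerts = [l for l in archive.lines_for(instance) if suspicious(l)]
    # The instance is scaled down and terminated; the archive still answers.
    retained = archive.lines_for(instance)
    # A fraud analyst comes back 14 months later: still inside the window?
    later = t0 + timedelta(days=14 * 30)
    kept = all(within_retention(datetime.fromisoformat(r["ts"]), later) for r in archive.records)
    # Someone edits an archived line; the chain no longer verifies.
    tampered = OffHostLogArchive()
    tampered.records = [dict(r) for r in archive.records]
    tampered.records[2]["line"] = "sudo: deploy : COMMAND=/bin/true"
    return {
        "lines_retained": len(retained),
        "alerts": len(alerts),
        "chain_ok": archive.verify_chain(),
        "within_retention": kept,
        "tamper_detected": not tampered.verify_chain(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that nothing in the investigation path depends on the instance: lines are chained and shipped as they are written, so a server that was scaled down after the holiday peak leaves a verifiable record behind, and the retention check is done against the archive's timestamps rather than against whatever host happens to exist.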
    • Problems: Third-Party Access
      Who has remote admin on my server?
      • People you give data to
      • People you give access to data
      • People who have access to your data
      “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.”
      “... monitor service providers’ PCI DSS compliance status.”
    • Problems: Data Destruction
      • Where do the following go?
        ✓ Failed hard drive
        ✓ Deleted VM
      Who owns the data? You or your cloud?
    • Problems: Backup?
      • Who is backing up?
      • How is it backed up?
      • Where do the backups go?
        ✓ Offsite to a third-party? New scope/contract
    • Conclusion
      • Cloud Compliance is possible but not probable .. until the services evolve
      • Cloud gives you scalability, but not security .. unless you bake it in
    • Thank You
      • Questions?
      • Contact Mike Dahn?