Compliance & Privacy in the Cloud
Transcript

  • 1. There Is No Spoon: Compliance & Privacy in the Cloud. Michael Dahn, MSIA, CISSP. Friday, November 20, 2009
  • 2. Which Cloud do you mean? Compliance Cloud vs. Technical Cloud
  • 3-10. Compliance Cloud: CA, MA, MN, FL, ...
  • 11-12. Technical Cloud • SPI Model: Software, Platform, Infrastructure ✓ *aaS (Something* as a Service)
  • 13. What is Compliance?
  • 14. Compliance vs Validation • Compliance is a state of being; like auto insurance, you need to have it continuously • Validation is the proof of compliance that you do annually
  • 15-18. Compliance vs Security • “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.” • Myth 4 - PCI Will Make Us Secure: “Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.” • Compliant until you're compromised...
  • 19-21. the “Singularity” • “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron • If someone dies wearing a seat belt, does that make seat belts useless?
  • 22. Risk & Transference • #1 question everyone has: liability? • “You can outsource the work, but you cannot outsource the responsibility” • Cloud-sourcing does not transfer risk
  • 23-28. There is No Spoon • Can any firewall be used to segment a network? ✓ No! Only a properly configured firewall • Can any Cloud be used and achieve compliance? ✓ Maybe... if considerations are made • Think beyond technology, checklists, and compliance. Think Risk.
  • 29. Problem List
  • 30-35. Problems: PCI DSS • Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server” ✓ Virtualization? ✓ Cloud? ✓ WAF in the cloud? • Requirement 11.2 - ASV Scans
  • 36. Problems: Service Level Agreement • Uptime/Availability? Yes’ish • Security? No. • Compliance? No. • Assurance of data integrity? No.
  • 37-42. Problems: Image Sprawl • 12% month-over-month growth of Amazon Machine Images (AMI) in 2008 • First rule of fight club? Find your data! • Second rule of fight club? Find your data (no really)! • Always “ask twice”: how does it work? How does it fail? • Now assume everything moves
  • 43-46. Problems: Audit Logging • Goals: ✓ Alert on suspicious activity? Yes ✓ Facilitate a forensic investigation? Maybe • Are the logs backed up? • Are they accessible 12-18 months later? ✓ What if the server is no longer there?
  • 47. Problems: Forensic Issues • During peak retail months systems are scaled up and then down • Fraud patterns have a lead time of 12-18 months • How do you forensically examine a ‘ghost’ server?
  • 48-49. Problems: Third-Party Access • Who has remote admin on my server? • People you give data to • People you give access to data • People who have access to your data • “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” • “... monitor service providers' PCI DSS compliance status.”
  • 50. Problems: Data Destruction • Where do the following go? ✓ Failed hard drive ✓ Deleted VM • Who owns the data? You or your cloud?
  • 51. Problems: Backup? • Who is backing up? • How is it backed up? • Where do the backups go? ✓ Offsite to a third party? New scope/contract
  • 52. Conclusion • Cloud Compliance is possible but not probable... until the services evolve • Cloud gives you scalability, but not security... unless you bake it in
  • 53. Thank You • Questions? • Contact Mike Dahn?
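The audit-logging and forensic-issues slides (43-47) ask whether a scaled-down server's logs are still reachable 12-18 months later. As an added illustration, not the speaker's material, here is a Python check over a constructed instance inventory and central log-store index that flags servers whose logs could not support such an investigation; the instance ids, dates and the 30-day-month approximation are assumptions.

```python
"""Audit-log coverage check for scaled-down ('ghost') servers. Added example,
not the speaker's code; inventory and log-store records are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

FRAUD_LEAD_TIME_MONTHS = 18  # upper end of the talk's 12-18 month window

@dataclass
class Instance:
    instance_id: str
    terminated: date | None  # None: server still running

@dataclass
class ArchivedLog:
    instance_id: str
    retained_until: date  # assumed: expiry date of the central copy

def retention_deadline(terminated: date, months: int = FRAUD_LEAD_TIME_MONTHS) -> date:
    """Date until which a terminated server's logs must stay retrievable."""
    return terminated + timedelta(days=30 * months)  # 30-day months suffice here

def audit_gaps(instances: list[Instance], archives: list[ArchivedLog],
               today: date) -> list[tuple[str, str]]:
    """Terminated servers whose logs could not support an investigation
    opened up to FRAUD_LEAD_TIME_MONTHS after they were torn down."""
    by_id = {a.instance_id: a for a in archives}
    gaps = []
    for inst in instances:
        if inst.terminated is None:
            continue  # still running: logs are still on the box
        deadline = retention_deadline(inst.terminated)
        if deadline < today:
            continue  # investigation window already closed
        arc = by_id.get(inst.instance_id)
        if arc is None:
            gaps.append((inst.instance_id, "ghost server: no central log copy"))
        elif arc.retained_until < deadline:
            gaps.append((inst.instance_id,
                         f"archive expires {arc.retained_until}, needed until {deadline}"))
    return gaps

# Constructed sample data: a peak-retail scale-up torn down in January.
INSTANCES = [Instance("web-001", date(2010, 1, 5)), Instance("web-002", date(2010, 1, 5)),
             Instance("web-003", date(2010, 1, 5)), Instance("db-001", None),
             Instance("old-001", date(2008, 1, 1))]  # window long closed: ignored
ARCHIVES = [ArchivedLog("web-002", date(2010, 7, 1)),  # shipped, but expires too early
            ArchivedLog("web-003", date(2012, 1, 1))]  # covers the whole window

def run_check(today: date = date(2010, 3, 1)) -> list[tuple[str, str]]:
    """Run the coverage check on the constructed data for the given day."""
    return audit_gaps(INSTANCES, ARCHIVES, today)
```

Run against a real inventory, a non-empty result is the list of servers an investigator 12-18 months from now would not be able to examine.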
