There Is No Spoon: Compliance & Privacy in the Cloud
Michael Dahn
  1. There Is No Spoon: Compliance & Privacy in the Cloud. Michael Dahn, MSIA, CISSP. Friday, November 20, 2009
  2. Which Cloud do you mean? Compliance Cloud / Technical Cloud
  3–8. Compliance Cloud
  9–10. Compliance Cloud: CA, MA, MN, FL, ...
  11–12. Technical Cloud
     • SPI Model: Software, Platform, Infrastructure
       ✓ *aaS (Something* as a Service)
  13. What is Compliance?
  14. Compliance vs Validation
     • Compliance is a state of being: like auto insurance, you need to have it continuously
     • Validation is proof of compliance you do annually
  15. Compliance vs Security
  16–18. Compliance vs Security
     “The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
     Myth 4 - PCI Will Make Us Secure: “Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.”
     Compliant until you're compromised...
  19–21. the “Singularity”
     • “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron
     • If someone dies wearing a seat belt, does that make them useless?
  22. Risk & Transference
     • #1 Question everyone has: Liability?
     • “You can outsource the work, but you cannot outsource the responsibility”
     • Cloud-sourcing does not transfer risk
  23–28. There is No Spoon
     • Can any firewall be used to segment a network?
       ✓ No! Only a properly configured firewall
     • Can any Cloud be used and achieve compliance?
       ✓ Maybe... if considerations are made
     • Think beyond technology, checklists, and compliance. Think Risk.
  29. Problem List
  30–35. Problems: PCI DSS
     • Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server”
       ✓ Virtualization?
       ✓ Cloud?
       ✓ WAF in the cloud?
     • Requirement 11.2 - ASV Scans
  36. Problems: Service Level Agreement
     • Uptime/Availability? Yes’ish
     • Security? No.
     • Compliance? No.
     • Assurance of data integrity? No.
  37–42. Problems: Image Sprawl
     12% month-over-month growth of Amazon Machine Images (AMI) in 2008
     • First rule of fight club? Find your data!
     • Second rule of fight club? Find your data (no really)!
     • Always “ask twice” - how it works? fails?
     • Now assume everything moves
  43–46. Problems: Audit Logging
     • Goals:
       ✓ Alert on suspicious activity? Yes
       ✓ Facilitate a forensic investigation? Maybe
     • Are the logs backed up?
     • Are they accessible 12-18 months later?
       ✓ What if the server is no longer there?
  47. Problems: Forensic Issues
     • During peak retail months systems are scaled up and then down
     • Fraud patterns have lead time of 12-18 mo.
     • How do you forensically examine a ‘ghost’ server?
  48–49. Problems: Third-Party Access
     Who has remote admin on my server?
     • People you give data to
     • People you give access to data
     • People who have access to your data
     “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.”
     “... monitor service providers’ PCI DSS compliance status.”
  50. Problems: Data Destruction
     • Where do the following go?
       ✓ Failed hard drive
       ✓ Deleted VM
     Who owns the data? You or your cloud?
  51. Problems: Backup?
     • Who is backing up?
     • How is it backed up?
     • Where do the backups go?
       ✓ Offsite to a third-party? New scope/contract
  52. Conclusion
     • Cloud Compliance is possible but not probable .. until the services evolve
     • Cloud gives you scalability, but not security .. unless you bake it in
  53. Thank You
     • Questions?
     • Contact Mike Dahn?
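The audit-logging and forensic-issues slides (43–47) ask whether logs from servers that were scaled up for peak season and then torn down are still reachable 12–18 months later. One way a defender can check that, as an added example that is not part of the original deck: a Python script over a constructed instance-lifecycle inventory and a constructed off-box log-archive index (both hypothetical), which flags every instance still inside the forensic window whose lifetime has days that no archive covers.

```python
"""Log-archive coverage check for ephemeral servers (added example, not from the slides).
Inputs are constructed: when each instance existed, and which day ranges its shipped
logs cover. The 18-month window mirrors the fraud lead time cited in the talk."""
from datetime import date, timedelta

# Constructed inventory: instance -> (first day, last day); None = still running.
INSTANCES = {
    "web-01": (date(2008, 11, 1), date(2009, 1, 15)),   # holiday capacity, since terminated
    "web-02": (date(2008, 11, 1), date(2008, 12, 31)),  # holiday capacity, since terminated
    "db-01": (date(2008, 6, 1), None),                  # long-lived, still running
    "batch-00": (date(2007, 1, 1), date(2007, 3, 1)),   # gone long before the window
}

# Constructed archive index: instance -> day ranges its off-box log archives cover.
ARCHIVES = {
    "web-01": [(date(2008, 11, 1), date(2009, 1, 15))],   # fully covered
    "web-02": [(date(2008, 11, 10), date(2008, 12, 10))],  # shipping started late, stopped early
    # db-01 never shipped its logs anywhere: a "ghost" the day it is retired
}

RETENTION_MONTHS = 18  # upper end of the 12-18 month figure on the slides

def coverage_gaps(start, end, archives):
    """Day ranges within [start, end] that no archive range covers."""
    gaps, cursor = [], start
    for a_start, a_end in sorted(archives):
        if a_start > cursor:
            gaps.append((cursor, min(a_start - timedelta(days=1), end)))
        cursor = max(cursor, a_end + timedelta(days=1))
        if cursor > end:
            break
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps

def audit(instances, archives, today):
    """Instances still inside the forensic window whose logs have uncovered days.
    Returns {instance: [(gap_start, gap_end), ...]} as ISO date strings."""
    window_start = today - timedelta(days=RETENTION_MONTHS * 30)
    findings = {}
    for name, (start, end) in instances.items():
        if end is not None and end < window_start:
            continue  # retired before the window; an investigator will not ask for it
        gaps = coverage_gaps(start, end or today, archives.get(name, []))
        if gaps:
            findings[name] = [(g0.isoformat(), g1.isoformat()) for g0, g1 in gaps]
    return findings

def example_findings():
    """Run the check as of the talk's date against the constructed data."""
    return audit(INSTANCES, ARCHIVES, date(2009, 11, 20))

if __name__ == "__main__":
    for name, gaps in example_findings().items():
        print(f"{name}: no archived logs for {gaps}")
```

Only web-01 passes: web-02 was terminated with three weeks of its lifetime never shipped, and the running db-01 has no off-box copy at all, so neither could support an investigation once the host is gone.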