A few words about the CSA, a global, not-for-profit organization. It now has over 16,000 individual members and 80 corporate members. Its main focus is building best practices and a trusted cloud ecosystem using an agile security philosophy and rapid development of applied research. Research areas include:
- GRC: balance compliance with risk management
- Reference models: build using existing standards
- Identity: a key foundation of a functioning cloud economy
- Champion interoperability
- Advocacy of prudent public policy
The CSA motto is “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The class follows this outline:
- Introduction: what this class is about, prerequisites, how to benefit
- PCI DSS reminder
- Cloud basics
- Where cloud interacts with PCI DSS
- Key cloud PCI controls
- Core PCI DSS + cloud scenarios
- Conclusions and action items
We will learn about cloud computing in a more formal way further in the class. For now, just use whatever intuitive definition you might have in your head: maybe Amazon, Google, Salesforce, or whatever “cloud-related” company you dealt with in the past.
No industry discussion of cloud computing should happen without definitions, as there is a lot of hype and noise out there. The following is a quote from public NIST materials on cloud computing:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Note 1: Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.
Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.
National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft) covers that in detail and uses the following to further define the cloud:
- Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
- Rapidly provisioned and released with minimal management effort or service provider interaction
- Composed of 5 essential characteristics, 3 service models, and 4 deployment models
Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
I sometimes like to add that for hybrid technologies, with a substantial presence in the cloud as well as in customer environments, one has to be more creative in applying this definition. “Cloud anti-virus” is a good example of that.
These 5 Essential Cloud Characteristics are a good test of whether a particular service provider is indeed a cloud provider:
- On-demand self-service
- Broad network access
- Resource pooling
  - Location independence
- Rapid elasticity
- Measured service
Essentially, cloud-based is not the same as simply web-based.
NIST further defined 3 cloud models:
- Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created applications using programming languages and tools supported by the provider (e.g., java, python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
- Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
It should be noted that today there are many cross-over models, sitting between IaaS and PaaS, and also between PaaS and SaaS, or even below IaaS. It should also be noted, and it has implications for PCI and payments, that occasionally a SaaS provider might be a consumer of IaaS services (Netflix anybody?)
- Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
- Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
- Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).
In our class we are focused on public cloud models, treating the private clouds as a fancy virtualization example …
Continuing our run of laundry-list slides, here is the last one: 7 Common Cloud Characteristics, also from NIST. These do not have to be in the cloud, but they often are.
- Massive scale
- Homogeneity
- Virtualization
- Resilient computing
- Low cost software
- Geographic distribution
- Service orientation
These matter relatively little to PCI compliance, but they do have implications for how organizations will choose to implement PCI controls (such as in light of recent PCI Virtualization guidance).
The diagram, also from NIST public slides on the cloud, helps to see the big picture of cloud computing models by combining everything we learned above.
http://aws.amazon.com/products/
The most well-known is Amazon Elastic Compute Cloud (Amazon EC2) (http://aws.amazon.com/ec2/): “Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.”
http://aws.amazon.com/ec2/#details
“Using Amazon EC2 to Run Instances
Amazon EC2 allows you to set up and configure everything about your instances from your operating system up to your applications. An Amazon Machine Image (AMI) is simply a packaged-up environment that includes all the necessary bits to set up and boot your instance. Your AMIs are your unit of deployment. You might have just one AMI or you might compose your system out of several building block AMIs (e.g., webservers, appservers, and databases). Amazon EC2 provides a number of tools to make creating an AMI easy including the AWS Management Console.”
Amazon also offers PaaS elements as well as some SaaS services.
http://code.google.com/appengine/
“Run your web apps on Google's infrastructure: Easy to build, easy to maintain, easy to scale”
http://code.google.com/appengine/docs/whatisgoogleappengine.html
“Google App Engine enables you to build and host web apps on the same systems that power Google applications. App Engine offers fast development and deployment; simple administration, with no need to worry about hardware, patches or backups; and effortless scalability.”
http://code.google.com/appengine/docs/billing.html
Google App Engine lets you run your web applications on Google's infrastructure. App Engine applications are easy to build, easy to maintain, and easy to scale as your traffic and data storage needs grow. With App Engine, there are no servers to maintain: You just upload your application, and it's ready to serve your users. Each App Engine application can consume a certain level of computing resources for free, controlled by a set of quotas. Developers who want to grow their applications beyond these free quotas can do so by enabling billing for their application and using Google Checkout to set a daily resource budget, which will allow for the purchasing of additional resources if and when they are needed. App Engine will always be free to get started, and after you've enabled billing for your app all usage up to the free quotas will remain free.
http://www.salesforce.com/crm/sales-force-automation/
“Your complete toolkit for sales success
The Sales Cloud puts everything in one place. It’s as easy to use as your favorite consumer Web sites and the information you care about most gets pushed to you in real time. Suddenly, sales success is not only possible, it’s easy.”
Also, Salesforce has a PaaS offering as well: Force.com
http://www.salesforce.com/platform/
“Force.com
The leading cloud platform for business apps
Every business needs apps: HR apps, inventory apps, iPhone, iPad, Android, and BlackBerry apps. Now you can use the Force.com platform to build all of your apps—and websites—quickly and easily.
- 100% cloud—requires no hardware or software
- Mobile—run your apps on any platform or device
- Social—add collaboration features to every application”
P.S. This starts to feel pretty close to PCI DSS, doesn’t it? Indeed, some organizations do store PANs inside their Salesforce accounts, as we will learn in one of the scenarios.
MS Azure mixes PaaS and IaaS features due to some OS awareness and control.
http://www.microsoft.com/windowsazure/
“Windows Azure and SQL Azure enable you to build, host and scale applications in Microsoft datacenters. They require no up-front expenses, no long term commitment, and enable you to pay only for the resources you use.”
“Focus on development not infrastructure. No need to buy servers or dedicate resources to infrastructure management. Automated service management shields you from hardware failure and routine maintenance.
Use your existing skills in the cloud. Use your existing skills with Visual Studio and .NET to build compelling applications. Build applications in Java, PHP and Ruby using Eclipse and other tools.”
These public materials from NIST further explain the cloud models, which are essential to understand before we discuss PCI DSS in the cloud using various models. On top of this, they help you visualize the chain of providers that will complicate our deciphering of the PCI puzzle.
Optional slide with additional details on what clouds are made of – this is a NIST public slide as well.
Recent media coverage of the cloud makes us believe that security is the main or one of the main barriers for cloud computing adoption.
Source: CSA standard slide
This is an oversimplification of the cloud security issues, but it is definitely correct on a high level: there is only so much you can do to improve security if you use a Software as a Service (SaaS) provider who is hell-bent on not being supportive of your security requirements.
Source: CSA standard slide
This also helps us map many of the security issues (including payment security issues) to the cloud components we discussed above. In other words, this helps us understand: what is there to secure in the cloud?
Source: CSA standard slide
This is where the mysteries of PCI in the cloud start to come to life. Especially note those yellow boxes with the word JOINT (which, sadly, often means finger pointing and glaring security holes). Also note that for cloud security (and for cloud payment security as well as PCI) you will have to trust the provider with regard to physical security.
Source: CSA standard slide
Jurisdictional issues in the cloud will definitely complicate our road to PCI happiness. Specifically, think about locations where certain PCI-mandated security safeguards are illegal due to (misplaced!) privacy constraints.
Source: CSA standard slide
It is funny that this view of the world and of the cloud also has a hidden implication: if your neighbor is hacked in a traditional environment, you have perfectly good grounds for saying “I don’t care.” But in the case of shared infrastructure (cloud!), being able to say that becomes more and more rare, or more and more risky.
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
The purpose of this document, “Top Threats to Cloud Computing”, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to “Security Guidance for Critical Areas in Cloud Computing”. As the first deliverable in the CSA’s Cloud Threat Initiative, the “Top Threats” document will be updated regularly to reflect expert consensus on the probable threats which customers should be concerned about.
There has been much debate about what is “in scope” for this research. We expect this debate to continue and for future versions of “Top Threats to Cloud Computing” to reflect the consensus emerging from those debates. While many issues, such as provider financial stability, create significant risks to customers, we have tried to focus on issues we feel are either unique to or greatly amplified by the key characteristics of Cloud Computing and its shared, on-demand nature. We identify the following threats in our initial document:
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking
- Unknown Risk Profile
The threats are not listed in any order of severity. Our advisory committee did evaluate the threats and each committee member provided a subjective ranking of the threats. The exercise helped validate that our threat listing reflected the critical threat concerns of the industry, however the cumulative ranking did not create a compelling case for a published ordered ranking, and it is our feeling that greater industry participation is required to take this step.
The only threat receiving a consistently lower ranking was Unknown Risk Profile, however the commentary indicated that this is an important issue that is simply more difficult to articulate, so we decided to retain this threat and seek to further clarify it in future editions of the report.
- LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud
- LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats
- ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing
- COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory
- MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider
- DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers.
- INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most
- MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is
(source: Alex Stamos, iSec Partners at Source 2010 http://www.sourceconference.com/boston/speakers_2010.asp#AlexS)
“What are the realistic threats to cloud computing?
1. Loss of credentials via attacks against individuals
   - Spear-Phishing, malware, rubber hose
   - Gain access to (under EC2):
     - List of machines
     - Persistent Storage (EBS, SDB and S3)
     - Consoles
   - Don’t automatically get access to:
     - Running machine state/memory
     - Login credentials
     - Non-persistent storage
2. Operational security breakdown
   - Going from 50 machines/sysadmin to 500 is lifechanging
   - Need to plan from the start your security process
     - Patching
     - Hardening
     - Identity management
     - Logging
     - Application identification
     - Distribution of secure files
     - Forensics and IR
   - This is where a direct port to the cloud kills you
3. Misuse of new cloud technologies
   - Security promises of new technologies aren’t well understood
     - i.e. Access control in Hadoop
   - Easy to poorly architect system
   - Easy to downgrade security via change
     - Security zones in AWS
     - vShield zones in VMW based cloud”
http://mobile.pcmag.com/device2/article.php?CALL_URL=http://www.pcmag.com/article2/0,2817,2387447,00.asp
“FBI Seizes Servers, Prompting Site Outages
By Chloe Albanesius
Early Tuesday morning, the FBI raided a data center in Reston, Virginia and seized servers, causing several high-profile Web sites to go dark. According to a New York Times report, the FBI showed up at the data center, owned by Switzerland-based DigitalOne, around 1:15am and removed the equipment. The move resulted in services like Pinboard, Instapaper, and the Curbed Network going offline.”
That is a recent example of a unique cloud risk due to the shared and public nature of cloud computing.
Source: CSA standard slide
Source: CSA standard slide
CloudAudit Objective
A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
- Define a namespace that can support diverse frameworks
- Express five critical compliance frameworks in that namespace
- Define the mechanisms for requesting and responding to queries relating to specific controls
- Integrate with portals and AAA systems
And, as of this this, CSC CloudTrust protocol as well.
- Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments
- Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.
All of this TOGETHER: The Cloud
- Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
- Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
- Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
- Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security