
PCI-DSS Compliant Cloud - Design & Architecture Best Practices


Published in: Technology, Business

  1. PCI-DSS Compliant Cloud - Design & Architecture Best Practices
     Session ID: SEC2484
     Track: Cloud Infrastructure: Security and Compliance
     Moderator: Hemma Prafullchandra, HyTrust
     Panelists: Allan MacPhee, Trend Micro • Tom McAndrew, Coalfire • Davi Ottenheimer, VMware • Ken Owens, Savvis
  2. PCI DSS 2.0 & Virtualization Information Supplement
     • DSS 2.0 (released 10/2010) clarified that CDE system components can be physical or virtual
     • The Virtualization Guidance Information Supplement (released 6/2011) provides an overview of the different classes of virtualization as they apply to the payment chain, the key risks and challenges, scoping, a set of recommendations on how best to virtualize the CDE, and finally a set of testing procedures for the specific PCI DSS requirements that need further consideration when virtualization is used
     • Brief discussion of mixed mode and the use of cloud computing: take a risk-based approach and work with your QSA/card brand to determine what is adequate
  3. The NIST Cloud Definition Framework
     Deployment Models: Hybrid Clouds
     Service Models: Software as a Service (SaaS) • Platform as a Service (PaaS) • Infrastructure as a Service (IaaS)
     Essential Characteristics: On Demand Self-Service • Broad Network Access • Rapid Elasticity • Resource Pooling • Measured Service
     Common Characteristics: Massive Scale • Resilient Computing • Homogeneity • Geographic Distribution • Virtualization • Service Orientation • Low Cost Software • Advanced Security
  4. PCI Info Supp Recommendations
     1. Hypervisor is ALWAYS in scope if it hosts a guest VM that is in scope
        • PCI controls apply to the hypervisor and virtual management components
     2. One function per server
        • VMs treated in a manner consistent with their physical counterparts
     3. Separation of duty
        • Enforce least privilege where possible with RBAC
        • Audit administrative operations
     4. Mixing VMs of different trust levels
        • Conservative approach: all VMs (CDE and non-CDE) are in scope
        • Work with your QSA on de-scoping options and best practices
  5. PCI Info Supp Recommendations
     5. Dormant VMs and VM snapshots
        • New and unique to virtualized environments; treat them in the same manner as data backups
        • Recognize that VMs being brought back online may be vulnerable (missing patches, stale AV pattern files, etc.)
     6. Immaturity of monitoring solutions
        • Traditional monitoring tools need to be supplemented with “virtualization-aware” tools that provide greater visibility into virtualization activity
     7. Information leakage
        • The increased risk of information leakage between logical network segments and components requires “virtualization-aware” tools that provide greater visibility into virtualization activity
  6. PCI Info Supp Recommendations
     8. Defense in depth
        • The dynamic nature and mobility of VMs require virtualization-specific security tools and approaches
        • Ideally, VMs are self-defending regardless of state or location
     9. VM & Hypervisor Hardening
        • Harden hypervisors based upon vendor best practices
        • Apply hypervisor & guest VM patches regularly (e.g. within 30 days)
        • Use integrity monitoring software to detect unauthorized changes
        • Collect and review log files diligently
     10. Cloud Computing
        • Cloud providers must provide customers with proof of what was included in the scope of their PCI DSS assessment and what was not in scope
        • The ‘customer’ is responsible for ensuring that security controls not covered by the cloud provider are in place and managed appropriately
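Several of the recommendations above (in-scope hypervisors, dormant VMs and snapshots, the 30-day patch window, integrity monitoring) can be checked automatically. The following Python script is an added example, not part of the panel deck and not code from any of the panelists' companies: it runs over a constructed VM inventory, lists the hypervisors that fall in scope because they host a CDE guest (recommendation 1), flags any guest or snapshot whose patches are older than the 30-day window quoted on the slide and notes that dormant images must be refreshed before reuse (recommendations 5 and 9), and compares a stored file-hash baseline against current file contents in the spirit of recommendation 9. The 7-day anti-virus pattern age limit, all VM names, hypervisor names, file paths and dates are assumptions constructed for the example.

```python
"""Added example: automated checks mirroring the PCI virtualization
recommendations summarised on the slides (in-scope hypervisors, dormant
VMs/snapshots, 30-day patch window, integrity monitoring).
Inventory, file contents and dates are constructed for illustration;
only the 30-day patch window comes from the slide, the AV pattern age
limit is an assumption."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List
import hashlib

PATCH_WINDOW_DAYS = 30       # slide: "apply patches regularly (e.g. within 30 days)"
AV_PATTERN_MAX_AGE_DAYS = 7  # assumption, not from the slide


@dataclass
class VirtualMachine:
    name: str
    in_cde: bool          # stores, processes or transmits cardholder data
    state: str            # "running", "dormant" or "snapshot"
    hypervisor: str
    last_patched: date
    av_pattern_date: date


def in_scope_hypervisors(vms: List[VirtualMachine]) -> List[str]:
    """Recommendation 1: a hypervisor is in scope if any guest it hosts is."""
    return sorted({vm.hypervisor for vm in vms if vm.in_cde})


def findings_for_vm(vm: VirtualMachine, today: date) -> List[str]:
    """Recommendations 5 and 9: stale patches or AV on any image, plus a
    note for dormant images that must be refreshed before reuse."""
    findings = []
    patch_age = (today - vm.last_patched).days
    if patch_age > PATCH_WINDOW_DAYS:
        findings.append(f"patches {patch_age} days old (limit {PATCH_WINDOW_DAYS})")
    av_age = (today - vm.av_pattern_date).days
    if av_age > AV_PATTERN_MAX_AGE_DAYS:
        findings.append(f"AV pattern {av_age} days old (limit {AV_PATTERN_MAX_AGE_DAYS})")
    if vm.state in ("dormant", "snapshot") and findings:
        findings.append("dormant image: patch and update AV before reconnecting it to the CDE")
    return findings


def assess_inventory(vms: List[VirtualMachine], today: date) -> Dict[str, List[str]]:
    """Conservative scoping (recommendation 4): every VM is checked, CDE or not."""
    return {vm.name: findings_for_vm(vm, today) for vm in vms}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_check(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Recommendation 9: compare a stored hash baseline with current file
    contents and report what changed, disappeared or appeared."""
    result = {}
    for path, expected in baseline.items():
        if path not in current:
            result[path] = "missing"
        elif sha256_hex(current[path]) != expected:
            result[path] = "changed"
    for path in current:
        if path not in baseline:
            result[path] = "added"
    return result


# --- constructed sample data (not real systems) ---------------------------
TODAY = date(2011, 8, 30)
INVENTORY = [
    VirtualMachine("web-01", True, "running", "esx-a", date(2011, 8, 20), date(2011, 8, 29)),
    VirtualMachine("db-01", True, "running", "esx-a", date(2011, 7, 1), date(2011, 8, 29)),
    VirtualMachine("app-snap-2011-05", True, "snapshot", "esx-b", date(2011, 5, 1), date(2011, 5, 1)),
    VirtualMachine("wiki-01", False, "running", "esx-c", date(2011, 8, 25), date(2011, 8, 29)),
]
BASELINE = {  # hashes recorded when the guest was last known good
    "/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\n"),
    "/etc/pam.d/sshd": sha256_hex(b"auth required pam_unix.so\n"),
}
CURRENT_FILES = {  # what a monitoring agent reads back now
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/etc/pam.d/sshd": b"auth required pam_unix.so\n",
    "/etc/sudoers.d/extra": b"ops ALL=(ALL) NOPASSWD: ALL\n",
}

if __name__ == "__main__":
    print("in-scope hypervisors:", in_scope_hypervisors(INVENTORY))
    for name, findings in assess_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
    for path, status in integrity_check(BASELINE, CURRENT_FILES).items():
        print(f"{status}: {path}")
```

The snapshot is the interesting case: it would pass a point-in-time scan of running guests but carries four-month-old patches and AV patterns, which is exactly why the supplement asks for dormant images to be treated like backups. In practice the inventory would come from the virtualization management API and the baseline from an integrity-monitoring agent; the comparison logic stays the same.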
  7. Scoping & Responsibility
  8. Panelists
     Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
     Allan MacPhee, Senior Product Manager, Trend Micro
     Davi Ottenheimer, Security & Compliance Architect/Consultant, VMware
     Tom McAndrew, Vice President of Professional Services, Coalfire
  9. Why are you here?
     • How many of you are governed by PCI?
     • How many of you are already using virtualization/private cloud for the PCI CDE?
     • How many of you are planning to use public cloud?
     • Anybody passed a PCI assessment with use of cloud (or partial use of cloud)?
        • What type of cloud?
        • Which vendor?
        • Who was the assessor?
  10. Discussion
     • What are the characteristics of a cloud that make PCI compliance difficult?
     • Can a shared cloud environment even be PCI compliant?
     • What does it mean when your cloud provider tells you that they are PCI certified?
        • What areas should your cloud provider be responsible for?
        • What are the key questions you should ask your cloud provider to understand the scope of the PCI certification achieved?
        • How does a merchant figure out what the shared responsibility split is in detail?
     • If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about?
  11. Discussion
     • What is the best way to involve my QSA in these discussions?
     • What resources can I use to help me plan for and use cloud computing for my CDE?
        • Policy, People, Process, Technology
  12. Key Guidance: PCI Compliance in Virtualized Environments (on-premise)
     • Virtualization increases the risk and complexity of PCI compliance; engage your QSA early to streamline the audit process
     • Look beyond traditional security vendors for solutions that address virtualization-specific requirements (hypervisor/VM controls)
     • View virtualization as an opportunity to improve your current processes (reporting, monitoring, inter-VM controls, etc.) and to achieve objectives that you always wanted in physical environments but could not afford or were restricted from by legacy infrastructure
     • Embrace virtualization with a virtualization-by-default approach and build compliance into the default mode of operation
  13. Key Guidance: PCI Compliance in the Cloud
     • Compliance is possible, but it takes the right cloud provider
     • Compliance is a shared responsibility; there is no magic bullet
        • Understand the details & scope of your cloud provider’s PCI certification
        • Work with your QSA to create a strategy for addressing the remaining required PCI controls
     • Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics
     • Create a strategy for cloud compliance
        • Start with virtualized on-premise and dedicated hosting environments
        • Evolve and apply these controls to cloud environments
  14. Useful Resources
     framework.html
     Just Published: PCI-compliant Cloud Reference Architecture
  15. Thank You