Get to know which security standards are applicable to OpenStack clouds
Evgeniya Shumakher, Mirantis
Compliance with critical industry and regulatory standards used to be mostly the concern of application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. Meanwhile, emerging cloud-specific standards, like FedRAMP or CSA cloud security guidelines, are suggesting new, complex and stringent requirements – while also offering critical guidance.
The presentation offers an inside look at the process:
• The most important compliance and security standards for cloud builders
• Where existing OpenStack resources can fully or partially solve common compliance problems
• Where standards support within OpenStack is currently thin
• The common workflow for architecting standards-compliant clouds
• Common risks and emerging opportunities
Take a closer look at PCI Compliance for private OpenStack clouds
Scott Carlson, PayPal
PCI Compliance is very important for large financial institutions. As one of the larger installations of OpenStack within the financial space, PayPal has driven forward the PCI conversation and will share the technical perspective on the following topics related to PCI and OpenStack private clouds:
• How does OpenStack fit into an existing PCI-compliant environment?
• When there is no external Cloud Service Provider, how does your team need to compensate?
• What are the design choices required to continue to be PCI-compliant?
  – Physical versus logical devices
  – Hypervisor versus guest compliance
  – Management networks for PCI and non-PCI zones
The case study won’t be a fully prescriptive talk on how to obtain PCI compliance, because there is a lot more to gaining compliance than just making your cloud compliant, but it will help to understand:
• Where existing OpenStack resources can fully or partially solve PCI compliance problems
• Where the OpenStack community needs to join together to solve problems in order to continue growth into PCI-compliant spaces
3. What is ‘Compliance’?
Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.
Source: http://en.wikipedia.org/wiki/Regulatory_compliance
5. It’s all about information
• Confidentiality
• Integrity
• Availability
Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
7. Who is responsible?
Cloud stack layers, by service model (IaaS / PaaS / SaaS):
• Data
• Applications
• Operating Systems
• OpenStack: Processing and Memory, Data Storage, Network
• Physical facilities
Responsibility for each layer is divided between the cloud user and the cloud builder.
11. Standards are pretty generic:
PCI DSS
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
12. Cloud Guidelines
• PCI DSS Virtualization Guidelines
• PCI DSS Cloud Computing Guidelines
• NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
13. PCI DSS Cloud Guidelines
Don’t store, process or transmit payment card data in the cloud.
14. PCI DSS Virtualization Guidelines
• Requirement 3: Protect stored cardholder data
  – As well as being present in known locations, cardholder data could exist in archived, off-line or dormant VM images, or be unknowingly moved between virtual systems via dynamic mechanisms such as live migration or storage migration tools.
  – Sensitive data, such as unencrypted PAN, sensitive authentication data, and cryptographic keys, could be inadvertently captured in active memory and replicated via VM imaging and snapshot functions...
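The leakage path described under Requirement 3 (cardholder data left behind in dormant images, snapshots or captured memory) can be checked for with a routine scan of exported artefacts. The script below is an added example written for this page; it is not code from the talk, from PayPal or from any OpenStack project. It assumes the image, snapshot or dump has already been downloaded to a local file (for example with the Glance client) and that any cardholder data present is unencrypted ASCII text. The function names (`luhn_ok`, `find_candidate_pans`, `scan_file`, `demo`), the regular expression and the sample snapshot content are this example's own.

```python
"""Heuristic scan of an exported VM image, snapshot or memory dump for
candidate primary account numbers (PANs).

Added example for this page, not code from the talk or from OpenStack.
It assumes the artefact has already been downloaded to a local file and
that cardholder data, if present, is stored as plain ASCII digits.
"""
import mmap
import os
import re
import tempfile

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so timestamps, long counters and
# session ids are skipped).
_PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it; most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, so the scan report
    itself never becomes a new store of full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_candidate_pans(blob) -> list:
    """Return [(offset, masked_pan)] for each Luhn-valid digit run in a
    bytes-like object (bytes, bytearray or an mmap)."""
    hits = []
    for m in _PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_file(path: str) -> list:
    """Memory-map the file so multi-GB images are searched without being
    read into RAM and without chunk-boundary artefacts."""
    if os.path.getsize(path) == 0:
        return []
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_candidate_pans(mm)


# Constructed sample resembling a log fragment left inside a snapshot.
# 4111 1111 1111 1111 and 378282246310005 are well-known test numbers that
# pass Luhn; the 20-digit session id and the 16-digit non-Luhn value are noise.
SAMPLE_SNAPSHOT = (
    b"[2013-11-05 10:22:01] order=10023 card=4111 1111 1111 1111 exp=12/15\n"
    b"session-id=12345678901234567890 user=alice\n"
    b"amex=378282246310005 status=approved\n"
    b"not-a-card=1234567890123456\n"
)


def demo() -> list:
    """Write the constructed sample to a temporary file, scan it through
    the same mmap path a real export would use, and return the hits."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_SNAPSHOT)
        path = tmp.name
    try:
        return scan_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for offset, masked in demo():
        print(f"offset {offset}: {masked}")
```

Run as a script, the constructed sample yields two masked hits and nothing for the session id or the non-Luhn value; point `scan_file` at a real export to use it. The Luhn filter removes most false positives, but matches remain candidates to be reviewed, and a scan of this kind misses compressed, encrypted or non-ASCII (for example UTF-16) content, so it complements rather than replaces controls on where images and snapshots may be created and who may read them.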
18. 26 currencies supported; 148M active registered accounts; 193 markets offer PayPal; 80 localized marketing sites globally.
Currencies: Euro (European Union), Australian dollar, Canadian dollar, New Zealand dollar, Hungarian forint, Malaysian ringgit, United Kingdom pound sterling, Hong Kong dollar, United States dollar, Taiwan new dollar, Chinese RMB, Swedish krona, Singapore dollar, Philippine peso, Brazilian real, Russian ruble, Norwegian krone, Japanese yen, Mexican peso, Turkish lira, Swiss franc, Czech koruna, Israeli new shekel, Danish krone, Thai baht, Polish zloty.