Get to know which security standards are applicable to OpenStack clouds Evgeniya Shumakher, Mirantis Compliance with critical industry and regulatory standards used to be mostly the concern of application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. Meanwhile, emerging cloud-specific standards, like FedRAMP or CSA cloud security guidelines, are suggesting new, complex and stringent requirements – while also offering critical guidance. The presentation offers an inside look at the process: The most important compliance and security standards for cloud builders, Where existing OpenStack resources can fully or partially solve common compliance problems Where standards support within OpenStack is currently thin The common workflow for architecting standards-compliant clouds, Common risks and emerging opportunities. Take a closer look at PCI Compliance for private OpenStack clouds Scott Carlson, PayPal PCI Compliance is very important for large financial institutions. As one of the larger installations of OpenStack within the Financial space, PayPal has driven forward the PCI conversation and will be sharing the technical perspective on the following related to PCI and OpenStack Private Clouds: How does OpenStack fit into an existing PCI-Compliant Environment When there is not an external Cloud Service Provider, how does your team need to compensate What are the design choices required to continue to be PCI-Compliant Physical versus Logical devices Hypervisor versus Guest compliance Management Networks for PCI and non-PCI Zones The case study won’t give a fully prescriptive talk on how to obtain PCI compliance, because there is a lot more to gaining compliance than just making your cloud compliant, but will help to understand: Where existing OpenStack resources can fully or partially solve PCI compliance problems, Where OpenStack community needs to join together to solve in order to continue growth into PCI-compliant spaces.

1. Will Your Cloud Be Compliant?
Scott Carlson – PayPal
Evgeniya Shumakher - Mirantis

2. © MIRANTIS 2013
OpenStack Cloud
Compliance
Evgeniya Shumakher
Business Analyst

3. What is ‘Compliance’?
Compliance means conforming to a rule, such as
a specification, policy, standard or law. Regulatory
compliance describes the goal that organisations
aspire to achieve in their efforts to ensure that
they are aware of and take steps to comply with
relevant laws and regulations.
http://en.wikipedia.org/wiki/Regulatory_compliance

4. Compliance <> Security
Security Compliance

5. It’s all about information
Confidentiality
IntegrityAvailability
Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to
encourage and enhance cardholder data security and facilitate the broad adoption of
consistent data security measures globally.

6. Enterprise ecosystem
Data
Applications
Operating Systems
OpenStack
Processing and Memory, Data Storage, Network
Physical facilities
People
BusinessProcesses
Regulations

7. Who is responsible?
CloudStack IaaS PaaS SaaS
Data
Applications
Operating Systems
OpenStack
Processing and Memory, Data Storage, Network
Physical facilities
Cloud user
Cloud builder

8. Standards
• PCI DSS
• HIPAA / HITECH
• SOX
• FedRAMP/FISMA
• ISO/IEC 27001-2005
• NIST SP800-53

9. Typical structure
Standard
Requirement #1
Control #1.1
Control #1.2
Control #1.NRequirement #2
Requirement #N

10. • CLOUD CONTROLS MATRIX VERSION 3.0
Controls are very similar

11. Standards are pretty generic:
PCI DSSBuild and
Maintain a
Secure Network
and Systems
1. Install and
maintain a
firewall
configuration
to protect
cardholder
data
2. Do not use
vendor-
supplied
defaults for
system
passwords and
other security
parameters
Protect
Cardholder Data
3. Protect
stored
cardholder
data
4. Encrypt
transmission of
cardholder
data across
open, public
networks
Maintain a
Vulnerability
Management
Program
5. Protect all
systems
against
malware and
regularly
update anti-
virus software
or programs
6. Develop and
maintain
secure systems
and
applications
Implement
Strong Access
Control
Measures
7. Restrict
access to
cardholder
data by
business need
to know
8. Identify and
authenticate
access to
system
components
9. Restrict
physical access
to cardholder
data
Regularly
Monitor and
Test Networks
10. Track and
monitor all
access to
network
resources and
cardholder
data
11. Regularly
test security
systems and
processes
Maintain an
Information
Security Policy
12. Maintain a
policy that
addresses
information
security for all
personnel

12. Cloud Guidelines
• PCI DSS Virtualization Guidelines
• PCI DSS Cloud Computing Guidelines
• NIST Special Publication 800-144 Guidelines on
Security and Privacy in Public Cloud Computing

13. PCI DSS Cloud Guidelines
Don’t store, process or transmit payment card
data in the cloud.

14. PCI DSS Virtualization Guidelines
• Requirement 3: Protect stored cardholder data
– As well as being present in known locations, cardholder data
could exist in archived, off-line or dormant VM images, or be
unknowingly moved between virtual systems via dynamic
mechanisms such as live migration or storage migration tools.
– Sensitive data, such as unencrypted PAN, sensitive
authentication data, and cryptographic keys, could be
inadvertently captured in active memory and replicated via
VM imaging and snapshot functions...

15. OpenStack Security Guidelines
• OpenStack Security Guide
• Securing OpenStack for compliance

16. Q&A
• email: eshumakher@mirantis.com
• irc: eshumakher

17. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
Private Cloud Compliance
Scott Carlson - @relaxed137

18. 26CURRENCIES SUPPORTED
148M
ACTIVE REGISTERED ACCOUNTS
193
MARKETS OFFER PAYPAL
80
LOCALIZED MARKETING SITES
GLOBALLY
EUROPEAN UNION
EURO
AUSTRALIAN
DOLLAR
CANADIAN
DOLLAR
NEW ZEALAND
DOLLAR
HUNGARIAN
FORINT
MALAYSIAN
RINGGIT
UNITED KINGDOM
POUNDS STERLING
HONG KONG
DOLLAR
UNITED STATES
DOLLAR
TAIWAN
NEW DOLLAR
CHINESE
RMB
SWEDISH
KRONA
SINGAPORE
DOLLAR
PHILIPPINE
PESO
BRAZILIAN
REAL
RUSSIAN
RUBLE
NORWEGIAN
KRONE
JAPANESE
YEN
MEXICAN
PESO
TURKISH
LIRA
SWISS
FRANC
CZECH
KORUNA
ISRAELI
NEW SHEKEL
DANISH
KRONE
THAI
BAHT
POLISH
ZLOTY

19. 148MACTIVE
ACCOUNTS1
$6,688 IN PAYMENTS
PROCESSED
EVERY SECOND2
9M PAYMENTS PROCESSED
EVERY DAY3 +6M NEW ACTIVE
ACCOUNTS1
Q1 2014 Financial Metrics
$1.8BPAYPAL REVENUES
20% YOY
TPV2
26% YOY
$52B

20. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
PayPal Cloud & Software Defined Data Center
Agility with Security
Cloud Design Principals
Deploy from Templates
Any Image, Anywhere
Automatically scale up/down workloads
Follow devops auto-deployments CI/CD
Respond to intra-cloud events
ELASTIC
VIRTUAL
PCI-DSS 2.0 and 3.0
Local Country RequirementsSECURE
20

21. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
Compliance requirements
Compliant with PCI-DSS 2.0 Standards
Non-US locations compliant with local
country regulations
21
Compliance Statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal

22. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
Basic Methodology
Just pretend its infrastructure
OpenStack has servers in it
Hardware Configured and dedicated to the cloud
Hypervisor/Build Image meeting NIST/CIS standard templates
Vulnerability Scanning with third party tooling
Patching 7, 30, 90 day windows with vendor provided patches to OS
Configuration Management for important system files
Password Management – non-default, complex and unique!
OpenStack has Users in it
Do not use shared accounts for anything. Just don’t
Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time.
22

23. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
Basic Methodology
Just pretend its infrastructure
Hypervisor Components
Its Just Linux. Treat it like hardened Linux and lock it down to standards (CIS, NIST)
Have a separate management interface from your production traffic (physical or virtual)
Do not combine security zones within a single hypervisor because then it’s ALL “in-scope”
Audit Access, Audit changes, be ready to show your work
Be ready to defend decisions to share ports for components
OpenStack Software Stack
Limited vulnerability scanning in a programmatic way, have to build our own (Fortify, AppScan)
Getting code from Trunk = Open Source Happiness, but have your licenses reviewed!
You still need to code review if CDE passes through here
Avoid Avoid Avoid Actual data getting put in your cloud stack (not guest VM’s, those are ok)
23

24. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
Basic Methodology
Just pretend its infrastructure
Physical Network Components? Yep
Firewall rules around the cloud to limit ingress and egress
Monitor what happens on your firewalls, send it somewhere, keep it a LONG time
Make sure the person building your network isn’t the person building your cloud (SOD)
Configuration Guidelines exist for most physical installations (avoid virtual for now…)
Automation is fine, but make sure you log it, and auto-ticket it.
Virtual Network Components? Nope
Too early in the testing process to rely on virtual versions of components at scale
Okay for intra-tenant traffic with minimal rule set
Same rules for physical apply to virtual. Has your third party pen-tested and certified their thing?
24

25. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
Basic Methodology
Just pretend its infrastructure
Data?
If its Card-holder data, controls become interesting very quickly
Storing things encrypted at rest in VM’s mean you can’t use OpenStack components
HSM, crypto, key management required
User management, controls over data, logging, all of the standard stuff needed
25

26. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
For more information, please contact:
Scott Carlson
sccarlson@paypal.com
@relaxed137