Yes, You Can Be PCI Compliant Using a Public IaaS Cloud: A Case Study, by Phil Cox, Director of Security and Compliance for RightScale, and Rand Wacker, VP of Product at CloudPassage
Speaker notes:
  • With that basic premise, we’ll cover 4 KEY FOUNDATIONAL items that you need to deal with if you want to be able to do this right. These range from conceptual items to actual implementation thoughts, so I encourage you to “think” about the objective and maybe not the specific words I say. Understanding the concepts is much more important than the specific detail. If you get the concept, the detail will follow. With that, let’s go …
  • The GIST of this page is that part of your compliance relies on the compliance of your provider, and they have 2 ways to “prove” that: Be on the list, or be willing to prove it to you at a level you are satisfied with. Note that in the letter of the law, you would need to perform due diligence on those listed as well. MEANING, JUST BECAUSE THEY ARE LISTED DOES NOT GIVE YOU A GET OUT OF JAIL FREE CARD IF YOU ARE COMPROMISED. You must feel comfortable with your provider’s security. In reality, the level 2 who is willing to work with you may be a better fit. But it is up to you; just remember, they do NOT HAVE TO BE ON THE LIST!
  • Key here is an assessor that knows cloud. There are WAY TOO MANY WHO DO NOT!
  • Your DESIGN IS KEY … if you don’t design it right, you are hosed. But that goes for any environment, not just cloud. While providers and OSs can, the same cannot be said for all applications.
  • This is really about deploying secure systems. From where I stand, it should be no different than any other system you deploy: It should be built secure. The one advantage of Cloud is meeting the “1 system, 1 service” rule. Given the characteristics of Cloud, doing the 1:1 is much simpler.

Slide transcript:

    1. PCI in the Public Cloud
       Phil Cox, Director, Security & Compliance, RightScale
       Rand Wacker, VP, Products, CloudPassage

    2. About The Presenters
       Phil Cox
       • RightScale, Director of Security and Compliance
       • Multiple PCI SIGs
       • 20+ years InfoSec
       • Twitter: @sec_prof
       Rand Wacker
       • CloudPassage, VP of Products
       • Cisco Security, IronPort, UC Berkeley Security/Network Ops
       • Twitter: @randwacker

    3. Discussion Topics
       • The primary concerns of PCI in the public cloud
       • Challenges that come with the shared responsibility model
       • Architectural challenges of security and compliance in the cloud
       • Compliance automation to accelerate your development

    4. Why PCI Compliance and Cloud Can Work
       • Cloud infrastructure is just another compute platform
       • Lack of understanding/guidance != unsupported
       • Shouldn’t get hung up on the language
         – Because it’s going to change…and change…and change some more

    5. What it Takes to be PCI Compliant in The Public Cloud
       • Security (if done correctly) begets compliance
         – Not the other way around
       • Need technical controls that work like the cloud does
         – Dynamic, elastic, scalable
       • What worked in your datacenter might not work in cloud environments

    6. Survey Results: Standards
       • What standards or regulatory compliance mandates apply to your cloud project(s)?
         SOX           55.8%
         PCI-DSS       45.3%
         HIPAA         40.7%
         ISO           26.7%
         CoBIT         19.8%
         Cloud Audit   10.5%
         GLBA           9.3%
         FISMA          9.3%
         CIPA           7.0%
         FFIEC          7.0%
         COPPA          3.5%

    7. Survey Results: Controls
       • What cloud security technologies did your auditors expect you to have deployed?
         Firewalls & Access control     81%
         SIEM/LM                        73%
         Network IDS                    57%
         Patch management               56%
         WAF                            54%
         Network encryption             53%
         Multi-factor authentication    49%
         File integrity monitoring      46%
         Configuration monitoring       46%
         Database encryption            45%
         Host-based IDS                 44%
         Disk encryption                28%
         Code scanning                  24%

    8. Controls Must Change in Cloud
       (Repeats the controls table from slide 7.)
       Many traditional security technologies won’t work in public cloud or need to be highly automated to fully support private/hybrid cloud deployments

    9. Compliance Design and Shared Responsibility (section title)

    10. Foundation
       • Public cloud provider
       • Assessor
       • Application design
       • Harden the systems

    11. PCI Shared Responsibility (IaaS)
       • Service provider responsible for
         – Infrastructure, networking, storage, and virtualization
         – …and the compliance of these components…
       • Tenant responsible for
         – OS, application, and data
         – …and the compliance of these components…
       • This bar moves up the stack for PaaS, SaaS
       [Diagram: layered stack, bottom to top: Physical Facilities, Network, Compute & Storage, Hypervisor, Virtual Machine, Operating System, App Framework, App Code, Data; bands labelled Provider Responsibility, Customer Responsibility and Shared]

    12. General Notes on Cloud Service Providers (CSPs)
       • Compliance concerns will vary depending on whether the CSP is SaaS, PaaS, or IaaS
       • It is easier if the CSP is on the card brands’ “approved list”
       • PCI compliance must be in contract*

    13. Assessor
       • Find one … that knows cloud technology
         – A good default choice is the QSA who did the assessment for your CSP
       • If you don’t want/need to use an external auditor, then …determine if you have the knowledge internally
         – You need to make sure you have the depth of knowledge on the PCI DSS, as you will likely get it wrong if not

    14. Application Design
       • Ability to achieve PCI compliance is primarily based on forethought given to application design
       • Most providers, and all cloud-based OS’s, can be PCI compliant*
       • Ask:
         – What data am I storing? Why?
         – What is the communication flow of the application? Is it restricted?
         – Is my crypto based on publicly vetted standards?
       [Diagram: MASTER DB and SLAVE DB]

    15. Harden the Systems
       • Protect the system
         – Firewalls (remember ingress and egress)
         – Change defaults
         – Install patches
         – Watch the system for odd behavior or changes
       • You need to automate this. Trying to do this by hand in a cloud environment is error-prone.

    16. Automating Compliance (section title)

    17. Traditional DC Operations Model
       [Diagram: www-1 through www-4 in a private datacenter]
       Capacity is mostly static
       Servers are long-lived
       Security risk on servers is mitigated by network defenses

    18–24. Ensuring Cloud Server Integrity (built up over seven slides)
       [Diagram: www-1 through www-4 in a public cloud, all cloned from a www Gold Master; www-2 is flagged, then replaced]
       Most instances are clones of a single image
       Changes to critical files indicate concern
       Affected servers should be sequestered and replaced
       Scan for misconfigurations due to deployment or debugging issues
       Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
       Monitor business code for unintended or malicious changes
       Continuous Compliance Needs:
       • Configuration Security
       • Software Vulnerability Management
       • File Integrity Monitoring
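The gold-master check the integrity slides describe, as an added example that is not code from the presentation or from either presenter's company: hash every file in a gold-master tree, hash the same tree on a running clone, and classify the drift; any deviation marks the instance for sequester-and-replace rather than in-place repair. The directory layout, file contents and the hostname www-2 are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its hash: the gold-master baseline."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_gold(gold: dict, instance: dict) -> dict:
    """Classify drift between a running clone and the image it was cloned from."""
    return {
        "modified": sorted(k for k in gold if k in instance and gold[k] != instance[k]),
        "missing": sorted(k for k in gold if k not in instance),
        "added": sorted(k for k in instance if k not in gold),
    }

def should_sequester(drift: dict) -> bool:
    """Any deviation from the gold master means replace the instance, not repair it."""
    return any(drift.values())

def demo() -> dict:
    """Constructed sample: a gold master and a clone (www-2) whose sshd_config was
    edited during debugging and which picked up a stray script in /tmp."""
    with tempfile.TemporaryDirectory() as tmp:
        gold_root = Path(tmp) / "gold"
        inst_root = Path(tmp) / "www-2"
        for root in (gold_root, inst_root):
            (root / "etc/ssh").mkdir(parents=True)
            (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\n")
            (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        # Drift introduced on the clone only
        (inst_root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
        (inst_root / "tmp").mkdir()
        (inst_root / "tmp/debug.sh").write_text("#!/bin/sh\n")
        drift = compare_to_gold(build_manifest(gold_root), build_manifest(inst_root))
        drift["sequester"] = should_sequester(drift)
        return drift
```

In production the gold manifest would be computed once at image build time and shipped to each instance out of band, so a compromised clone cannot rewrite its own baseline.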
    25. Building a Well-Secured Cloud Server
       [Diagram: Cloud Server VM stack of Operating System, App Framework, App Code and Data, with an FW on each side]
       • Continuously verify application code is current and un-tampered
       • Track sensitive data and prevent egress
       • Ensure application stacks are locked down and match gold standards
       • Provision host-based firewalls (inbound and outbound)
       • Verify gold masters and harden server configurations
       • Fully automate security operations

    26. Securing Servers in the Cloud
       Servers in hybrid and public clouds must be self-defending with highly automated controls like…
       • Dynamic firewall & access control
       • Server compromise & intrusion alerting
       • Configuration and package security
       • Server forensics and security analysis
       • Server account visibility & control
       • Integration & automation capabilities

    27. Summary (section title)

    28. Best Practices
       • Read and understand what your provider does, and what you are responsible for, with regards to PCI
       • When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
       • Start with public cloud; PCI everywhere else is relatively easy!
       • Focus on securing the tenets of PCI that you can control
         – partners (CSPs, vendors) are key to success

    29. Resources
       PCI Compliance in the Public IaaS Cloud: How I Did It
       cloudpassage.com/pci-kit
       blog.rightscale.com

    30. Questions?

    31. Thank You!
       Phil Cox
       • Email: phil@rightscale.com
       • Twitter: @sec_prof
       • www.rightscale.com
       Rand Wacker
       • Email: rand@cloudpassage.com
       • Twitter: @randwacker
       • www.cloudpassage.com
