PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013
Speaker: Phil Cox, Director Security and Compliance, RightScale

Over the past few years, PCI compliance in the public cloud has been a growing topic of concern and interest. Like us, you probably have heard assertions from both sides of the topic – some stating that one can be a PCI compliant merchant using public IaaS cloud, others stating that it is impossible. We’ll discuss foundational principles and mindsets for PCI compliance, how to determine system/application scope and requirement applicability, and how to meet top-level PCI DSS (Data Security Standard) requirements in the public IaaS cloud.

Published in: Technology, Business
Speaker notes
  • Just touch on these, we’ll cover them in the following slides
  • Just touch on these, we’ll cover them in the following slides
  • Partnership, NOT JUST CLOUD
  • The GIST of this page is that part of your compliance relies on the compliance of your provider, and they have 2 ways to “prove” that: be on the list, or be willing to prove it to you at a level you are satisfied with. Note that in the letter of the law, you would need to perform due diligence on those listed as well. MEANING, JUST BECAUSE THEY ARE LISTED DOES NOT GIVE YOU A GET OUT OF JAIL FREE CARD IF YOU ARE COMPROMISED. You must feel comfortable with your provider’s security. In reality, the level 2 who is willing to work with you may be a better fit. But it is up to you, just remember, they do NOT HAVE TO BE ON THE LIST!
  • Key here is an assessor that knows cloud. There are WAY TOO MANY WHO DO NOT!
  • Your DESIGN IS KEY … if you don’t design it right, you are hosed. But that goes for any environment, not just cloud. I say this with the understanding that there are good partners to have out there; you are most likely to hose yourself.
  • Note on “Not storing the PAN”, use one of these: one-way hashes based on strong cryptography (hash must be of the entire PAN); truncation (hashing cannot be used to replace the truncated segment of PAN); index tokens and pads (pads must be securely stored); strong cryptography with associated key management. So you have options other than encryption. As a matter of fact, encryption is the hardest to do correctly. It has been my experience that MOST folks who keep the PAN do NOT need it. THIS IS THE MOST CRITICAL DECISION YOU WILL MAKE, AND IT HAS A DIRECT EFFECT ON THE EASE OF PCI COMPLIANCE
  • This is really about deploying secure systems. From where I stand, it should be no different than any other system you deploy: it should be built secure. The one advantage of Cloud is meeting the “1 system, 1 service” rule. Given the characteristics of Cloud, doing the 1:1 is much simpler.
  • A snapshot. Orange: in general these have special considerations for Cloud. Blue: in general, Cloud does not alter what you do significantly. We’ll hit these more in the next slides. {IF SHORT ON TIME, MAKE THESE BRIEF AND REFERENCE THE BLOG AND ASSOCIATED PDF}
  • BIGGEST issue here is the maturity of the networking, and the fact that you need to use host-based firewalls on all instances. It is just a different way of doing things than most are accustomed to. It is however the way that Cloud works. NOTE: If you use a Virtual Private Cloud or something like that, this is a bit different. Remember everything I am talking about is Public.
  • This is “Change the things a hacker read in an install or setup guide to break into your systems”
  • If you use file- or column-level database encryption, then you are golden as long as it is based on public crypto and has great key management. If you use disk-level encryption, the encryption method cannot have: a direct association with the operating system, or decryption keys that are associated with user accounts. So TrendMicro SecureCloud is a solution that you can use.
  • 3rd party: CloudPassage, SPLUNK, TrendMicro Deep Security, Sumo Logic, any SIEM
  • Just touch on these, we’ll cover them in the following slides

Slide 1: PCI Compliance in Public Cloud Is Achievable

Slide 2: RightScale Story
  • We accept credit cards for payment: a Merchant, and must meet PCI DSS compliance as part of our contract
  • We only use public cloud services: we are “All-In” cloud so to speak
  • Thus we needed to design, implement, and maintain a PCI environment in the public cloud

Slide 3: My Core Message for Today: PCI compliance in public cloud is achievable

Slide 4: Agenda
  • Your selection of partners matters
  • Application design and system deployment are key
  • Walkthrough of PCI DSS

Slide 5: Partners Matter
  • Your choice of:
      • Cloud Service Provider
      • Assessor: Qualified Security Assessor (QSA) or Internal Resource
  • Will have a significant impact on your ability to achieve compliance

Slide 6: Cloud Service Provider
  • Partnership has an implicit “shared responsibility” model
  • CSP has to be doing their part
      • IaaS – Everything up to and including the hypervisor (or equivalent)
      • PaaS – IaaS + underlying OS and supporting applications
      • SaaS – PaaS + data protection

Slide 7: What to look for in a CSP
  • Is on the “Approved Service Providers” list (i.e., completed Level 1) *OR* has done a Level 2 assessment and can show you their validation results (essence of Requirement 2.4)
      • Many providers go through the rigor of ensuring compliance internally, but not the cost of hiring an external QSA
      • Do not dismiss a potential partner because they are not on the list. If you are going to dismiss them, do it because they are not transparent.
  • Will sign a contract that states they must protect CHD in accordance with PCI DSS to the extent it applies to them (Requirement 12.8.2)

Slide 8: Assessor
  • This will be the authority who signs off on your compliance
  • If they don’t understand the technology or application, the chances of sign-off are small
  • There are A LOT of charlatans out there. Be wise with your $ spend

Slide 9: What to look for in an Assessor
  • They must understand cloud technology, and ideally the cloud technology you are using
  • A good default choice for an external Assessor is the one who did the assessment for your chosen CSP (assuming there was one)
  • If you don’t want/need to use an external auditor, then … determine if you have the knowledge internally
  • The caveat: an internal assessor may know the tech, but they need to be just as versed in the PCI DSS

Slide 10: As a reminder: PCI compliance in public cloud is achievable

Slide 11: Application Design
  • Your ability to achieve PCI compliance in the public cloud is primarily based on how much forethought you gave to the application in its design
  • Most providers, and all cloud-based operating systems, can be PCI compliant. The same cannot be said for all applications
  • Ask the following questions:
      • What data am I storing? Why? Can I get away without it?
      • Do I know the communication flow of the application? Can I restrict communications to specific system roles?
      • Am I using well-known, publicly vetted cryptography standards?

Slide 12: Application Guidelines
  • Here are guidelines I have used to ensure an application is “securable” from a PCI perspective:
  1. Do not store the Primary Account Number (PAN) if you do not need it.
      • Many payment processors have mechanisms for recurring billing or credits. Depending on your situation, it is highly likely that you do not need to store the PAN, thus making your life significantly easier from a PCI DSS compliance standpoint.
  2. If you are going to store PAN, then the design of the crypto mechanism and, more importantly, the key management of data in the DB, is critical
      • This is really not a “cloud” thing, and is dealt with in any PCI application that stores CHD.

Slide 13: Application Guidelines (cont.)
  3. Terminate SSL/TLS at the load balancer and run all other traffic over the private interface/network
      • This assumes that the “private” interfaces have been designed to meet the definition of “non-public” as far as PCI DSS
      • This is the case with Amazon Web Services. Traffic between the private IP addresses can be considered a private network and not require encryption. This does not mean that you can’t or shouldn’t do it, just that you do not have to in order to meet PCI DSS requirements.
  4. Validate all user input
      • While this is not a “cloud” issue, it is THE main intrusion vector
  • Yep, that’s pretty much it: Protect it in transit/at rest (if needed) & Test for bad code
      • It is not rocket science, but most folks don’t do these right

Slide 14: Harden the Systems
  • Protect the system
      • Firewalls (remember ingress and egress)
      • Change defaults
      • Install patches
      • Watch the system for odd behavior or changes
  • Shout out to CloudPassage
      • Manage the firewall rules and separation of duty that PCI DSS requires, and will make achieving compliance much easier.
  • I recommend using a public cloud management solution. Trying to do this by hand is error-prone.

Slide 15: Once again: PCI compliance in public cloud is achievable

Slide 16: PCI and Cloud Snapshot
  • Those that need special consideration because of cloud: 1, 3, 9, 10, 11, 12 (orange)
  • Those that are more about HOW than WHAT: 2, 4, 5, 6, 7, 8 (blue)

Slide 17: Requirement 1: Firewalls
  • Design the application and communications flows so they can be secured
  • The state of networking features in cloud has an effect on how you provide isolation for scoping
      • e.g. AWS EC2 general Security Groups are NOT adequate: No egress filtering
  • Review/audit regularly to make sure design and implementations have not changed
      • One nice aspect of the cloud is that since automation is part of the DNA, automation of these reviews is easier
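Slide 17 makes two points that lend themselves to automation: plain EC2 Security Groups are not adequate because they lack egress filtering, and the regular review of the firewall design is easier to automate in the cloud. The script below is an added example, not part of the deck or of RightScale's tooling. It reads security-group definitions in the JSON shape that `aws ec2 describe-security-groups` returns (`IpPermissionsEgress`, `IpProtocol`, `IpRanges`/`CidrIp`, `Ipv6Ranges`/`CidrIpv6`) and reports every group whose egress is open to any address, rating an all-protocols rule higher than a single-port one. The three groups embedded in it are constructed sample data with made-up group ids; in practice you would feed it the live JSON on a schedule and alert on any non-empty result.

```python
"""Audit security groups for missing egress filtering (Requirement 1).

Added example, not from the deck or RightScale. Input is expected in the JSON
shape of `aws ec2 describe-security-groups`; the groups below are constructed
sample data with made-up group ids.
"""
import ipaddress
import json

# Constructed sample: a web group with the default allow-all egress, a web group
# whose egress is limited to the DB tier and one TLS endpoint, and a DB tier
# group with no egress rules at all (VPC semantics: nothing may leave).
SAMPLE_GROUPS_JSON = r"""
{
  "SecurityGroups": [
    {"GroupId": "sg-sample-web-default", "GroupName": "web-default",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
       {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-sample-web-hardened", "GroupName": "web-hardened",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-sample-db-tier"}]},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-sample-db-tier", "GroupName": "db-tier",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-sample-web-hardened"}]}],
     "IpPermissionsEgress": []}
  ]
}
"""


def unbounded_destinations(rule):
    """Return the destination CIDRs in a rule that cover every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def describe_rule(rule):
    """Human-readable protocol/port summary of a rule ("-1" is the API's 'all protocols')."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return "all protocols, all ports"
    return "%s %s-%s" % (proto, rule.get("FromPort", "any"), rule.get("ToPort", "any"))


def audit_egress(groups_json):
    """Return {GroupId: [finding, ...]} for groups whose egress is open to any address.

    A group with an empty egress list is not reported: under VPC semantics nothing
    may leave, which is the filtered state the slide asks for. Egress that is bound
    to specific CIDRs or to other security groups is likewise accepted.
    """
    findings = {}
    for group in json.loads(groups_json)["SecurityGroups"]:
        problems = []
        for rule in group.get("IpPermissionsEgress", []):
            open_to = unbounded_destinations(rule)
            if not open_to:
                continue
            severity = "HIGH" if rule.get("IpProtocol") == "-1" else "MEDIUM"
            problems.append("%s: %s to %s" % (severity, describe_rule(rule), ", ".join(open_to)))
        if problems:
            findings[group["GroupId"]] = problems
    return findings


if __name__ == "__main__":
    for group_id, problems in audit_egress(SAMPLE_GROUPS_JSON).items():
        for problem in problems:
            print("%s  %s" % (group_id, problem))
```

Run against the sample, only `sg-sample-web-default` is reported, with a HIGH finding for its all-protocols rule to `0.0.0.0/0` and `::/0`; the hardened web group and the DB tier pass. Keeping the check as a function that returns findings, rather than one that only prints, is what lets it sit in a scheduled job whose non-empty output becomes the audit evidence the slide calls for.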
Slide 18: Requirement 2: Defaults
  • Make sure to change the vendor supplied defaults
      • RightScale ServerTemplates™ are a great way to enforce this, as well as provide version control of configurations
  • The cloud actually helps you: you have to plan
      • There is no “throw in the CD, plug in the cable, and leave it”
  • Cloud should give you a leg up in this area, as this is part of Cloud DNA so to speak

Slide 19: Requirement 3: Protect CHD
  • Gets down to:
      • Do not store what you don’t need
      • Good crypto selection
      • Proper key management
  • For block/storage level encryption, use of a third party like TrendMicro SecureCloud (or similar) is a big help here
  • Note: Cloud really is not an issue here, as you have many of the same concerns in a managed hosting environment. The main difference is between owned or third-party infrastructure.

Slide 20: Stored PAN Tangent
  • Assume you store PAN in the DB
      • Not tokenized, truncated, or hashed
  • For most of us, you need to mask on display
  • Per Requirement 3, if you store CHD, then you must encrypt
      • Does your DB support it? If not, then you have to do it in the App
      • Use an encrypted filesystem on block storage in addition
      • Inject keys at instance launch
  • Management of encryption keys is the big issue
      • Rotation – You need to plan on how to do this!
      • Storage – In memory is best, restricted filesystem is next best
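Slides 12, 19 and 20, together with the speaker note that lists the PCI-accepted substitutes for keeping a PAN (a one-way hash of the entire PAN, truncation, index tokens with a securely stored pad, or strong cryptography with key management), name the options without showing what each looks like in an application. The Python below is an added example, not code from the deck or from RightScale: a Luhn check so the PAN field gets the "validate all user input" treatment, masking for display to the first six and last four digits (the most PCI DSS allows to be shown), truncation to the last four, a keyed one-way hash over the entire PAN (keyed because the space of possible PANs is small enough that an unkeyed hash can be enumerated, a point the slides do not make), and an index-token vault. The test PAN, the key, and the dict standing in for a separately secured token store are constructed values, and `compliant_record` is a hypothetical helper showing what an order row could hold instead of the PAN.

```python
"""Substitutes for storing a PAN in the clear (Requirement 3; slides 12, 19, 20).

Added example, not from the deck. The PAN, key and dict-backed token vault are
constructed test values standing in for real secrets and a separately secured store.
"""
import hashlib
import hmac
import secrets

# Constructed test values: a well-known test card number and a throwaway key.
TEST_PAN = "4111111111111111"
TEST_HASH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def luhn_valid(pan):
    """Validate a PAN's Luhn check digit before doing anything else with it
    (the 'validate all user input' guideline applied to the PAN field)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for position, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_for_display(pan):
    """Masked form for screens and receipts: PCI DSS permits at most the first
    six and last four digits to be shown; everything between is replaced."""
    if len(pan) <= 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate(pan):
    """Truncation: retain only the last four digits; the rest is discarded, not hashed."""
    return pan[-4:]


def hash_pan(pan, key):
    """One-way hash over the ENTIRE PAN (never over a fragment), keyed with a
    secret so the small PAN space cannot simply be enumerated against the digest."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index-token scheme: the application keeps random tokens; only the vault,
    kept out of the application's reach, holds the token-to-PAN map. A dict
    stands in for that store here (assumption for illustration)."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(16)      # random, so the token carries no PAN information
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def compliant_record(pan, key, vault):
    """Hypothetical order row: a display mask, a keyed hash for duplicate
    detection, and a vault token for later charges. No PAN is kept in the row."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "display": mask_for_display(pan),
        "pan_hash": hash_pan(pan, key),
        "token": vault.tokenize(pan),
    }


if __name__ == "__main__":
    vault = TokenVault()
    record = compliant_record(TEST_PAN, TEST_HASH_KEY, vault)
    print(record["display"])               # 411111******1111
    print(truncate(TEST_PAN))              # 1111
    print(vault.detokenize(record["token"]) == TEST_PAN)
```

The point of `compliant_record` is what it leaves out: the row holds nothing from which the PAN can be recovered without either the HMAC key or the vault, which is exactly why slide 20 says key management, rotation and where the key lives become the real problem once you do choose to keep the PAN.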
Slide 21: Requirement 4: Encrypt transmission
  • No huge difference between cloud or hosted here
  • Biggest item is determining private vs. public networks
  • SSL/TLS is the de facto way to do this

Slide 22: Requirement 5: AV and Malware
  • Not much specific to a “cloud” deployment
  • Servers come and go more frequently, so you need to make sure the AV solution is operating correctly
      • If I had Windows systems for servers, I’d be using RightScale ServerTemplates to make sure things were configured correctly
  • Nice aspect of the cloud is that since automation is part of the DNA, automation of this should actually make it easier to meet the requirements

Slide 23: Requirement 6: Development & System Admin
  • The “what” (securing systems) is not really a “cloud” specific problem, but the “how” is
  • Need to deploy hardened systems
      • RightScale ServerTemplates and built-in versioning make it easy and provide change tracking. You can choose how you want to do it, just do it
  • Nice aspect of the cloud is that since automation is part of the DNA, automation of these should actually make it easier to meet the requirements

Slide 24: Requirements 7 & 8: Restrict Access & Users
  • Again, not the “What to do” that is the issue, but “How to do it”
  • Make sure you enforce it on EVERY system
      • Role-Based Access Control (RBAC) and ServerTemplate features of RightScale, and a strict provisioning policy, to get this done. You can choose any method that works
  • I use a combination of RightScale, policies, and regular audits. You can choose any method that works
  • Really no different than a hosted environment

Slide 25: Requirement 9: Physical
  • You need to worry about user systems and any hard copy
  • Really no different than a hosted environment

Slide 26: Requirement 10: Logging & Tracking
  • Basically need host-based tools
  • The lack of transparency into some of the devices you don’t have access to (e.g., hypervisor logs) needs to be taken into account
  • I use RightScale to configure systems and send local system and application logs to a central log server
      • You can choose any method that works for you
  • Use of a 3rd party is a BIG WIN here

Slide 27: Requirement 11: Testing
  • Coordination with the CSP when doing testing may be something that is new and requires modification of your process
  • “Internal” testing becomes a bit tricky
  • I recommend:
      • Automated tools – Continuous
      • Internal experts – Monthly or more
      • 3rd party testing – Annually
  • While you can use a Web App Firewall (WAF), I prefer testing
      • Use both if you can

Slide 28: Requirement 12: Governance
  • The policies need to exist with or without the cloud
  • Must ensure appropriate language is included in contracts with partners
  • Biggest issues I run into:
      • Ensure that if you share CHD with others, contracts state they must protect CHD in accordance with PCI DSS
      • Have an incident response plan and make sure it works!

Slide 29: Summary
  • Your selection of partners matters
  • Application design and system deployment are key
  • Know how the PCI DSS applies to you

Slide 30: One last time: PCI compliance in public cloud is achievable

Slide 31: Action Item
  • Investigate where you are at in the context of PCI and public cloud compliance

Slide 32: Questions???

Slide 33: Wrap-Up
  • I have walked this path
  • Contact me if you need help

Slide 34: My Contact Info
  • Email: phil@rightscale.com
  • Twitter: sec_prof
  • Google+: phil@rightscale.com