© 2011 Cloud Security Alliance, Inc. All rights reserved.
Thanks to Class Sponsors
Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance
About the Cloud Security Alliance
Global, not-for-profit organization
Building best practices and a trusted cloud ecosystem
Comprehensive research and tools
Certificate of Cloud Security Knowledge (CCSK)
www.cloudsecurityalliance.org
About the Class
Learn/refresh knowledge about PCI DSS
Learn/refresh knowledge about cloud computing
Understand how to assess PCI compliance in cloud environments
Understand how to implement PCI DSS controls in cloud environments
Gain useful tools for planning/doing this
Show of hands please…
1. QSA
2. Merchant
a) L1
b) L2-4
3. Service provider
4. Security tool vendor
5. Security consultant
6. Other
Prerequisites
Know how to spell “P-C-I D-S-S” :-)
Have heard about “The Cloud”
Possess basic information security knowledge, IT management
Full Class Outline
Introduction
What this class is about, prerequisites, how to benefit
PCI DSS reminder
Cloud basics
Where cloud interacts with PCI DSS
Key cloud PCI controls
Core PCI DSS + cloud scenarios
Conclusions and action items
How to benefit?
If you are a merchant… learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs
If you are a QSA… figure out how to assess merchants and CSPs
If you are a cloud service provider… learn how to keep yourself and merchants compliant
If you are a security vendor… learn about the new problems you can solve
If you are a consultant around PCI and cloud… learn the “pain points” around PCI DSS and cloud
PCI in the Cloud... In the Media
….bla bla …. bla bla ….. PCI DSS…. ….. The Cloud……… cloud…..bla…cloud… ….bla bla…… compliant ..……cloud. ……cloud…..bla bla……possible ………. ……cloud……….. bla bla………cloud ….. as long as no cardholder data is in the cloud… bla bla…………………………..
Quick Reality Check
Cloud?
PCI DSS?
Together?
DISCUSSION!
Why is PCI Here?
Criminals need money.
Credit cards = MONEY.
Where are the most cards? In computers.
Data theft grows and reaches HUGE volume.
Some organizations still don’t care… especially if the loss is not theirs.
PAYMENT CARD BRANDS ENFORCE DSS!
Laggards vs. Leaders
Issue: many merchants don’t even want to “grow up” to the floor of security
Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation
Action: PCI DSS mandate!
What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =
PCI DSS: Basic Security Practices!
Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Policy
• Maintain a policy that addresses information security
PCI DSS Domain Coverage
… In no particular order:
Security policy and procedures
Network security
Malware protection
Application security (and web)
Vulnerability scanning and remediation
Logging and monitoring
Security awareness
PCI DSS 2.0 is Here!
Select items changing for PCI 2.0
Scoping clarification
Data storage
Virtualization (!!)
DMZ clarification
Vulnerability remediation
Remote data access
Does it Apply to Me?
“PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.”
PCI Game: The Players
PCI Security Standards Council
PCI Regime vs DSS Guidance
The PCI Council publishes PCI DSS
• Outlined the minimum data security protection measures for payment card data.
• Defined Merchant & Service Provider Levels, and compliance validation requirements.
• Left the enforcement to card brands (Council doesn’t fine anybody!)
Key point: PCI DSS (document) vs PCI (validation regime)
My Data – Their Risk!?
*I* GIVE *YOU* DATA
*YOU* LOSE IT
*ANOTHER* SUFFERS!
Key Concept//
Scoping
Sidenote// FLAT NET to FLAT CLOUD
REALITY: “Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment.” (PCI DSS 2.0)
DREAM: “Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.”
Key Concept// Compliance vs Validation
Q: What to do after your QSA leaves?
A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted.
Use what you built for PCI to reduce risk
“Own” PCI DSS; make it the basis for your policies
Key Concept// Stay Compliant
Ongoing compliance with PCI DSS – tasks by frequency:
Annual: risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc
Quarterly: ASV and internal scans, wireless scans
Weekly: file integrity checking
Daily: log and alerts review, other operational procedures
Failing That…
“Classic” example from my PCI book, co-author Branden Williams
Two BIG Approaches to PCI DSS Compliance
SECURE the data: encrypt, access control, monitor, block attempts, authenticate, authorize, etc…
DELETE the data: organize your business to avoid dealing with the data
These apply to PCI in the cloud as well!
NIST Definition of Cloud Computing
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
5 Essential Cloud Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling
– Location independence
4. Rapid elasticity
5. Measured service
3 Cloud Service Models
1. Cloud Software as a Service (SaaS)
– Use provider’s applications over a network
2. Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other fundamental computing resources
To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics
4 Cloud Deployment Models
Private cloud
Enterprise owned or leased
Community cloud
Shared infrastructure for specific community
Public cloud <- our focus in this class!
Sold to the public, mega-scale infrastructure
Hybrid cloud
Composition of two or more clouds
7 Common Cloud Characteristics
1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation
All of this TOGETHER: The Cloud (figure)
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Common Characteristics: Massive Scale, Homogeneity, Virtualization, Resilient Computing, Low Cost Software, Geographic Distribution, Service Orientation, Advanced Security
Example IaaS// Amazon Cloud
Amazon cloud components
– Elastic Compute Cloud (EC2)
• Run your own or Amazon’s OS “instances”
– Simple Storage Service (S3)
– SimpleDB
– Other services
Example PaaS// Google App Engine
Create, deploy and run applications
NO control (or, in fact, even visibility) of OS
Use SDK to develop the applications
Run “natively” in the cloud
Example SaaS// Salesforce
Well-known SaaS CRM application
Cloud CRM + a lot more applications
Example P/IaaS // Azure
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
Service Model Architectures (figure)
SaaS architectures: SaaS on cloud infrastructure; SaaS on PaaS on cloud infrastructure; SaaS on PaaS on IaaS on cloud infrastructure
PaaS architectures: PaaS on cloud infrastructure; PaaS on IaaS on cloud infrastructure
IaaS architectures: IaaS on cloud infrastructure
Security?
Are there …mmm …cloud security issues?
Security: Barrier to Adoption?
What is Different about Cloud?
Security Relevant Cloud Components
Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and Virtual Networks
What is Different about Cloud?
SERVICE OWNER | SaaS | PaaS | IaaS
Data | Joint | Tenant | Tenant
Application | Joint | Joint | Tenant
Compute | Provider | Joint | Tenant
Storage | Provider | Provider | Joint
Network | Provider | Provider | Joint
Physical | Provider | Provider | Provider
What is Different about Cloud?
What is Different about Cloud?
CSA Cloud “Threats”
1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
ENISA Cloud Risks
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider
iSEC Realistic Cloud “Threats”
1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology
FBI Takes Cloud Away
Discussion
What do YOU think are actual, relevant, TRUE threats to cloud computing?
While we are “in the cloud”
Here are some additional CSA/cloud security resources…
CSA GRC Stack
Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
(figure: Control Requirements; Provider Assertions; Private, Community & Public Clouds)
CSA CloudAudit
Open standard and API to automate provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the scale demanded by cloud providers
Uses Cloud Controls Matrix as controls namespace
Use to instrument cloud for continuous controls monitoring
CSA Cloud Controls Matrix
Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
Rated as applicable to SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the “cloud gap” for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
Next?
Do We See A Cloud in There?
Requirement 12.8: “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers…”
Requirement A.1: “Shared hosting providers must protect the cardholder data environment”
Magic of Requirement 12.8
Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
….…………………. however ………………………
Magic of 12.8 Revealed
“If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that …service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses.
In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.”
Requirement 9// Amazon Example
Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
June 2011// PCI SSC Virtualization Guidance
Key Cloud Items:
“CSP should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program.”
PCI SSC on Cloud Challenges
“The distributed architectures of cloud environments add layers of technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder data storage.
The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment”
And now… a brainteaser
Requirement 11.3// Pentesting
“11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests”
“Cloudify” this for me, please!
Audience Poll
Q: How should we address it?
A: Only pentest applications with narrow rules
B: Go full blast and “own” provider’s datacenter
C: Trust that “they do it”
D: Hide under our desks and squeal :-)
Detailed Example// Amazon PCI
Happy now? “Amazon is PCI OK”
Huh?
Say What….
Q: “What does this mean to me as a PCI merchant or service provider?
A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.”
Example// Amazon view of this
Example// Amazon Guidance
Sidenote// “Compliant” Provider of What?
Scenarios Introduction
In scope for discussion:
– Public IaaS, PaaS, SaaS
– Chained or multiple CSPs
NOT in scope:
– Traditional hosting providers
– Outsourced data center or call center
– Private cloud and virtualization on-prem
– Virtual private cloud (sort of)
Learn Using Scenarios
Description
How to assess this scenario / Assessment tips
How to scope this scenario / Scoping tips
How to get compliant
How to stay compliant
What to show to QSA / compliance evidence
Notable PCI requirements to watch
Responsibility split
Pitfalls, Risks and Tips
Key Goal
DO build a framework for assessing/complying, based on the scenarios
DO NOT memorize the scenarios, yours might be different or be a combination of these
Scenario 1// Clean Cloud
Merchant – ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Cloud environment segmented from CDE
NO PANs in any cloud environment
… or so they think :-)
Description
Sells books online
Level 1 merchant
Uses cloud provider(s) for testing, training, etc
Cloud provider NOT PCI-OK
NO payment data stored in the cloud
NO payment data processed in the cloud
NO payment data passed through cloud
Scenario 1// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
How to Assess?
Key: Are they right?
Test that PANs didn’t “escape” to Amazon
How to Scope?
On-prem: as usual
Cloud environment:
IaaS: run a discovery tool
Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs
Q: What about encrypted PANs?
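As an added example (not from these slides or the author), a minimal stdlib-only version of the “custom script to look for unencrypted PANs” mentioned above. It assumes text-readable inputs (exported spreadsheets, logs, application dumps), filters digit runs with the Luhn check so order IDs and timestamps are not reported, flags published test card numbers (the “test PANs” the later slide warns about), and writes only masked values to its report; the sample CSV is constructed.

```python
import re

# Candidate PAN: 13-19 digits, groups optionally separated by one space or dash,
# not adjacent to other digits. Tune for your own data formats.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Published test card numbers (they pass Luhn but are not real cardholder data).
# Constructed subset for this example; extend with your processor's test numbers.
KNOWN_TEST_PANS = {
    "4111111111111111",
    "5105105105105100",
    "378282246310005",
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS 3.3 allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Scan text and return findings that carry masked PANs only.

    Each finding records the masked PAN, its character offset and whether it is
    a known test number. Full PANs are never returned, so the scan report does
    not itself become cardholder data.
    """
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue            # random digit runs rarely pass Luhn; drop them
        findings.append({
            "masked": mask_pan(digits),
            "offset": m.start(),
            "test_pan": digits in KNOWN_TEST_PANS,
        })
    return findings


def scan_files(paths) -> dict:
    """Scan text files and return {path: findings} for files that had hits."""
    report = {}
    for p in paths:
        with open(p, "r", errors="replace") as fh:
            hits = find_pans(fh.read())
        if hits:
            report[p] = hits
    return report


# Constructed sample: a finance spreadsheet exported as CSV that leaked onto a
# cloud test system. Row 3 holds a digit run that fails Luhn and is ignored.
SAMPLE_CSV = """customer,ref,card,amount
Alice,ORD-2023100512345,4111 1111 1111 1111,19.99
Bob,ORD-2023100598765,5105-1051-0510-5100,42.00
Carol,ORD-2023100511111,1234567812345678,7.50
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_CSV):
        print(hit)
```

Run `scan_files` over a copy of the cloud system's exported files; anything reported that is not a flagged test number is a rogue PAN and pulls that system into scope.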
How to Get / Stay Compliant?
Easy huh:
Keep the PANs out of the cloud
Recheck (via discovery tools) that cloud systems are not contaminated by the PANs
Look for old PANs, “test” PANs, etc.
Compliance Evidence
What to show to QSA?
Discovery scan results
Other data that confirms that PCI data does not get to the cloud systems
Policies and procedures BANNING card data in the cloud; evidence of people actually following them….
Responsibility SPLIT
PROVIDER: Nothing (not even being PCI compliant)
MERCHANT: All PCI controls; Scoping; Keeping cloud systems out of scope
Contract SLA Tips
Requirement 12.8 does NOT play
No SLA in regards to cardholder data
Common Pitfalls and Key Risks
Failing to assure that PANs don’t leak to the cloud
Failing to maintain “no PANs in the cloud” status
“Rogue PANs” theft is still CHD theft…
Tip: run a discovery tool on cloud systems
Tip: assure segmentation (no data flow from CDE to YOUR cloud)
Common PAN Leakage
Excel spreadsheet on cloud systems
– Excel spreadsheet on Google Documents
Application screenshots
Finance and HR documents with PANs
Other Office formats with PAN information
Text dumps from poorly-written/legacy applications
Scenario 2// Storage in the Cloud
Merchant – ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Stores PANs in public cloud environment!
Description
A chain of stores across the US West
Level 2 merchant
Uses cloud provider(s) for testing, training, backup systems, data storage, etc
Cloud provider MAY BE PCI-OK
PAN data stored in the cloud
PAN data transmitted through cloud
NO payment data processed in the cloud
Scenario 2// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
What about their service provider(s)? Must they be PCI-OK for merchant to be PCI-OK?
Bonus question: What about their CSPs’ CSP?
How to Assess?
Key: Encryption AND/OR Provider PCI Status
Case #1: Unencrypted PANs at CSP => no PCI compliance possible
Case #2: Encrypted with provider having the key => provider must be PCI-OK
Case #3: Encrypted with provider NOT having the key => presumably, provider may be NOT PCI-OK
Huh? What does it mean?
IaaS (e.g. VMs in the cloud, EC2 instances, etc) = likely case #3
Merchant deals with PCI DSS, provider may not know anything about it
No unencrypted data possible in/across the cloud
NO WAY for CSP to decrypt the data
Reminder: scan for unintended cloud PANs
Huh? What does it mean? Part II
SaaS or PaaS (e.g. SalesForce, etc) = likely case #2
Provider MUST be PCI-OK
Merchant and CSP share PCI responsibilities
CSP encrypts the data AND/OR can decrypt it
How to Scope?
On-prem: as usual
Cloud environment:
– IaaS (case #3)
• Cloud environment can be claimed to be out of scope (if CSP has NO key!!!)
• Merchant is responsible for all controls
• Look for unintentional PANs
– SaaS and maybe PaaS (case #2)
• Cloud environment IS in scope
• Controls shared between CSP and Merchant
PCI Council Says…
“For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.
In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations. In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.”
How to Get Compliant?
1. Realize what scenario you are in, then either
a) Ensure CSP cooperation and PCI-OK status (see matrix) (“PCI in cloud”, SaaS/PaaS), or
b) Encrypt all PANs and prevent the provider from having the key (“no PCI in cloud”, IaaS)
2. In case a), build the control matrix and test it
How to Stay Compliant?
Either …
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Keep encrypting, preventing the provider from seeing the key and testing for “rogue PANs”
Compliance Evidence
What to show to QSA? By case…
CSP PCI status and additional evidence of how they do PCI DSS
Proof of your scoping decision to exclude the cloud due to encryption
+ evidence of all other PCI controls, of course
Responsibility SPLIT// IaaS/No Cloud PCI/Encryption
PROVIDER: Nothing (may not even be PCI compliant)
MERCHANT: All PCI controls; Encryption + key management; Scoping; Keeping cloud systems out of scope
Responsibility SPLIT// SaaS/Cloud PCI provider
PROVIDER: Security policy; Physical; Network; Encryption; Key management; System security; Parts of application security
MERCHANT: Security policy; Application security; Scoping; Monitoring (unless extra $ to CSP)
Example Scenario 2// Control Matrix
PCI DSS Requirement | Merchant | Cloud provider
Secure application development: R6 | IaaS, PaaS | SaaS
Update OS: R6 | IaaS (joint) | IaaS (joint), PaaS, SaaS
Log management: R10 | IaaS (joint), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Render PANs unreadable: R3.4 | IaaS, Maybe: PaaS | SaaS, Maybe: PaaS
Physical access control: R9 | None | IaaS, PaaS, SaaS
Vulnerability scanning: R11.2 | IaaS (joint – per system), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Penetration tests: R11.3 | IaaS (joint), PaaS (joint), SaaS (joint) – degree varies | IaaS (joint), PaaS (joint), SaaS (joint) – degree varies
Security policy: R12 | IaaS, PaaS, SaaS (all joint) | IaaS, PaaS, SaaS (all joint)
Wireless security: R11.1 | None | IaaS, PaaS, SaaS
Ooops!
Merchant uses IaaS, manages the systems, encrypts the data
– (so far, case “No Cloud PCI”)
…but SHARES THE KEY WITH CSP!
What now?
Notable PCI DSS Requirements to Watch
Requirement 3.4 covers the encryption of stored data.
Requirement 12.8 covers service providers and the matrix
Requirement A covers shared hosting providers
Contract SLA Tips
Case SaaS/“PCI in the cloud”
Clear acceptance of responsibility for “their”
controls
Verification of provider controls
Incident response support for data breaches
PCI Council Says…
“The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.”
Common Pitfalls and Key Risks
For IaaS/No PCI in cloud/encryption case, assurance of provider not being able to decrypt the data
For SaaS/PCI in cloud, failure to test the provider on an ongoing basis
SLA failures: no escalation, evidence sharing, incident response cooperation
“Finger pointing”
Scenario 3// IaaS PCI
Merchant – ecommerce or stores
Use public cloud IaaS provider
Processes cards and possibly stores them as well in the cloud
Description
Global airline with physical and online purchases
Uses CSP for a broad spectrum of payment tasks
Cloud provider MUST be PCI-OK
PAN data stored in the cloud
PAN data passed through cloud
PAN data processed in the cloud – at the same provider!
Scenario 3// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Who is doing what for the merchant to be PCI-OK?
Bonus question: What about their SPs’ SP’s SP?
How to Assess?
Key: The Matrix … Must Have No Holes
ALL PCI DSS controls are in place for all layers of the cloud environment – and somebody must … pay for it :-)
Secret to PCI In the Cloud
Huh? The Matrix?
Two basic FACTS:
1. Merchant CANNOT do PCI DSS without the CSP!
2. CSP CANNOT make merchant compliant!
The only way is a clear delineation of duties aka … The Control Matrix
PCI Council Says…
“For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.”
How to Scope?
On-prem: as usual
Cloud IaaS environment:
– IaaS systems are in scope: systems, applications, network, devices, hypervisor
– Two-tiered scoping (PCI 2.0 artifact)
• Systems WITH data vs systems that touch/manage systems with data
Think “outsourced datacenter+”
How to Get Compliant? One Approach!!
1. Pretend all IaaS infrastructure is YOUR ON-PREMISE network
2. Plan PCI DSS controls for it
3. Realize which controls you CANNOT do since it is really NOT an on-prem network and you don’t control some domains (e.g. physical)
– Then have a talk with the provider on whether THEY a) CAN and b) WILL cover that
4. Realize which controls DON’T APPLY verbatim to the cloud environment
– Then figure out how to compensate!!
For Example
Project: replace branch servers with IaaS-deployed servers
PCI controls: all on branch server replacement, most on management servers, etc
– Physical? => CSP
– Firewall management => CSP
– Monitoring? => CSP MSSP service ($)
– Web application scanning => Ooops!
How to Stay Compliant?
Keep testing the CSP PCI-OK status and check the matrix for missing controls
PAN Flow
Compliance Evidence
What to show to QSA?
Evidence of ALL controls – yours and the CSP’s
Evidence of ongoing compliance: logging, testing, etc
MUST DO: obtain detailed PCI evidence from CSP for controls that apply to your environment!
Responsibility SPLIT// IaaS PCI
PROVIDER
– Physical
– Network
– Encryption
– Key management
– System security
– Parts of application security
MERCHANT
– Application security
– Scoping
– Monitoring (unless extra $ to CSP)
Example Scenario 3// Control Matrix
PCI DSS Requirement | Merchant: IaaS | Cloud provider: IaaS
Secure application development: R6 | Yes | No
Update OS: RXX | Yes – for guest OS | Yes – for host OS
Log management: R10 | Yes – for guest OS, applications, etc | Yes – for host OS, management systems, etc
Render PANs unreadable: R3.4 | Yes | No (!)
Physical access control: R9 | None | Yes
Vulnerability scanning: R11.2 | Yes – for guest OS | Yes – for host OS, management systems, etc
Penetration tests: R11.3 | Yes – for guest OS, applications | Yes – for physical, host OS, etc
Security policy: R12 | Yes – for PARTS | Yes – for ALL OTHER PARTS
Wireless security: R11.1 | None | Yes
Sidenote// Owner vs Manager
Setting: IaaS provider (EC2 or other)
PCI Requirement: Req 1 firewall management
• CSP OWNS the firewall appliance
• Merchant, CSP, CSP MSSP or 3rd party MANAGES the firewall settings
Who is left holding the PCI bag?
PCI Council Says…
… you go figure it out! :)
Full SAMPLE Matrix Review
This matrix is JUST A SAMPLE
Used here AS AN EXAMPLE
This is NOT YOUR REAL THING
EXAMPLE means “here is what CAN be”
EXAMPLE SAMPLE ILLUSTRATION! :)
Did I mention it is just an example?
How to use the shared PCI control matrix?
The class addendum, EXAMPLE PCI DSS shared control matrix, can be used as follows:
To review one possible control sharing methodology between CSP and merchant
To validate one’s own control sharing
For security discussion with CSPs
As a foundation for one’s control sharing
– with caution!
Notable PCI DSS Requirements to Watch
Requirement 3.4 covers the encryption of stored data.
Requirement 12.8 covers service providers and the matrix
Requirement A covers shared hosting providers
Contract SLA Tips
Case SaaS/“PCI in the cloud”
Clear acceptance of responsibility for “their” controls
Verification of provider controls
Incident response support for data breaches
Common Pitfalls and Key Risks
Failure to test the provider on an ongoing basis
Trusting the provider without evidence
SLA failures: no escalation, evidence sharing, incident response cooperation
Tip: make the SLA as detailed as possible – involve both information security AND legal
Scenario 4// Twice-Cloudy PCI
Merchant – ecommerce or stores
Uses public cloud IaaS provider
Processes cards and possibly stores them as well in the cloud
Uses a dedicated CSP for payment processing (P), NOT hosting CSP (H)
Description
An ecommerce company with seasonally high sales
Uses CSP H, but with payment processing handled by CSP P
Cloud provider P MUST be PCI-OK
Cloud provider H SHOULD be PCI-OK (?)
PAN data processed and stored in the cloud – by CSP P
Scenario 4// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Should CSP H be PCI compliant?
Can merchant be PCI compliant if CSP H is NOT?
This is VERY COMMON…
… but there is A LOT OF DEVIL in the details :)
Example// Cloud Sites by Rackspace
Example// Microsoft Azure
Official Azure FAQ (2011)
Q: “Can you host PCI (e.g. credit card) data [on Azure]?
A: Microsoft makes no claim regarding these standards for 3rd party hosting. There are ways to develop cloud based applications to use 3rd party PCI data processors that may keep the cloud application itself out of scope.”
Bonus question: where does here point?
How to Assess?
Key: Contain Toxic (=PCI) Data In “Special Clouds”, Don’t Taint Your IaaS!
The logic here is to offload all (if possible) operations with PANs to a payment provider
How to Scope?
On-prem: as usual
Don’t SCOPE – KILL the scope to nothing in the cloud
Minimize “rogue PANs”
Huh? Toxic What?
Three basic FACTS:
1. If neither Merchant nor CSP can see payment data, there is a tiny scope of PCI for them (*)
2. If CSP cannot see the data, but Merchant can, then this is a traditional on-prem PCI environment
3. The more the payment provider takes on, the better: PCI stays in their cloud
Example// PayPal API
“With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.”
Will they really sign such an agreement?
Example// Amazon FPS
Perfect “cloud shield”: “As a part of Amazon Payments' services you [=merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, “Cardholder Data”).”
Example// Rackspace “Compliant” Cloud
How to Get and Stay Compliant?
1. Avoid PANs
2. Engineer the payment chain to avoid having PANs in CSP H and your own environment
3. Verify CSP P compliant status (duh!)
How to Stay Compliant?
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Compliance Evidence
What to show to QSA?
Evidence of zero scope
– Data flow, system architecture, etc
Evidence of CSP P PCI compliance
Responsibility SPLIT// IaaS PCI
CSP H
– Nothing
MERCHANT
– Application security (maybe)
– Provider management
– Others as deployed
CSP P
– All PCI Controls
PCI Council Says…
… you go figure it out! :)
Notable PCI DSS Requirements to Watch
Possibly none
– if no merchant ID and no relationship with acquirer
Requirement 12.8 covers service providers
Common Pitfalls, Risks and SLA Tips
PAN leakage, temporary files and other artifacts of bad coding of payment provider APIs
Web application attacks that redirect the PAN flow to the attacker
Crash dumps with PANs
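Scenario 4’s “zero scope” only holds if the “rogue PANs” named above (leaked into logs, temporary files and crash dumps) are actually found. The following Python scanner is an added example, not part of the CSA courseware: it pulls candidate card numbers out of text, keeps only Luhn-valid ones so order IDs and timestamps drop out, and reports them masked; the log lines are constructed, and 4111… and 5500… are the standard Visa/Mastercard test numbers.

```python
"""Rogue-PAN scanner for logs, temporary files and crash dumps.

Added example, not CSA courseware. Scenario 4's "zero scope" only holds if no
PAN leaks into the merchant's or CSP H's environment, so this scans text for
candidate card numbers, keeps only Luhn-valid ones (order IDs and timestamps
drop out) and reports them masked so the report itself holds no full PAN.
The log lines below are constructed; 4111... and 5500... are the well-known
Visa/Mastercard test card numbers.
"""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits, optionally separated by single spaces or dashes; the
# lookarounds stop a match from starting or ending inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """First 6 / last 4 masking, the most PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str
    redacted_line: str   # the offending line with every PAN masked


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN, never the PAN itself."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        redacted = line
        hits = []
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(digits)
                redacted = redacted.replace(m.group(), mask(digits))
        findings.extend(Finding(n, mask(d), redacted) for d in hits)
    return findings


# Constructed sample: a gateway debug log of the kind a payment-API integration
# might leave behind. Line 1 carries a 16-digit order id (fails Luhn); line 4
# shows a correctly masked stored value that must not be flagged.
SAMPLE_LOG = """\
2011-06-01 10:22:33 INFO  order=1234567890123456 status=captured
2011-06-01 10:22:34 DEBUG gateway request: pan=4111111111111111 exp=1214
2011-06-01 10:22:35 DEBUG retry payload: {"card":"5500 0000 0000 0004"}
2011-06-01 10:22:36 INFO  stored token=tok_8f3a masked=411111******1111
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan}  <- {f.redacted_line}")
```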
Scenario 5// PaaS PCI
Merchant – ecommerce or stores
Uses public cloud PaaS provider
Processes cards and possibly stores them as well in the cloud
PaaS… Come Again?
PaaS is EXACTLY between IaaS and SaaS
IaaS: OS, VM, networks, etc
SaaS: application
What’s in between? An environment for application development … PaaS
Description
A major ecommerce website
Uses CSP for a broad spectrum of tasks, including payments
Cloud provider MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud
Merchant does NOT control the OS/VMs at the CSP
Scenario 5// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Must the provider be PCI-OK? Can the merchant be PCI-OK if the CSP is not? What must the merchant do because the provider cannot do it?
How to Assess?
Key: Need to Understand Your CSP… Really Well
Decision Time
If PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete “3rd party payment takeover” -> Scenario 4
If PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3
How to Scope?
On-prem: as usual
Cloud PaaS environment:
– PaaS systems are in scope: systems, applications, network, devices, hypervisor
– Two-tiered scoping (PCI 2.0 artifact)
• Systems WITH data vs systems that touch/manage systems with data
Think “outsourced IT-”
How to Get Compliant? One Approach!!
1. Review which controls the PaaS CSP will handle for you
2. Check which PCI DSS controls they cannot ever handle
– Example: your security policy, awareness training for your employees (BTW, they should – for theirs)
3. Create the matrix and verify with the CSP
– Request additional information from them as needed
4. Deploy additional controls where needed and where prudent
For Example
Project: replace marketing analytics application that uses PAN with PaaS-deployed application
PCI controls: all on the application, most on management servers, etc
– Web application scanning => Merchant
– All others => CSP
Decision: move the payment data off CSP and “off PCI” you go
How to Stay Compliant?
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Compliance Evidence
What to show to QSA?
Evidence of ALL controls – yours and the CSP’s
MUST DO: obtain detailed PCI evidence from CSP for controls that apply to your environment!
Responsibility SPLIT// PaaS PCI
PROVIDER
– Application platform security
– Physical
– Network
– Encryption
– Key management
– System security
MERCHANT
– Application security
– Scoping
– Monitoring (unless extra $ to CSP)
Example Scenario 5// Control Matrix
PCI DSS Requirement | Merchant: PaaS user | Cloud provider: PaaS
Secure application development: R6 | Yes | Yes (for platform)
Update OS: RXX | No | Yes
Log management: R10 | Yes – application logs | Yes – everything else (or data provided to merchant!)
Render PANs unreadable: R3.4 | Yes | Yes – where it touches their environment
Physical access control: R9 | No | Yes
Vulnerability scanning: R11.2 | No | Yes
Penetration tests: R11.3 | Yes – application level | Yes – for physical, network, application, etc
Security policy: R12 | Yes – applicable | Yes – for the rest
Wireless security: R11.1 | No | Yes
Notable PCI DSS Requirements to Watch
Requirement 1 Firewall architecture (“cloud networks are flat”)
Requirement 4.1 “Use strong cryptography and security protocols”
– Intra-CSP traffic may be seen as public
Requirement 6.1 patch management is joint, and needs to be done by both
Requirement 12.8 covers service providers and the matrix
Contract SLA Tips
Clear acceptance of responsibility for “their” controls
Verification of provider controls
Incident response support for data breaches
Common Pitfalls and Key Risks
Failure to test the provider on an ongoing basis
SLA failures: no escalation, evidence sharing, incident response cooperation
Scenario 6// Tiered PCI
Merchant – ecommerce or stores
Uses public cloud PaaS or SaaS provider …
… who uses public IaaS provider
Processes cards and possibly stores them … somewhere :)
Description
A major ecommerce website
Uses CSP for a broad spectrum of tasks, including payments
Their provider uses another cloud provider
Some cloud providers MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud
Scenario 6// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Must the provider be PCI-OK? Must their provider’s provider be PCI-OK? Can the merchant be PCI-OK if some CSPs are not?
Tiered Merchant Example
Merchant uses CSP (SaaS) that uses Amazon EC2 (IaaS)
A public Amazon case study: http://aws.amazon.com/solutions/case-studies/36boutiques/
How to Assess?
Key: The Matrix … Must Have No Holes, Again
… but there are more dimensions now
Your CSP’s CSP is NOT your CSP!
… and know that some controls are NOT implemented by your CSP; they simply “trust their CSP assertions”
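The “matrix must have no holes” rule from Scenario 3 and the tiered twist above, where a CSP covers a control only by trusting its own CSP, can both be checked mechanically. This Python check is an added example, not part of the CSA courseware or its sample matrix: the party names, the “IaaS provider” upstream and the requirement rows are constructed sample data modelled on the Scenario 3 control matrix.

```python
"""Shared-responsibility (control) matrix check for PCI DSS in the cloud.

Added example, not CSA courseware. Models a merchant/CSP control matrix of the
kind shown on the Scenario 3 slide and applies the rule the slides repeat:
the matrix must have no holes. Party names, the "IaaS provider" upstream and
the requirement rows below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

YES, NO, NA, DELEGATED = "yes", "no", "n/a", "delegated"


@dataclass(frozen=True)
class Cell:
    """One party's position on one PCI DSS requirement."""
    status: str                      # YES / NO / NA / DELEGATED
    evidence: bool = False           # QSA-ready evidence obtained from this party?
    delegate: Optional[str] = None   # for DELEGATED: the upstream party relied upon


# requirement label -> party -> Cell
Matrix = Dict[str, Dict[str, Cell]]


def find_holes(matrix: Matrix) -> List[str]:
    """Requirements that no party in the matrix actually implements.

    A DELEGATED cell does not count as implementation ("your CSP's CSP is NOT
    your CSP"): only a YES from a party that is itself in the matrix closes a row.
    """
    return sorted(req for req, cells in matrix.items()
                  if not any(c.status == YES for c in cells.values()))


def find_unevidenced(matrix: Matrix) -> List[Tuple[str, str]]:
    """(requirement, party) pairs where a party claims YES but supplied no evidence.

    The slides call this "trusting the provider without evidence": a YES the
    merchant cannot show to a QSA is not yet a control the merchant can rely on.
    """
    return sorted((req, party) for req, cells in matrix.items()
                  for party, c in cells.items()
                  if c.status == YES and not c.evidence)


def find_unresolved_delegations(matrix: Matrix) -> List[Tuple[str, str, str]]:
    """Tiered case: a party covers a control only by trusting an upstream CSP.

    The delegation resolves only if the upstream party sits in the same row
    with an evidenced YES; otherwise (requirement, party, upstream) is reported.
    """
    out = []
    for req, cells in matrix.items():
        for party, c in cells.items():
            if c.status != DELEGATED:
                continue
            upstream = cells.get(c.delegate or "")
            if upstream is None or upstream.status != YES or not upstream.evidence:
                out.append((req, party, c.delegate or "?"))
    return sorted(out)


def assess(matrix: Matrix) -> Dict[str, list]:
    """Run all three checks; an all-empty report means the matrix has no holes."""
    return {
        "holes": find_holes(matrix),
        "unevidenced": find_unevidenced(matrix),
        "unresolved_delegations": find_unresolved_delegations(matrix),
    }


# Constructed sample: Scenario 3 rows from the slide plus two tiered (Scenario 6) rows.
SAMPLE: Matrix = {
    "R6 Secure application development": {
        "Merchant": Cell(YES, evidence=True),
        "CSP": Cell(NO),
    },
    "R3.4 Render PANs unreadable": {
        "Merchant": Cell(YES, evidence=True),
        "CSP": Cell(NO),                         # "No (!)" on the slide: merchant owns it
    },
    "R10 Log management": {
        "Merchant": Cell(YES, evidence=True),    # guest OS, applications
        "CSP": Cell(YES, evidence=True),         # host OS, management systems
    },
    "R9 Physical access control": {
        "Merchant": Cell(NA),
        "CSP": Cell(YES),                        # claimed, but evidence not yet obtained
    },
    "Web application scanning": {                # the slide's "Ooops!": nobody does it
        "Merchant": Cell(NO),
        "CSP": Cell(NO),
    },
    "R11.1 Wireless security": {                 # tiered: CSP relies on its own IaaS CSP,
        "Merchant": Cell(NA),                    # and that upstream IS in the matrix
        "CSP": Cell(DELEGATED, delegate="IaaS provider"),
        "IaaS provider": Cell(YES, evidence=True),
    },
    "R1 Firewall management": {                  # tiered: upstream never made it into the matrix
        "Merchant": Cell(NO),
        "CSP": Cell(DELEGATED, delegate="IaaS provider"),
    },
}

if __name__ == "__main__":
    for check, items in assess(SAMPLE).items():
        print(f"{check}: {items or 'none'}")
```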
How to Scope?
Worst case: FORGET IT! :) We can never figure it out…
… reality …
Best case: payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with payment provider)
We went through six PCI-in-the-cloud scenarios!
Ahhhhhh……
Exercise// How to Comply/Assess?
Business: ecommerce
Setup: uses CSP for web hosting and all application hosting, accepts payment cards, sells to consumers
Challenge: we are a QSA they hired to “get them compliant”
Next steps?
What do the scenarios teach us about PCI and cloud?
1. “Kill the scope” works in the cloud as well
2. It is better to have the payment processor handle more and merchant/CSP handle less of the PCI burden
3. CSP may do it, but MERCHANT is responsible and needs to validate it
4. Finally, we CAN have PCI in the cloud!
Final Recommendations
Follow the scenarios as templates for your projects
Learn to scope in the cloud
Make a matrix of shared responsibility (and “keep it with you at all times” :) )
Remember: MERCHANT is on the hook, even if CSP does it (as per PCI DSS)
Requirement 12.8 is NOT “a punt”
Additional Tips from Past Class Discussions
Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc
Involve legal in SLA and other discussions about regulated data in the cloud (!)
Scan for YOUR sensitive data being put in the cloud by business partners – in THEIR clouds
“Trust but verify” principle MUST be applied to your CSP
Any Lessons from the Audience?
Anything “juicy” I missed, to conclude?
A one-liner version?
If you can get rid of the PANs in the cloud, DO IT!
Questions?
Thanks for Your Review!
Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials:
Walt Conway @ 403 Labs
Martin McKeay @ Verizon
Mike Dahn @ PWC
Doug Barbin @ BrightLine
Jason Chan @ Netflix
Additional Materials
In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class.
Go to www.cloudsecurityalliance.org for the latest information on our educational resources
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 

5787355.ppt

  • 11. PCI in the Cloud... In the Media
    ….bla bla …. bla bla ….. PCI DSS…. ….. The Cloud……… cloud…..bla…cloud… ….bla bla…… compliant ..……cloud. ……cloud…..bla bla……possible ………. ……cloud……….. bla bla………cloud ….. as long as no cardholder data is in the cloud… bla bla…………………………..
  • 13. Quick Reality Check
  • 14. Cloud?
  • 15. PCI DSS?
  • 16. Together?
  • 17. DISCUSSION!
  • 19. Why is PCI Here?
    Criminals need money
    Credit cards = MONEY
    Where are the most cards? In computers.
    Data theft grows and reaches HUGE volume.
    Some organizations still don’t care… especially if the loss is not theirs
    PAYMENT CARD BRANDS ENFORCE DSS!
  • 20. Laggards vs. Leaders
    Issue: many merchants don’t even want to “grow up” to the floor of security
    Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation
    Action: PCI DSS mandate!
  • 21. What is PCI DSS or PCI?
    Payment Card Industry Data Security Standard
    Payment Card =
    Payment Card Industry =
    Data Security =
    Data Security Standard =
  • 22. PCI DSS: Basic Security Practices!
    Build and Maintain a Secure Network
      • Install and maintain a firewall configuration to protect data
      • Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
      • Protect stored data
      • Encrypt transmission of cardholder data and sensitive information across public networks
    Maintain a Vulnerability Management Program
      • Use and regularly update anti-virus software
      • Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
      • Restrict access to data by business need-to-know
      • Assign a unique ID to each person with computer access
      • Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
      • Track and monitor all access to network resources and cardholder data
      • Regularly test security systems and processes
    Maintain an Information Security Policy
      • Maintain a policy that addresses information security
  • 23. PCI DSS Domain Coverage … In no particular order:
    Security policy and procedures
    Network security
    Malware protection
    Application security (and web)
    Vulnerability scanning and remediation
    Logging and monitoring
    Security awareness
  • 24. PCI DSS 2.0 is Here! Select items changing for PCI 2.0:
    Scoping clarification
    Data storage
    Virtualization (!!)
    DMZ clarification
    Vulnerability remediation
    Remote data access
  • 25. Does it Apply to Me?
    “PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.”
  • 26. PCI Game: The Players
    PCI Security Standards Council
  • 27. PCI Regime vs DSS Guidance
    The PCI Council publishes PCI DSS
      • Outlined the minimum data security protection measures for payment card data.
      • Defined Merchant & Service Provider Levels, and compliance validation requirements.
      • Left the enforcement to card brands (Council doesn’t fine anybody!)
    Key point: PCI DSS (document) vs PCI (validation regime)
  • 28. My Data – Their Risk!?
    *I* GIVE *YOU* DATA
    *YOU* LOSE IT
    *ANOTHER* SUFFERS!
  • 29. Key Concept// Scoping
  • 30. Sidenote// FLAT NET to FLAT CLOUD
    REALITY: “Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment.” (PCI DSS 2.0)
    DREAM: “Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.”
  • 31. Key Concept// Compliance vs Validation
    Q: What to do after your QSA leaves?
    A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted.
    Use what you built for PCI to reduce risk
    “Own” PCI DSS; make it the basis for your policies
  • 32. Key Concept// Stay Compliant
    Ongoing compliance with PCI DSS – tasks:
    TASK | FREQUENCY
    Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc | Annual
    ASV and internal scans, wireless scans | Quarterly
    File integrity checking | Weekly
    Log and alerts review, other operational procedures | Daily
  • 33. Failing That…
    “Classic” example from my PCI book, co-author Branden Williams
  • 34. Two BIG Approaches to PCI DSS Compliance
    SECURE the data: Encrypt, access control, monitor, block attempts, authenticate, authorize, etc…
    DELETE the data: Organize your business to avoid dealing with the data
    These apply to PCI in the cloud as well!
  • 37. NIST Definition of Cloud Computing
    “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
  • 38. 5 Essential Cloud Characteristics
    1. On-demand self-service
    2. Broad network access
    3. Resource pooling – Location independence
    4. Rapid elasticity
    5. Measured service
  • 39. 3 Cloud Service Models
    1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network
    2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud
    3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources
    To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics
  • 40. 4 Cloud Deployment Models
    Private cloud – Enterprise owned or leased
    Community cloud – Shared infrastructure for specific community
    Public cloud – Sold to the public, mega-scale infrastructure <- our focus in this class!
    Hybrid cloud – Composition of two or more clouds
  • 41. 7 Common Cloud Characteristics
    1. Massive scale
    2. Homogeneity
    3. Virtualization
    4. Resilient computing
    5. Low cost software
    6. Geographic distribution
    7. Service orientation
  • 42. All of this TOGETHER: The Cloud
    Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
    Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
    Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
    Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
  • 43. Example IaaS// Amazon Cloud
    Amazon cloud components
      – Elastic Compute Cloud (EC2)
        • Run your own or Amazon’s OS “instances”
      – Simple Storage Service (S3)
      – SimpleDB
      – Other services
  • 44. Example PaaS// Google App Engine
    Create, deploy and run applications
    NO control (or, in fact, even visibility) of OS
    Use SDK to develop the applications
    Run “natively” in the cloud
  • 45. Example SaaS// Salesforce
    Well-known SaaS CRM application
    Cloud CRM + a lot more applications
  • 46. Example P/IaaS // Azure
    Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
  • 47. Service Model Architectures
    Infrastructure as a Service (IaaS) Architectures: Cloud Infrastructure → IaaS
    Platform as a Service (PaaS) Architectures: Cloud Infrastructure → PaaS; Cloud Infrastructure → IaaS → PaaS
    Software as a Service (SaaS) Architectures: Cloud Infrastructure → SaaS; Cloud Infrastructure → PaaS → SaaS; Cloud Infrastructure → IaaS → PaaS → SaaS
  • 48. Security? Are there …mmm …cloud security issues?
  • 49. Security: Barrier to Adoption?
  • 50. What is Different about Cloud?
  • 51. Security Relevant Cloud Components
    Cloud Provisioning Services
    Cloud Data Storage Services
    Cloud Processing Infrastructure
    Cloud Support Services
    Cloud Network and Perimeter Security
    Elastic Elements: Storage, Processing, and Virtual Networks
  • 52. What is Different about Cloud? Who owns each service layer:
    SERVICE | SaaS | PaaS | IaaS
    Data | Joint | Tenant | Tenant
    Application | Joint | Joint | Tenant
    Compute | Provider | Joint | Tenant
    Storage | Provider | Provider | Joint
    Network | Provider | Provider | Joint
    Physical | Provider | Provider | Provider
  • 53. What is Different about Cloud?
  • 54. What is Different about Cloud?
  • 55. CSA Cloud “Threats”
    1. Abuse & Nefarious Use of Cloud Computing
    2. Insecure Interfaces & APIs
    3. Malicious Insiders
    4. Shared Technology Issues
    5. Data Loss or Leakage
    6. Account or Service Hijacking
    7. Unknown Risk Profile
  • 56. ENISA Cloud Risks
    1. Loss of governance
    2. Lock-in
    3. Isolation failure
    4. Compliance risks
    5. Management interface compromise
    6. Data protection
    7. Insecure or incomplete data deletion
    8. Malicious insider
  • 57. iSEC Realistic Cloud “Threats”
    1. Authentication abuse
    2. Operations breakdown
    3. Misuse of cloud-specific technology
  • 58. FBI Takes Cloud Away
  • 59. Discussion
    What do YOU think are actual, relevant, TRUE threats to cloud computing?
  • 60. While we are “in the cloud”
    Here are some additional CSA/cloud security resources…
  • 61. CSA GRC Stack
    Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
    Control Requirements / Provider Assertions / Private, Community & Public Clouds
  • 62. CSA CloudAudit
    Open standard and API to automate provider audit assertions
    Change audit from data gathering to data analysis
    Necessary to provide audit & assurance at the scale demanded by cloud providers
    Uses Cloud Controls Matrix as controls namespace
    Use to instrument cloud for continuous controls monitoring
  • 63. CSA Cloud Controls Matrix
    Controls derived from guidance
    Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
    Rated as applicable to SaaS/PaaS/IaaS
    Customer vs Provider role
    Help bridge the “cloud gap” for IT & IT auditors
    https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
  • 64. Next?
  • 65. Do We See A Cloud in There?
    Requirement 12.8: “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers…”
    Requirement A.1: “Shared hosting providers must protect the cardholder data environment”
  • 66. Magic of Requirement 12.8
    Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
    A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
    ….…………………. however ………………………
  • 67. Magic of 12.8 Revealed
    “If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that …service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.”
  • 68. Requirement 9// Amazon Example
    Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
    A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
  • 69. June 2011// PCI SSC Virtualization Guidance
    Key Cloud Items: “CSP should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program.”
  • 70. PCI SSC on Cloud Challenges
    “The distributed architectures of cloud environments add layers of technology and complexity to the environment. Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet. The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid. The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. The hosted entity has limited or no oversight or control over cardholder data storage. The hosted entity has no knowledge of “who” they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment”
  • 71. And now… … a brainteaser
  • 72. Requirement 11.3// Pentesting
    “11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification
    11.3.1 Network-layer penetration tests
    11.3.2 Application-layer penetration tests”
    “Cloudify” this for me, please!
  • 73. Audience Poll
    Q: How should we address it?
    A: Only pentest applications with narrow rules
    B: Go full blast and “own” provider’s datacenter
    C: Trust that “they do it”
    D: Hide under our desks and squeal :)
  • 74. Detailed Example// Amazon PCI
    Happy now? “Amazon is PCI OK” Huh?
  • 75. Say What….
    Q: “What does this mean to me as a PCI merchant or service provider?
    A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.”
  • 76. Example// Amazon view of this
  • 77. Example// Amazon Guidance
  • 78. Sidenote// “Compliant” Provider of What?
  • 80. Scenarios Introduction
    In scope for discussion:
      – Public IaaS, PaaS, SaaS
      – Chained or multiple CSPs
    NOT in scope:
      – Traditional hosting providers
      – Outsourced data center or call center
      – Private cloud and virtualization on-prem
      – Virtual private cloud (sort of)
  • 81. Learn Using Scenarios
    Description
    How to assess this scenario / Assessment tips
    How to scope this scenario / Scoping tips
    How to get compliant
    How to stay compliant
    What to show to QSA / compliance evidence
    Notable PCI requirements to watch
    Responsibility split
    Pitfalls, Risks and Tips
  • 82. Key Goal
    DO build a framework for assessing/complying, based on the scenarios
    DO NOT memorize the scenarios, yours might be different or be a combination of these
  • 83. Scenario 1// Clean Cloud
    Merchant – ecommerce or stores
    Use public cloud (SaaS, PaaS, IaaS)
    Cloud environment segmented from CDE
    NO PANs in any cloud environment … or so they think :)
  • 84. Description
    Sells books online
    Level 1 merchant
    Uses cloud provider(s) for testing, training, etc
    Cloud provider NOT PCI-OK
    NO payment data stored in the cloud
    NO payment data processed in the cloud
    NO payment data passed through cloud
  • 85. Scenario 1// Visual
  • 86. Audience Poll
    Q: Can they be PCI DSS compliant?
    A: Yes
    B: No
    C: Cannot tell
  • 87. How to Assess?
    Key: Are they right? Test that PANs didn’t “escape” to Amazon
  • 88. How to Scope?
    On-prem: as usual
    Cloud environment: IaaS: run a discovery tool
    Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs
    Q: What about encrypted PANs?
  • 89. How to Get / Stay Compliant?
    Easy huh: Keep the PANs out of the cloud
    Recheck (via discovery tools) that cloud systems are not contaminated by the PANs
    Look for old PANs, “test” PANs, etc.
  • 90. Compliance Evidence
    What to show to QSA?
    Discovery scan results
    Other data that confirms that PCI data does not get to the cloud systems
    Policies and procedures BANNING card data in the cloud; evidence of people actually following them….
  • 91. Responsibility SPLIT
    PROVIDER: Nothing (not even being PCI compliant)
    MERCHANT: All PCI controls; Scoping; Keeping cloud systems out of scope
  • 92. Contract SLA Tips
    Requirement 12.8 does NOT play
    No SLA in regards to cardholder data
  • 93. Common Pitfalls and Key Risks
    Failing to assure that PANs don’t leak to the cloud
    Failing to maintain “no PANs in the cloud” status
    “Rogue PANs” theft is still CHD theft…
    Tip: run a discovery tool on cloud systems
    Tip: assure segmentation (no data flow from CDE to YOUR cloud)
  • 94. Common PAN Leakage
    Excel spreadsheet on cloud systems
      – Excel spreadsheet on Google Documents
    Application screenshots
    Finance and HR documents with PANs
    Other Office formats with PAN information
    Text dumps from poorly-written/legacy applications
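The “custom script to look for unencrypted PANs” named on the scoping slide, and the recheck for old and “test” PANs from the stay-compliant and pitfalls slides, as an added example that is not part of the CSA courseware: it finds candidate card numbers in text, keeps only Luhn-valid numbers with a known issuer prefix and length, flags widely published test card numbers, and reports truncated values (first six, last four) so the scan output does not itself become cardholder data. The sample text and the test-card list are constructed for this example; the issuer prefix rules are the common ones for Visa, Mastercard, American Express and Discover.

```python
"""PAN discovery for cloud systems that are supposed to hold no cardholder data.

Added example (not CSA courseware): scans text for candidate card numbers,
keeps Luhn-valid numbers with a known issuer prefix/length, flags widely
published test PANs, and reports only truncated values (first six / last four).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (cuts down hits in hashes and request ids).
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Widely published test card numbers. Finding one is a policy problem
# ("test" PANs on cloud systems) rather than a breach, but it still must go.
_TEST_PANS = {
    "4111111111111111", "4012888888881881",   # Visa
    "5555555555554444", "5105105105105100",   # Mastercard
    "378282246310005", "371449635398431",     # American Express
    "6011111111111117",                       # Discover
}


@dataclass
class Finding:
    line_no: int
    masked: str      # first six and last four digits only; never the full PAN
    brand: str
    is_test: bool


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Map a digit string to an issuer using well-known prefix and length rules."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "mastercard"
    if two in (34, 37) and n == 15:
        return "amex"
    if (four == 6011 or two == 65) and 16 <= n <= 19:
        return "discover"
    return None


def mask(digits: str) -> str:
    """Truncate to first six / last four so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Find cleartext PANs in text. Encrypted or already-masked values are not seen."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = brand_of(digits)
            if brand is None or not luhn_ok(digits):
                continue        # numeric noise (ids, hashes), not a card number
            findings.append(Finding(line_no, mask(digits), brand, digits in _TEST_PANS))
    return findings


# Constructed sample resembling files that leak PANs onto cloud systems
# (spreadsheets, legacy text dumps). The card numbers are published test
# cards plus one generated Luhn-valid value, not real accounts.
SAMPLE = """\
order_id=1001 customer=J. Doe card=4111 1111 1111 1111 exp=12/14
invoice 2231 paid with 5555-5555-5555-4444 (training deck)
legacy dump: 378282246310005|approved|2011-03-04
qa export: 4532015112830366,APPROVED,2011-05-19
masked for support ticket: 411111******1111
request id: 1234567890123456 (fails Luhn, no issuer prefix)
sha1: 5787355a9f0c3e2d1b4c6e8f0a1b2c3d4e5f6a7b
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        kind = "TEST PAN" if f.is_test else "PAN"
        print(f"line {f.line_no}: {kind} {f.brand} {f.masked}")
```

Encrypted PANs (the question on the scoping slide) are invisible to this kind of scan, so a clean result only evidences the absence of cleartext PANs and has to be paired with the key-custody argument from Scenario 2.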
  • 95. © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 2// Storage in the Cloud 97 Merchant – ecommerce or stores Use public cloud (SaaS, PaaS, IaaS) Stores PANs in public cloud environment!
  • 96. © 2011 Cloud Security Alliance, Inc. All rights reserved. Description A chain of stores across the US West Level 2 merchant Uses cloud provider(s) for testing, training, backup systems, data storage, etc Cloud provider MAY BE PCI-OK PAN data stored in the cloud PAN data transmitted through cloud NO payment data processed in the cloud 98
  • 97. © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 2// Visual 99
  • 98. © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 100 Audience Poll A: Yes C: Cannot tell B: No What about their service provider(s)? Must they be PCI-OK for merchant to be PCI-OK? Bonus question: What about their CSPs’ CSP?
  • 99. © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Encryption AND/OR Provider PCI Status Case #1: Unencrypted PANs at CSP => no PCI compliance possible Case #2: Encrypted with provider having the key => provider must be PCI-OK Case #3: Encrypted with provider NOT having the key => presumably, provider may be NOT PCI-OK 101
  • 100. © 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? What does it mean? IaaS (e.g. VMs in the cloud, EC2 instances, etc) = likely case #3 Merchant deals with PCI DSS, provider may not know anything about it No unencrypted data possible in/across the cloud NO WAY for CSP to decrypt the data Reminder: scan for unintended cloud PANs 102
  • 101. © 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? What does it mean? Part II SaaS or PaaS (e.g SalesForce, etc) = likely case #2 Provider MUST be PCI-OK Merchant and CSP share PCI responsibilities CSP encrypts the data AND/OR can decrypt it 103
  • 102. © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud environment: – IaaS (case #2) • Cloud environment can be claimed to be out of scope (if CSP has NO key!!!) • Merchant is responsible for all controls • Look for unintentional PANs – SaaS and maybe PaaS (case #3) • Cloud environment IS in scope • Controls shared between CSP and Merchant 104
  • 103. © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware. In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations. In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.” 105
• 104. How to Get Compliant? 1. Realize which scenario you are in, then either a) ensure CSP cooperation and PCI-OK status (see matrix) (“PCI in cloud”: SaaS/PaaS), or b) encrypt all PANs and prevent the provider from ever having the key (“no PCI in cloud”: IaaS). 2. In case a), build the control matrix and test it.
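Step 1b above (and Requirement 3.4, which slide 111 points at) in working form, as an added example that is not part of the class materials or any provider's code: the merchant renders the PAN unreadable with a key that never leaves its own environment, so what reaches the CSP is a keyed one-way token plus the last four digits and nothing a card brand would call a PAN. The key source, the record layout and the well-known brand test PAN are assumptions for illustration; in production the key lives in an HSM or key manager under the merchant's control (Requirements 3.5 and 3.6), never on the cloud instance beside the data.

```python
"""Render PANs unreadable before they reach a CSP that has no key.

Added example for the 'no PCI in cloud' (IaaS, case #3) path; it is
not code from the class or from any provider. Constants, record layout
and the test PAN are assumptions for illustration only.
"""
import hashlib
import hmac
import re
import secrets

# 13 to 19 digits is the PAN length range used by the card brands.
PAN_RE = re.compile(r"^\d{13,19}$")


def new_merchant_key() -> bytes:
    """256-bit key generated and kept on the merchant side only.

    Assumption: in production this comes from an HSM or key manager the
    CSP cannot reach; it must never be pushed to the cloud with the data.
    """
    return secrets.token_bytes(32)


def truncate(pan: str) -> str:
    """PCI DSS 3.4 truncation: first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize(pan: str, key: bytes) -> str:
    """Keyed one-way function over the ENTIRE PAN (HMAC-SHA256).

    An unkeyed hash would let a CSP holding the store enumerate the
    roughly 10^9 account numbers behind a known BIN; the key removes
    that option for anyone who does not have it.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def cloud_record(pan: str, key: bytes) -> dict:
    """Everything the merchant lets the CSP store for this card.

    Only the token and the last four digits go to the cloud; the full
    PAN and the truncated form stay on the merchant side.
    """
    if not PAN_RE.match(pan):
        raise ValueError("not a PAN-shaped value")
    return {"token": tokenize(pan, key), "last4": pan[-4:]}


def same_card(pan: str, record: dict, key: bytes) -> bool:
    """Repeat-customer match, done where the key lives (merchant side)."""
    return hmac.compare_digest(tokenize(pan, key), record["token"])


if __name__ == "__main__":
    key = new_merchant_key()
    rec = cloud_record("4111111111111111", key)   # published test PAN, not a real card
    print("stored at CSP:", rec)
    print("merchant display:", truncate("4111111111111111"))
    print("returning card?", same_card("4111111111111111", rec, key))
```

Because the CSP never sees `key`, a stolen copy of the cloud store is tokens and last-four digits, not cardholder data, while the merchant can still recognise a returning card with `same_card`. Truncation and the keyed token are kept apart on purpose: the first-six/last-four form stays on the merchant side for display, and the two are not stored side by side where they could be combined to narrow the PAN.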
• 105. How to Stay Compliant? Either keep testing the CSP PCI-OK status and check the matrix for missing controls, or keep encrypting, keep preventing the provider from seeing the key, and keep testing for “rogue PANs”.
• 106. Compliance Evidence. What to show to the QSA? By case: the CSP PCI status plus additional evidence of how they do PCI DSS; or proof of your scoping decision to exclude the cloud due to encryption, plus evidence of all other PCI controls, of course.
• 107. Responsibility SPLIT// IaaS / No Cloud PCI / Encryption. PROVIDER: nothing (may not even be PCI compliant). MERCHANT: all PCI controls; encryption + key management; scoping; keeping cloud systems out of scope.
• 108. Responsibility SPLIT// SaaS / Cloud PCI provider. PROVIDER: security policy; physical; network; encryption; key management; system security; parts of application security. MERCHANT: security policy; application security; scoping; monitoring (unless extra $ to the CSP).
• 109. Example Scenario 2// Control Matrix
PCI DSS Requirement                | Merchant                                                | Cloud provider
Secure application development: R6 | IaaS, PaaS                                              | SaaS
Update OS: R6                      | IaaS (joint)                                            | IaaS (joint), PaaS, SaaS
Log management: R10                | IaaS (joint), PaaS (joint)                              | IaaS (joint), PaaS (joint), SaaS
Render PANs unreadable: R3.4       | IaaS; maybe PaaS                                        | SaaS; maybe PaaS
Physical access control: R9        | None                                                    | IaaS, PaaS, SaaS
Vulnerability scanning: R11.2      | IaaS (joint, per system), PaaS (joint)                  | IaaS (joint), PaaS (joint), SaaS
Penetration tests: R11.3           | IaaS (joint), PaaS (joint), SaaS (joint); degree varies | IaaS (joint), PaaS (joint), SaaS (joint); degree varies
Security policy: R12               | IaaS, PaaS, SaaS (all joint)                            | IaaS, PaaS, SaaS (all joint)
Wireless security: R11.1           | None                                                    | IaaS, PaaS, SaaS
• 110. Ooops! The merchant uses IaaS, manages the systems and encrypts the data (so far, case “No Cloud PCI”)… but SHARES THE KEY WITH THE CSP! What now?
• 111. Notable PCI DSS Requirements to Watch. Requirement 3.4 covers rendering stored PANs unreadable (encryption, hashing, truncation, tokens). Requirement 12.8 covers service providers and the matrix. Appendix A covers shared hosting providers.
• 112. Contract / SLA Tips. Case SaaS / “PCI in the cloud”: clear acceptance of responsibility for “their” controls; verification of provider controls; incident response support for data breaches.
• 113. PCI Council Says… “The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.”
• 114. Common Pitfalls and Key Risks. For the IaaS / no PCI in cloud / encryption case: assurance that the provider is NOT able to decrypt the data. For SaaS / PCI in cloud: failure to test the provider on an ongoing basis. SLA failures: no escalation, no evidence sharing, no incident response cooperation. “Finger pointing”.
• 115. Scenario 3// IaaS PCI. Merchant: ecommerce or stores. Uses a public cloud IaaS provider. Processes cards and possibly stores them as well in the cloud.
• 116. Description. A global airline with physical and online purchases. Uses a CSP for a broad spectrum of payment tasks. The cloud provider MUST be PCI-OK. PAN data is stored in the cloud, passed through the cloud and processed in the cloud, all at the same provider!
• 117. Scenario 3// Visual
• 118. Audience Poll. Q: Can they be PCI DSS compliant? A: Yes. B: No. C: Cannot tell. Who is doing what for the merchant to be PCI-OK? Bonus question: what about their SP’s SP’s SP?
• 119. How to Assess? Key: the matrix… must have no holes. ALL PCI DSS controls are in place for all layers of the cloud environment, and somebody must… pay for it.
• 120. Secret to PCI In the Cloud
• 121. Huh? The Matrix? Two basic FACTS: 1. The merchant CANNOT do PCI DSS without the CSP! 2. The CSP CANNOT make the merchant compliant! The only way is a clear delineation of duties, aka… the Control Matrix.
• 122. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.”
• 123. How to Scope? On-prem: as usual. Cloud IaaS environment: – IaaS systems are in scope: systems, applications, network, devices, hypervisor – two-tiered scoping (a PCI DSS 2.0 artifact) • systems WITH data vs systems that touch/manage the systems with data. Think “outsourced datacenter+”.
• 124. How to Get Compliant? One approach!! 1. Pretend all IaaS infrastructure is YOUR ON-PREMISE network. 2. Plan PCI DSS controls for it. 3. Realize which controls you CANNOT do, since it is really NOT an on-prem network and you don’t control some domains (e.g. physical) – then have a talk with the provider on whether THEY a) CAN and b) WILL cover those. 4. Realize which controls DON’T APPLY verbatim to the cloud environment – then figure out how to compensate!!
• 125. For Example. Project: replace branch servers with IaaS-deployed servers. PCI controls: all on the branch server replacement, most on management servers, etc. – Physical? => CSP – Firewall management => CSP – Monitoring? => CSP MSSP service ($) – Web application scanning => Ooops!
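The “no holes” test from slides 119 and 121, applied to a project list like the one above, as an added example (not the class addendum matrix and not any real CSP’s assignments): the matrix is encoded as data and checked for controls nobody performs (the “Ooops!” row) and for controls where one side says “joint” and the other says “no”, which is the finger-pointing case. The rows are a constructed sample in the style of the Scenario 3 slides; the requirement numbers are the PCI DSS v2.0 ones the slides name, plus 6.6 for web application scanning.

```python
"""Check a shared PCI DSS control matrix for holes and disputes.

Added example; the rows are a constructed sample in the style of the
Scenario 3 (IaaS) slides, not the class addendum and not any real CSP.
Each row records what each party performs: "yes", "no" or "joint".
"""
from typing import Dict, List, Tuple

Assignment = Tuple[str, str]          # (merchant, provider)
VALID = {"yes", "no", "joint"}

SAMPLE_MATRIX: Dict[str, Assignment] = {
    "R1 firewall configuration":          ("no", "yes"),
    "R3.4 render stored PANs unreadable": ("yes", "no"),
    "R6.1 patch guest OS":                ("yes", "no"),
    "R6.1 patch host OS and hypervisor":  ("no", "yes"),
    "R6.6 web application scanning":      ("no", "no"),     # the "Ooops!" row
    "R9 physical access control":         ("no", "yes"),
    "R10 log management":                 ("joint", "joint"),
    "R11.2 vulnerability scanning":       ("joint", "joint"),
    "R11.3 penetration testing":          ("joint", "no"),  # merchant assumes help the CSP never agreed to
    "R12 security policy":                ("joint", "joint"),
}


def validate(matrix: Dict[str, Assignment]) -> None:
    """Reject rows that use anything other than yes/no/joint."""
    bad = [req for req, pair in matrix.items() if any(v not in VALID for v in pair)]
    if bad:
        raise ValueError(f"unrecognised assignment in: {bad}")


def find_holes(matrix: Dict[str, Assignment]) -> List[str]:
    """Controls nobody performs: these fail the assessment outright."""
    return [req for req, (m, p) in matrix.items() if m == "no" and p == "no"]


def find_disputed(matrix: Dict[str, Assignment]) -> List[str]:
    """One side says joint, the other says no: finger-pointing in waiting."""
    return [req for req, (m, p) in matrix.items() if {m, p} == {"joint", "no"}]


def evidence_owners(matrix: Dict[str, Assignment]) -> Dict[str, List[str]]:
    """Who must hand the QSA evidence for each control (both, for joint)."""
    owners: Dict[str, List[str]] = {}
    for req, (m, p) in matrix.items():
        who = []
        if m in ("yes", "joint"):
            who.append("merchant")
        if p in ("yes", "joint"):
            who.append("provider")
        owners[req] = who
    return owners


def matrix_is_complete(matrix: Dict[str, Assignment]) -> bool:
    """True only when every control has an owner and no row is disputed."""
    validate(matrix)
    return not find_holes(matrix) and not find_disputed(matrix)


if __name__ == "__main__":
    print("holes:", find_holes(SAMPLE_MATRIX))
    print("disputed:", find_disputed(SAMPLE_MATRIX))
    print("complete?", matrix_is_complete(SAMPLE_MATRIX))
```

Run `find_holes` and `find_disputed` against your own matrix before the QSA does; `evidence_owners` is the list of who has to produce what, which is also the list of parties the SLA must oblige to share evidence.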
• 126. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls.
• 127. PAN Flow
• 128. Compliance Evidence. What to show to the QSA? Evidence of ALL controls, yours and the CSP’s. Evidence of ongoing compliance: logging, testing, etc. MUST DO: obtain detailed PCI evidence from the CSP for the controls that apply to your environment!
• 129. Responsibility SPLIT// IaaS PCI. PROVIDER: physical; network; encryption; key management; system security; parts of application security. MERCHANT: application security; scoping; monitoring (unless extra $ to the CSP).
• 130. Example Scenario 3// Control Matrix
PCI DSS Requirement                | Merchant: IaaS                         | Cloud provider: IaaS
Secure application development: R6 | Yes                                    | No
Update OS: R6                      | Yes, for the guest OS                  | Yes, for the host OS
Log management: R10                | Yes, for the guest OS, applications, etc. | Yes, for the host OS, management systems, etc.
Render PANs unreadable: R3.4       | Yes                                    | No (!)
Physical access control: R9        | None                                   | Yes
Vulnerability scanning: R11.2      | Yes, for the guest OS                  | Yes, for the host OS, management systems, etc.
Penetration tests: R11.3           | Yes, for the guest OS and applications | Yes, for physical, host OS, etc.
Security policy: R12               | Yes, for PARTS                         | Yes, for ALL OTHER PARTS
Wireless security: R11.1           | None                                   | Yes
• 131. Sidenote// Owner vs Manager. Setting: IaaS provider (EC2 or other). PCI requirement: Req 1, firewall management. • The CSP OWNS the firewall appliance. • The merchant, the CSP, the CSP’s MSSP or a 3rd party MANAGES the firewall settings. Who is left holding the PCI bag?
• 132. PCI Council Says… … you go figure it out!
• 133. Full SAMPLE Matrix Review. This matrix is JUST A SAMPLE, used here AS AN EXAMPLE. This is NOT YOUR REAL THING. EXAMPLE means “here is what CAN be”. EXAMPLE, SAMPLE, ILLUSTRATION! Did I mention it is just an example?
• 134. How to use the shared PCI control matrix? The class addendum, an EXAMPLE PCI DSS shared control matrix, can be used as follows: to review one possible control sharing methodology between CSP and merchant; to validate one’s own control sharing; for security discussions with CSPs; as a foundation for one’s own control sharing (with caution!).
• 135. Notable PCI DSS Requirements to Watch. Requirement 3.4 covers rendering stored PANs unreadable. Requirement 12.8 covers service providers and the matrix. Appendix A covers shared hosting providers.
• 136. Contract / SLA Tips. Case IaaS / “PCI in the cloud”: clear acceptance of responsibility for “their” controls; verification of provider controls; incident response support for data breaches.
• 137. Common Pitfalls and Key Risks. Failure to test the provider on an ongoing basis. Trusting the provider without evidence. SLA failures: no escalation, no evidence sharing, no incident response cooperation. Tip: make the SLA as detailed as possible; involve both information security AND legal.
• 138. Scenario 4// Twice-Cloudy PCI. Merchant: ecommerce or stores. Uses a public cloud IaaS provider. Processes cards and possibly stores them as well in the cloud. Uses a dedicated CSP for payment processing (P), NOT the hosting CSP (H).
• 139. Description. An ecommerce company with highly seasonal sales. Uses CSP H for hosting, with payment processing handled by CSP P. Cloud provider P MUST be PCI-OK. Cloud provider H SHOULD be PCI-OK (?). PAN data is processed and stored in the cloud, by CSP P.
• 140. Scenario 4// Visual
• 141. Audience Poll. Q: Can they be PCI DSS compliant? A: Yes. B: No. C: Cannot tell. Should CSP H be PCI compliant? Can the merchant be PCI compliant if CSP H is NOT?
• 142. This is VERY COMMON… … but there is A LOT OF DEVIL in the details.
• 143. Example// Cloud Sites by Rackspace
• 144. Example// Microsoft Azure. Official Azure FAQ (2011). Q: “Can you host PCI (e.g. credit card) data [on Azure]?” A: “Microsoft makes no claim regarding these standards for 3rd party hosting. There are ways to develop cloud based applications to use 3rd party PCI data processors that may keep the cloud application itself out of scope.” Bonus question: where does “here” point?
• 145. How to Assess? Key: contain toxic (= PCI) data in “special clouds”; don’t taint your IaaS! The logic here is to offload all (if possible) operations with PANs to a payment provider.
• 146. How to Scope? On-prem: as usual. Cloud: don’t SCOPE, KILL the scope down to nothing in the cloud. Minimize “rogue PANs”.
• 147. Huh? Toxic What? Three basic FACTS: 1. If neither the merchant nor the CSP can see payment data, there is only a tiny PCI scope for them (*). 2. If the CSP cannot see the data but the merchant can, then this is a traditional on-prem PCI environment. 3. The more the payment provider takes on, the better: PCI stays in their cloud.
• 148. Example// PayPal API. “With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.” Will they really sign such an agreement?
• 149. Example// Amazon FPS. Perfect “cloud shield”: “As a part of Amazon Payments' services you [= merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, “Cardholder Data”).”
• 150. Example// Rackspace “Compliant” Cloud
• 151. How to Get and Stay Compliant? 1. Avoid PANs. 2. Engineer the payment chain to avoid having PANs in CSP H and in your own environment. 3. Verify CSP P’s compliance status (duh!).
• 152. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls.
• 153. Compliance Evidence. What to show to the QSA? Evidence of zero scope: data flow, system architecture, etc. Evidence of CSP P’s PCI compliance.
• 154. Responsibility SPLIT// Twice-Cloudy PCI. CSP H: nothing. MERCHANT: application security (maybe); provider management; others as deployed. CSP P: all PCI controls.
• 155. PCI Council Says… … you go figure it out!
• 156. Notable PCI DSS Requirements to Watch. Possibly none, if there is no merchant ID and no relationship with an acquirer. Requirement 12.8 covers service providers.
• 157. Common Pitfalls, Risks and SLA Tips. PAN leakage: temporary files and other artifacts of bad coding against payment provider APIs. Web application attacks that redirect the PAN flow to the attacker. Crash dumps with PANs.
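The “scan for unintended cloud PANs” reminder from Scenario 2 (slide 100) and the leakage pitfalls just listed (temp files, crash dumps, debug logs), as an added example that is not part of the class materials: a rogue-PAN scanner that pulls 13 to 19 digit runs, with optional spaces or dashes, out of text and keeps only the ones that pass the Luhn check, reporting each hit masked so the report is not a new leak. The three sample “files” are constructed inline from published brand test numbers (never real cards) so it runs offline; point `scan_text` at the logs, tmp directories and dumps on your cloud instances and at anything the CSP lets you export.

```python
"""Rogue-PAN scanner for logs, temp files and dumps.

Added example; not part of the class materials. Sample inputs are
constructed inline and use only published brand test numbers.
"""
import re
from typing import Dict, List

# 13-19 digits, a single optional space/dash between digits, and not
# part of a longer digit run (so 20-digit IDs are not carved up).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that real PANs satisfy; filters order IDs, timestamps, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report first six / last four only, so the report itself is not a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str) -> List[Dict[str, object]]:
    """Return one hit per Luhn-valid candidate, with source and line number."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append({"source": source, "line": lineno, "masked": mask(digits)})
    return hits


# Constructed sample "files": a web log, a payment retry temp file, a crash dump excerpt.
SAMPLE_FILES = {
    "app.log": (
        "2011-05-01 12:00:01 INFO order=1234567890123456 ok\n"          # 16 digits, fails Luhn
        '2011-05-01 12:00:02 DEBUG request body: {"card": "4111111111111111", "exp": "1213"}\n'
    ),
    "/tmp/payment-retry.tmp": "5500-0000-0000-0004;1213;J. Doe\n",
    "core.dump.txt": "... 0x7f3a: 3782 8224 6310 005 ...\n",
}


def scan_samples() -> List[Dict[str, object]]:
    """Scan every constructed sample file and collect the hits in order."""
    hits: List[Dict[str, object]] = []
    for name, content in SAMPLE_FILES.items():
        hits.extend(scan_text(content, name))
    return hits


if __name__ == "__main__":
    for h in scan_samples():
        print(f"{h['source']}:{h['line']}: {h['masked']}")
```

The order ID on the first log line is the point of the Luhn filter: it is sixteen digits long and would be a false positive for a digits-only regex. The dashed and spaced forms in the temp file and the dump are what application code and memory images actually leak, which is why the candidate pattern tolerates separators.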
• 158. Scenario 5// PaaS PCI. Merchant: ecommerce or stores. Uses a public cloud PaaS provider. Processes cards and possibly stores them as well in the cloud.
• 159. PaaS… Come Again? PaaS is EXACTLY between IaaS and SaaS. IaaS: OS, VMs, networks, etc. SaaS: the application. What’s in between? An environment for application development… PaaS.
• 160. Description. A major ecommerce website. Uses a CSP for a broad spectrum of tasks, including payments. The cloud provider MAY BE PCI-OK. PAN data is stored/passed in the cloud. PAN data is processed in the cloud. The merchant does NOT control the OS/VMs at the CSP.
• 161. Scenario 5// Visual
• 162. Audience Poll. Q: Can they be PCI DSS compliant? A: Yes. B: No. C: Cannot tell. Must the provider be PCI-OK? Can the merchant be PCI-OK if the CSP is not? What must the merchant do because the provider cannot do it?
• 163. How to Assess? Key: need to understand your CSP… really well.
• 164. Decision Time. If the PaaS CSP is NOT PCI-OK (Force.com, Azure), THEN the only way to PCI is a complete “3rd party payment takeover” -> Scenario 4. If the PaaS CSP IS PCI-OK, THEN build the control matrix -> Scenario 3.
• 165. How to Scope? On-prem: as usual. Cloud PaaS environment: – PaaS systems are in scope: systems, applications, network, devices, hypervisor – two-tiered scoping (a PCI DSS 2.0 artifact) • systems WITH data vs systems that touch/manage the systems with data. Think “outsourced IT-”.
• 166. How to Get Compliant? One approach!! 1. Review which controls the PaaS CSP will handle for you. 2. Check which PCI DSS controls they cannot ever handle – example: your security policy, awareness training for your employees (BTW, they should do it for theirs). 3. Create the matrix and verify it with the CSP – request additional information from them as needed. 4. Deploy additional controls where needed and where prudent.
• 167. For Example. Project: replace a marketing analytics application that uses PANs with a PaaS-deployed application. PCI controls: all on the application, most on management servers, etc. – Web application scanning => merchant – All others => CSP. Decision: move the payment data off the CSP and “off PCI” you go.
• 168. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls.
• 169. Compliance Evidence. What to show to the QSA? Evidence of ALL controls, yours and the CSP’s. MUST DO: obtain detailed PCI evidence from the CSP for the controls that apply to your environment!
• 170. Responsibility SPLIT// PaaS PCI. PROVIDER: application platform security; physical; network; encryption; key management; system security. MERCHANT: application security; scoping; monitoring (unless extra $ to the CSP).
• 171. Example Scenario 5// Control Matrix
PCI DSS Requirement                | Merchant: PaaS user       | Cloud provider: PaaS
Secure application development: R6 | Yes                       | Yes (for the platform)
Update OS: R6                      | No                        | Yes
Log management: R10                | Yes, application logs     | Yes, everything else (or log data provided to the merchant!)
Render PANs unreadable: R3.4       | Yes                       | Yes, where PANs touch their environment
Physical access control: R9        | No                        | Yes
Vulnerability scanning: R11.2      | No                        | Yes
Penetration tests: R11.3           | Yes, application level    | Yes, for physical, network, application, etc.
Security policy: R12               | Yes, where applicable     | Yes, for the rest
Wireless security: R11.1           | No                        | Yes
• 172. Notable PCI DSS Requirements to Watch. Requirement 1: firewall architecture (“cloud networks are flat”). Requirement 4.1: “use strong cryptography and security protocols”; intra-CSP traffic may be seen as public. Requirement 6.1: patch management is joint and needs to be done by both. Requirement 12.8 covers service providers and the matrix.
• 173. Contract / SLA Tips. Clear acceptance of responsibility for “their” controls. Verification of provider controls. Incident response support for data breaches.
• 174. Common Pitfalls and Key Risks. Failure to test the provider on an ongoing basis. SLA failures: no escalation, no evidence sharing, no incident response cooperation.
• 175. Scenario 6// Tiered PCI. Merchant: ecommerce or stores. Uses a public cloud PaaS or SaaS provider… … who uses a public IaaS provider. Processes cards and possibly stores them… somewhere.
• 176. Description. A major ecommerce website. Uses a CSP for a broad spectrum of tasks, including payments. Their provider uses another cloud provider. Some of the cloud providers MAY BE PCI-OK. PAN data is stored/passed in the cloud. PAN data is processed in the cloud.
• 177. Scenario 6// Visual
• 178. Audience Poll. Q: Can they be PCI DSS compliant? A: Yes. B: No. C: Cannot tell. Must the provider be PCI-OK? Must their provider’s provider be PCI-OK? Can the merchant be PCI-OK if some CSPs are not?
• 179. Tiered Merchant Example. The merchant uses a CSP (SaaS) that uses Amazon EC2 (IaaS). A public Amazon case study: http://aws.amazon.com/solutions/case-studies/36boutiques/
• 180. How to Assess? Key: the matrix… must have no holes, again… but there are more dimensions now.
• 181. Your CSP’s CSP is NOT your CSP! … and some controls are NOT implemented by your CSP; they simply “trust their CSP’s assertions”.
• 182. How to Scope? Worst case: FORGET IT! We can never figure it out… … reality … Best case: the payment chain is isolated from ALL the CSPs (zero scope for you; all scope is with the payment provider).
• 183. We went through six PCI-in-the-cloud scenarios! Ahhhhhh……
• 184. Exercise// How to Comply/Assess? Business: ecommerce. Setup: uses a CSP for web hosting and all application hosting, accepts payment cards, sells to consumers. Challenge: we are the QSA they hired to “get them compliant”. Next steps?
• 185. What do the scenarios teach us about PCI and cloud? 1. “Kill the scope” works in the cloud as well. 2. It is better to have the payment processor handle more and the merchant/CSP handle less of the PCI burden. 3. The CSP may do it, but the MERCHANT is responsible and needs to validate it. 4. Finally, we CAN have PCI in the cloud!
• 186. Final Recommendations. Follow the scenarios as templates for your projects. Learn to scope in the cloud. Make a matrix of shared responsibility (and “keep it with you at all times”). Remember: the MERCHANT is on the hook, even if the CSP does it (as per PCI DSS). Requirement 12.8 is NOT “a punt”.
• 187. Additional Tips from Past Class Discussions. Use PCI + cloud security thinking for other sensitive data: SSNs, PHI, financials, etc. Involve legal in SLA and other discussions about regulated data in the cloud (!). Scan for YOUR sensitive data being put in the cloud by business partners, in THEIR clouds. The “trust but verify” principle MUST be applied to your CSP.
• 188. Any Lessons from the Audience? Anything “juicy” I missed, to conclude?
• 189. A one-liner version? If you can get rid of the PANs in the cloud, DO IT!
• 190. Questions?
• 191. Thanks for Your Review! Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of the class materials: Walt Conway @ 403 Labs; Martin McKeay @ Verizon; Mike Dahn @ PWC; Doug Barbin @ BrightLine; Jason Chan @ Netflix.
• 192. Additional Materials. In the notes there are links to various useful reading, in addition to the CSA and other sites mentioned in the class. Go to www.cloudsecurityalliance.org for the latest information on our educational resources.