Submit Search
Upload
5787355.ppt
•
Download as PPT, PDF
•
0 likes
•
3 views
A
ahmad21315
Follow
pc dss in the cloud
Read less
Read more
Software
Report
Share
Report
Share
1 of 193
Download now
Recommended
CSA & GRC Stack
CSA & GRC Stack
CloudSecurityAllianceAustralia
Presentation cisco cloud security
Presentation cisco cloud security
xKinAnx
Cloud services and it security
Cloud services and it security
East Midlands Cyber Security Forum
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...
Moshe Ferber
Keys to success and security in the cloud
Keys to success and security in the cloud
Scalar Decisions
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
patmisasi
Cloud Security: A New Perspective
Cloud Security: A New Perspective
Wen-Pai Lu
Understanding the Cloud
Understanding the Cloud
www.datatrak.com
Recommended
CSA & GRC Stack
CSA & GRC Stack
CloudSecurityAllianceAustralia
Presentation cisco cloud security
Presentation cisco cloud security
xKinAnx
Cloud services and it security
Cloud services and it security
East Midlands Cyber Security Forum
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...
Moshe Ferber
Keys to success and security in the cloud
Keys to success and security in the cloud
Scalar Decisions
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
patmisasi
Cloud Security: A New Perspective
Cloud Security: A New Perspective
Wen-Pai Lu
Understanding the Cloud
Understanding the Cloud
www.datatrak.com
Transforming cloud security into an advantage
Transforming cloud security into an advantage
Moshe Ferber
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
Ciente
Cisco Powered Presentation - For Customers
Cisco Powered Presentation - For Customers
Cisco Powered
Securing Sensitive Data in Your Hybrid Cloud
Securing Sensitive Data in Your Hybrid Cloud
RightScale
Will your cloud be compliant
Will your cloud be compliant
Evgeniya Shumakher
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
Sweta Kumari Barnwal
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
Cloud Computing Security Frameworks - our view from exoscale
Cloud Computing Security Frameworks - our view from exoscale
Antoine COETSIER
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Stefaan Van daele
Cloud Computing and the Promise of Everything as a Service
Cloud Computing and the Promise of Everything as a Service
Lew Tucker
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
Cloud Standards Customer Council
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Standards Customer Council
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
UnifyCloud
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera Technologies
Cloud Security, Standards and Applications
Cloud Security, Standards and Applications
Dr. Sunil Kr. Pandey
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
Yusuf Hadiwinata Sutandar
Cloud security
Cloud security
Niharika Varshney
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
Patrick Sklodowski
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
Jisc
5901194.ppt
5901194.ppt
ahmad21315
4946486.ppt
4946486.ppt
ahmad21315
More Related Content
Similar to 5787355.ppt
Transforming cloud security into an advantage
Transforming cloud security into an advantage
Moshe Ferber
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
Ciente
Cisco Powered Presentation - For Customers
Cisco Powered Presentation - For Customers
Cisco Powered
Securing Sensitive Data in Your Hybrid Cloud
Securing Sensitive Data in Your Hybrid Cloud
RightScale
Will your cloud be compliant
Will your cloud be compliant
Evgeniya Shumakher
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
Sweta Kumari Barnwal
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
Cloud Computing Security Frameworks - our view from exoscale
Cloud Computing Security Frameworks - our view from exoscale
Antoine COETSIER
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Stefaan Van daele
Cloud Computing and the Promise of Everything as a Service
Cloud Computing and the Promise of Everything as a Service
Lew Tucker
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
Cloud Standards Customer Council
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Standards Customer Council
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
UnifyCloud
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera Technologies
Cloud Security, Standards and Applications
Cloud Security, Standards and Applications
Dr. Sunil Kr. Pandey
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
Yusuf Hadiwinata Sutandar
Cloud security
Cloud security
Niharika Varshney
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
Patrick Sklodowski
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
Jisc
Similar to 5787355.ppt
(20)
Transforming cloud security into an advantage
Transforming cloud security into an advantage
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
Cisco Powered Presentation - For Customers
Cisco Powered Presentation - For Customers
Securing Sensitive Data in Your Hybrid Cloud
Securing Sensitive Data in Your Hybrid Cloud
Will your cloud be compliant
Will your cloud be compliant
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cloud Computing Security Frameworks - our view from exoscale
Cloud Computing Security Frameworks - our view from exoscale
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Cloud Computing and the Promise of Everything as a Service
Cloud Computing and the Promise of Everything as a Service
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cloud Security, Standards and Applications
Cloud Security, Standards and Applications
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
Cloud security
Cloud security
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
More from ahmad21315
5901194.ppt
5901194.ppt
ahmad21315
4946486.ppt
4946486.ppt
ahmad21315
4831586.ppt
4831586.ppt
ahmad21315
4582349.ppt
4582349.ppt
ahmad21315
3822424.ppt
3822424.ppt
ahmad21315
3549497.ppt
3549497.ppt
ahmad21315
3245224.ppt
3245224.ppt
ahmad21315
2775732.ppt
2775732.ppt
ahmad21315
More from ahmad21315
(8)
5901194.ppt
5901194.ppt
4946486.ppt
4946486.ppt
4831586.ppt
4831586.ppt
4582349.ppt
4582349.ppt
3822424.ppt
3822424.ppt
3549497.ppt
3549497.ppt
3245224.ppt
3245224.ppt
2775732.ppt
2775732.ppt
Recently uploaded
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
Sujith Sukumaran
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
VICTOR MAESTRE RAMIREZ
EY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
Neo4j
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
kotipi9215
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
BradBedford3
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
MyIntelliSource, Inc.
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
Alina Yurenko
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
Andreas Granig
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
Hanief Utama
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio, Inc.
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
nada99848
Professional Resume Template for Software Developers
Professional Resume Template for Software Developers
Vinodh Ram
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
VICTOR MAESTRE RAMIREZ
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Christina Lin
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
MyIntelliSource, Inc.
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽❤️🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽❤️🧑🏻 89...
gurkirankumar98700
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
StefanoLambiase
Asset Management Software - Infographic
Asset Management Software - Infographic
Hr365.us smith
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
OnePlan Solutions
Recently uploaded
(20)
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
EY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
Professional Resume Template for Software Developers
Professional Resume Template for Software Developers
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽❤️🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽❤️🧑🏻 89...
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Asset Management Software - Infographic
Asset Management Software - Infographic
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
5787355.ppt
1.
© 2011 Cloud
Security Alliance, Inc. All rights reserved.
2.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Thanks to Class Sponsors 2 Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance
3.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. About the Cloud Security Alliance Global, not-for-profit organization Building best practices and a trusted cloud ecosystem Comprehensive research and tools Certificate of Cloud Security Knowledge (CCSK) www.cloudsecurityalliance.org 3
4.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. About the Class Learn/refresh knowledge about PCI DSS Learn/refresh knowledge about cloud computing Understand how to assess PCI compliance in cloud environments Understand how to implement PCI DSS controls in cloud environments Gain useful tools for planning/doing this 4
5.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 5 5
6.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Show of hands please… 1. QSA 2. Merchant a) L1 b) L2-4 3. Service provider 4. Security tool vendor 5. Security consultant 6. Other 6 6
7.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Prerequisites Know how to spell “P-C-I D-S-S” Have heard about “The Cloud” Possess basic information security knowledge, IT management 7
8.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Full Class Outline Introduction What this class is about, prerequisites, how to benefit PCI DSS reminder Cloud basics Where cloud interacts with PCI DSS Key cloud PCI controls Core PCI DSS + cloud scenarios Conclusions and action items 8
9.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 9
10.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to benefit? If you are a merchant… Learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs If you are a QSA… Figure how to assess merchants and CSPs If you are a cloud service provider… Learn how to keep you and merchants compliant If you are a security vendor… Learn about the new problems you can solve If you are a consultant around PCI and cloud… Learn the “pain points” around PCI DSS and cloud 10
11.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI in the Cloud... In the Media ….bla bla …. bla bla ….. PCI DSS…. ….. The Cloud……… cloud…..bla…cloud… ….bla bla…… compliant ..……cloud. ……cloud…..bla bla……possible ………. ……cloud……….. bla bla………cloud ….. as long as no cardholder data is in the cloud… bla bla………………………….. 11
12.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 12
13.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Quick Reality Check 13
14.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Cloud? 14
15.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI DSS? 15
16.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Together? 16
17.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. DISCUSSION! 17
18.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 18
19.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Why is PCI Here? 19 Criminals need money Credit cards = MONEY Where are the most cards? In computers. Data theft grows and reaches HUGE volume. Some organizations still don’t care… especially if the loss is not theirs PAYMENT CARD BRANDS ENFORCE DSS!
20.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Laggards vs. Leaders 20 Issue: many merchants don’t even want to “grow up” to the floor of security Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation Action: PCI DSS mandate!
21.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard = 21 21
22.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. • Protect stored data • Encrypt transmission of cardholder data and sensitive information across public networks Protect Cardholder Data • Maintain a policy that addresses information security Maintain an Information Security Policy • Track and monitor all access to network resources and cardholder data • Regularly test security systems and processes Regularly Monitor and Test Networks • Restrict access to data by business need-to-know • Assign a unique ID to each person with computer access • Restrict physical access to cardholder data Implement Strong Access Control Measures • Use and regularly update anti-virus software • Develop and maintain secure systems and applications Maintain a Vulnerability Management Program • Install and maintain a firewall confirmation to protect data • Do not use vendor-supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network 22 PCI DSS: Basic Security Practices!
23.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI DSS Domain Coverage … In no particular order: Security policy and procedures Network security Malware protection Application security (and web) Vulnerability scanning and remediation Logging and monitoring Security awareness 23
24.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI DSS 2.0 is Here! Select items changing for PCI 2.0 Scoping clarification Data storage Virtualization (!!) DMZ clarification Vulnerability remediation Remote data access 24
25.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Does it Apply to Me? “PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.” 25 25
26.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI Game: The Players 26 PCI Security Standards Council
27.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI Regime vs DSS Guidance The PCI Council publishes PCI DSS • Outlined the minimum data security protections measures for payment card data. • Defined Merchant & Service Provider Levels, and compliance validation requirements. • Left the enforcement to card brands (Council doesn’t fine anybody!) Key point: PCI DSS (document) vs PCI (validation regime) 27
28.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. My Data – Their Risk!? *I* GIVE *YOU* DATA *YOU* LOSE IT *ANOTHER* SUFFERS! 29
29.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Key Concept// Scoping 30
30.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Sidenote// FLAT NET to FLAT CLOUD REALITY: “Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment.“ (PCI DSS 2.0) DREAM: “Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.“ 31
31.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Key Concept// Compliance vs Validation Q: What to do after your QSA leaves? A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted. Use what you built for PCI to reduce risk “Own” PCI DSS; make it the basis for your policies 32
32.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Key Concept// Stay Compliant Ongoing compliance with PCI DSS – tasks: 33 TASK FREQUENCY Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc Annual ASV and internal scans, wireless scans Quarterly File integrity checking Weekly Log and alerts review, other operational procedures Daily
33.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Failing That… “Classic” example from my PCI book, co-author Branden Williams 34
34.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Two BIG Approaches to PCI DSS Compliance SECURE the data: Encrypt, access control, monitor, block attempts, authenticate, authorized, etc… 35 These apply to PCI in the cloud as well! DELETE the data: Organize your business to avoid dealing with the data
35.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 36
36.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 37
37.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. NIST Definition of Cloud Computing “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “ 38 38
38.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 5 Essential Cloud Characteristics 1. On-demand self-service 2. Broad network access 3. Resource pooling – Location independence 4. Rapid elasticity 5. Measured service 39 39
39.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network 2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud 3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics 40
40.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud <- our focus in this class! Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds 41 41
41.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 7 Common Cloud Characteristics 1. Massive scale 2. Homogeneity 3. Virtualization 4. Resilient computing 5. Low cost software 6. Geographic distribution 7. Service orientation 42
42.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. All of this TOGETHER: The Cloud Community Cloud Private Cloud Public Cloud Hybrid Clouds Deployment Models Service Models Essential Characteristics Common Characteristics Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network Access Rapid Elasticity Measured Service On Demand Self-Service Low Cost Software Virtualization Service Orientation Advanced Security Homogeneity Massive Scale Resilient Computing Geographic Distribution 43 43
43.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example IaaS// Amazon Cloud Amazon cloud components – Elastic Compute Cloud (EC2) • Run your own or Amazon’s OS “instances” – Simple Storage Service (S3) – SimpleDB – Other services 44 44
44.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example PaaS// Google App Engine Create, deploy and run applications NO control (or, in fact, even visibility) of OS Use SDK to develop the applications Run “natively” in the cloud 45
45.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example SaaS// Salesforce Well-known SaaS CRM application Cloud CRM + a lot more applications 46 46
46.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example P/IaaS // Azure Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 47 47
47.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Service Model Architectures Cloud Infrastructure IaaS PaaS SaaS Infrastructure as a Service (IaaS) Architectures Platform as a Service (PaaS) Architectures Software as a Service (SaaS) Architectures Cloud Infrastructure SaaS Cloud Infrastructure PaaS SaaS Cloud Infrastructure IaaS PaaS Cloud Infrastructure PaaS Cloud Infrastructure IaaS 48 48
48.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Security? Are there …mmm …cloud security issues? 50
49.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 51 Security: Barrier to Adoption?
50.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 52 What is Different about Cloud?
51.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 53 53
52.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 54 What is Different about Cloud? SERVICE OWNER SaaS PaaS IaaS Data Joint Tenant Tenant Application Joint Joint Tenant Compute Provider Joint Tenant Storage Provider Provider Joint Network Provider Provider Joint Physical Provider Provider Provider
53.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 55 What is Different about Cloud?
54.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 56 What is Different about Cloud?
55.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. CSA Cloud “Threats” 1. Abuse & Nefarious Use of Cloud Computing 2. Insecure Interfaces & APIs 3. Malicious Insiders 4. Shared Technology Issues 5. Data Loss or Leakage 6. Account or Service Hijacking 7. Unknown Risk Profile 57
56.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. ENISA Cloud Risks 1. Loss of governance 2. Lock-in 3. Isolation failure 4. Compliance risks 5. Management interface compromise 6. Data protection 7. Insecure or incomplete data deletion 8. Malicious insider 58
57.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. iSEC Realistic Cloud “Threats” 1. Authentication abuse 2. Operations breakdown 3. Misuse of cloud-specific technology 59
58.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. FBI Takes Cloud Away 60
59.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Discussion 61 What do YOU think are actual, relevant, TRUE threats to cloud computing?
60.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. While we are “in the cloud” Here are some additional CSA/cloud security resources… 62
61.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. 63 Control Requirements Provider Assertions Private, Community & Public Clouds
62.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. CSA CloudAudit Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring 64
63.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. CSA Cloud Controls Matrix 65 Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA Rated as applicable to SaaS/PaaS/IaaS Customer vs Provider role Help bridge the “cloud gap” for IT & IT auditors https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
64.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 66 Next?
65.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Do We See A Cloud in There? Requirement 12.8 “If cardholder data is shared with service providers, maintain and implement policies and procedures to 67 manage service providers…” Requirement A.1: “Shared hosting providers must protect the cardholder data environment”
66.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Magic of Requirement 12.8 Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data? A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. ….…………………. however ……………………… 68
67.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Magic of 12.8 Revealed “If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that …service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.” 69
68.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Requirement 9// Amazon Example Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center? A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.” 70
69.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. June 2011// PCI SSC Virtualization Guidance Key Cloud Items: “CSP should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program.” 71
70.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI SSC on Cloud Challenges “The distributed architectures of cloud environments add layers of technology and complexity to the environment. Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet. The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid. The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. The hosted entity has limited or no oversight or control over cardholder data storage. The hosted entity has no knowledge of ―who‖ they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment” 72
71.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. And now… … a brainteaser 73
72.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Requirement 11.3// Pentesting “11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification 11.3.1 Network-layer penetration tests 11.3.2 Application-layer penetration tests” “Cloudify” this for me, please! 74
73.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Q: How should we address it? 75 Audience Poll A: Only pentest applications with narrow rules D: Hide under our desks and squeal C: Trust that “they do it” B: Go full blast and “own” provider’s datacenter
74.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Detailed Example// Amazon PCI 76 Happy now? “Amazon is PCI OK” Huh?
75.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Say What…. Q: “What does this mean to me as a PCI merchant or service provider? A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.” 77
76.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example// Amazon view of this 78
77.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example// Amazon Guidance 79
78.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 80 Sidenote// “Compliant” Provider of What?
79.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 81
80.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenarios Introduction In scope for discussion: – Public IaaS, PaaS, SaaS – Chained or multiple CSPs NOT in scope: – Traditional hosting providers – Outsourced data center or call center – Private cloud and virtualization on-prem – Virtual private cloud (sort of) 82
81.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Learn Using Scenarios Description How to assess this scenarios / Assessment tips How to scope this scenario / Scoping tips How to get compliant How to stay compliant What to show to QSA / compliance evidence Notable PCI requirements to watch Responsibility split Pitfalls, Risks and Tips 83
82.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Key Goal DO build a framework for assessing/complying, based on the scenarios DO NOT memorize the scenarios, yours might be different or be a combination of these 84
83.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 1// Clean Cloud 85 Merchant – ecommerce or stores Use public cloud (SaaS, PaaS, IaaS) Cloud environment segmented from CDE NO PANs in any cloud environment … or so they think
84.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Description Sells books online Level 1 merchant Uses cloud provider(s) for testing, training, etc Cloud provider NOT PCI-OK NO payment data stored in the cloud NO payment data processed in the cloud NO payment data passed through cloud 86
85.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 1// Visual 87
86.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 88 Audience Poll A: Yes C: Cannot tell B: No
87.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Assess? Key: Are they right? Test that PANs didn’t “escape” to Amazon 89
88.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud environment: IaaS: run a discovery tool Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs Q: What about encrypted PANs? 90
89.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Get / Stay Compliant? Easy huh: Keep the PANs out of the cloud Recheck (via discovery tools) that cloud systems are not contaminated by the PANs Look for old PANs, “test” PANs, etc. 91
90.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Discovery scan results Other data that confirms that PCI data does not get to the cloud systems Policies and procedures BANNING card data in the cloud; evidence of people actually following them…. 92
91.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Responsibility SPLIT PROVIDER Nothing (not even being PCI compliant) 93 MERCHANT All PCI controls Scoping Keeping cloud systems out of scope
92.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Contract SLA Tips Requirement 12.8 does NOT play No SLA in regards to cardholder data 94
93.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failing to assure that PANs don’t leak to the cloud Failing to maintain “no PANs in the cloud” status “Rogue PANs” theft is still CHD theft… Tip: run a discovery tool on cloud systems Tip: assure segmentation (no data flow from CDE to YOUR cloud) 95
94.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Common PAN Leakage Excel spreadsheet on cloud systems – Excel spreadsheet on Google Documents Application screenshots Finance and HR documents with PANs Other Office formats with PAN information Text dumps from poorly-written/legacy applications 96
95.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 2// Storage in the Cloud 97 Merchant – ecommerce or stores Use public cloud (SaaS, PaaS, IaaS) Stores PANs in public cloud environment!
96.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Description A chain of stores across the US West Level 2 merchant Uses cloud provider(s) for testing, training, backup systems, data storage, etc Cloud provider MAY BE PCI-OK PAN data stored in the cloud PAN data transmitted through cloud NO payment data processed in the cloud 98
97.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 2// Visual 99
98.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 100 Audience Poll A: Yes C: Cannot tell B: No What about their service provider(s)? Must they be PCI-OK for merchant to be PCI-OK? Bonus question: What about their CSPs’ CSP?
99.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Assess? Key: Encryption AND/OR Provider PCI Status Case #1: Unencrypted PANs at CSP => no PCI compliance possible Case #2: Encrypted with provider having the key => provider must be PCI-OK Case #3: Encrypted with provider NOT having the key => presumably, provider may be NOT PCI-OK 101
100.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Huh? What does it mean? IaaS (e.g. VMs in the cloud, EC2 instances, etc) = likely case #3 Merchant deals with PCI DSS, provider may not know anything about it No unencrypted data possible in/across the cloud NO WAY for CSP to decrypt the data Reminder: scan for unintended cloud PANs 102
101.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Huh? What does it mean? Part II SaaS or PaaS (e.g SalesForce, etc) = likely case #2 Provider MUST be PCI-OK Merchant and CSP share PCI responsibilities CSP encrypts the data AND/OR can decrypt it 103
102.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud environment: – IaaS (case #2) • Cloud environment can be claimed to be out of scope (if CSP has NO key!!!) • Merchant is responsible for all controls • Look for unintentional PANs – SaaS and maybe PaaS (case #3) • Cloud environment IS in scope • Controls shared between CSP and Merchant 104
103.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware. In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations. In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.” 105
104.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Get Compliant? 1. Realize what scenario you are in, then either a) Ensure CSP cooperation and PCI-OK status (see matrix), or (“PCI in cloud”, SaaS/PaaS) b) Encrypt all PANs and prevent the provider from having the key (“no PCI in cloud”, IaaS) 2. In case a), build the control matrix and test it 106
105.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Stay Compliant? Either … Keep testing the CSP PCI-OK status and check the matrix for missing controls Keep encrypting, preventing the provider from seeing the key and testing for “rogue PANs” 107
106.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? By case… CSP PCI status and additional evidence of how they do PCI DSS Proof of your scoping decision to exclude the cloud due to encryption + evidence of all other PCI controls, of course 108
107.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS/No Cloud PCI/Encryption PROVIDER Nothing (may not even be PCI compliant) 109 MERCHANT All PCI controls Encryption + key management Scoping Keeping cloud systems out of scope
108.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Responsibility SPLIT// SaaS/Cloud PCI provider PROVIDER Security policy Physical Network Encryption Key management System security Parts of application security 110 MERCHANT Security policy Application security Scoping Monitoring (unless extra $ to CSP)
109.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI DSS Requirement Merchant Cloud provider Secure application development: R6 IaaS, PaaS SaaS Update OS: R6 IaaS (joint) IaaS (joint), PaaS, SaaS Log management: R10 IaaS (joint), PaaS (joint) IaaS (joint), PaaS (joint), SaaS Render PANs unreadable: R3.4 IaaS, Maybe: PaaS SaaS, Maybe: PaaS Physical access control: R9 None IaaS, PaaS, SaaS Vulnerability scanning: R11.2 IaaS (joint – per system), PaaS (joint) IaaS (joint), PaaS (joint), SaaS Penetration tests: R11.3 IaaS (joint), PaaS (joint), SaaS (joint) – degree varies IaaS (joint), PaaS (joint), SaaS (joint) – degree varies Security policy: R12 IaaS, PaaS, SaaS (all joint) IaaS, PaaS, SaaS (all joint) Wireless security: R11.1 None IaaS, PaaS, SaaS 111 Example Scenario 2// Control Matrix
110.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Ooops! Merchant uses IaaS, manages the systems, encrypts the data – (so far, case “No Cloud PCI”) …but SHARES THE KEY WITH CSP! What now? 112
111.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 3.4 covers the encryption of stored data. Requirement 12.8 covers service providers and the matrix Requirement A cover shared hosting providers 113
112.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Contract SLA Tips Case SaaS/“PCI in the cloud” Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 114
113.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI Council Says… “The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant. “ 115
114.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks For IaaS/No PCI in cloud/encryption case, assurance of provider not being able to decrypt the data For SaaS/PCI in cloud, failure to test the provider on the ongoing basis SLA failures: no escalation, evidence sharing, incident response cooperation “Finger pointing” 116
115.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 3// IaaS PCI 117 Merchant – ecommerce or stores Use public cloud IaaS provider Processes cards and possibly stores them as well in the cloud
116.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Description Global airline with physical and online purchases Uses CSP for a broad spectrum of payment tasks Cloud provider MUST be PCI-OK PAN data stored in the cloud PAN data passed through cloud PAN data processed in the cloud – at the same provider! 118
117.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 3// Visual 119
118.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 120 Audience Poll A: Yes C: Cannot tell B: No Who is doing what for the merchant to be PCI-OK? Bonus question: What about their SPs’ SP’s SP?
119.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Assess? Key: The Matrix … Must Have No Holes ALL PCI DSS controls are in place for all layers of the cloud environment – and somebody must … pay for it 121
120.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 122 Secret to PCI In the Cloud
121.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Huh? The Matrix? Two basic FACTS: 1. Merchant CANNOT do PCI DSS without the CSP! 2. CSP CANNOT make merchant compliant! The only way is a clear delineation of duties aka … The Control Matrix 123
122.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.” 124
123.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud IaaS environment: – IaaS systems are in scope: systems, applications, network, devices, hypervisor – Two tiered scoping (PCI 2.0 artifact) • Systems WITH data vs systems that touch/manage systems with data Think “outsourced datacenter+” 125
124.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Get Compliant? One Approach!! 1. Pretend all IaaS infrastructure is YOUR ON-PREMISE network 2. Plan PCI DSS controls for it 3. Realize which controls you CANNOT do since it is really NOT an on-prem network and you don’t control some domains (e.g. physical) – Then have a talk with a provider on whether THEY a) CAN and b) WILL cover that 4. Realize which controls DON’T APPLY verbatim to the cloud environment – Then and figure how to compensate!! 126
125.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. For Example Project: replace branch servers with IaaS- deployed servers PCI controls: all on branch server replacement, most on management servers, etc – Physical? => CSP – Firewall management => CSP – Monitoring? => CSP MSSP service ($) – Web application scanning => Ooops! 127
126.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 128
127.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PAN Flow 129
128.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of ALL controls – yours and CSPs Evidence of ongoing compliance: logging, testing, etc MUST DO: obtained detailed PCI evidence from CSP for controls that apply to your environment! 130
129.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS PCI PROVIDER Physical Network Encryption Key management System security Parts of application security MERCHANT Application security Scoping Monitoring (unless extra $ to CSP) 131
130.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 132 Example Scenario 3// Control Matrix PCI DSS Requirement Merchant: IaaS Cloud provider: IaaS Secure application development: R6 Yes No Update OS: RXX Yes – for guest OS Yes – for host OS Log management: R10 Yes – for guess OS, applications, etc Yes – for host OS, management systems, etc Render PANs unreadable: R3.4 Yes No (!) Physical access control: R9 None Yes Vulnerability scanning: R11.2 Yes – for guest OS Yes – for host OS, management systems, etc Penetration tests: R11.3 Yes – for guest OS, applications Yes – for physical, host OS, etc Security policy: R12 Yes – for PARTS Yes – for ALL OTHER PARTS Wireless security: R11.1 None Yes
131.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Sidenote// Owner vs Manager 133 Setting: IaaS provider (EC2 or other) PCI Requirement: Req 1 firewall management • CSP OWNS the firewall appliance • Merchant, CSP, CSP MSSP or 3rd party MANAGES the firewall settings Who is left holding the PCI bag?
132.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI Council Says… 134 … you go figure it out!
133.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Full SAMPLE Matrix Review This matrix is JUST A SAMPLE Used here AS AN EXAMPLE This is NOT YOUR REAL THING EXAMPLE means “here is what CAN be” EXAMPLE SAMPLE ILLUSTRATION! Did I mention it is just an example? 135
134.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to use the shared PCI control matrix? The class addendum, EXAMPLE PCI DSS shared control matrix can be used as follows: To review one possible control sharing methodology between CSP and merchant To validate one’s own control sharing For security discussion with CSPs As a foundation for one’s control sharing – with caution! 136
135.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 3.4 covers the encryption of stored data. Requirement 12.8 covers service providers and the matrix Requirement A cover shared hosting providers 137
136.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Contract SLA Tips Case SaaS/“PCI in the cloud” Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 138
137.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failure to test the provider on the ongoing basis Trusting the provider without evidence SLA failures: no escalation, evidence sharing, incident response cooperation Tip: make SLA as detailed as possible – involve both information security AND legal 139
138.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 4// Twice-Cloudy PCI 140 Merchant – ecommerce or stores Use public cloud IaaS provider Processes cards and possibly stores them as well in the cloud Uses a dedicated CSP for payment processing (P), NOT hosting CSP (H)
139.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Description An ecommerce company with seasonal highly sales Uses CSP H, but with payment processing handled by CSP P Cloud provider P MUST be PCI-OK Cloud provider H SHOULD be PCI-OK (?) PAN data processed and stored in the cloud – by CSP P 141
140.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 142 Scenario 4// Visual
141.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 143 Audience Poll A: Yes C: Cannot tell B: No Should CSP H be PCI compliant? Can merchant be PCI compliant if CSP H is NOT?
142.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. This is VERY COMMON… … but there is A LOT OF DEVIL in the details 144
143.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example// Cloud Sites by Rackspace 145
144.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example// Microsoft Azure 146 Official Azure FAQ (2011) Q: “Can you host PCI (e.g. credit card) data [on Azure]? A: Microsoft makes no claim regarding these standards for 3rd party hosting. There are ways to develop cloud based applications to use 3rd party PCI data processers that may keep the cloud application itself out of scope.” Bonus question: where does here point?
145.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Assess? Key: Contain Toxic (=PCI) Data In “Special Clouds”, Don’t Taint Your IaaS! The logic here is to offload all (if possible) operations with PANs to a payment provider 147
146.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Don’t SCOPE - KILL the scope to nothing in the cloud Minimize “rogue PANs” 148
147.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Huh? Toxic What? Three basic FACTS: 1. If neither Merchant nor CSP can see payment data, there is tiny scope of PCI for them (*) 2. If CSP cannot see the data, but Merchant can, then this is a traditional on-prem PCI environment 3. The more payment provider takes on, the better: PCI stays in their cloud 149
148.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example// PayPal API “With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.” Will they really sign such agreement? 150
149.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Example// Amazon FPS Perfect “cloud shield”: “As a part of Amazon Payments' services you [=merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, “Cardholder Data”).” 151
150.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 152 Example// Rackspace “Compliant” Cloud
151.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Get and Stay Compliant? 1. Avoid PANs 2. Engineer the payment chain to avoid having PANs in CSP H and your own environment 3. Verify CSP P compliant status (duh!) 153
152.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 154
153.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of zero scope – Data flow, system architecture, etc Evidence of CSP P PCI compliance 155
154.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS PCI 156 CSP H Nothing MERCHANT Application security (maybe) Provider management Others as deployed CSP P All PCI Controls
155.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PCI Council Says… 157 … you go figure it out!
156.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Possibly none – if no merchant ID and no relationship with acquirer Requirement 12.8 covers service providers 158
157.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Common Pitfalls, Risks and SLA Tips PAN leakage, temporary files and other artifacts of bad coding of payment provider APIs Web application attacks that redirect the PAN flow to the attacker Crash dumps with PANs 159
158.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 5// PaaS PCI 160 Merchant – ecommerce or stores Use public cloud PaaS provider Processes cards and possibly stores them as well in the cloud
159.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. PaaS… Come Again? PaaS is EXACTLY between IaaS and SaaS IaaS: OS, VM, networks, etc SaaS: application What’s in between? An environment for application development … PaaS 161
160.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Description A major ecommerce website Uses CSP for a broad spectrum of tasks, including payments Cloud provider MAY BE PCI-OK PAN data stored/passed in the cloud PAN data processed in the cloud Merchant does NOT control the OS/VMs at the CSP 162
161.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 5// Visual 163
162.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 164 Audience Poll A: Yes C: Cannot tell B: No Must the provider be PCI-OK? Can the merchant be PCI-OK if the CSP is not? What must merchant do because the provider cannot do it?
163.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Assess? Key: Need to Understand Your CSP… Really Well 165
164.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Decision Time If PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete “3rd party payment takeover” ->Scenario 4 166 If PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3
165.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud PaaS environment: – PaaS systems are in scope: systems, applications, network, devices, hypervisor – Two tiered scoping (PCI 2.0 artifact) • Systems WITH data vs systems that touch/manage systems with data Think “outsourced IT-” 167
166.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Get Compliant? One Approach!! 1. Review which controls the PaaS CSP will handle for you 2. Check which PCI DSS controls they cannot ever handle – Example: your security policy, awareness training for your employees (BTW, they should – for theirs) 3. Create the matrix and verify with the CSP – Request additional information from them as needed 4. Deploy additional controls where needed and where prudent 168
167.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. For Example Project: replace marketing analytics application that uses PAN with PaaS- deployed application PCI controls: all on the application, most on management servers, etc – Web application scanning => Merchant – All others =>CSP Decision: move the payment data off CSP and “off PCI” you go 169
168.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 170
169.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of ALL controls – yours and CSPs MUST DO: obtained detailed PCI evidence from CSP for controls that apply to your environment! 171
170.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Responsibility SPLIT// PaaS PCI PROVIDER Application platform security Physical Network Encryption Key management System security MERCHANT Application security Scoping Monitoring (unless extra $ to CSP) 172
171.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 173 Example Scenario 5// Control Matrix PCI DSS Requirement Merchant: PaaS user Cloud provider: PaaS Secure application development: R6 Yes Yes (for platform) Update OS: RXX No Yes Log management: R10 Yes – application logs Yes – everything else (or data provided to merchant!) Render PANs unreadable: R3.4 Yes Yes – where touches their environment Physical access control: R9 No Yes Vulnerability scanning: R11.2 No Yes Penetration tests: R11.3 Yes – application level Yes – for physical, network, application, etc Security policy: R12 Yes - applicable Yes – for the rest Wireless security: R11.1 No Yes
172.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 1 Firewall architecture (“cloud networks are flat”) Requirement 4.1 “Use strong cryptography and security protocols “ – Intra-CSP traffic may be seen as public Requirement 6.1 patch management is Joint; and need to be done by both Requirement 12.8 covers service providers and the matrix 174
173.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Contract SLA Tips Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 175
174.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failure to test the provider on the ongoing basis SLA failures: no escalation, evidence sharing, incident response cooperation 176
175.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 6// Tiered PCI 177 Merchant – ecommerce or stores Use public cloud PaaS or SaaS provider … … who uses public IaaS provider Processes cards and possibly stores them … somewhere
176.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Description A major ecommerce website Uses CSP for a broad spectrum of tasks, including payments Their provider uses another cloud provider Some cloud providers MAY BE PCI-OK PAN data stored/passed in the cloud PAN data processed in the cloud 178
177.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Scenario 6// Visual 179
178.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 180 Audience Poll A: Yes C: Cannot tell B: No Must the provider be PCI-OK? Must their provider’s provider be PCI-OK? Can the merchant be PCI-OK if some CSPs are not?
179.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Tiered Merchant Example 181 Merchant uses CSP (SaaS) that uses Amazon EC2 (IaaS) A public Amazon case study http://aws.amazon.com/solution s/case-studies/36boutiques/
180.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Assess? Key: The Matrix … Must Have No Holes, Again …but there are more dimensions now 182
181.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Your CSP’s CSP is NOT your CSP! … and that some controls are NOT implemented by your CSP and they simply “trust their CSP assertions” 183
182.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. How to Scope? Worst case: FORGET IT! We can never figure it out… ……. reality ……………… Best case: payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with payment provider) 184
183.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. We went through six PCI-in-the- cloud scenarios! 185 Ahhhhhh……
184.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Business: ecommerce Setup: uses CSP for web hosting and all application hosting, accepts payment cards, sells to consumers Challenge: we are a QSA they hired to “get them compliant” Next steps? 186 Exercise// How to Comply/Assess?
185.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. What do the scenarios teach us about PCI and cloud? 1. “Kill the scope” works in the cloud as well 2. It is better to have the payment processor handle more and merchant/CSP handle less of the PCI burden 3. CSP may do it, but MERCHANT is responsible and need to validate it 4. Finally, we CAN have PCI in the cloud! 187
186.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Final Recommendations Follow the scenarios as templates for your projects Learn to scope in the cloud Make a matrix of shared responsibility (and “keep it with you at all times” ) Remember: MERCHANT is on the hook, even if CSP does it (as per PCI DSS) Requirement 12.8 is NOT “a punt” 188
187.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Additional Tips from Past Class Discussions Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc Involve legal in SLA and other discussions about regulated data in the cloud (!) Scan for YOUR sensitive data being put in the cloud by business partners – in THEIR clouds “Trust but verify” principle MUST be applied to your CSP 189
188.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Any Lessons from the Audience? Anything “juicy” I missed to conclude? 190
189.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. A one-liner version? 191 If you can get rid of the PANs in the cloud, DO IT!
190.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Questions? 192
191.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Thanks for Your Review! Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials: Walt Conway @ 403 Labs Martin McKeay @ Verizon Mike Dahn @ PWC Doug Barbin @ BrightLine Jason Chan @ Netflix 193
192.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. Additional Materials In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class. Go to www.cloudsecurityalliance.org for the latest information on our educational resources 194
193.
© 2011 Cloud
Security Alliance, Inc. All rights reserved. 195
Download now