This document discusses an approach to achieving PCI DSS compliance in Amazon Web Services (AWS) public cloud environments based on ownership control and shared responsibility. It outlines how to determine which security controls are the responsibility of the cloud provider versus the customer organization. Key aspects of the approach include network isolation, software firewalls, image hardening, encryption of data at rest and in transit, anti-virus installation, configuration management, and use of network intrusion detection and prevention systems.
Along with accessibility and convenience, cloud-based IT resources also bring risk. This webinar provides you with a brief introduction on the development of cloud computing and the related business risks. Additionally, you will learn questions to ask to determine if your company is using cloud-based IT resources along with information on the formal assurance frameworks that exist and can be effectively employed by both cloud consumers and providers without specialized training.
The aim of this paper is to make cloud service consumers aware of cloud computing fundamentals, its essential services, service models and deployment options. It also throws light on the security and risk management piece of the CSA trusted cloud reference architecture, the Cloud Controls Matrix, the "notorious nine" threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestation.
mandate from senior management
This document discusses the relationship between information security and compliance teams and how their alignment is important for managing risks when using cloud computing. It notes that security and compliance teams sometimes have differing priorities that can cause friction. However, the use of cloud computing, where many security controls are managed by external providers, requires close coordination between the two functions. The document provides recommendations for how security and compliance teams can forge a stronger alliance, including through the use of cross-functional "tiger teams" and toolset standardization. Close collaboration is needed to effectively evaluate cloud security and ensure regulatory compliance.
Editor's Note: Risk Management Frameworks for Cloud Security
The document provides an overview of cloud computing risks from an assurance perspective. It discusses cloud computing terminology, major public cloud services, assessing public cloud risk, trends and issues. The presentation covers cloud service models, deployment models, benefits and risks of public clouds, assurance frameworks like CSA's Cloud Controls Matrix, and key controls in areas like compliance, data governance, facility security, information security, and operations management.
Cloud Computing: A study of cloud architecture and its patterns (IJERA Editor)
Cloud computing is a general term for anything that involves delivering hosted services over the Internet. Cloud computing is a paradigm shift following the shift from mainframe to client–server in the early 1980s. Cloud computing can be defined as accessing third party software and services on web and paying as per usage. It facilitates scalability and virtualized resources over Internet as a service providing cost effective and scalable solution to customers. Cloud computing has evolved as a disruptive technology and picked up speed with the presence of many vendors in cloud computing space. The evolution of cloud computing from numerous technological approaches and business models such as SaaS, cluster computing, high performance computing, etc., signifies that the cloud IDM can be considered as a superset of all the corresponding issues from these paradigms and many more. In this paper we will discuss Life cycle management, Cloud architecture, Pattern in Cloud IDM, Volatility of Cloud relations.
The document discusses cloud computing risks and mitigation strategies. It provides an overview of cloud computing definitions and models. It then discusses several key risks to cloud computing like privileged user access, data segregation, regulatory compliance, and the physical location of data. For each risk, it proposes potential mitigation strategies to evaluate like access controls, encryption, understanding regulatory obligations, and considering data location.
Cloud computing is an architecture for providing computing services via the Internet on demand, with pay-per-use access to a pool of shared resources, namely networks, storage, servers, services and applications, without physically acquiring them. It therefore saves management cost and time for organizations. The market share that cloud computing has captured is still far behind the one expected. From the consumers' perspective, cloud computing security concerns, especially data security and privacy protection issues, remain the primary inhibitor for adoption of cloud computing services. Security for cloud computing is an emerging area of study, and this paper presents security topics in cloud computing based on an analysis of cloud security threats and the technical components of cloud computing.
What makes the next-generation firewall better than the traditional firewalls in protecting your data from hackers? Know more information from Netmagic!
A hybrid cloud combines private and public clouds to provide flexibility, agility and cost control. However, operational silos, complex application management and lack of portability limit its effectiveness. To address these challenges, enterprises should unify infrastructure management across clouds with a single control plane. This allows monitoring, managing and orchestrating all environments with the same tools. Choosing a solution like unified cloud management or a unified platform like Kubernetes can provide the necessary abstraction and standardization to improve hybrid cloud operations.
The document discusses various aspects of cloud monitoring and interoperability. It covers topics like the need for interoperability between different cloud systems to allow seamless migration of data and applications. It also discusses the importance of monitoring solutions to avoid user frustration from access issues when using opaque cloud systems. The document further talks about considerations for migrating data between clouds like avoiding data loss and ensuring availability, scalability and cost-efficiency.
Risk management is essential for cloud computing due to security, privacy, availability and compliance risks. Organizations should thoroughly evaluate cloud vendors to ensure adequate controls over data access, regulatory compliance, privacy, disaster recovery, and contractual obligations. A risk-based approach is needed to determine which applications and data can be safely moved to the cloud. Major cloud providers like AWS have robust security and risk management programs, but due diligence is still required from organizations.
DAM 2018 Review: What's next in 2019?
Facts and trends of the 2018 DAM market, what rocks, what matters for brands, how to select a DAM solution and more...
This document discusses PCI DSS compliance for payment data storage on the cloud for e-commerce and m-commerce. It provides definitions for cloud computing and its service models and deployment models. It also defines e-commerce and m-commerce. The document then discusses the PCI DSS standard and its requirements for securing payment card data. Finally, it addresses some of the new challenges for complying with PCI DSS when payment data is stored in the cloud, such as delineating responsibilities between cloud service providers and their clients.
A study on securing cloud environment from DDoS attack to preserve data ava... (Manimaran A)
This document discusses security techniques to protect cloud environments from DDoS attacks. It begins by introducing the importance of securing cloud resources and data availability. It then describes several common security attacks on cloud computing including cookie poisoning, SQL injection, man-in-the-middle attacks, and cloud malware injection. The document also examines intrusion detection methods like installing detection systems on cloud servers. Finally, it provides details on specific DDoS attacks like SYN flooding and IP spoofing, and the challenges they pose to cloud availability.
A Question of Trust: How Service Providers Can Attract More Customers by Deli... (SafeNet)
Offering an outsourced, elastic, pay-as-you-go computing infrastructure, cloud computing services can deliver clear-cut benefits to a host of companies. Today, however, security concerns are a big barrier to many clients' adoption of cloud services. To boost market share and gain competitive distinction, cloud service providers need to add the security infrastructure that safeguards clients' sensitive data and fosters trust. This white paper outlines the path cloud providers can take to start building trust into cloud deployments, and details the approaches and capabilities organizations need to make this transition a reality.
This document discusses cloud computing and service level agreements. It begins by defining different types of cloud computing models like SaaS, PaaS, and IaaS. It then discusses how cloud computing differs from traditional on-premise storage by addressing issues like data location, custody, and multi-tenancy. The document outlines important considerations for service level agreements including security, data encryption, privacy, regulatory compliance, and transparency. It emphasizes that SLAs should define metrics and responsibilities to ensure the cloud provider delivers the promised level of service. Finally, it cautions that moving to the cloud requires understanding issues like security, portability, accessibility, and data location laws.
Sukumar Nayak - Detailed Cloud Risk Management and Audit (Sukumar Nayak)
The document provides an overview of cloud risk management and auditing. It discusses cloud fundamentals, models, and frameworks such as OpenStack, CSA Cloud Control Matrix, and DMTF Cloud Auditing Data Federation. It also covers risks, challenges, and the 10 steps to manage cloud security from CSCC. The objective is to introduce cloud risk management and audit topics.
This presentation provides detailed coverage of cloud services: Software as a Service, Platform as a Service, Infrastructure as a Service, Database as a Service, Monitoring as a Service and Communication as a Service. Service providers covered: Google, Amazon, Microsoft Azure, IBM and Salesforce.
In the present atmosphere of tighter budgets and pressure on resources, many public sector organizations, including local authorities, are outsourcing services to external organizations under service level agreements in cloud computing. Cloud computing is an approach to delivering hosted services over the web. Services are available to users depending on the cloud arrangement and the Service Level Agreement (SLA) between the service providers and the clients. Service level agreements are also used within organizations, governing the relationship between different sections of the organization. It requires a commitment from both parties to support and adhere to the agreement in order for the SLA to work effectively. Although an SLA gives a straightforward view of the cloud environment, such as cloud services, cloud distribution, security issues, responsibilities, agreements and warranties of the services, several issues arise from incorrect SLAs which can cause misunderstanding between service providers and clients. An SLA checking tool verifies whether the SLA effectively covers all services as agreed. In this paper, we present an SLA confirmation and checking process that can perform SLA verification while gathering the information. We consider IaaS (Infrastructure as a Service) parameters for SLA verification in the cloud.
Netmagic stresses on how switching to the cloud allows organizations to meet their changing needs and goals without large capital or time investments. Read more here!
I want to thank everyone who attended this presentation at AFCOM Data Center World Fall 2011 in Orlando, FL.
Studies show the number of data centers deploying virtual cloud computing will rapidly increase in the next five years. Other studies show that the number of Internet attacks and their level of sophistication will also grow significantly. This session identifies approaches to reduce the risk of business disruptions resulting from inadequate virtual security controls in a data center. It will cover utilizing best practices for security configurations, measuring information security status, and making rational decisions about security investments.
Connect with me if you have any questions or need additional information.
Please favorite this if you like it. I look forward to seeing you again soon.
Regards,
Hector Del Castillo
http://linkd.in/hdelcastillo
This document discusses how digital asset management (DAM) helps brands and retailers improve omnichannel engagement. It states that DAM is now a critical part of digital experience technology as it allows for the creation, management, and retention of customer-facing content. DAM can manage all types of content across channels to consistently serve customers. The document then provides examples of how DAM benefits brands and retailers by increasing productivity, protecting brand content, enhancing the customer experience, personalizing content, integrating marketing technologies, and measuring performance.
Cloud Computing has emerged as the premier infrastructure for creating affordable, scalable and reliable IT solutions for companies of all sizes. However, as with all new technologies, Cloud Computing poses many demanding security considerations, and each must be addressed to ensure the confidentiality, integrity, availability, authenticity, and privacy of a developer’s product.
CA's white paper discusses identity and access management (IAM) strategies for cloud computing. It identifies security challenges in cloud environments, including lack of visibility and control for enterprises. CA aims to help enterprises extend their existing IAM solutions to manage access to cloud applications, and help cloud providers secure their infrastructure and tenants. CA's current IAM products address some challenges, and it is focusing on capabilities like managing privileged access, provisioning connectors, and providing more transparency for auditing and compliance.
Zimory White Paper: Security in the Cloud pt 2/2 (Zimory)
Once in the Cloud, various assumptions come to mind regarding security matters. For example, most system and network administrators decide to approach virtual network and virtual machine (VM) security the way they do their physical counterparts; applying similar security paradigms.
Security architectures designed for physical networks often fail to provide the required levels of security in the virtual world. Perimeter-based security alone is insufficient in a virtualized infrastructure partially because of virtual machines – which are sometimes, quite literally, moving targets. Dynamic networks, remote access requirements, and host machines to be carefully locked down, are some of the security concerns to be found in Cloud environments. With a little thought and imagination, however, securing your virtual infrastructure is possible provided you are willing to take a closer look.
The following document intends to analyze challenges regarding security in a virtualized environment, especially comparing implications of both physical and virtual environments. Security challenges of the Cloud environment are listed and analyzed, to finalize with possible solutions to face and resolve these challenges.
SDN creates a tailored or customized network experience which enables greater level of speed, flexibility, agility and scale in the data center. Read here from Netmagic Solutions.
Legal And Regulatory Issues Cloud Computing...V2.0 (David Spinks)
The document provides an overview of 11 domains related to security in cloud computing. It summarizes recommendations for governance, risk management, compliance, auditing, information lifecycle management, portability and interoperability, traditional security practices, data center operations, incident response, application security, and encryption in cloud environments. The document emphasizes the importance of thorough risk analysis, contractual agreements, ongoing assessment and monitoring when adopting cloud services.
IRJET - SaaS Attacks, Defense Mechanisms and Digital Forensics (IRJET Journal)
This document discusses security challenges and digital forensic techniques for Software as a Service (SaaS) applications in cloud computing environments. It first describes SaaS and its benefits and outlines common security issues like data security, application security, and deployment security. It then reviews related work on securing cloud data storage and integrity. Various digital forensic challenges of investigating crimes in cloud environments are discussed, like lack of transparency and complex virtualized systems. A proposed cloud forensic strategy is described to help investigators collect and analyze evidence from cloud systems in an effective manner. Key security attacks on SaaS like SQL injection and cross-site scripting are also mentioned.
This document discusses security challenges and digital forensic techniques for Software as a Service (SaaS) applications in cloud computing environments. It first describes SaaS and its benefits and outlines common security issues like data security, application security, and deployment security. It then reviews related work on securing cloud data storage and integrity. Various digital forensic challenges of investigating crimes in cloud environments are discussed, like lack of transparency and complex virtualized systems. A proposed cloud forensic strategy is described to help investigators collect and analyze evidence from cloud systems in an effective manner. Key security attacks on SaaS like SQL injection and cross-site scripting are also mentioned.
Managing risks related to vendors presents its own challenges particularly if they are high technology companies such as Cloud Service Providers (CSP).
This document discusses evaluating cloud platforms and services. It describes the different types of cloud platforms including public clouds, private clouds, and hybrid clouds. It then discusses the different types of cloud services - Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Finally, it outlines some key factors to consider when comparing cloud service providers such as security, compliance, compatibility, and application support.
Guddu Kumar. “A Review on Data Protection of Cloud Computing Security, Benefits, Risks and Suggestions” United International Journal for Research & Technology (UIJRT) 1.2 (2019): 26-34.
The document discusses cloud computing use cases and related standards requirements. It lists several general requirement categories for cloud computing including common virtual machine formats, data formats and APIs; cloud management; security; location awareness; identity; open clients; service level agreements; federated identity; metering and monitoring; and more. It also maps some of these requirements to specific use cases and discusses a phased approach and timeline for delivering different cloud computing models.
Cloud computing provides on-demand, pay-as-you-go computing resources over the internet. It has grown rapidly since the 2000s as a more efficient and flexible alternative to traditional computing models. While promising lower costs and increased agility, cloud computing also presents challenges regarding security, compliance with regulations, vendor lock-in, and auditability that businesses must address through service level agreements with cloud vendors. As the cloud computing industry and standards continue to evolve, many expect it will transform how IT resources are utilized.
The document provides an overview of cloud computing concepts and services. It discusses the history and evolution of cloud computing. The key cloud services discussed are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Virtualization is described as a foundational technology for cloud computing. The document also examines the pros and cons of cloud computing and its future directions.
To prosper in this new environment insurance companies can look to the cloud, in conjunction with other technologies, to help drive reinvention of their business model to offer new services and create direct, multi-channel relationships with customers
This document discusses security considerations for cloud computing. It covers security challenges like privacy, portability, interoperability, reliability and availability. It also discusses security planning, boundaries based on infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) models. Additional topics include data security, software as a service security, security monitoring, and security architecture design.
This document discusses PCI-DSS compliance for storing payment data on the cloud for e-commerce and m-commerce. It provides definitions for key terms like cloud computing models, e-commerce types, and PCI-DSS requirements. It notes that storing payment data on the cloud presents new challenges for PCI-DSS compliance due to factors like multi-tenancy, lack of visibility into infrastructure, and dynamic boundaries. The document recommends frameworks like the CSA Cloud Controls Matrix to help delineate responsibilities between merchants and cloud providers to facilitate PCI-DSS compliance in cloud environments.
The document discusses cloud computing concepts including definitions, characteristics, models, providers and pricing. Some key points discussed include:
- Cloud computing provides scalable computing resources as a service over the internet on a pay-per-use basis. Resources include servers, storage, applications and more.
- Cloud models include private, public and hybrid clouds. Providers offer infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
- Cost benefits of cloud computing include low startup costs, no need for on-premise IT staff, and pay per use pricing versus large upfront license fees. Managing multiple cloud contracts can be challenging for businesses.
This document provides an overview of cloud monitoring and discusses several key topics:
- Interoperability between different cloud systems is challenging due to different technologies and lack of standards.
- Data migration between clouds needs to consider availability, costs and preventing vendor lock-in.
- Effective monitoring solutions are needed to avoid frustration from access issues and system outages.
- Management services for clouds include deployment, monitoring, billing and meeting service level agreements.
The document discusses several security issues that must be addressed for Software as a Service (SaaS) applications, including ensuring user authentication and authorization, data confidentiality, availability of cloud services, isolation of virtual machines, network security, and identity management. Proper security measures are needed to prevent unauthorized access to user data stored by SaaS providers and protect against vulnerabilities in web applications, virtualization software, and during the user sign-on process.
The document discusses several security issues that must be addressed for Software as a Service (SaaS) applications, including ensuring user authentication and authorization, data confidentiality, availability of cloud services, isolation of virtual machines, network security, and identity management. Proper security measures are needed to prevent unauthorized access to user data stored by SaaS providers and protect against vulnerabilities in web applications, virtualization software, and during the user sign-on process.
This document discusses a presentation on virtualization and cloud computing essentials from an auditor's perspective. It begins with an introduction of the presenter and their qualifications. It then provides definitions and descriptions of key cloud concepts like virtualization, cloud models of SaaS, PaaS and IaaS. The document outlines some of the business benefits of virtualization including cost reductions, maintenance improvements, security risks, user experience and flexibility. It also discusses some common risks associated with virtualized infrastructure and networks.
The board of an organization is responsible for ensuring the organization securely benefits from cloud computing through a governance framework of security standards, processes, and activities. Organizations must develop, implement, and maintain a cloud governance framework and understand trust boundaries with cloud service providers regarding responsibility for data security. Cloud service providers have developed frameworks like the Cloud Controls Matrix against which customers can audit security controls and obtain independent certifications. Customers should ensure cloud service providers maintain adequate resilience against operational risks and comply with data protection regulations regarding personal data storage and transfers.
Security in Clouds: Cloud security challenges – Software as a
Service Security, Common Standards: The Open Cloud Consortium – The Distributed management Task Force – Standards for application Developers – Standards for Messaging – Standards for Security, End user access to cloud computing, Mobile Internet devices and the cloud. Hadoop – MapReduce – Virtual Box — Google App Engine – Programming Environment for Google App Engine.
This document discusses cloud computing benefits and risks. It outlines various cloud service models like IaaS, PaaS, and SaaS. It emphasizes that securing data in the cloud is a shared responsibility of both the cloud service provider and customer. The document provides guidance on standards, defining responsibilities, governance practices, and protecting critical data when using cloud services.
Ensuring PCI DSS Compliance in the Cloud
A simple approach based on ownership control and shared responsibility can help organizations more effectively migrate PCI DSS compliance to Amazon Web Services’ public cloud.
Executive Summary
The adoption of public cloud services has proven effective across a diverse set of industries, as numerous successful use cases illustrate. Despite its many operational and cost benefits, however, organizations need to think about the cloud’s security implications and how the model will also affect data privacy and availability.
Decisions get further complicated once a cloud services provider enters the picture. Organizations that must ensure the security of cardholder data, for example, often find the challenge of complying with the Payment Card Industry Data Security Standard (PCI DSS) difficult and overwhelming. The standard is structured as 12 requirements intended to ensure the security of cardholder data that is stored, processed and/or transmitted by merchants and other establishments.
Given its comprehensive nature and the surfeit of information on security procedures and requirements, personnel responsible for ensuring the security of cardholder data are often at a loss on where to start and how to go about establishing compliance.
This white paper offers a simple and time-tested approach based on ownership control that can help IT organizations, merchants — their customers — and other stakeholders to incrementally mitigate the risk factors on their path toward achieving PCI DSS compliance. The paper provides an overview of cloud components, compliance requirements, challenges in ensuring compliance and cloud security best practices, and shows how our approach helps determine which parties are responsible for which security mechanisms and how doing so can more effectively resolve customer issues.
This white paper presents our approach to compliance from the perspective of an Amazon Web Services (AWS) infrastructure as a service (IaaS) environment, and it highlights the benefits of this approach for companies seeking to achieve PCI DSS compliance using AWS.
The Cloud, So Far
Cloud adoption is growing at a rapid rate, assisted by technological advancements such as high-speed Internet connectivity and innovations in systems hardware. These advancements have brought down the costs of compute and data storage and enabled service providers to meet and, in some cases, exceed customer expectations in terms of scalability, availability and cost. But this in turn has introduced new complications concerning user security considerations. User companies must clearly understand the scope of responsibility that the cloud service provider accepts for each PCI DSS requirement, and which services and system components are validated for each requirement. The areas of responsibility and accountability vary for every service and deployment model.
cognizant 20-20 insights | september 2014
Quick Take: Have It Your Way
The way customers deploy services from cloud providers falls into one of the following three models:
• Public: This type of cloud infrastructure is open to the public at large. The service organization typically owns, manages and operates the service from its own premises.
• Virtual private cloud: This type of cloud infrastructure is provisioned solely for a single organization. It is managed either by the organization or by a third party, and may be located on-premises or off-premises.
• Hybrid: Here the cloud infrastructure comprises two or more clouds (private, public or community) that remain unique entities but are bound together by standardized technology.
Before detailing this, it is important to understand the three cloud service models and cloud deployment models. These service and deployment models are relevant to our approach based on ownership control in determining which parties are responsible for what security (see sidebar).
Cloud service models include:
• Infrastructure as a Service: In the IaaS model, the cloud provider gives the customer the capability to provision storage, processing, networks and basic computing resources in which the customer can deploy and run any arbitrary software, including operating systems and applications. The cloud provider manages and controls the underlying cloud infrastructure; the customer only controls the storage, operating systems and deployed applications.
• Platform as a Service: In the PaaS model, the cloud provider gives the customer the capability to deploy onto cloud infrastructure custom/acquired applications developed using programming languages, libraries, tools and services supported by the cloud provider. The cloud provider controls and manages the underlying cloud infrastructure, along with the network, operating systems, storage and servers; the customer retains control over the deployed applications and usually the configuration settings for the application hosting environment.
• Software as a Service: With SaaS, the cloud provider offers the customer the capability of using applications running on its cloud infrastructure. These applications can be accessed from various client devices such as a Web browser or a program interface. The cloud provider manages and controls the underlying cloud infrastructure, along with the network, operating system, servers, storage and individual applications, except for a few specific application configuration settings.
Figure 1: Cloud Infrastructure Configuration. The figure plots consumption model (SaaS, PaaS and/or IaaS) against user location (working on-site or off-site over the Internet) for external, hybrid and private clouds, showing the balance between cost-efficiency and control for each cloud model.
Challenges in Cloud PCI Compliance
The path to PCI DSS compliance is complicated, but it must be addressed by all businesses dealing with storing, processing or transmitting cardholder data. And it is often a daunting responsibility for IT teams to ensure compliance with all 12 PCI DSS requirements, along with 100-plus security controls.
First, large organizations including banks, retail chains and e-commerce companies with exceedingly large cardholder data environments have greater difficulty fully complying with PCI DSS. This is because the PCI standards require changes to be made at all levels, from infrastructure to operating system to network level, and so on. The distributed-layer architectures of cloud environments add layers of technology and complexity to the exercise.
Another challenge is that though PCI DSS is perceived as a business enabler in some organizations, many others see it as a hindrance and a necessary evil that must be dealt with only when absolutely necessary. This perception can translate into fines, penalties and needless sanctions levied when organizations fail to comply.
Public clouds are designed to allow access into the environment from anywhere on the Internet. Hence, additional controls must be employed to compensate for the inherent risks and lack of visibility into the public cloud architecture. These challenges may make it difficult and in some cases impossible for public-cloud-based services to operate in a PCI DSS-compliant manner. Therefore, the burden for providing proof of PCI DSS compliance for a cloud-based service falls on the cloud provider, and customers should accept such proof only after checking evidence of appropriate controls.
Thus it is imperative for companies to obtain sufficient assurance that the scope of the provider’s PCI DSS review is adequate, and that all controls applicable to the hosted entity’s environment have been evaluated and determined to be PCI DSS compliant. The cloud provider should also be prepared to provide its hosted customers with evidence that clearly indicates what was or was not included in the scope of its PCI DSS assessment. Controls that were not covered are therefore the customer’s responsibility in its own assessment. The cloud provider should also provide the details of which PCI DSS requirements were reviewed and considered to be in place and not in place — as well as confirmation of when the assessment was conducted.
Any aspect of the cloud-based service that is not covered by the cloud provider’s review should be identified and documented in a written agreement. The hosted entity should be fully aware of all aspects of the cloud service, including specific system components and security controls, that are not covered by the provider. These then should be managed and assessed by the hosted entity itself.
It makes more sense to get assistance from a PCI-compliant managed services provider. The rewards of this are clear and valuable: they require no capital expenditure by the user organization, offload significant demands from internal IT staff and expedite PCI compliance validation. Moreover, they help organizations avoid hefty fines and financial penalties.
Cloud Security: An Evolving Capability
Figure 2 illustrates at a high level how control is assigned between the customer and cloud service provider in the three cloud service delivery models.
The various roles and responsibilities for security vary across the different cloud service models. To address the various security needs of the workloads or cloud scenarios, organizations need to understand the ownership responsibilities for protecting these workloads. The responsibility for security increases for the cloud service provider at higher levels of the stack and increases for the user organization at lower levels.
In an IaaS model, for example, the cloud provider is responsible for the security of just the infrastructure, but in the SaaS model the cloud provider is responsible for the security of both the infrastructure and the application.
The sidebar on page 5 offers a brief description of various PCI compliance requirements and how they can be addressed in AWS.
PCI Compliance Requirements:
An Overview
As Figure 3 (next page) shows, PCI DSS compliance requirements can be classified into six security domains. This breakdown can help in mapping security best practices recommended on public IaaS environments such as AWS.
Using this classification, we can further map each security requirement to IaaS provider and user organization responsibilities. This classification will help user organizations understand security best practices on AWS and help them determine their coverage in meeting and maintaining the compliance requirements.
Figure 2: Comparing, Contrasting Organization and Cloud Vendor Controls
Stack layers shown for each service model (top to bottom):
IaaS: Process, App + Data, VM, Server, Storage, Network, Physical
PaaS: Process, App + Data, Services, Server, Storage, Network, Physical
SaaS: Process, App + Data, Services, Server, Storage, Network, Physical
The Physical layer covers data center, admin access, physical access, etc.; the Process layer covers governance, PMO, change management, etc. Legend: vendor has control; organization has control; organization shares control with vendor.
Cloud Security and Compliance Approach
Network Security
Network security defines the requirements for protecting cardholder data through firewall configurations at the network layer and ensures that system default passwords are changed at the OS platform level. These requirements, at a very high level, can be mapped with the user organization’s responsibility in the AWS IaaS environment and can be achieved through the following security best practices.
Network Isolation
AWS offers the ability to define a virtual network that is dedicated to the organization and isolated from other organizations/tenants on the public cloud. This ability to define a virtual private cloud enables organizations to configure a network environment that is very similar to an on-premises traditional network. This environment also allows a virtual private network (VPN) connection to be established between the organization’s on-premises network and the virtual private cloud.
The AWS virtual private cloud allows network configuration that is very similar to a typical Web application deployment environment. This environment has a public subnet, or demilitarized zone, hosting Web servers and private subnets hosting applications, as well as database servers.
Quick Take: Amazon’s Approach to PCI DSS Compliance
AWS is PCI DSS Level 1 compliant. This means that organizations using the AWS IaaS can rely on the PCI Compliance Validation of the technology infrastructure while managing compliance and certification of their own environment. AWS service provider compliance covers all requirements as defined by the PCI DSS for physical infrastructure service providers.
AWS recommends a shared responsibility model for organizations hosting their applications on its infrastructure. In this model, AWS is responsible for physical and virtual infrastructure up to the level of the virtual machine (hypervisor), and the organization is responsible for operating systems (OS), firewalls, antivirus, middleware, applications and account management. AWS supports this approach with various security best practices that are applicable to organizations in achieving and maintaining PCI compliance on an ongoing basis.
Figure 3: Compliance Requirements Classification
Network Security: Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Data Protection: Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks. Requirement A.1: Shared hosting providers must protect the cardholder data environment.
Vulnerability Management Program: Requirement 5: Use and regularly update anti-virus software or programs. Requirement 6: Develop and maintain secure systems and applications.
Access Control Measures: Requirement 7: Restrict access to cardholder data by business need to know. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data.
Monitor and Test Networks: Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes.
Information Security Policy: Requirement 12: Maintain a policy that addresses information security for all personnel.
Private subnets can be configured with various inbound and outbound rules that meet the exact requirements of the hosted applications, including monitoring and management.
Software Firewalls
Firewall configurations at the individual server level provide the ability to block access from hosts outside the specified subnets. Firewall configurations on AWS environments can be created to meet the existing firewall configuration rules on on-premises networks. This ability to administer firewall configurations and maintain audit logs pertaining to changes in the configuration is a key requirement of PCI DSS compliance. AWS security groups/firewall configurations for servers also produce audit logs of changes to configurations by administrators.
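The subnet isolation and per-server firewall rules described above are only as good as the rules that end up in the security groups. The following is an added example (not code from the paper or from AWS) that audits security-group definitions against a small PCI-style rule set: no management ports open to the Internet, no private-tier group accepting traffic from anywhere, and the DMZ exposing only HTTPS. The group definitions are constructed to mirror the shape of an ec2 describe-security-groups response; the tier assignment, allowed ports and severities are assumptions.

```python
"""Audit EC2 security-group rules, the per-instance software firewall in AWS,
against a small PCI-style rule set. Added example: the groups below are constructed
to mirror the shape of an ec2 describe-security-groups response and do not come
from any real account; the tier assignments and allowed ports are assumptions."""
import ipaddress

ANY_V4 = "0.0.0.0/0"
PUBLIC_TIER_ALLOWED_PORTS = {443}          # assumption: the DMZ exposes HTTPS only
MANAGEMENT_PORTS = (22, 3389)              # SSH and RDP must never face the Internet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ports(perm):
    """Human-readable port span of a permission entry."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _covers(perm, port):
    """True if the permission entry includes the given port."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _is_private(cidr):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def audit_security_groups(groups, public_group_ids):
    """Return (group_id, severity, message) findings.

    public_group_ids: ids of the groups attached to the public subnet (DMZ) tier;
    every other group is treated as private-tier (app or database subnet)."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        is_public = gid in public_group_ids
        for perm in group.get("IpPermissions", []):
            ports = _ports(perm)
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if perm.get("IpProtocol") == "-1":
                    findings.append((gid, "high", f"all protocols/ports open from {cidr}"))
                elif cidr == ANY_V4:
                    if any(_covers(perm, p) for p in MANAGEMENT_PORTS):
                        findings.append((gid, "high", f"management port(s) in {ports} open to {ANY_V4}"))
                    elif not is_public:
                        findings.append((gid, "high", f"private-tier group accepts {ports} from {ANY_V4}"))
                    elif perm.get("FromPort") not in PUBLIC_TIER_ALLOWED_PORTS:
                        findings.append((gid, "medium", f"public-tier group exposes {ports} to {ANY_V4}"))
                elif not is_public and not _is_private(cidr):
                    findings.append((gid, "medium", f"private-tier group accepts {ports} from non-RFC1918 {cidr}"))
            # Rules whose source is another security group (UserIdGroupPairs) are the
            # intended pattern for the app and database tiers and are not flagged.
    return findings


# Constructed sample: a three-tier layout with two deliberate mistakes.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-dmz", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-app", "GroupName": "app-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "GroupName": "db-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": ANY_V4}]}]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS, {"sg-web"}):
        print(*finding, sep="\t")
```

Run against the sample, the audit reports the SSH rule on the DMZ group and the database group that accepts PostgreSQL connections from any address; the app group, which only trusts the web tier's security group, is clean. The same check can be run on each change event so that the audit log the text mentions is backed by an automated verdict.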
Image Hardening
Image hardening of the virtual machine images in the cloud environment is a critical step in launching a server instance. Cloud environments have extensive support for building virtual machine images that satisfy all the PCI DSS compliance requirements in this space. There are multiple approaches: starting from a pre-built security-hardened image, or starting from a base image that then goes through the organization’s own server hardening process for each tier. In the latter approach, a base image is hardened according to PCI DSS requirements, producing a golden image that meets all the mandatory requirements for a particular tier. The following are the key steps for hardening an instance:
• Patching, including security updates.
• Disabling password-based authentication.
• Disabling all unwanted services.
• Removing all users, except administrators and support users.
• Allowing key-based logins for administrators and support users.
• Changing default configurations for administrator/manager users.
• Removing all default applications on Web/app servers.
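A golden image is only trustworthy if the hardening steps can be verified on the image itself. The following is an added example (not code from the paper) that checks two of the steps listed above on a Linux image: password logins disabled in sshd_config and no login-capable accounts beyond administrators and support users. The sshd_config text, the passwd excerpt and the allow-list are constructed inputs, and the required settings are assumptions about what "key-based logins only" should mean.

```python
"""Verify two of the hardening steps above on a Linux image: password logins
disabled in sshd_config and no login-capable accounts beyond administrators and
support users. Added example: the configuration text, the passwd lines and the
allow-list are constructed inputs, and the required settings are assumptions."""
import re

# Assumed baseline for key-based logins only.
REQUIRED_SSHD = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}
ALLOWED_LOGIN_USERS = {"sysadmin", "support"}   # constructed: administrator and support accounts
NOLOGIN_SHELLS = ("/nologin", "/false")


def parse_sshd_config(text):
    """Return the effective keyword -> value map (lower-cased).

    sshd uses the first value it reads for a keyword, so a later duplicate does not
    override an earlier one. Lines after the first 'Match' block are conditional
    and are left out of the global view."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd(text):
    """List every required setting whose effective value is missing or wrong."""
    effective = parse_sshd_config(text)
    return [f"{key} is {effective.get(key, '<default>')}, expected {expected}"
            for key, expected in REQUIRED_SSHD.items()
            if effective.get(key) != expected]


def audit_passwd(passwd_text, allowed=ALLOWED_LOGIN_USERS):
    """Return interactive accounts (uid >= 1000 with a real shell) not on the allow-list."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= 1000 and not shell.endswith(NOLOGIN_SHELLS) and name not in allowed:
            extra.append(name)
    return extra


# Constructed sshd_config: password auth left on, root login only partly restricted,
# and a later duplicate line that sshd will ignore because the first value wins.
SAMPLE_SSHD = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin prohibit-password
# the following line is ignored by sshd: first value wins
PasswordAuthentication no
"""

# Constructed /etc/passwd excerpt with one leftover developer account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadmin:x:1000:1000::/home/sysadmin:/bin/bash
support:x:1001:1001::/home/support:/bin/bash
appdev:x:1002:1002::/home/appdev:/bin/bash
backup:x:1003:1003::/var/backups:/usr/sbin/nologin
"""

if __name__ == "__main__":
    print("\n".join(audit_sshd(SAMPLE_SSHD)) or "sshd_config OK")
    print("unexpected login accounts:", audit_passwd(SAMPLE_PASSWD))
```

The parser deliberately honours sshd's first-match rule: the trailing "PasswordAuthentication no" in the sample is exactly the kind of fix that looks right in a file diff but has no effect, and a check that read the last value would miss it. Against the sample the audit reports three sshd findings and one unexpected account.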
Data Protection
Data protection defines the requirement of guarding cardholder data during both storage and transmission of data across open, public networks. These requirements can be addressed by user organizations in AWS through the following security best practices for encrypting data at rest and in transit.
Transport Layer Security through SSL
Applications designed to handle or transmit cardholder data use SSL for securing the Web request/responses. SSL termination is usually handled by Web/app servers that can be off-loaded to load balancers on AWS environments. Off-loading the SSL termination from Web/app servers ensures that the keys are not stored on individual instances and are stored within secure cloud storage locations that can be protected through permissions.
Key Management Interface
Applications designed for PCI DSS compliance require encryption based on public-key cryptography or the Advanced Encryption Standard. These encryption technologies depend on secure key management systems that are certified for PCI DSS compliance. Key management systems, such as the cloud hardware security modules that are available as appliances on the AWS environment, can be used for this purpose. This dedicated appliance provides secure key storage and a set of cryptographic operations for encrypting and decrypting data. The appliance can be hosted on a private subnet and can only be accessed from secure instances within the subnet by administrators/users with specific roles.
Secure Cloud Storage
Applications designed for storage of cardholder data will need to encrypt data stored in the file or database storage locations. AWS supports data encryption at the time of storage automatically through transparent data encryption and native network encryption enabled on the AWS relational data services. AWS Cloud Storage S3 also offers encryption of data using both client- and server-side encryption. This ensures that data can be encrypted during storage and cannot be accessed directly.
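Server-side encryption on S3 protects stored data only if every upload actually requests it, so the bucket policy should refuse unencrypted writes. The following is an added example (not code from the paper or from AWS) of the two-statement bucket policy that does this, together with a deliberately minimal evaluator that shows why both statements are needed. The bucket name is a placeholder; the policy uses the real s3:x-amz-server-side-encryption condition key, but evaluate_put() models only the Null and StringNotEquals operators this pattern relies on, not the full IAM evaluation logic.

```python
"""Check that an S3 bucket policy refuses uploads that are not server-side encrypted.
Added example, not AWS tooling: the policy is a constructed document that uses the
real s3:x-amz-server-side-encryption condition key, and evaluate_put() is a minimal
evaluator that handles only the Null and StringNotEquals operators this pattern
needs (real IAM evaluation is far broader). The bucket name is a placeholder."""
import json

SSE_KEY = "s3:x-amz-server-side-encryption"

BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-cardholder-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyUnapprovedAlgorithm", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-cardholder-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}}
  ]
}""")

# The same policy with the second statement dropped: a common mistake.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": BUCKET_POLICY["Statement"][:1]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context (header values)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # Null/true matches when the key is absent from the request.
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            elif operator == "StringNotEquals":
                # An absent key does not satisfy StringNotEquals, which is why the
                # Null statement is needed as well.
                if actual is None or actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate_put(policy, context):
    """Return 'deny' if any Deny statement on s3:PutObject matches, else 'allow'
    (assumes an identity policy already grants the upload)."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if "s3:PutObject" not in _as_list(statement.get("Action", [])):
            continue
        if _condition_matches(statement.get("Condition", {}), context):
            return "deny"
    return "allow"


def policy_enforces_sse(policy):
    """True when a missing header and a non-approved algorithm are both denied
    while the two approved algorithms are still allowed."""
    return (evaluate_put(policy, {}) == "deny"
            and evaluate_put(policy, {SSE_KEY: "AES256"}) == "allow"
            and evaluate_put(policy, {SSE_KEY: "aws:kms"}) == "allow"
            and evaluate_put(policy, {SSE_KEY: "none"}) == "deny")


if __name__ == "__main__":
    print("full policy enforces SSE:", policy_enforces_sse(BUCKET_POLICY))
    print("weak policy enforces SSE:", policy_enforces_sse(WEAK_POLICY))
```

The weak variant still denies an upload with no encryption header, but accepts one that names an unapproved algorithm, so a compliance check that only sends a header-less request would pass it. Testing all four request shapes, as policy_enforces_sse() does, is the check an auditor would want to see automated.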
Vulnerability Management Program
Vulnerability management defines the requirement for building and maintaining an environment that has anti-virus technology installed and updated regularly; file integrity monitoring enabled at the system level; intrusion detection and prevention at the network level; and avoidance of common vulnerabilities at the application and database implementation level. AWS supports various third-party security SaaS providers that offer network intrusion detection and prevention capabilities. The following security best practices detail the approaches involved in incorporating these solutions.
Anti-Virus Installation
PCI DSS specifies that the OS platforms are installed with anti-virus software that is updated on a regular basis through automated virus definition updates. The golden images prepared in AWS can be installed with anti-virus software and configured to download virus definition and software updates periodically. As the server instances are usually hosted on private subnets, these subnets are configured with network address translation (NAT) instances to allow outbound Internet access for these updates.
Configuration Management
PCI DSS specifies that the server instances need to be monitored for any drift/change in configuration, and that each change be logged as an event that can be used for alerting system administrators or IT management. The configuration manager also needs to produce daily reports that the security team can analyze for any tampering with the configuration on these instances. These reports are to be stored and later archived for a specified time period.
This can be approached by enabling file integrity monitoring on all server instances to monitor critical configuration files. This monitoring is provided by a system-level intrusion detection environment that is capable of alerting administrators via e-mail whenever any configuration change takes place. The configuration varies based on the server type, as the directories to be monitored for a Web server differ from those for app or database servers.
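The file integrity monitoring described above reduces to a simple loop: hash the watched files into a baseline, re-hash on a schedule, and report the difference. The following is an added example (not a product and not code from the paper) of that loop; the per-tier watch lists are assumptions, and demo() builds its files in a temporary directory so the tampering scenario can be run without touching real configuration.

```python
"""Minimal file-integrity monitor for the configuration directories of a server
tier: record a SHA-256 baseline, then report added, removed and modified files.
Added example, not a product: the watch lists are assumptions and demo() builds its
files in a temporary directory rather than touching real configuration."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed per-tier watch lists; the text notes these differ by server role.
WATCH_DIRS = {
    "web": ["/etc/httpd", "/etc/ssl"],
    "app": ["/opt/app/conf"],
    "db": ["/etc/postgresql"],
}


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): _sha256(p) for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Compare two snapshots; the result is what an alert e-mail would carry."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    # In production the baseline must live somewhere the monitored host cannot rewrite.
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a web-tier config directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf"
        conf.mkdir()
        (conf / "httpd.conf").write_text("Listen 443\n")
        (conf / "ssl.conf").write_text("SSLProtocol -all +TLSv1.2\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(conf), baseline_file)

        # Simulated tampering: weaken the TLS setting, delete a file, drop in a new one.
        (conf / "ssl.conf").write_text("SSLProtocol all\n")
        (conf / "httpd.conf").unlink()
        (conf / ".htaccess").write_text("Options +ExecCGI\n")
        return diff_snapshots(load_baseline(baseline_file), snapshot(conf))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff is the payload for the e-mail alert the text mentions; the daily report is the same diff accumulated over the day. Note that hidden files are included in the snapshot: a dropped-in .htaccess is exactly the kind of change a web-tier watch list exists to catch.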
Network Intrusion Detection and Prevention Systems
PCI DSS specifies the network intrusion detection and prevention systems used for monitoring network traffic to stop various threats on an ongoing basis. These systems are required to execute various vulnerability scans to ensure that the systems are compliant on a daily basis and produce detailed vulnerability reports of the various hosts in the network. Third-party vendors offering intrusion detection and prevention systems also support PCI DSS compliance and are approved by the PCI Security Standards Council.
Configuring a third-party intrusion detection and prevention offering via a SaaS-delivered model is supported by the AWS cloud. The IDS/IPS launches an appliance/agent on the public subnet of the cloud environment that is capable of monitoring network traffic and conducting scans of the hosts in the specified network. The IDS/IPS is updated by vendors on a regular basis to continuously detect new or emerging threats.
AWS supports various agent-/appliance-based monitoring of virtual private cloud environments supporting compliance requirements.
Application Vulnerabilities
PCI DSS specifies that application/database design and implementation need to eliminate common risks/vulnerabilities as defined by the Open Web Application Security Project (OWASP) Top 10 and the SANS Institute Common Weakness Enumeration (CWE) Top 25. The application and database security needs to address these risks/vulnerabilities through various security best practices that are applicable to both on-premises and cloud deployment environments. Following are some of the common best practices applicable to Web applications:
• Authentication and authorization: The application needs to implement best practices on authentication and session validation for user requests. Invalid login attempts are tracked by the application; user accounts are then automatically locked. The application validates the user session on every request and allows access only to authorized pages on the application.
• Rate limiting and CAPTCHA implementation: The application needs to implement rate limiting based on the client IP address and does not allow any user to send more than a specified number of requests per second. This ensures that any automated attack on the Web application is blocked by filter mechanisms.
The application can use CAPTCHA on critical functionalities such as handling user registrations and capturing payment information. This ensures that any automated attack on the critical functionality is prevented.
• Web container filters: The application needs to implement filters to screen all input fields for SQL and OS command injections. This ensures that any attempts to inject scripts through input fields are blocked. Uploading of scripts through HTTP commands is blocked by Web server configurations. The application also uses standard libraries available as part of the Web container to block cross-site request forgery.
Common weaknesses include several other software errors that can be addressed through application design, Web frameworks and container-based mechanisms. All are common across on-premises and cloud environments.
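The account-lockout and per-client rate-limiting practices listed above are small pieces of logic that sit in front of the application. The following is an added example (not code from the paper) of both, with an injected clock so the scenario is deterministic. The lockout defaults follow the values in PCI DSS requirements 8.5.13 and 8.5.14 (lock after no more than six attempts, for at least 30 minutes); the request limit per second is an assumption.

```python
"""Client rate limiting and failed-login lockout applied in front of application
logic. Added example, not code from the paper: it uses an injected clock so the
scenario is deterministic, and the defaults follow the lockout values in PCI DSS
requirements 8.5.13 and 8.5.14 (no more than six attempts, 30-minute lockout);
the request limit is an assumption."""
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key
    (typically the client IP address)."""

    def __init__(self, limit=10, window=1.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class LoginGuard:
    """Locks a user ID after `max_failures` consecutive failures for `lock_seconds`."""

    def __init__(self, max_failures=6, lock_seconds=1800, clock=time.monotonic):
        self.max_failures, self.lock_seconds, self.clock = max_failures, lock_seconds, clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:                       # lockout expired
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record(self, user, success):
        """Call after each credential check; returns True if the account is now locked."""
        if success:
            self._failures[user] = 0
            return False
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lock_seconds
            return True
        return False


class FakeClock:
    """Constructed clock so the scenario below does not depend on wall time."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Constructed scenario: a burst from one IP and a password-guessing run on one user."""
    clock = FakeClock()
    limiter = RateLimiter(limit=3, window=1.0, clock=clock)
    burst = [limiter.allow("203.0.113.7") for _ in range(4)]     # 4 requests in one second
    clock.advance(1.0)
    after_window = limiter.allow("203.0.113.7")

    guard = LoginGuard(max_failures=6, lock_seconds=1800, clock=clock)
    outcomes = [guard.record("alice", success=False) for _ in range(6)]
    locked = guard.is_locked("alice")
    clock.advance(1800)
    unlocked = not guard.is_locked("alice")
    return {"burst": burst, "after_window": after_window,
            "locked_on_attempt": outcomes.index(True) + 1, "locked": locked, "unlocked": unlocked}


if __name__ == "__main__":
    print(simulate())
```

The application should consult is_locked() before it even checks the password, and the lockout state must be shared across instances (a cache or the database) rather than held in process memory as here, or a load balancer will spread the attempts across servers and no single one will reach the threshold.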
Access Control Measures
Access control measures define the requirement for restricting access to data to various user groups and roles across production and development/test environments. This also requires that users are uniquely identified and their actions can be logged for auditing purposes. This requirement also defines the various restrictions on physical access to cardholder data through access to physical infrastructure. AWS provides identity and access management that can be structured to meet the access control requirements across environments. As the physical infrastructure is under the control of AWS, this requirement is primarily addressed by PCI compliance measures adopted by AWS.
Cloud Identity and Access Management
PCI DSS specifies various access rules for authorized personnel accessing the systems at physical infrastructure level and as system administrators. IaaS providers typically ensure compliance of PCI DSS at the physical infrastructure level and require IaaS account management to be performed by users at the organizations. PCI DSS requires the identity and access management of IaaS providers to enable multifactor authentication and role-based policies for administrators and developers.
This can be approached by specifying administrator and developer role policies to restrict access to various environments such as development, testing, staging and production. These policies prevent unauthorized users from accessing restricted environments containing sensitive cardholder data. This ensures that critical systems such as Keystore, database and virtual private cloud (VPC) environments are inaccessible to unauthorized personnel. These policies are also extended to API-based access to AWS environments. This will ensure that unauthorized personnel do not programmatically access these critical resources on the cloud environment. Administrators are also required to use multifactor authentication to access the AWS management console, which is a critical requirement specified by PCI DSS.
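The role policies described above should be reviewed mechanically as well as by eye. The following is an added example (not code from the paper or from AWS) that lints IAM policy documents for two of the properties the text asks for: no statement may grant every action on every resource, and access to sensitive services must be conditioned on multifactor authentication. The policies are constructed, the list of sensitive services is an assumption, and the check uses the real aws:MultiFactorAuthPresent condition key, including the BoolIfExists variant that silently fails to require MFA for long-term access keys.

```python
"""Lint IAM policy documents for the role-policy properties described above: no
statement may grant every action on every resource, and access to sensitive
services must be conditioned on multifactor authentication. Added example: the
policies are constructed, the sensitive-service list is an assumption, and the
check uses the real aws:MultiFactorAuthPresent condition key."""

SENSITIVE_PREFIXES = ("ec2:", "rds:", "kms:", "iam:", "s3:")   # assumption: PCI-relevant services
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def mfa_requirement(statement):
    """'enforced' for Bool/true, 'weak' for BoolIfExists/true, None if absent.

    BoolIfExists passes when the key is missing from the request context, which is
    the case for calls made with long-term access keys, so it does not require MFA."""
    condition = statement.get("Condition", {})
    if str(condition.get("Bool", {}).get(MFA_KEY, "")).lower() == "true":
        return "enforced"
    if str(condition.get("BoolIfExists", {}).get(MFA_KEY, "")).lower() == "true":
        return "weak"
    return None


def lint_policy(name, document):
    """Return (policy name, statement id, message) findings for Allow statements."""
    findings = []
    for index, statement in enumerate(document["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement-{index}")
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((name, sid, "grants every action on every resource"))
        touches_sensitive = any(a == "*" or a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if touches_sensitive:
            status = mfa_requirement(statement)
            if status is None:
                findings.append((name, sid, f"sensitive actions allowed without {MFA_KEY}"))
            elif status == "weak":
                findings.append((name, sid, f"{MFA_KEY} checked with BoolIfExists; access keys bypass it"))
    return findings


# Constructed: a production administrator role that requires MFA ...
PROD_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProdAdminWithMfa", "Effect": "Allow",
        "Action": ["ec2:*", "rds:*"], "Resource": "*",
        "Condition": {"Bool": {MFA_KEY: "true"}}}]}

# ... and a developer policy with two mistakes (account id and key id are placeholders).
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevFullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "KeyUse", "Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
         "Condition": {"BoolIfExists": {MFA_KEY: "true"}}},
    ]}


if __name__ == "__main__":
    for policy_name, document in (("prod-admin", PROD_ADMIN_POLICY), ("developer", DEV_POLICY)):
        for finding in lint_policy(policy_name, document):
            print(*finding, sep="\t")
```

The developer policy yields three findings: the blanket grant, the missing MFA condition on it, and the BoolIfExists condition on the key-usage statement. That last one is the subtle case: it reads as an MFA requirement but is satisfied by any request made with an access key, which is precisely the programmatic access path the text says the policies must also cover.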
Monitor and Test Networks
Monitor and test networks defines the requirement for monitoring access to the network and data. This requires logging of application-level access and administrative activities, which can be later analyzed for any unauthorized accesses (with notifications sent to authorized personnel). This also requires that various vulnerability and penetration tests are carried out on an ongoing basis to detect any noncompliance due to configuration changes. AWS provides audit logging mechanisms for administrative activities. The application environments can also be enabled to generate logs that can be later aggregated and analyzed in the cloud environment. This environment also allows penetration and vulnerability scans by third-party SaaS providers with advance notification to AWS.
Cloud Administration: Audit Logging
PCI DSS specifies that all administrative access to deployment environments should have audit logging enabled, which can be verified during audits. IaaS providers support the logging of various administrative activities performed in the cloud environments either through the console or APIs. AWS CloudTrail provides an activity log that requires further processing to extract relevant activities.
Our Trail Digest is an appliance for AWS that is capable of processing audit trails logged by AWS and generating relevant reports and notifications for certain specified events. The real-time monitoring of administrative access logs is critical in ensuring that configuration changes do not affect PCI DSS compliance and do not lead to a security breach. All critical configurations such as software firewalls, VPC rules and launching/termination of server instances are monitored in near real time, with alerts sent as notifications to authorized personnel.
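The processing step the text refers to, turning the raw CloudTrail activity log into alerts on the events that matter, can be shown with a few lines. The following is an added example (not the Trail Digest product and not code from the paper) that scans CloudTrail records for security-group changes, route changes, instance launch/termination and attempts to disable logging, and raises the severity of any change made without MFA. The records are constructed in CloudTrail's JSON layout with placeholder account and identity values; the event-to-severity map is an assumption.

```python
"""Scan CloudTrail records for the administrative events the text calls out
(security-group changes, VPC routing changes, instance launch/termination) and
turn them into alerts, raising severity for changes made without MFA. Added
example, not the Trail Digest product: the records are constructed in CloudTrail's
JSON layout with placeholder account and identity values."""
import json
from collections import Counter

SEVERITIES = ["low", "medium", "high", "critical"]
WATCHED_EVENTS = {                       # assumed map of event name -> base severity
    "AuthorizeSecurityGroupIngress": "high",
    "AuthorizeSecurityGroupEgress": "high",
    "RevokeSecurityGroupIngress": "medium",
    "CreateRoute": "medium",
    "DeleteRoute": "medium",
    "RunInstances": "medium",
    "TerminateInstances": "high",
    "StopLogging": "critical",
    "DeleteTrail": "critical",
}


def _escalate(severity):
    """One step up the scale, capped at critical."""
    return SEVERITIES[min(SEVERITIES.index(severity) + 1, len(SEVERITIES) - 1)]


def alerts_from_trail(trail_json):
    """Return an alert dict per watched record, in file order."""
    alerts = []
    for record in json.loads(trail_json)["Records"]:
        name = record.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        identity = record.get("userIdentity", {})
        actor = identity.get("arn") or identity.get("userName") or identity.get("type", "unknown")
        # CloudTrail stores the MFA flag as the string "true"/"false" under sessionContext;
        # calls made with long-term access keys carry no sessionContext at all.
        mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
        severity = WATCHED_EVENTS[name] if mfa else _escalate(WATCHED_EVENTS[name])
        alerts.append({
            "time": record.get("eventTime"), "event": name, "actor": actor,
            "source_ip": record.get("sourceIPAddress"), "region": record.get("awsRegion"),
            "mfa": mfa, "severity": severity,
            # A denied attempt is still worth knowing about.
            "denied": record.get("errorCode") == "AccessDenied",
        })
    return alerts


def severity_counts(alerts):
    return Counter(alert["severity"] for alert in alerts)


# Constructed sample (placeholder account id, ARNs and addresses).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"groupId": "sg-example"}},
    {"eventTime": "2014-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2014-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.99",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2014-05-01T11:31:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.99", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})


if __name__ == "__main__":
    for alert in alerts_from_trail(SAMPLE_TRAIL):
        print(json.dumps(alert))
```

The read-only DescribeInstances call is ignored, the MFA-backed security-group change is reported at its base severity, and both of the non-MFA actions are escalated; the denied StopLogging attempt is kept because a failed attempt to switch off the audit trail is itself a signal. The same function applied to each delivered log file is the near-real-time monitor the text describes.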
Cloud Audit: Automated Verification
PCI DSS specifies the monitoring and verification of deployment environments on a regular basis to ensure compliance. This requires the verification of the environment through either manual or automated processes to ensure that any ongoing changes in the environment do not lead to any violation of compliance requirements.
Our Audit Equip is an automated compliance verification tool built for cloud IaaS and PaaS environments. This tool is an AWS-based solution that has encoded the PCI compliance rules and is capable of verifying the deployment environment for any violations of the rules. This tool also supports manual verification through a questionnaire that provides the necessary checklist for audit teams. This tool supports the PCI requirement of continuous monitoring and validation of the AWS environments.
Security Monitoring: Log Aggregation and Analysis
PCI DSS specifies that the logs generated by Web, app and database servers, as well as user access logs, must be stored securely and be available for audit purposes.
This can be approached by configuring log aggregation and analysis solutions deployed as an appliance on AWS environments. The server instances running Web, app or database servers generate logs that can be rotated periodically to a secure cloud storage location, which is accessible to these log analysis systems. The server instances can also be enabled with system-level intrusion detection that generates daily logs of activity. All individual logs are aggregated on cloud storage and then analyzed for security requirements.
Information Security Policy
Organizations and PCI-compliant IaaS providers must update their information security policy based on the shared responsibility model. This process requires understanding the PCI compliance achieved by the IaaS provider for the technology infrastructure and for the organization’s information security policy covering PCI compliance on the OS, middleware and application layers.
Looking Forward
There are numerous ways to leverage the advantages of cloud-based models for PCI DSS compliance, but it is also necessary for enterprise IT organizations to be aware of and responsible for various aspects of security. While this task is often seen as daunting, it should not discourage organizations from moving to the cloud. All that the organization needs is to understand its responsibilities under the shared responsibility model and adopt best practices similar to those outlined in this white paper to ensure PCI DSS compliance.
This white paper outlines our viewpoint and some of the best practices by which end-user organizations can ensure PCI DSS compliance. But these are the first steps to becoming PCI compliant. In order to remain PCI compliant, processes need to be in place and refined throughout the year. The key to ensuring ongoing PCI compliance is continuity.
• Make someone accountable and responsible. Give someone responsibility for ascertaining that all IT and business processes ensure the PCI DSS compliance requirements.
• Configuration control is the key. Configuration management is all about ensuring that the right versions are in the right places.
• Have a vulnerability management system in place. Ensure that all vulnerabilities are addressed, including less important ones.
• Establish patch management and change control: Orchestrate or automate your patch management and make it a continuous process. Patch management should be carried out within a change control framework.
About the Authors
Srikarthik Venkataraman is a Senior Architect within Cognizant’s Cloud Practice. He focuses on architecting application migration to the cloud with an eye toward security and compliance requirements. Srikarthik previously architected SaaS-based solutions for various analytics platforms in the areas of speech to text conversion and social media monitoring. He holds a B.E. degree from Madras University and is currently working on his master’s in software engineering at BITS, Pilani. He can be reached at Venkataraman.Srikarthik@cognizant.com | LinkedIn: www.linkedin.com/in/srikarthikv.
Arjun Anand is a Business Development Manager within Cognizant’s Cloud Services Business Unit. In this role, he is responsible for building cloud solutions/assets, supporting the company’s cloud strategy and execution across industry domains and assisting in cloud consulting engagements. Arjun has rich experience in the software industry in the areas of global delivery and has held various program and project management roles on numerous application development and outsourcing initiatives. He is also a Certified Scrum Master (CSM). Arjun holds a B.E. degree from Anna University and a PGDM from Indian Institute of Management (IIM), Bangalore. He can be reached at ArjunAnand.D@cognizant.com | LinkedIn: http://www.linkedin.com/in/iimbarjun.
About Cognizant Cloud Services
Cognizant Cloud Services works closely with Amazon Web Services (AWS) to deliver flexible, elastic and scalable security solutions that are compatible with the AWS environment. We also understand that in order to resolve all the security challenges, no compromises should be made on the cloud’s operational and economic benefits. As such, we help organizations embrace the cloud by devising strategies to overcome the perceived security concerns as they look to migrate their applications to a cloud environment.
We deliver the broad range of security capabilities as part of the shared responsibility model, including packaged solutions and blueprints in place to help ease the customer’s path to compliance. For instance, our PCI DSS compliance-ready environment can be used to migrate any PCI DSS application to the cloud. With this blueprint, customers could host their PCI-compliant application on an AWS public cloud and assess how PCI DSS compliance would be fulfilled.
To find out more about Cognizant’s cloud solutions, please visit: www.cognizant.com/cloud-computing or www.cognizant.com/businesscloud.