#rightscale
PCI Compliance in Public Cloud Is Achievable
RightScale Story
• We accept credit cards for payment: we are a Merchant and must meet PCI DSS compliance as part of our contract
• We only use public cloud services: we are “all-in” cloud, so to speak
• Thus we needed to design, implement, and maintain a PCI environment in the public cloud
My Core Message for Today:
PCI compliance in public
cloud is achievable
Agenda
• Your selection of partners matters
• Application design and system deployment are key
• Walkthrough of PCI DSS
Partners Matter
• Your choice of:
• Cloud Service Provider
• Assessor: Qualified Security Assessor (QSA) or Internal Resource
• Will have a significant impact on your ability to achieve
compliance
Cloud Service Provider
• The partnership carries an implicit “shared responsibility” model
• The CSP has to be doing its part; where its part ends depends on the service model:
• IaaS – everything up to and including the hypervisor (or equivalent)
• PaaS – IaaS + the underlying OS and supporting applications
• SaaS – PaaS + data protection
What to look for in a CSP
• Is on the “Approved Service Providers” list (i.e., has completed a Level 1 assessment) *OR* has done a Level 2 assessment (typically a self-assessment questionnaire rather than a QSA-led audit) and can show you the validation results (the essence of Requirement 2.4, the shared hosting provider requirement in PCI DSS v2.0)
• Many providers go through the rigor of ensuring compliance internally, but not the cost of hiring an external QSA
• Do not dismiss a potential partner because they are not on the list. If you are going to dismiss them, do it because they are not transparent
• Will sign a contract that states they must protect CHD in accordance with PCI DSS to the extent it applies to them (Requirement 12.8.2)
Assessor
• This will be the authority who signs off on your compliance
• If they don’t understand the technology or application, the chances of sign-off are small
• There are A LOT of charlatans out there. Be wise with your $ spend
What to look for in an Assessor
• They must understand cloud technology, and ideally the specific cloud technology you are using
• A good default choice for an external Assessor is the one who did the assessment for your chosen CSP (assuming there was one)
• If you don’t want/need to use an external auditor, then determine whether you have the knowledge internally
• The caveat: an internal assessor may know the tech, but they need to be just as versed in the PCI DSS
As a reminder:
PCI compliance in public
cloud is achievable
Application Design
• Your ability to achieve PCI compliance in the public cloud is primarily based on how much forethought you gave to the application in its design
• Most providers, and all cloud-based operating systems, can be PCI compliant. The same cannot be said for all applications
• Ask the following questions:
• What data am I storing? Why? Can I get away without it?
• Do I know the communication flow of the application? Can I restrict communications to specific system roles?
• Am I using well-known, publicly vetted cryptography standards?
Application Guidelines
• Here are guidelines I have used to ensure an application is “securable” from a PCI perspective:
1. Do not store the Primary Account Number (PAN) if you do not need it.
• Many payment processors have mechanisms for recurring billing or credits (a token that references the card on their side). Depending on your situation, it is highly likely that you do not need to store the PAN, which makes your life significantly easier from a PCI DSS compliance standpoint.
2. If you are going to store the PAN, then the design of the crypto mechanism and, more importantly, the key management for the data in the DB, is critical
• This is really not a “cloud” thing; it has to be dealt with in any PCI application that stores CHD.
Application Guidelines (cont.)
3. Terminate SSL/TLS at the load balancer and run all other traffic over the private interface/network
• This assumes that the “private” interfaces have been designed to meet the PCI DSS definition of “non-public”
• This is the case with Amazon Web Services: traffic between the private IP addresses can be treated as a private network and does not require encryption under Requirement 4. That does not mean you can’t or shouldn’t encrypt it anyway, just that you do not have to in order to meet PCI DSS requirements.
4. Validate all user input
• While this is not a “cloud” issue, it is THE main intrusion vector
Yep, that’s pretty much it: protect it in transit and at rest (if needed) & test for bad code
• It is not rocket science, but most folks don’t do these right
Harden the Systems
• Protect the system
• Firewalls (remember ingress and egress)
• Change defaults
• Install patches
• Watch the system for odd behavior or changes
• Shout out to CloudPassage: it manages the firewall rules and the separation of duties that PCI DSS requires, which makes achieving compliance much easier
• I recommend using a public cloud management solution. Trying to do this by hand is error-prone.
Once again:
PCI compliance in public
cloud is achievable
PCI and Cloud Snapshot
• Requirements that need special consideration because of the cloud: 1, 3, 9, 10, 11, 12
• Requirements that are more about HOW than WHAT: 2, 4, 5, 6, 7, 8
Requirement 1: Firewalls
• Design the application and communications flows so they can be secured
• The state of networking features in the cloud has an effect on how you provide isolation for scoping
• e.g., plain AWS EC2 security groups (outside a VPC) are NOT adequate on their own: no egress filtering. VPC security groups do support egress rules, but either way back them with a host-based firewall so that both directions are enforced on every instance
• Review/audit regularly to make sure the design and implementation have not changed
• One nice aspect of the cloud is that since automation is part of the DNA, automation of these reviews is easier
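The “can I restrict communications to specific system roles?” question from the Application Design slide and the “review/audit regularly” point above come down to the same artifact: a written communication-flow design that the deployed firewall rules get checked against. The Go program below is an added example, not code from the deck or from RightScale. It derives the exact ingress and egress rule set a role-based flow design implies and diffs it against a snapshot of deployed security-group rules. The Flow and Rule types, the role names (lb, app, db, bastion), the design and the deployed rules are all constructed for the example; a real run would fill Rule from the provider API.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Flow is one permitted path in the CDE communication design: role From may reach role To on
// Port. From may be a CIDR for an Internet-facing entry point (only the load balancer gets one).
type Flow struct {
	From, To string
	Port     int
}

// Rule is one security-group rule reduced to what the audit needs. The shape is constructed for
// this example; a real run would fill it from the provider API (DescribeSecurityGroups on AWS).
type Rule struct {
	Group     string // role-named group the rule belongs to
	Direction string // "ingress" or "egress"
	Peer      string // the other side: a role-named group or a CIDR
	Port      int    // 0 means all ports
}

// expected derives the exact rule set the design implies: for each flow an ingress rule on To
// from From and, when From is a role rather than a CIDR, an egress rule on From to To. Egress is
// derived on purpose: restricting traffic to roles means enforcing both directions.
func expected(flows []Flow) map[Rule]bool {
	want := map[Rule]bool{}
	for _, f := range flows {
		want[Rule{f.To, "ingress", f.From, f.Port}] = true
		if !strings.Contains(f.From, "/") {
			want[Rule{f.From, "egress", f.To, f.Port}] = true
		}
	}
	return want
}

// Audit compares deployed rules with the design. extra holds rules nothing in the design permits
// (an open port, a wildcard egress); missing holds designed paths with no rule behind them. Both
// are drift. Matching is exact: a rule broader than the design asked for is reported, not treated
// as covering the narrower flow.
func Audit(flows []Flow, deployed []Rule) (extra, missing []Rule) {
	want := expected(flows)
	seen := map[Rule]bool{}
	for _, r := range deployed {
		seen[r] = true
		if !want[r] {
			extra = append(extra, r)
		}
	}
	for r := range want {
		if !seen[r] {
			missing = append(missing, r)
		}
	}
	byText := func(rs []Rule) func(i, j int) bool {
		return func(i, j int) bool { return fmt.Sprint(rs[i]) < fmt.Sprint(rs[j]) }
	}
	sort.Slice(extra, byText(extra))
	sort.Slice(missing, byText(missing))
	return extra, missing
}

// Design and deployed state for a three-tier cardholder data environment, constructed for the example.
var design = []Flow{
	{"0.0.0.0/0", "lb", 443},
	{"lb", "app", 8080},
	{"app", "db", 5432},
	{"bastion", "app", 22},
	{"bastion", "db", 22},
}

var deployedRules = []Rule{
	{"lb", "ingress", "0.0.0.0/0", 443},
	{"lb", "egress", "app", 8080},
	{"app", "ingress", "lb", 8080},
	{"app", "ingress", "bastion", 22},
	{"app", "egress", "db", 5432},
	{"app", "egress", "0.0.0.0/0", 0}, // provider default left in place: unrestricted egress
	{"db", "ingress", "app", 5432},
	{"db", "ingress", "0.0.0.0/0", 5432}, // the DB port "temporarily" opened to the world
}

func main() {
	extra, missing := Audit(design, deployedRules)
	for _, r := range extra {
		fmt.Printf("EXTRA   %-8s %-7s peer=%-10s port=%d\n", r.Group, r.Direction, r.Peer, r.Port)
	}
	for _, r := range missing {
		fmt.Printf("MISSING %-8s %-7s peer=%-10s port=%d\n", r.Group, r.Direction, r.Peer, r.Port)
	}
}
```

On the constructed data the audit reports two extra rules (the wildcard egress on app and the DB port open to 0.0.0.0/0) and three missing ones (the bastion egress rules and the bastion-to-db ingress nobody created). Exact matching is deliberate: a 0.0.0.0/0 rule does technically “cover” the designed flow, but a rule broader than the design is precisely what a review should surface. The trade-off is that CIDR containment (is 10.0.1.0/24 inside 10.0.0.0/16?) is not evaluated; add that if the design is written in subnets rather than role groups.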
Requirement 2: Defaults
• Make sure to change the vendor-supplied defaults
• RightScale ServerTemplates™ are a great way to enforce this, as well as to provide version control of configurations
• The cloud actually helps you here: you have to plan
• There is no “throw in the CD, plug in the cable, and leave it”
• Cloud should give you a leg up in this area, as this is part of cloud DNA, so to speak
Requirement 3: Protect CHD
• Gets down to:
• Do not store what you don’t need
• Good crypto selection
• Proper key management
• For block/storage level encryption, use of a third party like
TrendMicro SecureCloud (or similar) is a big help here
• Note: Cloud really is not an issue here, as you have many of the same
concerns in a managed hosting environment. The main difference is
between owned or third-party infrastructure.
Stored PAN Tangent
• Assume you store the PAN in the DB (i.e., not tokenized, truncated, or hashed)
• For most of us, you need to mask it on display: Requirement 3.3 allows at most the first six and last four digits to be shown
• Per Requirement 3.4, if you store the PAN then you must render it unreadable, which in practice means strong encryption
• Does your DB support it? If not, then you have to do it in the app
• Use an encrypted filesystem on the block storage in addition
• Inject keys at instance launch
• Management of the encryption keys is the big issue
• Rotation – you need to plan how to do this!
• Storage – in memory is best, a restricted filesystem is next best
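Guideline 2 on the Application Guidelines slide and the tangent above list the pieces: validate the input, encrypt in the app when the DB cannot, inject keys at launch, keep them in memory, and plan rotation. The Go program below is an added example, not the deck’s or RightScale’s code, that puts those pieces together: Luhn validation before a PAN is accepted at all, AES-256-GCM with a key-version prefix on each stored value so rows encrypted under an old key stay readable while a rotation job re-encrypts them, and the version bound into the ciphertext as associated data so a relabelled blob fails authentication instead of being fed to the wrong key. The KeyRing type, the version labels and the test PAN 4111111111111111 (a well-known test number, not real card data) are assumptions of the example; the key here is generated in main for the demo where production would inject it at instance launch. Masking for display (first six, last four) is simple string slicing and is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// luhnValid is the input-validation gate: 13-19 digits that pass the Luhn check, nothing else.
func luhnValid(pan string) bool {
	n := len(pan)
	if n < 13 || n > 19 || strings.Trim(pan, "0123456789") != "" {
		return false
	}
	sum := 0
	for i := 0; i < n; i++ {
		d := int(pan[n-1-i]-'0') * (1 + i%2) // double every second digit from the right
		sum += d/10 + d%10                   // 10..18 becomes its digit sum (same as d-9)
	}
	return sum%10 == 0
}

// KeyRing holds one AES-256-GCM cipher per key version, in memory only; production injects the
// key bytes at instance launch (environment variable, RightScale input, etc.), never from disk.
type KeyRing struct {
	current string
	keys    map[string]cipher.AEAD
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string]cipher.AEAD{}} }

// Add registers a 32-byte key under a version label and makes it the key for new encryptions.
func (k *KeyRing) Add(version string, key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return errors.New("key must be 32 bytes (AES-256)")
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	k.keys[version], k.current = gcm, version
	return nil
}

// Encrypt validates the PAN and returns "<version>:<base64(nonce||ciphertext||tag)>". The version
// is also the GCM associated data, so a blob relabelled to another key version fails to authenticate.
func (k *KeyRing) Encrypt(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("rejected: not a well-formed PAN")
	}
	gcm, ok := k.keys[k.current]
	if !ok {
		return "", errors.New("no current key loaded")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(k.current))
	return k.current + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt selects the key by the version prefix, so rows encrypted under an older key stay
// readable while a rotation is in progress.
func (k *KeyRing) Decrypt(blob string) (string, error) {
	version, payload, _ := strings.Cut(blob, ":")
	gcm, ok := k.keys[version]
	raw, err := base64.StdEncoding.DecodeString(payload)
	if !ok || err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("unknown key version %q or malformed ciphertext", version)
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(version))
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	return string(pt), nil
}

// Rotate re-encrypts one stored blob under the current key. A rotation job runs it over every
// row whose version prefix is stale; the plaintext exists only transiently in memory.
func (k *KeyRing) Rotate(blob string) (string, error) {
	pan, err := k.Decrypt(blob)
	if err != nil {
		return "", err
	}
	return k.Encrypt(pan)
}

func main() {
	kr, key := NewKeyRing(), make([]byte, 32)
	rand.Read(key) // demo only: production injects the key at instance launch
	kr.Add("v1", key)
	fmt.Println(kr.Encrypt("4111111111111111")) // well-known test PAN, not real card data
}
```

Rotation is then a scan of the table for rows whose prefix is not the current version plus a Rotate on each, with both keys loaded for the duration of the window; the old key is dropped only once no row still carries its label. The nonce is 96 bits of CSPRNG output, which is fine for the volume of PANs a merchant stores but should move to a counter scheme before the per-key message count approaches 2^32.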
Requirement 4: Encrypt transmission
• No huge difference between cloud or hosted here
• The biggest item is determining private vs. public networks
• SSL/TLS is the de facto way to do this (since PCI DSS v3.1, SSL and early TLS no longer count as strong cryptography, so in practice that means current TLS)
Requirement 5: AV and Malware
• Not much specific to a “cloud” deployment
• Servers come and go more frequently, so you need to make sure the
AV solution is operating correctly
• If I had Windows systems for servers, I’d be using RightScale ServerTemplates to
make sure things were configured correctly
• Nice aspect of the cloud is that since automation is part of the DNA,
automation of this should actually make it easier to meet the
requirements
Requirement 6: Development & System Admin
• The “what” (securing systems) is not really a “cloud” specific problem, but the “how” is
• Need to deploy hardened systems
• RightScale ServerTemplates and their built-in versioning make it easy and provide change tracking. You can choose how you want to do it, just do it
• Nice aspect of the cloud is that since automation is part of the DNA, automating these should actually make it easier to meet the requirements
Requirements 7 & 8: Restrict Access & Users
• Again, it is not the “what to do” that is the issue, but “how to do it”
• Make sure you enforce it on EVERY system
• I use a combination of RightScale’s Role-Based Access Control (RBAC) and ServerTemplate features, a strict provisioning policy, and regular audits to get this done. You can choose any method that works
• Really no different than a hosted environment
Requirement 9: Physical
• You need to worry about user systems and any hard copy
• Really no different than a hosted environment
Requirement 10: Logging & Tracking
• You basically need host-based tools
• The lack of transparency into some of the devices you don’t have access to (e.g., hypervisor logs) needs to be taken into account
• I use RightScale to configure systems to send local system and application logs to a central log server
• You can choose any method that works for you
• Use of a 3rd party is a BIG WIN here
Requirement 11: Testing
• Coordination with the CSP when doing testing may be something new and may require modifying your process (the CSP may require advance notice or authorization before you scan or pen-test)
• “Internal” testing becomes a bit tricky
• I recommend:
• Automated tools – continuous
• Internal experts – monthly or more
• 3rd party testing – annually
• While you can use a Web Application Firewall (WAF), I prefer testing
• Use both if you can
Requirement 12: Governance
• The policies need to exist with or without the cloud
• Must ensure appropriate language is included in contracts with partners
• Biggest issues I run into:
• Ensure that if you share CHD with others, contracts state they must protect CHD in accordance with PCI DSS
• Have an incident response plan and make sure it works!
Summary
• Your selection of partners matters
• Application design and system deployment are key
• Know how the PCI DSS applies to you
One last time:
PCI compliance in public
cloud is achievable
Action Item
• Investigate where you are in the context of PCI and public cloud compliance
Questions???
Wrap-Up
• I have walked this path
• Contact me if you need help
My Contact Info
• Email: phil@rightscale.com
• Twitter: sec_prof
• Google+: phil@rightscale.com

Source deck: PCI: Building Compliant Applications in the Public Cloud, RightScale Compute 2013

Best Practices for Multi-Cloud Security and Compliance
 
Automating Multi-Cloud Policies for AWS, Azure, Google, and More
Automating Multi-Cloud Policies for AWS, Azure, Google, and MoreAutomating Multi-Cloud Policies for AWS, Azure, Google, and More
Automating Multi-Cloud Policies for AWS, Azure, Google, and More
 
The 5 Stages of Cloud Management for Enterprises
The 5 Stages of Cloud Management for EnterprisesThe 5 Stages of Cloud Management for Enterprises
The 5 Stages of Cloud Management for Enterprises
 
9 Ways to Reduce Cloud Storage Costs
9 Ways to Reduce Cloud Storage Costs9 Ways to Reduce Cloud Storage Costs
9 Ways to Reduce Cloud Storage Costs
 
Serverless Comparison: AWS vs Azure vs Google vs IBM
Serverless Comparison: AWS vs Azure vs Google vs IBMServerless Comparison: AWS vs Azure vs Google vs IBM
Serverless Comparison: AWS vs Azure vs Google vs IBM
 
Best Practices for Cloud Managed Services Providers: The Path to CMP Success
Best Practices for Cloud Managed Services Providers: The Path to CMP SuccessBest Practices for Cloud Managed Services Providers: The Path to CMP Success
Best Practices for Cloud Managed Services Providers: The Path to CMP Success
 
Cloud Storage Comparison: AWS vs Azure vs Google vs IBM
Cloud Storage Comparison: AWS vs Azure vs Google vs IBMCloud Storage Comparison: AWS vs Azure vs Google vs IBM
Cloud Storage Comparison: AWS vs Azure vs Google vs IBM
 
2018 Cloud Trends: RightScale State of the Cloud Report
2018 Cloud Trends: RightScale State of the Cloud Report2018 Cloud Trends: RightScale State of the Cloud Report
2018 Cloud Trends: RightScale State of the Cloud Report
 
Got a Multi-Cloud Strategy? How RightScale CMP Helps
Got a Multi-Cloud Strategy? How RightScale CMP HelpsGot a Multi-Cloud Strategy? How RightScale CMP Helps
Got a Multi-Cloud Strategy? How RightScale CMP Helps
 
How to Manage Cloud Costs with RightScale Optima
How to Manage Cloud Costs with RightScale OptimaHow to Manage Cloud Costs with RightScale Optima
How to Manage Cloud Costs with RightScale Optima
 

Recently uploaded

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 

Recently uploaded (20)

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

2. RightScale Story
• We accept credit cards for payment: we are a Merchant and must meet PCI DSS compliance as part of our contract
• We only use public cloud services: we are “All-In” cloud, so to speak
• Thus we needed to design, implement, and maintain a PCI environment in the public cloud

3. My Core Message for Today: PCI compliance in public cloud is achievable

4. Agenda
• Your selection of partners matters
• Application design and system deployment are key
• Walkthrough of the PCI DSS

5. Partners Matter
• Your choice of:
  • Cloud Service Provider
  • Assessor: Qualified Security Assessor (QSA) or internal resource
• will have a significant impact on your ability to achieve compliance

6. Cloud Service Provider
• The partnership has an implicit “shared responsibility” model
• The CSP has to be doing their part:
  • IaaS – everything up to and including the hypervisor (or equivalent)
  • PaaS – IaaS + the underlying OS and supporting applications
  • SaaS – PaaS + data protection

7. What to look for in a CSP
• Is on the “Approved Service Providers” list (i.e., has completed a Level 1 assessment) *OR* has done a Level 2 assessment and can show you their validation results (the essence of Requirement 2.4)
  • Many providers go through the rigor of ensuring compliance internally, but not the cost of hiring an external QSA
  • Do not dismiss a potential partner because they are not on the list. If you are going to dismiss them, do it because they are not transparent.
• Will sign a contract that states they must protect CHD in accordance with PCI DSS to the extent it applies to them (Requirement 12.8.2)

8. Assessor
• This will be the authority who signs off on your compliance
• If they don’t understand the technology or application, the chances of sign-off are small
• There are A LOT of charlatans out there. Be wise with your $ spend

9. What to look for in an Assessor
• They must understand cloud technology, and ideally the specific cloud technology you are using
• A good default choice for an external Assessor is the one who did the assessment for your chosen CSP (assuming there was one)
• If you don’t want/need to use an external auditor, then … determine if you have the knowledge internally
• The caveat: an internal assessor may know the tech, but they need to be just as versed in the PCI DSS

10. As a reminder: PCI compliance in public cloud is achievable

11. Application Design
• Your ability to achieve PCI compliance in the public cloud is primarily based on how much forethought you gave to the application in its design
• Most providers, and all cloud-hosted operating systems, can be PCI compliant. The same cannot be said for all applications
• Ask the following questions:
  • What data am I storing? Why? Can I get away without it?
  • Do I know the communication flow of the application? Can I restrict communications to specific system roles?
  • Am I using well-known, publicly vetted cryptography standards?

12. Application Guidelines
• Here are guidelines I have used to ensure an application is “securable” from a PCI perspective:
1. Do not store the Primary Account Number (PAN) if you do not need it.
  • Many payment processors have mechanisms for recurring billing or credits. Depending on your situation, it is highly likely that you do not need to store the PAN, which makes your life significantly easier from a PCI DSS compliance standpoint.
2. If you are going to store the PAN, then the design of the crypto mechanism and, more importantly, the key management for the data in the DB is critical
  • This is really not a “cloud” thing; it is dealt with in any PCI application that stores CHD.

13. Application Guidelines (cont.)
3. Terminate SSL/TLS at the load balancer and run all other traffic over the private interface/network
  • This assumes that the “private” interfaces have been designed to meet the PCI DSS definition of “non-public”, a scoping decision your assessor has to agree with
  • This is the case with Amazon Web Services (as of this 2013 talk): traffic between the private IP addresses can be considered a private network and does not require encryption. This does not mean that you can’t or shouldn’t encrypt it, just that you do not have to in order to meet PCI DSS requirements.
4. Validate all user input
  • While this is not a “cloud” issue, it is THE main intrusion vector
Yep, that’s pretty much it: protect it in transit and at rest (if needed), and test for bad code
• It is not rocket science, but most folks don’t do these right

14. Harden the Systems
• Protect the system
  • Firewalls (remember ingress and egress)
  • Change defaults
  • Install patches
• Watch the system for odd behavior or changes
• Shout out to CloudPassage: it manages the firewall rules and separation of duties that PCI DSS requires, and makes achieving compliance much easier
• I recommend using a public cloud management solution. Trying to do this by hand is error-prone.

15. Once again: PCI compliance in public cloud is achievable

16. PCI and Cloud Snapshot
• Requirements that need special consideration because of cloud: 1, 3, 9, 10, 11, 12 (orange on the slide)
• Requirements that are more about HOW than WHAT: 2, 4, 5, 6, 7, 8 (blue on the slide)

17. Requirement 1: Firewalls
• Design the application and communication flows so they can be secured
• The state of networking features in the cloud has an effect on how you provide isolation for scoping
  • e.g. AWS EC2 Security Groups (EC2-Classic, at the time of this talk) are NOT adequate on their own: no egress filtering, so you need host-based firewalls on every instance
• Review/audit regularly to make sure the design and the implementation have not drifted apart
• One nice aspect of the cloud is that since automation is part of its DNA, automating these reviews is easier
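The review that slide 17 asks for is mechanical once the designed flows are written down: every flow between two roles implies one ingress rule on the destination and one egress rule on the source, and anything else on a host is drift. The Go program below is an added example of that review and is not code from the talk or from RightScale. The role names (lb, app, db), the rule schema, and the deployed rule set are constructed for the demo; in a real run the deployed rules would be pulled from each instance's host firewall or from the cloud API.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one designed communication path between server roles.
// Src "internet" stands for unauthenticated public traffic.
type Flow struct {
	Src, Dst, Proto string
	Port            int
}

// Rule is a host-firewall rule as actually deployed on one instance.
// Dir is "in" or "out"; Peer is a role name, "internet", or "any".
type Rule struct {
	Host, Role, Dir, Proto, Peer string
	Port                         int
}

// ruleKey identifies a rule independent of which host carries it
// (Owner is a role in the design, a host name for deployed rules).
type ruleKey struct {
	Owner, Dir, Proto, Peer string
	Port                    int
}

// Audit compares deployed rules against the designed flows and returns
// sorted findings: egress to "any", rules the design never asked for, and
// designed rules that a host of that role is missing.
func Audit(design []Flow, deployed []Rule) []string {
	expected := map[ruleKey]bool{}
	for _, f := range design {
		expected[ruleKey{f.Dst, "in", f.Proto, f.Src, f.Port}] = true
		if f.Src != "internet" { // the Internet does not run our egress rules
			expected[ruleKey{f.Src, "out", f.Proto, f.Dst, f.Port}] = true
		}
	}

	hosts := map[string]map[string]bool{} // role -> set of hosts seen
	have := map[ruleKey]bool{}            // rules actually present, keyed by host
	var findings []string
	for _, r := range deployed {
		if hosts[r.Role] == nil {
			hosts[r.Role] = map[string]bool{}
		}
		hosts[r.Role][r.Host] = true
		if r.Dir == "out" && r.Peer == "any" {
			findings = append(findings, fmt.Sprintf("%s (%s): unrestricted egress %s/%d", r.Host, r.Role, r.Proto, r.Port))
			continue
		}
		have[ruleKey{r.Host, r.Dir, r.Proto, r.Peer, r.Port}] = true
		if !expected[ruleKey{r.Role, r.Dir, r.Proto, r.Peer, r.Port}] {
			findings = append(findings, fmt.Sprintf("%s (%s): rule not in design: %s %s/%d peer %s", r.Host, r.Role, r.Dir, r.Proto, r.Port, r.Peer))
		}
	}
	for ek := range expected {
		for h := range hosts[ek.Owner] {
			if !have[ruleKey{h, ek.Dir, ek.Proto, ek.Peer, ek.Port}] {
				findings = append(findings, fmt.Sprintf("%s (%s): missing rule required by design: %s %s/%d peer %s", h, ek.Owner, ek.Dir, ek.Proto, ek.Port, ek.Peer))
			}
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleDesign is a constructed three-tier flow matrix for the demo.
func SampleDesign() []Flow {
	return []Flow{
		{"internet", "lb", "tcp", 443},
		{"lb", "app", "tcp", 8080},
		{"app", "db", "tcp", 3306},
	}
}

// SampleDeployment is a constructed rule dump with three deliberate deviations.
func SampleDeployment() []Rule {
	return []Rule{
		{"lb-1", "lb", "in", "tcp", "internet", 443},
		{"lb-1", "lb", "out", "tcp", "app", 8080},
		{"app-1", "app", "in", "tcp", "lb", 8080},
		{"app-1", "app", "out", "tcp", "db", 3306},
		{"app-1", "app", "out", "tcp", "any", 443}, // someone opened egress "for updates"
		{"app-2", "app", "in", "tcp", "lb", 8080},  // forgot the outbound rule to db
		{"db-1", "db", "in", "tcp", "app", 3306},
		{"db-1", "db", "in", "tcp", "internet", 22}, // debugging hole left open
	}
}

func main() {
	for _, f := range Audit(SampleDesign(), SampleDeployment()) {
		fmt.Println(f)
	}
}
```

Run on a schedule and diff the output against the previous run; a non-empty result is a change-control question, not just a ticket for whoever owns the host.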
18. Requirement 2: Defaults
• Make sure to change the vendor-supplied defaults
• RightScale ServerTemplates™ are a great way to enforce this, as well as provide version control of configurations
• The cloud actually helps you: you have to plan
  • There is no “throw in the CD, plug in the cable, and leave it”
• Cloud should give you a leg up in this area, as this is part of the cloud DNA, so to speak

19. Requirement 3: Protect CHD
• Gets down to:
  • Do not store what you don’t need
  • Good crypto selection
  • Proper key management
• For block/storage-level encryption, use of a third party like Trend Micro SecureCloud (or similar) is a big help here
• Note: cloud really is not an issue here, as you have many of the same concerns in a managed hosting environment. The main difference is between owned and third-party infrastructure.

20. Stored PAN Tangent
• Assume you store the PAN in the DB
  • Not tokenized, truncated, or hashed
• For most of us, you need to mask it on display
• Per Requirement 3, if you store CHD then you must encrypt it
  • Does your DB support it? If not, then you have to do it in the application
  • Use an encrypted filesystem on block storage in addition
  • Inject keys at instance launch
• Management of encryption keys is the big issue
  • Rotation – you need to plan how to do this!
  • Storage – in memory is best, a restricted filesystem is next best
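Slides 12 and 20 make key management, not the cipher, the hard part of storing a PAN. The Go program below is an added example of the rotation plan the slide asks for and is not code from the talk or from RightScale: PANs are sealed with AES-256-GCM under keys held only in memory, every stored record carries the id of the key that produced it, rotation adds a new key and re-encrypts existing records before the old key is dropped from the ring, and the GCM tag rejects ciphertext altered in the database. The keys and the test PAN are constructed demo values; in production the keys arrive from a secrets store at instance launch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the database row: AES-GCM ciphertext plus the id of the key that
// produced it, so rows written under an old key can be found and re-encrypted.
type Record struct {
	KeyID       uint32
	Nonce, Data []byte
}

// KeyRing keeps data-encryption keys in memory only (injected at launch, never on disk).
type KeyRing struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32][]byte{}} }

// Rotate adds a key and makes it the one used for new writes; older keys stay
// usable for decryption until every row has been re-encrypted.
func (kr *KeyRing) Rotate(id uint32, key []byte) error {
	if len(key) != 32 {
		return fmt.Errorf("key %d: need 32 bytes for AES-256, got %d", id, len(key))
	}
	kr.keys[id] = key
	kr.current = id
	return nil
}

func (kr *KeyRing) aead(id uint32) (cipher.AEAD, error) {
	key, ok := kr.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %d (dropped before re-encryption finished?)", id)
	}
	block, _ := aes.NewCipher(key) // only fails on a bad length, which Rotate rejected
	return cipher.NewGCM(block)
}

// Encrypt seals a PAN under the current key with a fresh random nonce.
func (kr *KeyRing) Encrypt(pan string) (Record, error) {
	g, err := kr.aead(kr.current)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{kr.current, nonce, g.Seal(nil, nonce, []byte(pan), nil)}, nil
}

// Decrypt opens a record with the key it was written under; the GCM tag check
// also fails if the ciphertext was altered in the database.
func (kr *KeyRing) Decrypt(r Record) (string, error) {
	g, err := kr.aead(r.KeyID)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, r.Nonce, r.Data, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ReEncrypt moves a record from an old key to the current one. Run it over
// every row after Rotate, then delete the old key from the ring.
func (kr *KeyRing) ReEncrypt(r Record) (Record, error) {
	if r.KeyID == kr.current {
		return r, nil
	}
	pan, err := kr.Decrypt(r)
	if err != nil {
		return Record{}, err
	}
	return kr.Encrypt(pan)
}

func main() {
	k1, k2 := make([]byte, 32), make([]byte, 32) // constructed demo keys
	rand.Read(k1)
	rand.Read(k2)
	kr := NewKeyRing()
	kr.Rotate(1, k1)
	rec, _ := kr.Encrypt("4111111111111111") // well-known test PAN, not real CHD
	kr.Rotate(2, k2)
	rec, _ = kr.ReEncrypt(rec) // now readable only with key 2
	pan, err := kr.Decrypt(rec)
	fmt.Printf("decrypted %d digits under key %d, err=%v\n", len(pan), rec.KeyID, err)
}
```

The key id in every row is what makes rotation a bounded job: select the rows whose KeyID is not current, run ReEncrypt over them, and only then remove the old key. A record that outlives its key surfaces as the "unknown key id" error rather than as silent data loss, which is the failure you want to see in testing, not after an incident.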
21. Requirement 4: Encrypt transmission
• No huge difference between cloud and hosted here
• The biggest item is determining private vs. public networks
• SSL/TLS is the de facto way to do this (note that since PCI DSS 3.1, SSL and early TLS no longer count as strong cryptography)

22. Requirement 5: AV and Malware
• Not much specific to a “cloud” deployment
• Servers come and go more frequently, so you need to make sure the AV solution is operating correctly
• If I had Windows systems for servers, I’d be using RightScale ServerTemplates to make sure things were configured correctly
• A nice aspect of the cloud is that since automation is part of its DNA, automating this should actually make it easier to meet the requirements

23. Requirement 6: Development & System Admin
• The “what” (securing systems) is not really a “cloud”-specific problem, but the “how” is
• Need to deploy hardened systems
• RightScale ServerTemplates and built-in versioning make it easy and provide change tracking. You can choose how you want to do it; just do it
• A nice aspect of the cloud is that since automation is part of its DNA, automating these should actually make it easier to meet the requirements

24. Requirements 7 & 8: Restrict Access & Users
• Again, it is not the “what to do” that is the issue, but the “how to do it”
• Make sure you enforce it on EVERY system
• Role-Based Access Control (RBAC) and ServerTemplate features of RightScale plus a strict provisioning policy get this done
• I use a combination of RightScale, policies, and regular audits. You can choose any method that works
• Really no different than a hosted environment

25. Requirement 9: Physical
• You need to worry about user systems and any hard copy
• Really no different than a hosted environment

26. Requirement 10: Logging & Tracking
• Basically you need host-based tools
• The lack of transparency into some of the devices you don’t have access to (e.g., hypervisor logs) needs to be taken into account
• I use RightScale to configure systems to send local system and application logs to a central log server
• You can choose any method that works for you
• Use of a 3rd party is a BIG WIN here

27. Requirement 11: Testing
• Coordination with the CSP when doing testing may be something new and may require modification of your process
• “Internal” testing becomes a bit tricky
• I recommend:
  • Automated tools – continuous
  • Internal experts – monthly or more
  • 3rd-party testing – annually
• While you can use a Web Application Firewall (WAF), I prefer testing
  • Use both if you can

28. Requirement 12: Governance
• The policies need to exist with or without the cloud
• Must ensure appropriate language is included in contracts with partners
• Biggest issues I run into:
  • Ensure that if you share CHD with others, contracts state they must protect CHD in accordance with PCI DSS
  • Have an incident response plan and make sure it works!

29. Summary
• Your selection of partners matters
• Application design and system deployment are key
• Know how the PCI DSS applies to you

30. One last time: PCI compliance in public cloud is achievable

31. Action Item
• Investigate where you are in the context of PCI and public cloud compliance

33. Wrap-Up
• I have walked this path
• Contact me if you need help

34. My Contact Info
• Email: phil@rightscale.com
• Twitter: sec_prof
• Google+: phil@rightscale.com

Editor's Notes

  1. Just touch on these, we’ll cover them in the following slides
  2. Just touch on these, we’ll cover them in the following slides
  3. Partnership, NOT JUST CLOUD
  4. The GIST of this page is that part of your compliance relies on the compliance of your provider, and they have 2 ways to “prove” that: be on the list, or be willing to prove it to you at a level you are satisfied with. Note that in the letter of the law, you would need to perform due diligence on those listed as well. MEANING, JUST BECAUSE THEY ARE LISTED DOES NOT GIVE YOU A GET OUT OF JAIL FREE CARD IF YOU ARE COMPROMISED. You must feel comfortable with your provider’s security. In reality, the Level 2 who is willing to work with you may be a better fit. But it is up to you; just remember, they do NOT HAVE TO BE ON THE LIST!
  5. Key here is an assessor that knows cloud. There are WAY TOO MANY WHO DO NOT!
  6. Your DESIGN IS KEY … if you don’t design it right, you are hosed. But that goes for any environment, not just cloud. I say this with the understanding that there are good partners to have out there; you are most likely to hose yourself.
  7. Note on “Not storing the PAN”, use one of these:
     • One-way hashes based on strong cryptography (the hash must be of the entire PAN)
     • Truncation (hashing cannot be used to replace the truncated segment of the PAN)
     • Index tokens and pads (pads must be securely stored)
     • Strong cryptography with associated key management
     So you have alternatives to encryption. As a matter of fact, encryption is the hardest to do correctly. It has been my experience that MOST folks who keep the PAN do NOT need it. THIS IS THE MOST CRITICAL DECISION YOU WILL MAKE, AND IT HAS A DIRECT EFFECT ON THE EASE OF PCI COMPLIANCE
  8. This is really about deploying secure systems. From where I stand, it should be no different than any other system you deploy: it should be built secure. The one advantage of Cloud is meeting the “1 system, 1 service” rule. Given the characteristics of Cloud, doing the 1:1 is much simpler.
  9. A snapshot. Orange: in general these have special considerations for Cloud. Blue: in general, Cloud does not alter what you do significantly. We’ll hit these more in the next slides. {IF SHORT ON TIME, MAKE THESE BRIEF AND REFERENCE THE BLOG AND ASSOCIATED PDF}
  10. BIGGEST issue here is the maturity of the networking, and the fact that you need to use host-based firewalls on all instances. It is just a different way of doing things than most are accustomed to. It is, however, the way that Cloud works. NOTE: If you use a Virtual Private Cloud or something like that, this is a bit different. Remember, everything I am talking about is Public.
  11. This is “Change the things a hacker read in an install or setup guide to break into your systems”
  12. If you use file- or column-level database encryption, then you are golden as long as it is based on public crypto and has great key management. If you use disk-level encryption, the encryption method cannot have:
     • a direct association with the operating system, or
     • decryption keys that are associated with user accounts.
     So Trend Micro SecureCloud is a solution that you can use.
  13. 3rd-party options: CloudPassage, Splunk, Trend Micro Deep Security, Sumo Logic, any SIEM
  14. Just touch on these, we’ll cover them in the following slides