In this presentation, ControlCase discusses the following:
- About the cloud
- About PCI DSS
- PCI DSS in the cloud
- How to keep sensitive data secure as you move to the cloud
4. Evolving Payment Landscape
• Mobile Payments
• “Cloud Based” Payment Providers
• Point to Point Encryption
4 / 32
5. What is the Cloud
• Hosting Provider Private Cloud
› NCR
› IBM/ATT
› Rackspace
• Amazon Cloud
› EC2
• Internal Cloud
› Virtualization within internal datacenter
5 / 32
6. Key Compliance Differences
• Private vs. Public network
• Physical vs. Logical Access
• Known Physical Boundaries vs. Unknown
• Known Access vs. Unknown
6 / 32
8. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
8 / 32
12. How Does the Compliant Cloud Work?
Minimum Requirements: (2) Servers, (1) “DMZ” and (1) Internal
12 / 32
13. PCI DSS Requirements
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security
13 / 32
14. Firewalls
• Cloud Provider
› Must provide ability for DMZ to be created in the cloud
environment; OR
› Must have multiple clouds for DMZ and internal network
• You (The customer)
› Must ensure DMZ has been implemented consistent with
PCI requirements
14 / 32
15. Configuration Standards
• Cloud provider
› Must prove that secure configurations are implemented
for the base platform hosting the VMs.
• You (the customer)
› Must ensure secure configuration exists within the cloud
images of the operating systems.
15 / 32
17. Protect Cardholder Data in Transmission
You must ensure data being transmitted is
encrypted.
17 / 32
18. Antivirus
• Cloud provider
› Must prove that base platform/hypervisors have
appropriate antivirus measures
• You (the customer)
› You must ensure all cloud images of operating systems
have antivirus software installed
18 / 32
19. Secure Applications
You must ensure all applications are developed
securely and without vulnerabilities.
19 / 32
20. Access Control and User IDs
• Cloud Provider
› Must prove that access control/user IDs have been
implemented for the base platform/hypervisor hosting the
VMs.
• You (the customer)
› Are responsible for access control within your cloud
images of your operating systems.
20 / 32
21. Physical Security
• Cloud provider
› The cloud provider must prove that physical security
controls are in place where the base platform hosting the
virtual machines is physically located.
• You (the customer)
› Must ensure you are hosting the cloud that has physical
security enabled.
21 / 32
22. Logging and Monitoring
• Cloud Provider
› Must prove that logging is appropriately implemented for
base platform/hypervisors hosting the VMs.
› Must prove that logging is appropriately implemented for
network and security devices within the environment.
• You (the customer)
› Are responsible for logging within the cloud images of the
operating systems.
22 / 32
23. Vulnerability Management
• Cloud Provider
› Must prove that vulnerabilities are assessed and removed
appropriately for the base platform/hypervisors hosting
the VMs.
› Must prove that vulnerabilities are assessed and removed
appropriately for network and security devices within the
environment
• You (the customer)
› Are responsible for assessing the internal, external and
application vulnerabilities within the cloud images of the
operating systems.
23 / 32
24. Policies and Procedures
• Cloud Provider
› Must prove that policies exist appropriately for the base
platform/hypervisors hosting the VMs.
• You (the customer)
› Must ensure that policies address the security aspects
specific to the applications being deployed in the VM.
24 / 32
25. PCI DSS Requirements
25 / 32
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security
26. Key Takeaways as you Make Cloud Decisions
• Ensure Cloud Provider is PCI DSS Certified
› Not in the context of them taking credit cards as a
merchant, rather as an infrastructure provider
• Ensure through report on compliance (RoC) that
all requirements are covered in scope EXCEPT
› Requirement 3 (Encrypt cardholder data)
› Requirement 4 (Encrypt cardholder transmission)
› Requirement 6 (Application security)
26 / 32
When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
Moving data storage to the cloud can bring tremendous benefits…the question is, how do you protect that data? How do you apply traditional PCI DSS measures – things like segmentation, network-based firewalls and intrusion protection –when you don’t own or control the infrastructure?
We need to emphasize that the risk of security breaches is very real – and none of us are immune. It really is a little like the Wild West out there… Case in point: In early 2011, electronics giant Sony experienced one of the biggest breaches in history. Hackers stole names, birth dates and possibly credit card numbers for nearly 77 million people who played online video games through Sony’s PlayStation console. Breaches have also been experienced by Bank of America, Epsilon (a leading provider of email and multi-channel marketing services), clothing retailer TJ Maxx, and Heartland Payment Systems. And the news gets worse … experts say that hackers are increasingly targeting smaller companies, because they figure their security systems are weaker than the bigger, more sophisticated companies.
So it’s critical to realize that every organization, of every size, has to accept that the risks to their sensitive data is very real.
Our goal here today is to show you how you can leverage all the advantages of cloud storage, without exposing your sensitive data to risk.
In truth, the same PCI DSS security principles that apply to your traditional operations still apply to your cloud operations. Where things differ is in the actions you take to apply those principles. This is what we’re going to walk you through today.
In traditional environments, PCI DSS requires you to establish a perimeter of security around your data. Typically, as we mentioned a minute ago, we do this through segmentation, firewalls and intrusion protection. In the cloud, we can achieve the same perimeter effect by using what is called a “DMZ” server in conjunction with your internal server, established within an Amazon Virtual Private Cloud, or VPC.
The Amazon VPC lets you partition a private, isolated section of the Amazon Web Services cloud, where you can launch your servers within a virtual network that you define.
Within this virtual network, you can layer protection on top of your internal server by using what is called a DMZ server. This name comes from the term “demilitarized zone”, and just like a demilitarized zone, this server provides a layer of protection for your internal server which houses your internal local area network. The DMZ server, which may be protected by a border firewall, provides connectivity to the public and all of your external-facing services, while your user database and sensitive data are stored on your internal server. An internal firewall prevents your DMZ server and your internal server from communicating directly with each other. In the event of an attack, the DMZ server may be vulnerable – but your internal server will remain secure.
So how does this really work? How we adapt the PCI DSS to achieve this compliant cloud?
Current PCI standards specify 12 requirements for compliance, organized into six related groups called “control objectives.” These same objectives and the same 12 requirements also apply to the cloud. (read the 12 requirements) Let’s walk through how to apply these 12 requirements to the cloud.
Firewalls are required in a cloud environment, just as they are in a non-cloud environment.
If you have multiple cloud servers, such as an internal network server and a DMZ server, then you must ensure that your web servers are published on the DMZ cloud and that your databases containing cardholder data are published on your internal network cloud. Your cloud provider would then be responsible for providing firewall rule set attestations.
If you have a flat cloud environment, such as Amazon Web Services, you are responsible for implementing software firewalls that achieve DMZ and internal cloud boundaries themselves.
From a configuration management perspective, both the cloud provider and you have distinct responsibilities.
The cloud provider is responsible for proving that secure configurations are implements for the host/hypervisor environment, that is, the base platform hosting the virtual machines. The cloud provider must show this through a shareable Report on Compliance or by submitting to a client audit.
You, the customer, are responsible for ensuring secure configuration exists within the cloud images of the operating systems.
Just as in a non-cloud environment, you are responsible for ensuring that any data you store is encrypted and protected.
Just as in a non-cloud environment, you are responsible for ensuring that any data being transmitted is encrypted.
Just as in a non-cloud environment, you are responsible for ensuring that all cloud images of operating systems have antivirus software installed.
Just as in a non-cloud environment, you are responsible for ensuring that all applications are developed in a secure manner and do not have any vulnerabilities, such as OWASP.
From an access control/user ID perspective, the cloud provider and you the customer each have distinct responsibilities.
The cloud provider is responsible for proving that access control and user Ids have been implements for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit.
You are responsible for access control within your cloud images of your operating systems.
The cloud provider is responsible for proving that physical security controls have been implemented for the location wither the host environment, that is, the base platform hosting the virtual machines, is physically located. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit.
From a logging perspective, both the cloud provider and you the customer have responsibilities.
The cloud provider is responsible for proving that logging is appropriately implemented for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit.
You are responsible for logging within the cloud images of the operating systems.
From a vulnerability management perspective, there are responsibilities for both the cloud provider and you the customer.
The cloud provider must prove that vulnerabilities are assessed and removed appropriately for the host/hypervisor environment, that is, the base platform hosting the virtual machines. Again, this must be demonstrated through a shareable Report on Compliance or by submitting to a client audit.
You are responsible for assessing the internal, external and application vulnerabilities within the cloud images of the operating systems.
From a policy and procedure perspective, again, there are cloud provider responsibilities and you the customer responsibilities.
The cloud provider is responsible for proving that policies exist appropriately for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit.
You are responsible for ensuring that policies address the security aspects specific to the applications being deployed in the virtual machine.
So that’s how you implement the existing 12 PCI DSS requirements in a cloud environment. Of course, we’ve only touched on the basics of how the requirement apply to the cloud. If you’d like help in developing and implementing the actual policies and procedures that will keep your organization PCI compliant, ControlCase is ready to help.
From a policy and procedure perspective, again, there are cloud provider responsibilities and you the customer responsibilities.
The cloud provider is responsible for proving that policies exist appropriately for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit.
You are responsible for ensuring that policies address the security aspects specific to the applications being deployed in the virtual machine.
ControlCase provides everything you need to achieve and maintain PCI compliance, all in one convenient one-stop-shop. We call this “Compliance as a Service” or CaaS. And we like to think of it as “PCI in a box.” Our services include:
PCI training
Web application security testing
Logging and monitoring
Penetration testing
Internal vulnerability assessments
Card data discovery
ASV scans
File integrity monitoring, and of course,
PCI DSS certification
We saw this slide earlier, when we discussed how the compliant cloud works. We’d like to point out what the ControlCase compliant cloud looks like, by adding 2 important layers of monitoring.
First, our Security Operations Center monitors logs from both your DMZ and your internal server, 24/7/365. Using advanced Security Information and Event Management software, we proactively provide real-time analysis of security alerts, and we involve your security team as needed.
And second, each quarter, our CaaS Team conducts Internal Vulnerability Assessments and Penetration Testing. This requires that our team have access to 1 Windows server and 1 Linux server within your private cloud during testing.
So why choose ControlCase?
Only ControlCase has the global reach – with more than 200 clients in 15 countries and growing rapidly – and the certified resources – we are a PCI DSS Qualified Security Assessor, a QSA for Point-to-Point Encryption, and a Certified ASV vendor. We provide you with a broad portfolio of highly reliable turnkey CaaS solutions at a significant cost savings to you. We bring a blend of cloud-based and software-based automation and managed services to help you address regulations such as PCI DSS, Sarbanes Oxley, HIPAA, and the Gramm-Leach Billey Act. And we’d love to talk with you about the security and compliance challenges you face.
To learn more about PCI compliance, visit us at www.ControlCase.com, or call us at 1.703.483.6383 if you’re in the U.S., or 9820293399 if you’re in India. We look forward to talking with you!