This document discusses key considerations for achieving PCI DSS compliance in public cloud environments. It outlines the scope of responsibility between cloud service providers (CSPs) and their customers, providing an example breakdown. It also provides a basic checklist for PCI compliance in the cloud and suggestions for limiting the scope of PCI controls. Incident response procedures and securing data throughout its lifecycle in the cloud are also addressed.
Securing Digital Identities and Transactions in the Cloud Security Guide (SafeNet)
Instead of spending thousands of dollars, and weeks, to install, customize, and integrate business transaction applications in-house on local servers and workstations, running these transactions ‘in the cloud,’ or on virtualized platforms, offers an attractive, simple, and cost-effective option.
In order to foster a level of trust matching that of existing internal enterprise resources, and to sustain compliance with internal policy and external regulations, it is essential that cloud platforms adopt a cryptographic deployment model. Through this adoption, organizations can ensure ownership and confidentiality of the cloud, integrity of business processes, transactional non-repudiation, and streamlined compliance with heightened security standards—without negatively impacting performance and reliability of cloud resources.
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ... (Novell)
This session will help you understand what cloud security is and how to implement it in your enterprise. It will discuss the technical aspects of cloud security and how we can help you secure the cloud while ensuring sensitive information always remains behind the firewall.
This guide answers questions such as: which tools are available in the marketplace to mitigate DDoS attacks? Is a scrubbing center enough to mitigate DDoS attacks?
A breakdown of the top misconceptions enterprises are facing when assessing the security levels of cloud computing environments, and the realities behind them
With several DDoS defense technologies available in the market, which one is good for your organization? Choose the mitigation solution that works best for your needs.
Data Center Security Now and into the Future (Cisco Security)
Understand all the latest Data Center trends and Data Center security requirements. Take a deep dive on Cisco’s value-added integrated approach on Data Center Security Strategy.
DDoS Defense for the Hosting Provider - Protection for you and your customers (Stephanie Weagle)
Distributed Denial of Service (DDoS) attacks are major threats to hosting providers as well as datacenter operators, and traditional game plans for protecting shared infrastructure should be revisited to better protect availability and allow hosting providers to potentially create incremental revenue streams. DDoS attacks can have a devastating impact on not only the customer under attack, but also on the hosting provider and other customers within the same shared network infrastructure.
Rationalization and Defense in Depth - Two Steps Closer to the Cloud (Bob Rhubart)
Security represents one of the biggest concerns about cloud computing. In this session we’ll get past the FUD with a real-world look at some key issues. We’ll discuss the infrastructure necessary to support rationalization and security services, explore architecture for defense-in-depth, and deal frankly with the good, the bad, and the ugly in Cloud security. (As presented by Dave Chappelle at OTN Architect Day in Chicago, October 24, 2011.)
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider (Armor)
Steve Roderick, CEO of gotoBilling, differentiates his end-to-end software payment service in a highly competitive marketplace. How? He trusts a formula that’s a critical component of every business. Sound security — particularly when properly layered — helps organizations defend against breach, protect their brands, ensure compliance and avoid fines. And it’s a message that’s resonating with customers and winning business.
To eliminate DDoS false positives, RADAR™ provides visibility into the legitimate requests that are being blocked for each web-facing IP/target in the network environment.
Mindtree's managed firewall service has been carefully designed to fit the diverse requirements of today's connected enterprises. From large scale global deployments to small and remote offices, Mindtree has a managed firewall service designed to align with each individual organization's security initiatives and budgetary requirements.
Will your organization or enterprise expand cost-effectively with the power of a managed cloud? We outline 10 key reasons why this strategy will help you improve security, simplify compliance, reduce costs and streamline scalability.
Over the past few years, PCI compliance in the public cloud has been a growing topic of concern and interest. Like us, you probably have heard assertions from both sides of the topic - some stating that one can be a PCI compliant merchant using public IaaS cloud, others stating that it is impossible. Join us in this webinar as our Director of Security and Compliance, Phil Cox, addresses these concerns and demonstrates how PCI compliance in the public IaaS cloud is indeed possible.
In this webinar we’ll discuss:
- Foundational principles and mindsets for PCI compliance
- How to determine system/application scope and requirement applicability
- Top-level PCI DSS (Data Security Standard) requirements and how to meet them in the public IaaS cloud
This webinar is perfect for those who are searching for solid answers on security in the public cloud. Our goal with this webinar is to educate you with the information you need to have confidence and make the most of your public cloud, while dispelling any myths surrounding the topic of security and the public cloud.
Usage Based Metering in the Cloud (Subscribed13) (Zuora, Inc.)
CloudPassage - Rand Wacker, VP Products
Link Bermuda - Winston Morton, VP Technology
Want to move to a usage-based pricing model but afraid of how to accurately measure and bill your customers? Come and learn about the processes and technology used to manage this advanced pricing model from two leading cloud service providers.
PCI compliance is a steep enough challenge, but what happens when your entire infrastructure is in AWS? Do the same concepts of network segmentation and separation apply, and if so how? At what point do AWS compliance efforts intersect with your compliance efforts? This session will cover how Warren Rogers Associates is using the Palo Alto Networks VM-Series for AWS to maintain separation of data and traffic in AWS to improve security and achieve PCI compliance.
Warren Rogers Associates pioneered the development of Statistical Inventory Reconciliation Analysis (SIRA) and Continual Reconciliation for monitoring underground fuel tanks and associated lines. These methods are certified in accordance with EPA requirements and have been used by petroleum marketers for more than 25 years. Today, Warren Rogers specializes in statistical analysis and precision fuel system diagnostics for the retail petroleum industry and develops innovative ways to identify and combat fuel shrinkage and theft. Session sponsored by Palo Alto Networks.
Securing The Clouds with The Standard Best Practices (Chinatu Uzuegbu)
Technology adoption in the Cloud is overwhelming. The global shift towards the Cloud is also overwhelming! It is important to build stronger walls of security around the Cloud.
Get to know which security standards are applicable to OpenStack clouds
Evgeniya Shumakher, Mirantis
Compliance with critical industry and regulatory standards used to be mostly the concern of application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. Meanwhile, emerging cloud-specific standards, like FedRAMP or CSA cloud security guidelines, are suggesting new, complex and stringent requirements – while also offering critical guidance.
The presentation offers an inside look at the process:
- The most important compliance and security standards for cloud builders
- Where existing OpenStack resources can fully or partially solve common compliance problems
- Where standards support within OpenStack is currently thin
- The common workflow for architecting standards-compliant clouds
- Common risks and emerging opportunities
Take a closer look at PCI Compliance for private OpenStack clouds
Scott Carlson, PayPal
PCI Compliance is very important for large financial institutions. As one of the larger installations of OpenStack within the Financial space, PayPal has driven forward the PCI conversation and will be sharing the technical perspective on the following related to PCI and OpenStack Private Clouds:
How does OpenStack fit into an existing PCI-Compliant Environment
When there is not an external Cloud Service Provider, how does your team need to compensate
What are the design choices required to continue to be PCI-Compliant
Physical versus Logical devices
Hypervisor versus Guest compliance
Management Networks for PCI and non-PCI Zones
The case study won’t give a fully prescriptive talk on how to obtain PCI compliance, because there is a lot more to gaining compliance than just making your cloud compliant, but will help to understand:
Where existing OpenStack resources can fully or partially solve PCI compliance problems,
Where the OpenStack community needs to join together to solve problems in order to continue growth into PCI-compliant spaces.
This presentation was delivered at the 2nd International Conference on Recent Trends in Information Technology and Computer Science in Mumbai. The paper deals with security issues in Cloud Computing, its mitigation and proposes a secure cloud mechanism with an implementation of the single-sign on mechanism on the Ubuntu Enterprise Cloud
The presentation starts with a blank slate for those who have no idea of what the cloud and virtualization world is, gradually building up to handling security issues. If anyone wants the soft copy, please ask for it at anupam@blumail.org
ControlCase discusses the following:
• About the cloud
• About PCI DSS
• PCI DSS in the cloud
• How to keep sensitive data secure as you move to the cloud
• Q&A
Trust and Cloud Computing, removing the need to trust your cloud provider (David Wallom)
Presentation at CloudSecurityExpo 2016 publicly describing Porridge, a distributed remote attestation scheme using multiple trusted third parties as a way of building a cryptographically secure cloud service, allowing users to know that the cloud they are using is in exactly the format they expect. This will be commercially available through the Antyran product. This work is supported by an InnovateUK KTP in partnership between the University of Oxford e-Research Centre and 100PercentIT. Other partners not in the KTP include OctaInnovations.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is critical for any enterprise IT department, and its 12 requirements apply across cloud-based services including infrastructure as a service (IaaS), software as a service (SaaS) and platform as a service (PaaS). Using Amazon Web Services (AWS) as the example environment, we offer a guide to the key considerations for PCI DSS compliance.
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env... (Cyxtera Technologies)
Learn how to remove operational complexity from achieving secure – and easily auditable – user access to your AWS systems. Automate tightly controlled user access in highly dynamic AWS environments. Painlessly report exactly who accessed which resources, from where, and when – in near real-time – and save your teams thousands of hours in audit prep work.
Best Practices for Workload Security: Securing Servers in Modern Data Center ... (CloudPassage)
Presentation slides from Black Hat 2016. Presented by Sami Laine, Principal Technologist at CloudPassage & Aaron McKeown, Lead Security Architect of Xero.
Transforming the CSO Role to Business Enabler (CloudPassage)
The world is not only getting smaller, it’s getting faster. Today’s CEOs are focused on business agility, innovation and competitive advantage to drive growth and profit. And cloud computing is taking center stage as the disruptive force powering faster, more agile business innovation. But threats to the business are growing, often putting the CSO in the uncomfortable position of saying “no,” or of — wisely — slowing down new initiatives to make sure they are handled carefully. So how does the CSO transform into an enabler of business growth and innovation while simultaneously protecting the business? CloudPassage CTO Amrit Williams discusses the case for this transformation, why cloud computing can be your friend, five actionable steps CSOs can adopt to become business enablers, and how the right cloud security platform can help.
Rethinking Security: The Cloud Infrastructure Effect (CloudPassage)
Software-Defined Security Bestows Simplicity, by Carson Sweet, CEO & Co-founder, CloudPassage
Once an over-hyped buzzword, software-defined security is now a high-value strategy seeing adoption by large enterprises across industries. Hear real implementations of solutions spanning multiple private, public and hybrid infrastructures.
Businesses who want to stay ahead of the curve and achieve maximum efficiency and consistency are adopting cloud infrastructure. Keeping up with dynamic cloud environments, achieving scalable, automated, flexible, and secure cloud infrastructures means increased business agility. But how can you manage security as you migrate to cloud infrastructures?
Join Rishi Vaish, VP of Product at RightScale & Amrit Williams, CTO at CloudPassage as they discuss:
Recent findings from RightScale's State of the Cloud survey
Why hybrid cloud is the standard of choice
3 strategies for existing cloud server workloads
Benefits and security challenges of migrating to cloud infrastructures
Choosing a hybrid strategy - management and security practices to get the utmost resource flexibility
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps
Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities
Examples of security automation, case situations minimizing risk and driving flexibility for DevOps
See how SaaS provider CloudPassage integrates security into its own development and operations workflows
Cloud Security: Make Your CISO Successful (CloudPassage)
Enterprises today cannot get by without a clear strategy for cloud security. Whether the organization’s adoption of cloud environments (private, public or hybrid) is mandated by business strategy or by unsanctioned employee use, CISOs and their security teams need to be prepared for this inevitable infrastructure shift.
Attend and learn how to build a cloud security strategy that makes your CISO successful. Join Rich Mogull, lead analyst at Securosis, and Nick Piagentini, Solution Architect at CloudPassage as they discuss the following topics:
-Cloud is Different, But Not the Way You Think
-Adapting Security for Cloud Computing Principles
-Getting Started: Practical Applications
-CISO Cloud Security Checklist
Secure Cloud Development Resources with DevOps (CloudPassage)
Adoption of cloud resources by development teams has created a security problem. The self-service and on-demand nature of the cloud increases the company attack surface in unknown ways. How can security operations teams ensure the DevOps teams maintain their needed agility while also being compliant to company security requirements?
Presented by Andrew Storms and Eric Hoffman at RSAC 2014
45 Minutes to PCI Compliance in the Cloud (CloudPassage)
Join CloudPassage CEO, Carson Sweet and Sumo Logic Founding VP of Product & Strategy, Bruno Kurtic, for a webinar on “45 minutes to PCI Compliance in the Cloud”.
What You Will Learn:
-Understand the typical challenges faced by enterprises for achieving PCI on cloud infrastructure
-Learn how purpose-built SaaS-based cloud security solutions can save you tens of thousands in audit costs by speeding your time to compliance
-Get a quick demo of the CloudPassage Halo and Sumo Logic solutions that provide the telemetry and query/reporting engines respectively for cloud PCI
Comprehensive Cloud Security Requires an Automated Approach (CloudPassage)
Andras Cser, VP Principal Analyst at Forrester Research and Carson Sweet, CEO at CloudPassage discussed a new enterprise security architecture that will:
-Apply elastic compute power, big data, and massively horizontal distribution of security controls and telemetry.
-Automate security and compliance monitoring in a scalable and portable manner across both traditional datacenter and cloud environments.
-Address both data at rest and in motion and create minimal resource impact across environments.
Security that works with, not against, your SaaS business (CloudPassage)
Enterprises that offer Software-as-a-service (SaaS) solutions are able to provide their customers with clear benefits over on-premise software - lower upfront costs, simplified IT infrastructure and painless updates.
However, security and compliance are the #1 inhibitors to enterprises building SaaS applications. Unlike the old days of selling boxed software, where securing the on-premise environment was your customer’s problem, as a SaaS provider, you now need to be responsible for the security of your entire SaaS infrastructure stack. At the same time, the vast majority of security tools at your disposal were never designed for this new agile, elastic model and are therefore inflexible and unable to cope. Ultimately, poor security choices can impact your SaaS business, slowing down sales opportunities, and hurting customer trust and company brand.
But a new breed of security architecture has now emerged. Born in the cloud and purpose-built to secure SaaS environments, these security-as-a-service solutions automate security and compliance monitoring, and are built to support the scalability, portability and depth of protection you need to secure these elastic environments.
What You Will Learn:
Why static security architectures break Software-as-a-Service business models
What a SaaS business needs to secure its infrastructure
Security-as-a-Service: A new security architecture for SaaS
How CloudPassage Halo has helped secure SaaS business
What You Haven't Heard (Yet) About Cloud Security (CloudPassage)
Did you know that 4 out of 5 companies are using cloud architectures? Did you also know that 22% of cloud hosting users believe that their cloud service provider is responsible for the security of their cloud server instances, yet 38% have a high level of concern with losing control of their servers and data in public cloud environments?
Join Andrew Hay, Chief Evangelist at CloudPassage, and Wendy Nather, Research Director at 451 Research, as they dive into these and other findings from the CloudPassage 2012 Security and the Cloud survey. Wendy Nather will also discuss cloud security related trends and observations from 451 Research's findings.
During this live 30-minute webinar, you will learn about:
-The challenges and fears identified by individuals looking to embrace cloud architectures
-Current cloud adoption trends and future individual and organizational expansion plans
-How people are securely delivering applications using cloud architectures
Join the discussion with Andrew Hay, Chief Evangelist of CloudPassage and Dave Shackleford, Senior Vice President, Research and Chief Technology Officer of IANS.
In this presentation, we will discuss:
- How compliance is affected by using private, hybrid, and public cloud environments
- What to consider when researching providers who offer "PCI-compliant" clouds
- Recommendations for improving compliance and security posture in the cloud
What You Need To Know About The New PCI Cloud Guidelines
1. #PCICloud
What You Need To Know About The New PCI Cloud Guidelines
Dave Shackleford, CTO, IANS
Chris Brenton, Director of Security, CloudPassage, Inc.
2. Session Agenda
• Can PCI DSS compliance be achieved in public cloud?
• Scope and responsibility example
• Checklist for PCI DSS compliance
• Suggestions for limiting PCI scope
• Breakdown of the shared responsibility model
• Securing and assessing data in a CSP environment
• Incident Response
• Questions
3. Helpful PCI Cloud Guidance?
PCI DSS = 75 pages of compliance goodness
PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to:
• Public cloud
• Private cloud
• Hybrid cloud
• IaaS
• PaaS
• SaaS
• Nested providers
• and more!
5. The Big Question
• Can PCI DSS compliance be achieved in public cloud?
– Yes, and folks are doing it
• The easy way
– Work with a PCI DSS certified CSP
– Perform a gap analysis against the CSP's “PCI scope and responsibility” documentation
• Their scope should include any nested providers
– Make sure you fill in all the gaps
• The hard way
– Work with a CSP that has not achieved PCI compliance
– Your auditor must scope and review their environment
– You essentially must certify the CSP while footing the bill
7. Scope & Responsibility Example - CSP
PCI #: 9.1
PCI DSS Requirement: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Testing Procedure: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.
Customer Responsibility: FUBAR Cloud Services maintains the physical security for all in-scope services.
8. Scope & Responsibility Example - Client
PCI #: 1.3.1
PCI DSS Requirement: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Testing Procedure: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Customer Responsibility: FUBAR customers are responsible for implementing perimeter firewalls through the FUBAR GUI interface for their in-scope services. FUBAR customers are responsible for developing appropriate firewall rules for their DMZ and internal network.
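Requirement 1.3.1 is the kind of control the slide leaves to the customer's own firewall rules, which also makes it the kind of control that can be checked mechanically rather than by eyeballing a GUI. The Go program below is an added example, not from the deck or from CloudPassage or IANS: it evaluates a constructed inbound ruleset against 1.3.1 and flags any internet-sourced rule that reaches a non-DMZ tier or exposes a service other than the authorized ones. The tier labels, the rule format, and the authorized-service list (tcp/443 only) are assumptions standing in for whatever the CSP's firewall GUI or API exports.

```go
package main

import (
	"fmt"
	"net"
)

// Tier labels are an assumption for this example; the slide's fictitious "FUBAR"
// CSP would expose something equivalent in its firewall GUI or API.
const (
	TierDMZ = "dmz" // components offering authorized public services
	TierCDE = "cde" // application and database servers holding cardholder data
)

// Rule is one inbound allow rule: traffic from Source may reach tier Dest on Proto/Port.
type Rule struct {
	Name, Source, Dest, Proto string
	Port                      int
}

// Finding records one rule that violates the 1.3.1 policy.
type Finding struct{ Rule, Reason string }

// authorizedPublic lists the only services the DMZ may expose to the internet (assumption).
var authorizedPublic = map[string]bool{"tcp/443": true}

// privateBlocks is RFC 1918 space; any other source is treated as the internet.
var privateBlocks []*net.IPNet

func init() {
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, _ := net.ParseCIDR(c)
		privateBlocks = append(privateBlocks, n)
	}
}

// publicSource reports whether a source CIDR admits traffic from outside RFC 1918
// space; 0.0.0.0/0 counts as public even though it also covers private addresses.
func publicSource(cidr string) (bool, error) {
	ip, _, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	for _, b := range privateBlocks {
		if b.Contains(ip) {
			return false, nil
		}
	}
	return true, nil
}

// CheckInbound applies requirement 1.3.1: internet-sourced traffic may reach only
// DMZ components, and only on authorized services, protocols and ports.
func CheckInbound(rules []Rule) ([]Finding, error) {
	var findings []Finding
	for _, r := range rules {
		pub, err := publicSource(r.Source)
		if err != nil {
			return nil, fmt.Errorf("rule %s: %w", r.Name, err)
		}
		if !pub {
			continue // internal flows fall under other parts of requirement 1, not 1.3.1
		}
		svc := fmt.Sprintf("%s/%d", r.Proto, r.Port)
		switch {
		case r.Dest != TierDMZ:
			findings = append(findings, Finding{r.Name, "internet source " + r.Source + " reaches non-DMZ tier " + r.Dest})
		case !authorizedPublic[svc]:
			findings = append(findings, Finding{r.Name, "DMZ exposes unauthorized service " + svc + " to " + r.Source})
		}
	}
	return findings, nil
}

// SampleRules is a constructed ruleset: three rules are compliant, two are not.
func SampleRules() []Rule {
	return []Rule{
		{"web-https", "0.0.0.0/0", TierDMZ, "tcp", 443},
		{"web-ssh-from-internet", "0.0.0.0/0", TierDMZ, "tcp", 22},
		{"db-from-internet", "203.0.113.0/24", TierCDE, "tcp", 3306},
		{"db-from-app", "10.0.2.0/24", TierCDE, "tcp", 3306},
		{"admin-from-corp", "192.168.10.0/24", TierDMZ, "tcp", 22},
	}
}

func main() {
	findings, err := CheckInbound(SampleRules())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("1.3.1 violation in %s: %s\n", f.Rule, f.Reason)
	}
}
```

Run against the sample, the check reports the SSH rule open to the world and the database tier reachable from a public range, and passes the rest. In practice SampleRules would be replaced by an export of the CSP's rules (a security-group dump, for instance), and the check covers only 1.3.1: the rest of requirement 1.3 (outbound restrictions, DMZ-to-internal traffic) needs its own rules, and a rule that passes here still has to be matched against the data flow diagram to confirm the DMZ component really is the one meant to be public.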
9. A Basic Checklist
✓ Understand the flow of credit card info
– What processes/services handle it?
– What communications exchange it?
– What drives/partitions store it?
✓ Understand what SaaS services will have Admin control
– Can be in-scope if controlling servers handling credit card info
✓ Flow diagrams are your friend, leverage them
✓ Delineate portions that are internal vs. external
✓ For internal portions, you need to address all 12 PCI DSS requirements
✓ For external portions
– Understand the CSP's scope and responsibility documentation
– Fill in the gaps as required
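The flow-diagram and admin-control points on this slide are exactly what a scoping exercise has to encode: a component is in scope if it handles cardholder data, if it communicates with a component that does (the "connected-to" rule), or if it can administer an in-scope component. The Go program below is an added example, not from the deck or from CloudPassage or IANS; it computes that scope over a constructed environment whose component and flow names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Component is one box on the flow diagram. AdminOver lists components this
// service can administer, e.g. a SaaS configuration tool with agents on servers.
type Component struct {
	Name       string
	HandlesCHD bool // stores, processes or transmits cardholder data
	AdminOver  []string
}

// Flow is a network communication between two components.
type Flow struct{ From, To string }

// Scope returns each in-scope component with the reason it is in scope:
// it handles CHD, it communicates with a component that does, or it has
// administrative control over an in-scope component (applied transitively).
func Scope(comps []Component, flows []Flow) map[string]string {
	inScope := map[string]string{}
	cde := map[string]bool{}
	for _, c := range comps {
		if c.HandlesCHD {
			cde[c.Name] = true
			inScope[c.Name] = "handles cardholder data"
		}
	}
	// Connected-to systems: any flow touching the CDE, in either direction.
	for _, f := range flows {
		for _, pair := range [][2]string{{f.From, f.To}, {f.To, f.From}} {
			src, dst := pair[0], pair[1]
			if _, seen := inScope[dst]; cde[src] && !seen {
				inScope[dst] = "connected to " + src
			}
		}
	}
	// Admin control: repeat until no further component is pulled in.
	for changed := true; changed; {
		changed = false
		for _, c := range comps {
			if _, seen := inScope[c.Name]; seen {
				continue
			}
			for _, target := range c.AdminOver {
				if _, seen := inScope[target]; seen {
					inScope[c.Name] = "admin control over " + target
					changed = true
					break
				}
			}
		}
	}
	return inScope
}

// Names returns the component names of a scope result in sorted order.
func Names(scope map[string]string) []string {
	names := make([]string, 0, len(scope))
	for n := range scope {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// SampleEnvironment is constructed: a web/payment/database chain that handles
// card data, an inventory database the payment app also talks to, a SaaS config
// tool that administers two servers, an SSO provider controlling that tool, and
// two systems (marketing site, HR system) with no path into the CDE.
func SampleEnvironment() ([]Component, []Flow) {
	comps := []Component{
		{Name: "web-tier", HandlesCHD: true},
		{Name: "payment-app", HandlesCHD: true},
		{Name: "card-db", HandlesCHD: true},
		{Name: "inventory-db"},
		{Name: "marketing-site"},
		{Name: "hr-system"},
		{Name: "config-saas", AdminOver: []string{"web-tier", "payment-app"}},
		{Name: "sso-provider", AdminOver: []string{"config-saas"}},
	}
	flows := []Flow{
		{"web-tier", "payment-app"},
		{"payment-app", "card-db"},
		{"payment-app", "inventory-db"}, // connected-to: pulls inventory-db into scope
		{"hr-system", "inventory-db"},   // not a CDE flow: hr-system stays out
	}
	return comps, flows
}

func main() {
	scope := Scope(SampleEnvironment())
	for _, n := range Names(scope) {
		fmt.Printf("%-15s in scope: %s\n", n, scope[n])
	}
}
```

On the sample, six of the eight components land in scope, including the SaaS configuration tool and the SSO provider that controls it, which is the slide's point about admin control. A flow edge here means "traffic is permitted", so the model is only as good as the segmentation evidence behind it; an assessor will want the firewall rules that prove hr-system really cannot reach the CDE before accepting it as out of scope.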
10. Section 6.5 (of the Cloud SIG guidance)
• Does not directly address PCI requirements
• Has lots of good info on how/why cloud is an evolving technology
• Caveats for legacy security tools
• Example: Introspection
– Extends the functionality of the hypervisor
– Provides visibility into VM memory, disk & network via API
– In private virtualization, leveraged for implementing security
– Problematic in public cloud
• Expands the attack surface of the hypervisor
• Leaves no forensic trail on the VM itself
• Can be a serious issue in public IaaS
– Provider manages the hypervisor
– Client manages their unique VMs
11. Limiting PCI Scope
The new guidance offers the following suggestions for limiting PCI scope:
– Don’t store, process or transmit payment card data in the cloud
– Implement a dedicated physical infrastructure
– Minimize reliance on third-party CSPs for protecting payment card data
– Ensure that clear-text account data is never accessible in the cloud
13. Who is responsible for Security?
AWS Shared Responsibility Model
Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
Provider responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
14. Data Security
• Securing and assessing data in a CSP environment can be very challenging
• The data may be in:
– Multiple physical locations
– Multiple countries
– Multiple data formats
• Data security processes within a CSP environment need to be closely evaluated
15. Data Acquisition, Storage, Lifecycle
• Data flows need to be developed and constructed for all client and CSP networks
• All data “capture” points need to be identified and protected
– Memory and VM snapshots included, as are hypervisor access methods
• Data lifecycle is critical to identify and clarify
– Data should be protected at all stages in and out of the CSP environment, and disposed of properly
16. Data Classification and Encryption
• CSPs should meet data classification requirements for clients before migration to the cloud
– Cardholder data, credentials, and crypto keys are examples
• All sensitive data should use data-level encryption
– Crypto keys should be stored separately
– All key custodians should be defined and listed, in both client and CSP environments
– Unique keys should be in place for each client
17. Data Decommissioning and Disposal
• Clearly define data disposal techniques within the CSP
• Document “Termination of Service” procedures
• Ensure that all data is deleted permanently when agreements have been terminated, even if encrypted
18. Incident Response
• Clients need to discuss data breach notification with CSPs
– Clients may also need to notify CSPs about data breaches in their environments, to mitigate risk to other clients
• What constitutes a breach should be defined and agreed on before doing business
19. Incident Response Continued
• Notification processes and timelines should be in SLAs
• Discuss the potential for client data to be captured by 3rd parties during a breach investigation
• The PCI guidance acknowledges that incident response and detection may be almost impossible if a VM has been decommissioned or removed!
20. Questions?
Dave Shackleford, CTO, IANS, @IANS_Security
Chris Brenton, Director of Security, CloudPassage, @CloudPassage