PCI and the Cloud

Join the discussion with Andrew Hay, Chief Evangelist of CloudPassage and Dave Shackleford, Senior Vice President, Research and Chief Technology Officer of IANS.


CloudPassage

August 29, 2012


Transcript

  1. PCI and the Cloud
     Dave Shackleford, CTO, IANS
     Andrew Hay, Chief Evangelist, CloudPassage
     8/29/2012
     Hashtag: #PCIcloud
  2. Who We Are
     Dave Shackleford, SVP of Research & CTO at IANS
     Andrew Hay, Chief Evangelist at CloudPassage, Inc.
     Interact with us on Twitter using the #PCIcloud hashtag
     Copyright © 2012 IANS. All rights reserved.
  3. Introduction
     •  There are lots of questions about PCI in cloud environments… but few answers to date:
        How will compliance be affected with various cloud configurations?
        What should we look for in PCI-compliant providers?
        How can I satisfy the security and control requirements?
        Can I even be PCI compliant in the cloud?
        What does a ‘PCI Compliant’ cloud even mean?
        What am I responsible for in Private/Public/Hybrid clouds?
        Will my existing technical controls work in cloud?
  4. It’s Not All Doom and Gloom
     •  Yes, you can be PCI compliant in the cloud!
     •  You will likely need some different tools and processes
     •  Not all providers are created equal!
     •  There is no “silver bullet” – but the responsibility is still yours
  5. Survey Results: Compliance & Standards
     •  What standards or regulatory compliance mandates apply to your cloud project(s)?
        PCI DSS: 84.2%
        HIPAA: 42.1%
        SOX: 36.8%
        ISO: 31.6%
        CoBIT: 15.8%
        CIPA: 5.3%
        Cloud Audit: 5.3%
        COPPA: 5.3%
        FISMA: 5.3%
        GLBA: 5.3%
  6. A Little About Cloud Types
     [Diagram: a legacy datacenter/colo, a private cloud/hybrid staging environment, a US public cloud provider and an EU public cloud provider, each hosting some combination of load balancers, app servers, auth servers and DBs]
  7. Survey Results - Environments
     •  Which of the following cloud hosting environments are leveraged by your project(s)?
        A private cloud hosted and/or operated by an external provider: 44.4%
        A public, multi-tenant cloud provider: 38.9%
        A public, multi-tenant Platform-as-a-Service (PaaS): 33.3%
        A private cloud hosted in your own data center: 27.8%
        A private Platform-as-a-Service (PaaS): 16.7%
  8. Who is responsible for Security?
     [Diagram: AWS Shared Responsibility Model. Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer responsibility: Virtual Machine, Operating System, App Framework, App Code, Data]
     “…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
     “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
     Amazon Web Services: Overview of Security Processes
  9. General Notes on Cloud Service Providers (CSPs)
     •  Compliance concerns will vary depending on whether CSP is SaaS, PaaS, IaaS
     •  CSPs should be on the card brands’ “approved list”
     •  PCI compliance should be in contract
  10. What Else to Look For: CSPs
      •  Evidence of audit and attestation – combination of “PCI Compliance” and perhaps SSAE 16
      •  Cloud SLAs and contract provisions
      •  Who is responsible for what? This should be clear!
      •  You cannot outsource your compliance status!
      •  But you CAN take steps to secure the requirements under your control
  11. Requirement Areas 1-3
      PCI DSS Requirement / Cloud Concerns and Comments
      1: Install/maintain firewall configs
         1. Data flow is important
         2. Host-based firewalls may make the most sense
         3. Hardware and some network may be up to the CSP
      2: Vendor defaults
         1. Virtualization templates can help (once they are secured properly)
         2. CSP audit data may be needed
         3. Always check for inappropriate settings
      3: Protect stored data
         1. Options will depend on data storage type
         2. Cloud storage platforms may have their own options
      PCI milestones: Protect the perimeter, internal, and wireless networks. Secure payment card applications. Protect stored cardholder data.
  12. Requirement Areas 4-6
      PCI DSS Requirement / Cloud Concerns and Comments
      4: Encrypt data in transit
         1. VPN connections to/from cloud environment
         2. Leverage SSL connections
      5: Use and update anti-malware
         1. Ensure anti-malware is built into templates for deployment
      6: Develop/maintain secure systems and apps
         1. Build security into apps and VM templates in the cloud
         2. Be wary of provisioning and “cloud bursting”
      PCI milestones: Secure payment card applications. Monitor and control access to your systems. Protect stored cardholder data.
  13. Requirement Areas 7-9
      PCI DSS Requirement / Cloud Concerns and Comments
      7: Restrict access to Cardholder Data (CHD) by “Need to Know”
         1. Leverage any role-based controls (e.g. Amazon IAM and others)
         2. Build controls into cloud systems and manage normally (if possible)
      8: Use unique IDs for accessing PCI systems
         1. Proper configuration management and role/group management are required
      9: Restrict physical access
         1. This is entirely on the CSP – similar to a hosting environment
      PCI milestone: Monitor and control access to your systems.
  14. Requirement Areas 10-12
      PCI DSS Requirement / Cloud Concerns and Comments
      10: Track and monitor access to CHD
         1. Will your CSP provide any logs? If so, which ones?
         2. Send your own logs to a central log server in the cloud or elsewhere
      11: Test PCI systems and processes
         1. Test your cloud assets – this may require a different coordination level with the CSP
         2. Ask for CSP test reports if relevant
      12: Maintain information security policies
         1. Update any/all policies that may have ties to the new cloud-based assets.
      PCI milestones: Monitor and control access to your systems. Finalize remaining compliance efforts, and ensure all controls are in place.
  15. Survey Results: Audit
      •  How many times has your cloud project been audited for adherence to the compliance standards above?
         Never: 66.7%
         Once: 9.5%
         More than three times: 23.8%
  16. Survey Results: Controls
      •  What cloud security technologies did your auditors expect you to have deployed?
         Firewalls & access control: 78.6%
         SIEM/LM: 71.4%
         WAF: 71.4%
         Multi-factor authentication: 64.3%
         Database encryption: 57.1%
         Network encryption: 57.1%
         NIDS: 57.1%
         Patch management: 57.1%
         Disk encryption: 42.9%
         HIDS: 35.7%
         Configuration monitoring: 35.7%
         FIM: 35.7%
         Code scanning: 35.7%
  17. Survey Results: Who Audited?
      •  Who performed your cloud compliance audit (big four, small firm, QSA)?
         Internal/self audit: 66.7%
         A smaller firm specializing in general risk management, governance and compliance: 13.3%
         A smaller firm specializing in information security technology: 6.7%
         A large technology integrator or technical consulting firm: 6.7%
         A large accounting firm (e.g. one of the “Big Four”): 6.7%
  18. How Do I Secure Servers in the Cloud?
      Servers in hybrid and public clouds must be self-defending with highly automated controls like…
         Dynamic firewall & access control
         Server account visibility & control
         Server compromise & intrusion alerting
         Server forensics and security analysis
         Configuration and package security
         Integration & automation capabilities
  19. Mapping Compliance to the Cloud
      Summary: PCI Milestones & Goals vs. CloudPassage coverage. Coverage columns: Firewall Automation, Multi-Factor Authentication, Account Management, Vulnerability Scanning, Configuration Security, Security Event Audit & Alerting, File Integrity Monitoring.
         Milestone 1: Remove sensitive authentication data and limit data retention. (no coverage marked)
         Milestone 2: Protect the perimeter, internal, and wireless networks. (5 of 7 columns marked)
         Milestone 3: Secure payment card applications. (all 7 columns marked)
         Milestone 4: Monitor and control access to your systems. (5 of 7 columns marked)
         Milestone 5: Protect stored cardholder data. (all 7 columns marked)
         Milestone 6: Finalize remaining compliance efforts, and ensure all controls are in place. (all 7 columns marked)
  20. Traditional Datacenter (DC) Firewalling
      [Diagram: DMZ and core network zones behind two firewalls; load balancers, app servers (www-4), an auth server and DBs placed in the zones]
  21. Moving to the Cloud
      [Diagram: the same firewalled DMZ/core datacenter layout]
  22. Moving to the Cloud
      [Diagram: the datacenter zones alongside a public cloud holding load balancers, app servers, an auth server and DBs]
  23. Moving to the Cloud
      [Diagram: load balancers, app servers, an auth server and DBs now running in the public cloud]
  24. Moving to the Cloud
      [Diagram: public cloud with a load balancer, two app servers and a DB master]
  25. Dynamic Cloud Firewalling
      [Diagram: public cloud; the load balancer, both app servers and the DB master each carry their own host firewall (FW)]
  26. Dynamic Cloud Firewalling
      [Diagram: the environment grows to two load balancers, three app servers, a DB master and a DB slave, each with its own host firewall]
  27. Dynamic Cloud Firewalling
      [Diagram: the same environment with an “App Server IP” called out; every host firewall has to account for it]
  28. Dynamic Cloud Firewalling
      [Diagram: the same environment with one app server fewer; the remaining host firewalls have to account for its removal]
  29. Lessons to Learn
      Whatever firewall options you have, use them
      Make sure your firewall rules are updated quickly and automatically
      Plan for the future, because you will be multi-cloud
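To make the second lesson concrete, here is an added example (written for this page, not code from the deck, IANS or CloudPassage) of what "updated quickly and automatically" looks like when each host firewall is generated from a role-based policy plus the current inventory instead of a hand-edited IP list. The tiers, roles, IP addresses, ports and the iptables rendering are all constructed assumptions; the point is that registering or retiring an app server regenerates the DB master's allow-list with no manual rule edit, and `reconcile` yields only the delta an agent needs to apply.

```python
"""Regenerate per-host firewall allow-lists from the current inventory.

Added example for this page, not code from the deck, IANS or CloudPassage.
Assumptions (all constructed): three tiers (lb -> app -> db), private IPs in
10.0.0.0/16, a DB master/slave pair replicating over 3306, and iptables as the
host firewall being rendered.  Default stance is deny; only policy flows open.
"""
from __future__ import annotations

# Policy: (source role, destination role) -> set of allowed TCP ports.
POLICY = {
    ("internet", "lb"): {443},
    ("lb", "app"): {8080},
    ("app", "db"): {3306},
    ("db", "db"): {3306},  # master <-> slave replication
}

# Constructed inventory of a small public-cloud deployment.
SAMPLE_INVENTORY = {
    "lb-1":      {"role": "lb",  "ip": "10.0.0.10"},
    "app-1":     {"role": "app", "ip": "10.0.1.11"},
    "app-2":     {"role": "app", "ip": "10.0.1.12"},
    "db-master": {"role": "db",  "ip": "10.0.2.21"},
    "db-slave":  {"role": "db",  "ip": "10.0.2.22"},
}


def rules_for_host(host: str, inventory: dict[str, dict]) -> list[tuple[str, int]]:
    """Return the sorted (source CIDR, port) pairs that `host` should accept.

    Sources are derived from the live inventory, so a new app server shows up
    in the DB rules as soon as it is registered and disappears when it is
    removed; nothing depends on a hand-maintained IP list.
    """
    dst_role = inventory[host]["role"]
    allowed: set[tuple[str, int]] = set()
    for (src_role, d_role), ports in POLICY.items():
        if d_role != dst_role:
            continue
        if src_role == "internet":
            sources = ["0.0.0.0/0"]
        else:
            sources = [f"{h['ip']}/32" for name, h in inventory.items()
                       if h["role"] == src_role and name != host]
        allowed.update((src, port) for src in sources for port in ports)
    return sorted(allowed)


def reconcile(previous, current) -> tuple[set, set]:
    """Diff two generated rule lists: (rules to add, rules to remove)."""
    prev, cur = set(previous), set(current)
    return cur - prev, prev - cur


def render_iptables(host: str, inventory: dict[str, dict]) -> list[str]:
    """Render the host's allow-list as iptables commands (not executed here)."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, port in rules_for_host(host, inventory):
        lines.append(f"iptables -A INPUT -p tcp -s {src} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    inv = dict(SAMPLE_INVENTORY)
    before = rules_for_host("db-master", inv)
    inv["app-3"] = {"role": "app", "ip": "10.0.1.13"}   # new server registered
    after = rules_for_host("db-master", inv)
    add, remove = reconcile(before, after)
    print("db-master must add:", add, "remove:", remove)
    print("\n".join(render_iptables("db-master", inv)))
```

Running the block registers a third app server and shows the DB master gaining exactly one rule; retiring a server is the mirror image. Driving the inventory from the cloud provider's API (or the gold-master launch hook) rather than a static file is what turns this into the automatic update the slide calls for, and it works the same whether the hosts are in one provider or spread across several.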
  30. Traditional DC Operations Model
      [Diagram: private datacenter with servers www-1 to www-4]
      Capacity is mostly static
      Servers are long-lived
      Security risk on servers is mitigated by network defenses
  31. Cloud Operations Model
      [Diagram: many www servers cloned from a Gold Master]
      Capacity is highly dynamic
  32. Cloud Operations Model
      [Diagram: public cloud; www servers (www-2 among them) cloned from a Gold Master]
      Capacity is highly dynamic
      Servers are short lived
  33. Cloud Operations Model
      [Diagram: www servers cloned from a Gold Master, some being added and removed]
      Capacity is highly dynamic
      Servers are short lived
  34. Cloud Operations Model
      [Diagram: www servers cloned from a Gold Master]
      Capacity is highly dynamic
      Servers are short lived
      Gold Master updates are rolled out incrementally
  35. Cloud Operations Model
      [Diagram: www servers (www-1, www-2 among them) cloned from a Gold Master]
      Capacity is highly dynamic
      Servers are short lived
      Gold Master updates are rolled out incrementally
      What does server security mean in this environment?
  36. Ensuring Cloud Server Integrity
      [Diagram: www servers www-1, www-2 and others]
  37. Ensuring Cloud Server Integrity
      [Diagram: www servers www-1, www-2 and others]
      Scan for misconfigurations due to deployment or debugging issues
  38. Ensuring Cloud Server Integrity
      [Diagram: www servers www-1, www-2 and others]
      Scan for misconfigurations due to deployment or debugging issues
      Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
  39. Ensuring Cloud Server Integrity
      [Diagram: www servers www-1, www-2 and others]
      Scan for misconfigurations due to deployment or debugging issues
      Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
      Monitor business code for unintended or malicious changes
  40. Ensuring Cloud Server Integrity
      [Diagram: www servers www-1 to www-4]
      Scan for misconfigurations due to deployment or debugging issues
      Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
      Monitor business code for unintended or malicious changes
      Automate management and monitoring of these critical operational security points
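The monitoring points on slides 37 to 40 (misconfigurations left by deployment or debugging, code that changes after launch) all come down to comparing a running instance with what the gold master said it should contain. As an added example, not the deck's own material and not CloudPassage's product code, here is a minimal file-integrity baseline in Python: hash every file under a tree of the gold master into a manifest, then diff a running instance against it to surface added, removed and modified files. The file paths, contents and the excluded directory names are constructed for the demo.

```python
"""File-integrity baseline for a gold-master image, diffed against an instance.

Added example for this page, not code from the deck, IANS or CloudPassage.
Assumes the manifest is produced once from the gold master and kept off the
instance (or signed), so a compromised server cannot quietly rewrite its own
baseline.  All sample files below are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: directories that are noise for integrity purposes.
EXCLUDE_DIRS = {"__pycache__", ".git"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map every regular file under `root` (relative POSIX path) to its hash."""
    root_p = Path(root)
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root_p):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root_p).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between the gold-master manifest and a live instance."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed gold-master content: a payment handler, its config, a build stamp.
GOLD_FILES = {
    "app/checkout.py": "def charge(card):\n    return tokenize(card)\n",
    "app/config.ini": "[app]\ndebug = false\n",
    "deploy/version.txt": "build-42\n",
}


def _populate(root: str, files: dict[str, str]) -> None:
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: an instance that drifted from its gold master.

    Debugging was left switched on (misconfiguration), a file nobody deployed
    appeared (unintended code change), and the build stamp went missing.
    """
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as inst:
        _populate(gold, GOLD_FILES)
        _populate(inst, GOLD_FILES)
        baseline = build_manifest(gold)
        _populate(inst, {"app/config.ini": "[app]\ndebug = true\n",
                         "app/extra.py": "# not in the gold master\n"})
        (Path(inst) / "deploy" / "version.txt").unlink()
        return compare(baseline, build_manifest(inst))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is regenerated as part of each incremental gold-master rollout, so a planned image update produces a new baseline rather than a wave of "modified" findings on every clone; anything the scheduled comparison reports on a short-lived instance is then either a deployment defect or a change nobody made, which is exactly the distinction the "automate management and monitoring" point is after.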
  41. Lessons to Learn
      Embrace the flexibility of the cloud; re-think operations
      Secure your server integrity by keeping images up-to-date and monitor closely for changes
      Know what areas of security you are responsible for and automate them heavily
  42. Best Practices
      •  Read and understand what your provider does, and what you are responsible for, with regards to PCI
      •  When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
      •  Start with public cloud, PCI everywhere else is relatively easy!
      •  Focus on securing the tenets of PCI that you can control
  43. Thank You & Questions
      Dave Shackleford, CTO, IANS, [email protected]
      Andrew Hay, Chief Evangelist, CloudPassage, [email protected]
      Follow us on Twitter: twitter.com/ians_security, twitter.com/cloudpassage
      www.cloudpassage.com/pci-kit